From c1ea5253d562730e53285706188e3f0f4ba13d09 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 14:23:23 +0200
Subject: [PATCH] fix: default policy file path for admin to null, and use built-in policy if value stays null

---
 README.md | 2 +-
 admin_approle.tf | 2 +-
 variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f3f72ae..27e8f99 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
 | [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
 | [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
 | [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
diff --git a/admin_approle.tf b/admin_approle.tf
index e3d187c..dd41eb7 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = file(var.tenant_admin_policy_file)
+ policy = var.tenant_admin_policy_file == null ? file("${path.module}/policies/tenant-admins.policy.hcl") : file(var.tenant_admin_policy_file)
 }
diff --git a/variables.tf b/variables.tf
index 3d060c9..92a4ebc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,7 +20,7 @@ variable "tenant_prefix" {
 variable "tenant_admin_policy_file" {
 type = string
- default = "./policies/tenant-admins.policy.hcl"
+ default = null
 description = "The path to the admin policy file for this tenant"
 }
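Review bot: The new `policy` line in `vault_policy.tenant_admin` spells out two `file()` calls whose only difference is the path, which reads more directly as one call with a fallback: `policy = file(coalesce(var.tenant_admin_policy_file, "${path.module}/policies/tenant-admins.policy.hcl"))`. One caveat when switching: Terraform's `coalesce` also skips empty strings, so an input of `""` would silently select the bundled policy where the current `== null` test would instead fail on `file("")` — decide which behaviour is wanted before changing it. Because the content read here becomes the tenant's admin policy in Vault, a one-line comment above the attribute such as `# null selects the module's bundled admin policy; any other value must be a readable HCL policy file` would make the fallback visible to readers of this file and not only of variables.tf.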
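Review bot: The `description` of `tenant_admin_policy_file` still reads only "The path to the admin policy file for this tenant", so after this change a module user (and the generated README row) cannot tell that leaving the variable at its new `null` default selects the module's bundled `policies/tenant-admins.policy.hcl` and grants the tenant admin whatever that file contains; suggested wording: `description = "The path to the admin policy file for this tenant; when null, the module's built-in policies/tenant-admins.policy.hcl is used"`. If any caller previously relied on the old relative default `./policies/tenant-admins.policy.hcl` resolving against their own working directory, that lookup now comes from `path.module` instead, which the description (or the commit message) could also call out so the behaviour change is not silent.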