From f51a8bf1f100bce7882bfdb2838295c578bf99b3 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Fri, 24 May 2024 23:50:51 +0200
Subject: [PATCH 01/30] feat: add first roles and approle auth method for tenant
---
 .cz.toml | 6 +++
 .gitea/workflows/development.yml | 26 +++++++++++++
 .gitea/workflows/pull-request-open.yml | 35 +++++++++++++++++
 .gitea/workflows/release.yml | 54 ++++++++++++++++++++++++++
 .pre-commit-config.yaml | 27 +++++++++++++
 README.md | 49 ++++++++++++++++++++++-
 admin_approle.tf | 26 +++++++++++++
 extra_policies.tf | 43 ++++++++++++++++++++
 main.tf | 11 ++++++
 outputs.tf | 0
 variables.tf | 42 ++++++++++++++++++++
 11 files changed, 318 insertions(+), 1 deletion(-)
 create mode 100644 .cz.toml
 create mode 100644 .gitea/workflows/development.yml
 create mode 100644 .gitea/workflows/pull-request-open.yml
 create mode 100644 .gitea/workflows/release.yml
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 admin_approle.tf
 create mode 100644 extra_policies.tf
 create mode 100644 main.tf
 create mode 100644 outputs.tf
 create mode 100644 variables.tf
diff --git a/.cz.toml b/.cz.toml
new file mode 100644
index 0000000..52d405f
--- /dev/null
+++ b/.cz.toml
@@ -0,0 +1,6 @@
+[tool.commitizen]
+name = "cz_conventional_commits"
+version_provider = "scm"
+# version_files = ["galaxy.yml:^version"]
+update_changelog_on_bump = true
+major_version_zero = true
diff --git a/.gitea/workflows/development.yml b/.gitea/workflows/development.yml
new file mode 100644
index 0000000..bfba126
--- /dev/null
+++ b/.gitea/workflows/development.yml
@@ -0,0 +1,26 @@
+---
+name: development
+on:
+ push:
+ branches-ignore:
+ - main
+
+jobs:
+ commit-check:
+ name: Check commit compliance
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install commitizen
+ run: pip3 install commitizen
+ shell: bash
+ working-directory: ./
+
+ - name: Verify commit message compliance
+ run: |
+ echo "cz check --message '${{ github.event.head_commit.message }}'"
+ cz check --message "${{ github.event.head_commit.message }}"
+ shell: bash
+ working-directory: ./
diff --git a/.gitea/workflows/pull-request-open.yml b/.gitea/workflows/pull-request-open.yml
new file mode 100644
index 0000000..ea2a600
--- /dev/null
+++ b/.gitea/workflows/pull-request-open.yml
@@ -0,0 +1,35 @@
+---
+name: pull-requests-open
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+ branches:
+ - main
+
+jobs:
+ commit-history-check:
+ name: Check commit compliance
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - name: Install commitizen
+ run: pip3 install commitizen
+ shell: bash
+ working-directory: ./
+
+ - run: git log origin/${{ github.event.pull_request.base.ref }}..
+
+ - name: Verify commit message compliance
+ run: |
+ echo "cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.."
+ cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}..
+ shell: bash
+ working-directory: ./
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
new file mode 100644
index 0000000..e617278
--- /dev/null
+++ b/.gitea/workflows/release.yml
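Review bot: The `cz check --message "${{ github.event.head_commit.message }}"` step in development.yml splices the commit message straight into the shell script, so a message containing a double quote or `$(…)` changes what the runner executes, and because this workflow fires for every non-main push, anyone with push rights gets arbitrary command execution on the runner. Pass the value through the environment instead: `env:` / `COMMIT_MSG: ${{ github.event.head_commit.message }}` on the step, then `cz check --message "$COMMIT_MSG"` (and the `echo` line the same way). The `git log origin/${{ github.event.pull_request.base.ref }}..` and `cz check --rev-range …` steps in pull-request-open.yml below interpolate a branch name the same way and deserve the same treatment. That file also alternates between the `github.` and `gitea.` contexts for the same value; pick one so a reader does not wonder whether they differ.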
@@ -0,0 +1,54 @@
+---
+name: release
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ do-release:
+ if: "!startsWith(github.event.head_commit.message, 'bump:')"
+ runs-on: ubuntu-latest
+ name: Bump version and create changelog with commitizen
+ steps:
+ - name: Get secrets from vault
+ id: import-secrets
+ uses: hashicorp/vault-action@v3
+ with:
+ url: "https://vault.ednz.fr"
+ method: approle
+ roleId: ${{ secrets.VAULT_APPROLE_ID }}
+ secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
+ secrets: |
+ kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
+ kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+
+ - name: Install commitizen
+ run: pip3 install commitizen
+ shell: bash
+ working-directory: ./
+
+ - name: Configure git credentials
+ uses: oleksiyrudenko/gha-git-credentials@v2
+ with:
+ global: true
+ name: "Gitea-Actions Bot"
+ email: "gitea-actions@ednz.fr"
+ actor: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
+ token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+
+ - name: Do release
+ run: cz -nr 21 bump --yes
+ shell: bash
+ working-directory: ./
+
+ - name: Push release
+ run: git push && git push --tags
+ shell: bash
+ working-directory: ./
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..b7141fe
--- /dev/null
+++ b/.pre-commit-config.yaml
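Review bot: The write token fetched from Vault (`GITEA_ACTIONS_TOKEN`) is handed to `oleksiyrudenko/gha-git-credentials@v2`, a third-party action pinned only by a mutable tag, and `actions/checkout@v4` and `hashicorp/vault-action@v3` are pinned the same way; whoever can move one of those tags can run code that sees a token able to push to `main` and create tags. Pin every `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: oleksiyrudenko/gha-git-credentials@<commit-sha> # v2`. It is also worth a comment above the `secrets: |` block stating that the `token_write` value read from `kv/data/applications/gitea/users/actions` must be scoped to this repository only, since this job is the one place it is exercised.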
@@ -0,0 +1,27 @@
+repos:
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.86.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - "--hook-config=--path-to-file=README.md"
+ - "--hook-config=--add-to-existing-file=true"
+ - "--hook-config=--create-file-if-not-exist=true"
+ - "--args=--escape=false"
+ - "--args=--lockfile=false"
+ - "--args=--indent 3"
+ - "--args=--show all"
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.5.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - repo: https://github.com/commitizen-tools/commitizen
+ rev: v3.24.0
+ hooks:
+ - id: commitizen
+ - id: commitizen-branch
+ stages:
+ - post-commit
+ - push
diff --git a/README.md b/README.md
index 3345f7a..294bc72 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,50 @@
 # terraform-vault-tenant
-Terraform module to deploy tenant in Hashicorp Vault community version.
\ No newline at end of file
+Terraform module to deploy tenant in Hashicorp Vault community version.
+### Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement_terraform) | >= 1.0.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| [random](#provider_random) | n/a |
+| [vault](#provider_vault) | n/a |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
+| [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| 
[vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
+| [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
+| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
+
+### Outputs
+
+No outputs.
+
diff --git a/admin_approle.tf b/admin_approle.tf
new file mode 100644
index 0000000..1c11833
--- /dev/null
+++ b/admin_approle.tf
@@ -0,0 +1,26 @@
+resource "vault_approle_auth_backend_role" "tenant_admin" {
+ backend = var.global_approle_mount
+ role_name = "${var.tenant_name}-admin"
+ token_policies = ["default", "${vault_policy.tenant_admin.name}"]
+}
+
+resource "random_uuid" "tenant_admin_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
+ backend = var.global_approle_mount
+ role_name = vault_approle_auth_backend_role.tenant_admin.role_name
+ secret_id = random_uuid.tenant_admin_secret_id.result
+}
+
+resource "vault_identity_entity" "tenant_admin" {
+ name = "${each.value.prefix}-admin"
+ metadata = {
+ tenant = var.tenant_name
+ prefix = var.tenant_prefix
+ }
+}
+
+resource "vault_policy" "tenant_admin" {
+ name = "${var.tenant_name}-admin"
+ policy = file(var.tenant_admin_policy_file)
+}
diff --git a/extra_policies.tf b/extra_policies.tf
new file mode 100644
index 0000000..634f8c1
--- /dev/null
+++ b/extra_policies.tf
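Review bot: `vault_identity_entity.tenant_admin` is never bound to the AppRole: nothing creates a `vault_identity_entity_alias` tying the role on `var.global_approle_mount` to this entity, so a login through the role gets an automatically created entity without the `tenant`/`prefix` metadata written here, and a policy that relies on `{{identity.entity.metadata.prefix}}` would not see these values. The same gap exists for `vault_identity_entity.extra_roles` in the extra_policies.tf hunk below, which at least has the mount accessor at hand (`vault_auth_backend.approle.accessor`). Either add the alias (for AppRole the alias `name` is the role's `role_id`, `mount_accessor` the auth mount's accessor and `canonical_id` the entity id), or put a comment on each entity resource saying the binding is left to the caller; as written the entities do nothing.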
@@ -0,0 +1,43 @@
+resource "vault_policy" "extra_policies" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ policy = file(each.value.policy_file)
+}
+
+resource "vault_auth_backend" "approle" {
+ type = "approle"
+ path = "${var.tenant_prefix}-approle"
+ tune {
+ default_lease_ttl = "3600s"
+ max_lease_ttl = "14400s"
+ }
+}
+
+resource "vault_approle_auth_backend_role" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ backend = vault_auth_backend.approle.path
+ role_name = each.key
+ token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
+}
+
+resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
+
+resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
+ secret_id = random_uuid.extra_roles_secret_id[each.key].result
+}
+
+resource "vault_identity_entity" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ metadata = {
+ tenant = var.tenant_name
+ prefix = var.tenant_prefix
+ }
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..08e0a47
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ }
+ random = {
+ source = "hashicorp/random"
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..90cd9cb
--- /dev/null
+++ b/variables.tf
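Review bot: The `extra_roles` AppRole roles (and `tenant_admin` in admin_approle.tf above) put no bounds on what a login yields: no `token_ttl`/`token_max_ttl`, `token_num_uses`, `secret_id_ttl`, `secret_id_num_uses` or `secret_id_bound_cidrs`, so the mount's `tune` lease TTLs are the only limit and a leaked secret_id stays usable for as long as the role exists. These are all arguments of `vault_approle_auth_backend_role` and are worth exposing as module inputs with conservative defaults rather than leaving them at the provider's. The secret_id produced by `random_uuid.extra_roles_secret_id` and passed as `secret_id = …result` also lands in plaintext in Terraform state; a comment on that resource saying so, and that the state backend must be protected accordingly, would save a consumer from learning it later.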
@@ -0,0 +1,42 @@
+variable "global_approle_mount" {
+ type = string
+ default = "approle"
+ description = "The mount path for the global AppRole authentication method"
+}
+
+variable "tenant_name" {
+ type = string
+ description = "The name of the tenant you want to create"
+ validation {
+ condition = can(regex("^[-a-zA-Z0-9_]*$", var.tenant_name))
+ error_message = "The tenant name must only contain alphanumeric characters, dashes, and underscores."
+ }
+}
+
+variable "tenant_prefix" {
+ type = string
+ description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
+}
+
+variable "tenant_admin_policy_file" {
+ type = string
+ description = "The path to the admin policy file for this tenant"
+}
+
+variable "tenant_additional_roles" {
+ type = map(object({
+ policy_file = string
+ }))
+ default = {}
+ description = <-approle) including all the roles declared in this variable.
+ The variable should look like:
+ tenant_additional_roles = {
+ devs = {
+ policy_file = "/some/path/to/policy.hcl"
+ }
+ admins = {...}
+ }
+ EOT
+}
From 79ce376b04c4a16a1bb7ba6e68ba5a035f7e7cab Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 00:32:21 +0200
Subject: [PATCH 02/30] feat: add outputs to module for policy names and role details
---
 README.md | 7 ++++++-
 examples/.gitkeep | 0
 modules/.gitkeep | 0
 outputs.tf | 45 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 examples/.gitkeep
 create mode 100644 modules/.gitkeep
diff --git a/README.md b/README.md
index 294bc72..410198d 100644
--- a/README.md
+++ b/README.md
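Review bot: `tenant_prefix` has no `validation` block although it is interpolated into the auth mount path (`${var.tenant_prefix}-approle`), into policy and entity names, and later in this series into the policy path globs `${tenant_prefix}/*` of policies/tenant-admins.policy.hcl; a prefix containing `/`, `*` or `+` widens what the generated policy matches instead of being rejected. Give it the same check as `tenant_name`, e.g. `condition = can(regex("^[-a-zA-Z0-9_]+$", var.tenant_prefix))`. The `tenant_name` pattern uses `*` and so accepts the empty string, which would yield a role and policy named `-admin`; `+` instead of `*` closes that. The `tenant_additional_roles` heredoc is garbled in this rendering, so I cannot review its text.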
@@ -46,5 +46,10 @@ No modules.
 ### Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names |
+| [extra_roles](#output_extra_roles) | The tenant extra approle roles |
+| [tenant_admin_policy](#output_tenant_admin_policy) | The tenant admin policy name |
+| [tenant_admin_role](#output_tenant_admin_role) | The tenant admin approle role |
diff --git a/examples/.gitkeep b/examples/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/modules/.gitkeep b/modules/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/outputs.tf b/outputs.tf
index e69de29..d7cb775 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1,45 @@
+output "tenant_admin_role" {
+ value = {
+ role_id = vault_approle_auth_backend_role.tenant_admin.role_name
+ secret_id = vault_approle_auth_backend_role_secret_id.tenant_admin.secret_id
+ }
+ sensitive = true
+ description = "The tenant admin approle role"
+ depends_on = [
+ vault_approle_auth_backend_role.tenant_admin,
+ vault_approle_auth_backend_role_secret_id.tenant_admin
+ ]
+}
+
+output "tenant_admin_policy" {
+ value = vault_policy.tenant_admin.name
+ sensitive = false
+ description = "The tenant admin policy name"
+ depends_on = [vault_policy.tenant_admin]
+}
+
+output "extra_roles" {
+ value = {
+ for key, role in vault_approle_auth_backend_role.extra_roles :
+ key => {
+ role_id = role.role_name
+ secret_id = vault_approle_auth_backend_role_secret_id.extra_roles[key].secret_id
+ }
+ }
+ sensitive = true
+ description = "The tenant extra approle roles"
+ depends_on = [
+ vault_approle_auth_backend_role.extra_roles,
+ vault_approle_auth_backend_role_secret_id.extra_roles
+ ]
+}
+
+output "extra_role_policies" {
+ value = {
+ for key, policy in vault_policy.extra_policies :
+ key => policy.name
+ }
+ sensitive = false
+ description = "The tenant extra role policy names"
+ depends_on = [vault_policy.extra_policies]
+}
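Review bot: The `role_id` key of the `tenant_admin_role` output carries `vault_approle_auth_backend_role.tenant_admin.role_name`, and `extra_roles` does the same with `role.role_name`, so a consumer gets the role name under the key that names the AppRole role_id an `auth/approle/login` call needs. The resource exposes the real identifier; change the two lines to `role_id = vault_approle_auth_backend_role.tenant_admin.role_id` and `role_id = role.role_id`. If the name is also wanted downstream, add it under a separate `role_name` key rather than overloading this one. The `depends_on` lists repeat references already present in `value` and can go.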
From 5d84d0ef6fc4ec62c18ded7f8c42e49cf1f58526 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 00:33:58 +0200
Subject: [PATCH 03/30] feat: add version constraint to terraform providers
---
 README.md | 6 ++++--
 main.tf | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 410198d..cab2b10 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,15 @@ Terraform module to deploy tenant in Hashicorp Vault community version.
+This module aims to provide a way for companies and individuals running the community version of vault, to segregate accesses between teams.
+
+This "tenant" module requires that you have at least one approle auth method mounted prior to deploying it. It will create a tenant admin approle role on these mount, and apply the policy you define. It can also create an additional tenant-scoped approle auth mount, and create roles based on policies that you define.
+
+The idea behind this is that outside of access control, a tenant is free to create whatever secret engine, secrets, etc... As long as those are prefixed with their tenant prefix.
+
+
 ### Requirements
 | Name | Version |
@@ -42,7 +48,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
 | [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
 | [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
 | [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
diff --git a/extra_policies.tf b/extra_policies.tf
index 634f8c1..4695fdb 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,10 +1,3 @@
-resource "vault_policy" "extra_policies" {
- for_each = var.tenant_additional_roles
-
- name = "${var.tenant_prefix}-${each.key}"
- policy = file(each.value.policy_file)
-}
-
 resource "vault_auth_backend" "approle" {
 type = "approle"
 path = "${var.tenant_prefix}-approle"
@@ -41,3 +34,10 @@ resource "vault_identity_entity" "extra_roles" {
 prefix = var.tenant_prefix
 }
 }
+
+resource "vault_policy" "extra_policies" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ policy = file(each.value.policy_file)
+}
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
new file mode 100644
index 0000000..a0b93de
--- /dev/null
+++ b/policies/tenant-admins.policy.hcl
@@ -0,0 +1,7 @@
+path "{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
+
+path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/variables.tf b/variables.tf
index 90cd9cb..3d060c9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,6 +20,7 @@ variable "tenant_prefix" {
 variable "tenant_admin_policy_file" {
 type = string
+ default = "./policies/tenant-admins.policy.hcl"
 description = "The path to the admin policy file for this tenant"
 }
From 9c4d1443f6a492b4fcb6d9dc9b601dc74021fa7e Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 14:14:12 +0200
Subject: [PATCH 05/30] fix: wrong variable name in admin entity
---
 admin_approle.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index 1c11833..e3d187c 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -13,7 +13,7 @@ resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
 }
 resource "vault_identity_entity" "tenant_admin" {
- name = "${each.value.prefix}-admin"
+ name = "${var.tenant_prefix}-admin"
 metadata = {
 tenant = var.tenant_name
 prefix = var.tenant_prefix
From c1ea5253d562730e53285706188e3f0f4ba13d09 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 14:23:23 +0200
Subject: [PATCH 06/30] fix: default policy file path for admin to null, and use built-in policy if value stays null
---
 README.md | 2 +-
 admin_approle.tf | 2 +-
 variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index f3f72ae..27e8f99 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
 | [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
 | [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
 | [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
diff --git a/admin_approle.tf b/admin_approle.tf
index e3d187c..dd41eb7 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = file(var.tenant_admin_policy_file)
+ policy = var.tenant_admin_policy_file == null ? file("${path.module}/policies/tenant-admins.policy.hcl") : file(var.tenant_admin_policy_file)
 }
diff --git a/variables.tf b/variables.tf
index 3d060c9..92a4ebc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,7 +20,7 @@ variable "tenant_prefix" {
 variable "tenant_admin_policy_file" {
 type = string
- default = "./policies/tenant-admins.policy.hcl"
+ default = null
 description = "The path to the admin policy file for this tenant"
 }
From 604a02683cd5a058c0a444478903075b30b76e87 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 16:27:53 +0200
Subject: [PATCH 07/30] feat: allow tenant admin to create child token with its own permissions
---
 admin_approle.tf | 2 +-
 policies/tenant-admins.policy.hcl | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index dd41eb7..6205a8a 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
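Review bot: The `tenant_admin_policy_file` description still reads "The path to the admin policy file for this tenant" although `null` now means "use the policy bundled with the module", and nothing tells the caller that a supplied file is read verbatim while the bundled one is the module's own. State the contract on the variable: `description = "Path to a custom admin policy file for this tenant; when null, the module's policies/tenant-admins.policy.hcl is used"`. The conditional on the `policy` line in admin_approle.tf is long enough that a `locals { tenant_admin_policy = … }` would read better, but that is style only.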
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? file("${path.module}/policies/tenant-admins.policy.hcl") : file(var.tenant_admin_policy_file)
+ policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_name = var.tenant_name }) : templatefile(var.tenant_admin_policy_file, { tenant_name = var.tenant_name })
 }
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index a0b93de..1b1a02c 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -5,3 +5,10 @@ path "{{identity.entity.metadata.prefix}}/*" {
 path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
 capabilities = ["create", "update", "read", "delete", "list"]
 }
+
+path "auth/token/create" {
+ capabilities = ["create", "update", "delete"]
+ allowed_parameters = {
+ policies = ["${tenant_name}-admin"]
+ }
+}
From 9a30e25a805adfc68d9f02842800a5adb0ecf7ee Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 16:59:55 +0200
Subject: [PATCH 08/30] fix: wrong permissions on token/create for tenant admin
---
 policies/tenant-admins.policy.hcl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index 1b1a02c..09e6ad7 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -7,8 +7,8 @@ path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
 }
 path "auth/token/create" {
- capabilities = ["create", "update", "delete"]
+ capabilities = ["create", "update", "sudo"]
 allowed_parameters = {
- policies = ["${tenant_name}-admin"]
+ policies = [["${tenant_name}-admin"]]
 }
 }
From a1a7818c15fd20c21f47e2c6afd213d8c3219e74 Mon Sep 17 00:00:00 2001
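Review bot: Adding `sudo` to `auth/token/create` in the patch 08 hunk does more than permit child tokens: Vault waives the rule that a requested `policies` list must be a subset of the caller's own policies when the caller has sudo on this path, and honours `no_parent`, so the `allowed_parameters` whitelist becomes the only thing keeping the tenant admin inside its own policy set. Patch 09 below then drops that whitelist while keeping `sudo`, which would let the admin mint tokens carrying any policy short of root, and orphan tokens that outlive its own. Keep `capabilities = ["create", "update"]` and express the restriction through `allowed_parameters`; the nested form `[["${tenant_name}-admin"]]` is what Vault compares a list-valued parameter against as a whole, so the caller's list must match exactly. In the patch 07 hunk of admin_approle.tf, running `templatefile` over a caller-supplied `tenant_admin_policy_file` evaluates any `${…}` the user wrote in their own policy; `file()` is the right reader for content the module does not own.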
From: Bertrand Lanson
Date: Sat, 25 May 2024 17:10:46 +0200
Subject: [PATCH 09/30] fix: wrong permissions on token/create for tenant admin
---
 policies/tenant-admins.policy.hcl | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index 09e6ad7..108cc05 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -8,7 +8,4 @@ path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
 path "auth/token/create" {
 capabilities = ["create", "update", "sudo"]
- allowed_parameters = {
- policies = [["${tenant_name}-admin"]]
- }
 }
From 61481d808d3382fa271ae353b677f513eae89e04 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:05:49 +0200
Subject: [PATCH 10/30] fix: wrong permissions on token policy for tenant admin
---
 policies/tenant-admins.policy.hcl | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index 108cc05..d318d9f 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -1,11 +1,7 @@
-path "{{identity.entity.metadata.prefix}}/*" {
+path "${tenant_prefix}/*" {
 capabilities = ["create", "update", "read", "delete", "list"]
 }
-path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
+path "sys/mounts/${tenant_prefix}/*" {
 capabilities = ["create", "update", "read", "delete", "list"]
 }
-
-path "auth/token/create" {
- capabilities = ["create", "update", "sudo"]
-}
From 8ab67a2ed68d6e171fdd9d03bbb2af6972f421a6 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:07:00 +0200
Subject: [PATCH 11/30] fix: template of policy file
---
 admin_approle.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index 6205a8a..6ec53e7 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_name = var.tenant_name }) : templatefile(var.tenant_admin_policy_file, { tenant_name = var.tenant_name })
+ policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix })
 }
From 39371c8503201132b635df9267dd518e554fb35b Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:24:24 +0200
Subject: [PATCH 12/30] feat: only allow tenant admin to create tokens with its own policies
---
 admin_approle.tf | 2 +-
 policies/tenant-admins.policy.hcl | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index 6ec53e7..c12c7b0 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : templatefile(var.tenant_admin_policy_file, { tenant_prefix = var.tenant_prefix })
+ policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies }) : file(var.tenant_admin_policy_file)
 }
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index d318d9f..4452113 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -5,3 +5,10 @@ path "${tenant_prefix}/*" {
 path "sys/mounts/${tenant_prefix}/*" {
 capabilities = ["create", "update", "read", "delete", "list"]
 }
+
+path "auth/token/create" {
+ capabilities = ["create", "update", "delete"]
+ allowed_parameters = {
+ "policies" = [${admin_policies}, ${reverse(admin_policies)}]
+ }
+}
From 8a5a85f33f02eb7924809e1a16b184312fdd4bea Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:27:03 +0200
Subject: [PATCH 13/30] fix: circular dependency
---
 admin_approle.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index c12c7b0..1d6a56c 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -1,7 +1,11 @@
+locals {
+ tenant_admin_policies = ["default", "${var.tenant_name}-admin"]
+}
+
 resource "vault_approle_auth_backend_role" "tenant_admin" {
 backend = var.global_approle_mount
 role_name = "${var.tenant_name}-admin"
- token_policies = ["default", "${vault_policy.tenant_admin.name}"]
+ token_policies = local.tenant_admin_policies
 }
 resource "random_uuid" "tenant_admin_secret_id" {}
@@ -22,5 +26,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = vault_approle_auth_backend_role.tenant_admin.token_policies }) : file(var.tenant_admin_policy_file)
+ policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = local.tenant_admin_policies }) : file(var.tenant_admin_policy_file)
 }
From 08039667162c4ca3d46a0197080d7c678613911c Mon Sep 17 00:00:00 2001
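Review bot: `local.tenant_admin_policies` in the patch 13 hunk spells out `"${var.tenant_name}-admin"` independently of the `name` given to `vault_policy.tenant_admin` further down, so renaming either one silently desynchronises the role's `token_policies` from the policy that actually exists. Derive both from a single local, e.g. `tenant_admin_policy_name = "${var.tenant_name}-admin"`, used as `name = local.tenant_admin_policy_name` and inside the list. Breaking the cycle this way also removes the role's dependency on `vault_policy.tenant_admin`, so Terraform may create the role before the policy; Vault accepts a not-yet-existing policy name on a role as far as I know, but a login in that window yields a token naming a policy that grants nothing. In the patch 12 policy hunk above, `${admin_policies}` interpolates a list into a string, which `templatefile` rejects; patch 14 below reworks that line.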
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:35:35 +0200
Subject: [PATCH 14/30] fix: templating not working for arrays
---
 policies/tenant-admins.policy.hcl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index 4452113..4bb671e 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -9,6 +9,9 @@ path "sys/mounts/${tenant_prefix}/*" {
 path "auth/token/create" {
 capabilities = ["create", "update", "delete"]
 allowed_parameters = {
- "policies" = [${admin_policies}, ${reverse(admin_policies)}]
+ "policies" = [
+ [${for policy in admin_policies}${policy},${endfor}],
+ [${for policy in reverse(admin_policies)}${policy},${endfor}]
+ ]
 }
 }
From 9a4f2837a0bbd29dd214e65c067f1d378034478d Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 18:39:53 +0200
Subject: [PATCH 15/30] fix: do not allow any token creation for now, will have to avoid child tokens in tf provider config
---
 .cz.toml | 1 -
 admin_approle.tf | 2 +-
 policies/tenant-admins.policy.hcl | 10 ----------
 3 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/.cz.toml b/.cz.toml
index 52d405f..a05167a 100644
--- a/.cz.toml
+++ b/.cz.toml
@@ -1,6 +1,5 @@
 [tool.commitizen]
 name = "cz_conventional_commits"
 version_provider = "scm"
-# version_files = ["galaxy.yml:^version"]
 update_changelog_on_bump = true
 major_version_zero = true
diff --git a/admin_approle.tf b/admin_approle.tf
index 1d6a56c..bdcd121 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
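Review bot: The rendered list `[${for policy in admin_policies}${policy},${endfor}]` emits unquoted names (constructed example: `[default,<tenant>-admin,]`), which is not a valid HCL list of strings for `allowed_parameters`; Terraform template directives are also spelled `%{for …}`/`%{endfor}`, so as shown the file should fail to render at all unless this rendering lost the `%`. Quote each element, e.g. `[%{for policy in admin_policies}"${policy}",%{endfor}]`, or pass `jsonencode(local.tenant_admin_policies)` from admin_approle.tf and drop the loop entirely. Listing two orderings of the list is brittle in any case: Vault compares a list-valued parameter against each allowed value as a whole, so any other ordering or any subset the caller sends is rejected.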
@@ -26,5 +26,5 @@ resource "vault_identity_entity" "tenant_admin" { resource "vault_policy" "tenant_admin" { name = "${var.tenant_name}-admin" - policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix, admin_policies = local.tenant_admin_policies }) : file(var.tenant_admin_policy_file) + policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file) } diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl index 4bb671e..d318d9f 100644 --- a/policies/tenant-admins.policy.hcl +++ b/policies/tenant-admins.policy.hcl @@ -5,13 +5,3 @@ path "${tenant_prefix}/*" { path "sys/mounts/${tenant_prefix}/*" { capabilities = ["create", "update", "read", "delete", "list"] } - -path "auth/token/create" { - capabilities = ["create", "update", "delete"] - allowed_parameters = { - "policies" = [ - [${for policy in admin_policies}${policy},${endfor}], - [${for policy in reverse(admin_policies)}${policy},${endfor}] - ] - } -} From ba09f9e4dc468cec242cc92ea2df3e0007125a20 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 12:45:35 +0200 Subject: [PATCH 16/30] fix: revert using locals for role policies --- admin_approle.tf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/admin_approle.tf b/admin_approle.tf index bdcd121..3c866d3 100644 --- a/admin_approle.tf +++ b/admin_approle.tf @@ -1,11 +1,7 @@ -locals { - tenant_admin_policies = ["default", "${var.tenant_name}-admin"] -} - resource "vault_approle_auth_backend_role" "tenant_admin" { backend = var.global_approle_mount role_name = "${var.tenant_name}-admin" - token_policies = local.tenant_admin_policies + token_policies = ["default", vault_policy.tenant_admin.name] } resource "random_uuid" "tenant_admin_secret_id" {} 
From a4e8e140966d0218852b10905360af27f2931c49 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 14:04:22 +0200 Subject: [PATCH 17/30] feat: allow tenant admin to remount secret engines on tenant prefix --- policies/tenant-admins.policy.hcl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl index d318d9f..5829bee 100644 --- a/policies/tenant-admins.policy.hcl +++ b/policies/tenant-admins.policy.hcl @@ -5,3 +5,11 @@ path "${tenant_prefix}/*" { path "sys/mounts/${tenant_prefix}/*" { capabilities = ["create", "update", "read", "delete", "list"] } + +path "sys/remount" { + capabilities = ["update"] + allowed_parameters = { + from = "${tenant_prefix}/*" + to = "${tenant_prefix}/*" + } +} From e1128cf244c9509727e14a68c417a6b2748eed85 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 14:48:12 +0200 Subject: [PATCH 18/30] fix: wrong allowed_parameters type for params --- policies/tenant-admins.policy.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl index 5829bee..1b2e55c 100644 --- a/policies/tenant-admins.policy.hcl +++ b/policies/tenant-admins.policy.hcl @@ -9,7 +9,7 @@ path "sys/mounts/${tenant_prefix}/*" { path "sys/remount" { capabilities = ["update"] allowed_parameters = { - from = "${tenant_prefix}/*" - to = "${tenant_prefix}/*" + from = ["${tenant_prefix}/*"] + to = ["${tenant_prefix}/*"] } } From 154a3ba98a15f06c76eeef43343a8ddd95fe916c Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 15:20:18 +0200 Subject: [PATCH 19/30] fix: increase permissions for remounting secret engines --- policies/tenant-admins.policy.hcl | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl index 1b2e55c..72698d6 100644 --- a/policies/tenant-admins.policy.hcl 
+++ b/policies/tenant-admins.policy.hcl @@ -9,7 +9,11 @@ path "sys/mounts/${tenant_prefix}/*" { path "sys/remount" { capabilities = ["update"] allowed_parameters = { - from = ["${tenant_prefix}/*"] - to = ["${tenant_prefix}/*"] + "from" = ["${tenant_prefix}/*"] + "to" = ["${tenant_prefix}/*"] } } + +path "sys/remount/status/*" { + capabilities = ["read"] +} From 6872e4191ac78032f1aa4a3f624d2abb56fe66a2 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 15:35:53 +0200 Subject: [PATCH 20/30] fix: remount needs sudo --- policies/tenant-admins.policy.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl index 72698d6..9aeeaa9 100644 --- a/policies/tenant-admins.policy.hcl +++ b/policies/tenant-admins.policy.hcl @@ -7,7 +7,7 @@ path "sys/mounts/${tenant_prefix}/*" { } path "sys/remount" { - capabilities = ["update"] + capabilities = ["update", "sudo"] allowed_parameters = { "from" = ["${tenant_prefix}/*"] "to" = ["${tenant_prefix}/*"] From 70c53fbef767fd78fe5d30fb3d3f47946b7efa03 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 16:22:18 +0200 Subject: [PATCH 21/30] feat: move every approle role to dedicated backend, and add group to pass metadata along --- README.md | 3 +++ admin_approle.tf => admin_role.tf | 9 +++++++-- approle_auth.tf | 23 +++++++++++++++++++++++ extra_policies.tf | 9 --------- 4 files changed, 33 insertions(+), 11 deletions(-) rename admin_approle.tf => admin_role.tf (81%) create mode 100644 approle_auth.tf diff --git a/README.md b/README.md index 27e8f99..74ce42c 100644 --- a/README.md +++ b/README.md 
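Review bot: `path "sys/remount/status/*"` grants read on every migration id in the cluster, not only this tenant's, because the id is a path segment and cannot be narrowed with `allowed_parameters` the way `from`/`to` are; if I recall the API correctly the status response includes the source and target mount of the migration, so this is the one stanza in the policy that can read cross-tenant data. That is probably acceptable (ids are UUIDs returned only to the caller), but record it: `# status is keyed by migration id and cannot be scoped to the tenant; ids are not guessable`. In the `sys/remount` stanza (patch 20 hunk on the same line) the added `"sudo"` is required by Vault, but a comment should say so, or the next least-privilege pass will strip it: `# sys/remount needs sudo; the from/to prefix globs keep it inside the tenant prefix`.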
@@ -39,6 +39,9 @@ No modules. | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource | | [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | +| [vault_identity_group.tenant_group](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | +| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | +| [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource | | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | diff --git a/admin_approle.tf b/admin_role.tf similarity index 81% rename from admin_approle.tf rename to admin_role.tf index 3c866d3..cbbd489 100644 --- a/admin_approle.tf +++ b/admin_role.tf @@ -1,5 +1,5 @@ resource "vault_approle_auth_backend_role" "tenant_admin" { - backend = var.global_approle_mount + backend = vault_auth_backend.approle.path role_name = "${var.tenant_name}-admin" token_policies = ["default", vault_policy.tenant_admin.name] } 
@@ -7,11 +7,16 @@ resource "vault_approle_auth_backend_role" "tenant_admin" { resource "random_uuid" "tenant_admin_secret_id" {} resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" { - backend = var.global_approle_mount + backend = vault_auth_backend.approle.path role_name = vault_approle_auth_backend_role.tenant_admin.role_name secret_id = random_uuid.tenant_admin_secret_id.result } +resource "vault_identity_group" "tenant_group" { + name = var.tenant_name + type = "internal" +} + resource "vault_identity_entity" "tenant_admin" { name = "${var.tenant_prefix}-admin" metadata = { diff --git a/approle_auth.tf b/approle_auth.tf new file mode 100644 index 0000000..cb28e2b --- /dev/null +++ b/approle_auth.tf @@ -0,0 +1,23 @@ +resource "vault_auth_backend" "approle" { + type = "approle" + path = "${var.tenant_prefix}-approle" + tune { + default_lease_ttl = "3600s" + max_lease_ttl = "14400s" + } +} + +resource "vault_identity_group" "this" { + name = var.tenant_name + type = "internal" + metadata = { + tenant = var.tenant_name + prefix = var.tenant_prefix + } +} + +resource "vault_identity_group_alias" "this" { + name = var.tenant_name + mount_accessor = vault_auth_backend.approle.accessor + canonical_id = vault_identity_group.this.id +} diff --git a/extra_policies.tf b/extra_policies.tf index 4695fdb..4ed68d0 100644 --- a/extra_policies.tf +++ b/extra_policies.tf @@ -1,12 +1,3 @@ -resource "vault_auth_backend" "approle" { - type = "approle" - path = "${var.tenant_prefix}-approle" - tune { - default_lease_ttl = "3600s" - max_lease_ttl = "14400s" - } -} - resource "vault_approle_auth_backend_role" "extra_roles" { for_each = var.tenant_additional_roles From 23ba2c3ceaaa6be2c65de25f200181c974887f4d Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 16:24:12 +0200 Subject: [PATCH 22/30] fix: remove duplicate resource --- README.md | 1 - approle_auth.tf | 9 --------- 2 files changed, 10 deletions(-) 
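Review bot: The `tune` block in the new approle_auth.tf hardcodes `default_lease_ttl = "3600s"` and `max_lease_ttl = "14400s"` with no rationale, so every tenant gets the same token lifetime and a consumer cannot shorten it for a sensitive tenant. Either add a comment explaining why these values were chosen or expose them as module inputs with these as defaults (for example `var.approle_default_lease_ttl` / `var.approle_max_lease_ttl`, names to be chosen), keeping the behaviour for existing callers.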
diff --git a/README.md b/README.md index 74ce42c..2b43378 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,6 @@ No modules. | [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_group.tenant_group](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | -| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | | [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource | | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | diff --git a/approle_auth.tf b/approle_auth.tf index cb28e2b..0ca47c9 100644 --- a/approle_auth.tf +++ b/approle_auth.tf @@ -7,15 +7,6 @@ resource "vault_auth_backend" "approle" { } } -resource "vault_identity_group" "this" { - name = var.tenant_name - type = "internal" - metadata = { - tenant = var.tenant_name - prefix = var.tenant_prefix - } -} - resource "vault_identity_group_alias" "this" { name = var.tenant_name mount_accessor = vault_auth_backend.approle.accessor From 47f53a2a20de27f1d77c8763b972159e9c6780a5 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 16:24:57 +0200 Subject: [PATCH 23/30] fix: remove duplicate resource --- README.md | 3 +-- admin_role.tf | 13 ------------- approle_auth.tf | 9 +++++++++ 3 files changed, 10 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 2b43378..adf482a 100644 --- a/README.md 
+++ b/README.md @@ -38,8 +38,7 @@ No modules. | [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource | | [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | -| [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | -| [vault_identity_group.tenant_group](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | +| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | | [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource | | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | diff --git a/admin_role.tf b/admin_role.tf index cbbd489..95169e4 100644 --- a/admin_role.tf +++ b/admin_role.tf 
@@ -12,19 +12,6 @@ resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" { secret_id = random_uuid.tenant_admin_secret_id.result } -resource "vault_identity_group" "tenant_group" { - name = var.tenant_name - type = "internal" -} - -resource "vault_identity_entity" "tenant_admin" { - name = "${var.tenant_prefix}-admin" - metadata = { - tenant = var.tenant_name - prefix = var.tenant_prefix - } -} - resource "vault_policy" "tenant_admin" { name = "${var.tenant_name}-admin" policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file) diff --git a/approle_auth.tf b/approle_auth.tf index 0ca47c9..cb28e2b 100644 --- a/approle_auth.tf +++ b/approle_auth.tf @@ -7,6 +7,15 @@ resource "vault_auth_backend" "approle" { } } +resource "vault_identity_group" "this" { + name = var.tenant_name + type = "internal" + metadata = { + tenant = var.tenant_name + prefix = var.tenant_prefix + } +} + resource "vault_identity_group_alias" "this" { name = var.tenant_name mount_accessor = vault_auth_backend.approle.accessor From b1f512b85cebc03f714b24c1b5e715d9a12d750b Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 16:25:52 +0200 Subject: [PATCH 24/30] fix: make tenant group external --- approle_auth.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/approle_auth.tf b/approle_auth.tf index cb28e2b..942e077 100644 --- a/approle_auth.tf +++ b/approle_auth.tf @@ -9,7 +9,7 @@ resource "vault_auth_backend" "approle" { resource "vault_identity_group" "this" { name = var.tenant_name - type = "internal" + type = "external" metadata = { tenant = var.tenant_name prefix = var.tenant_prefix From 4975119e0bd9222c0fc36caff362ae80285dbed3 Mon Sep 17 00:00:00 2001 
From: Bertrand Lanson Date: Sun, 26 May 2024 16:27:38 +0200 Subject: [PATCH 25/30] feat: change approle path to /approle instead of -approle --- approle_auth.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/approle_auth.tf b/approle_auth.tf index 942e077..eace7eb 100644 --- a/approle_auth.tf +++ b/approle_auth.tf @@ -1,6 +1,6 @@ resource "vault_auth_backend" "approle" { type = "approle" - path = "${var.tenant_prefix}-approle" + path = "${var.tenant_prefix}/approle" tune { default_lease_ttl = "3600s" max_lease_ttl = "14400s" From e4ddcb6be882283d1a60dc1cf06819da39cb67c1 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 19:22:34 +0200 Subject: [PATCH 26/30] feat: create entities for each extra policies --- README.md | 6 ++++-- admin_role.tf | 10 ++++++++++ approle_auth.tf | 8 +------- extra_policies.tf | 24 ++++++++++++++---------- 4 files changed, 29 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index adf482a..0518b32 100644 --- a/README.md +++ b/README.md 
@@ -37,9 +37,11 @@ No modules. | [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | | [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource | -| [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | +| [vault_identity_entity.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | +| [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | +| [vault_identity_entity_alias.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | +| [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | -| [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource | | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | diff --git a/admin_role.tf b/admin_role.tf index 95169e4..b71aab1 100644 --- a/admin_role.tf +++ b/admin_role.tf 
@@ -16,3 +16,13 @@ resource "vault_policy" "tenant_admin" { name = "${var.tenant_name}-admin" policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file) } + +resource "vault_identity_entity" "admin" { + name = "${var.tenant_prefix}-admin" +} + +resource "vault_identity_entity_alias" "admin" { + name = vault_approle_auth_backend_role.tenant_admin.role_id + mount_accessor = vault_auth_backend.approle.accessor + canonical_id = vault_identity_entity.admin.id +} diff --git a/approle_auth.tf b/approle_auth.tf index eace7eb..66e33a8 100644 --- a/approle_auth.tf +++ b/approle_auth.tf @@ -9,15 +9,9 @@ resource "vault_auth_backend" "approle" { resource "vault_identity_group" "this" { name = var.tenant_name - type = "external" + type = "internal" metadata = { tenant = var.tenant_name prefix = var.tenant_prefix } } - -resource "vault_identity_group_alias" "this" { - name = var.tenant_name - mount_accessor = vault_auth_backend.approle.accessor - canonical_id = vault_identity_group.this.id -} diff --git a/extra_policies.tf b/extra_policies.tf index 4ed68d0..7f1be1b 100644 --- a/extra_policies.tf +++ b/extra_policies.tf 
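Review bot: `vault_identity_entity.admin` is created and aliased to the approle role, but nothing adds it to `vault_identity_group.this`, and the `metadata` the old `tenant_admin` entity carried is dropped in the same hunk; the group's `tenant`/`prefix` metadata that patch 21 says it exists to "pass along" therefore never attaches to any login. The same applies to `vault_identity_entity.extra` in the extra_policies.tf hunk on the next line. Add the entities to the group on the `vault_identity_group.this` resource (same line, approle_auth.tf hunk): `member_entity_ids = concat([vault_identity_entity.admin.id], [for e in vault_identity_entity.extra : e.id])`, or keep per-entity metadata if group-based propagation is not the intent.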
@@ -16,19 +16,23 @@ resource "vault_approle_auth_backend_role_secret_id" "extra_roles" { secret_id = random_uuid.extra_roles_secret_id[each.key].result } -resource "vault_identity_entity" "extra_roles" { - for_each = var.tenant_additional_roles - - name = "${var.tenant_prefix}-${each.key}" - metadata = { - tenant = var.tenant_name - prefix = var.tenant_prefix - } -} - resource "vault_policy" "extra_policies" { for_each = var.tenant_additional_roles name = "${var.tenant_prefix}-${each.key}" policy = file(each.value.policy_file) } + +resource "vault_identity_entity" "extra" { + for_each = var.tenant_additional_roles + + name = "${var.tenant_prefix}-${each.key}" +} + +resource "vault_identity_entity_alias" "extra" { + for_each = var.tenant_additional_roles + + name = vault_approle_auth_backend_role.extra_roles[each.key].role_id + mount_accessor = vault_auth_backend.approle.accessor + canonical_id = vault_identity_entity.extra[each.key].id +} From ca19309d2a332fc081b3882b84163cc8996044e8 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sun, 26 May 2024 22:14:00 +0200 Subject: [PATCH 27/30] feat: refactor module, simplify naming and create additional entities for extra roles --- README.md | 34 +++++++++---------- admin_role.tf | 28 --------------- approle_auth.tf => auth.tf | 8 ++--- extra_policies.tf | 30 ++++++++-------- outputs.tf | 27 +++++++++------ ...nant-admins.policy.hcl => root.policy.hcl} | 0 root.tf | 28 +++++++++++++++ variables.tf | 16 +++------ 8 files changed, 86 insertions(+), 85 deletions(-) delete mode 100644 admin_role.tf rename approle_auth.tf => auth.tf (64%) rename policies/{tenant-admins.policy.hcl => root.policy.hcl} (100%) create mode 100644 root.tf diff --git a/README.md b/README.md index 0518b32..fb6d51c 100644 --- a/README.md +++ b/README.md 
@@ -30,37 +30,37 @@ No modules. | Name | Type | |------|------| -| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | -| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | -| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | -| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | -| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | -| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | +| [random_uuid.extra_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | +| [random_uuid.root_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | +| [vault_approle_auth_backend_role.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | +| [vault_approle_auth_backend_role.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | +| [vault_approle_auth_backend_role_secret_id.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | +| [vault_approle_auth_backend_role_secret_id.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | | 
[vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource | -| [vault_identity_entity.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | -| [vault_identity_entity_alias.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | +| [vault_identity_entity.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | +| [vault_identity_entity_alias.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | -| [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | -| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | +| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | +| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no | -| [tenant_additional_roles](#input_tenant_additional_roles) | A map of 
additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no | -| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no | -| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes | -| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes | +| [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no | +| [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes | +| [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes | +| [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no | ### Outputs | Name | Description | |------|-------------| +| [approle_mount](#output_approle_mount) | The approle mount for the tenant | | [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names | | [extra_roles](#output_extra_roles) | The tenant extra approle roles | -| [tenant_admin_policy](#output_tenant_admin_policy) | The tenant admin policy name | -| [tenant_admin_role](#output_tenant_admin_role) | The tenant admin approle role | +| [root_policy](#output_root_policy) | The tenant root policy name | +| [root_role](#output_root_role) | The tenant root approle role | diff --git a/admin_role.tf b/admin_role.tf deleted file mode 100644 index b71aab1..0000000 --- a/admin_role.tf +++ /dev/null 
@@ -1,28 +0,0 @@ -resource "vault_approle_auth_backend_role" "tenant_admin" { - backend = vault_auth_backend.approle.path - role_name = "${var.tenant_name}-admin" - token_policies = ["default", vault_policy.tenant_admin.name] -} - -resource "random_uuid" "tenant_admin_secret_id" {} - -resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" { - backend = vault_auth_backend.approle.path - role_name = vault_approle_auth_backend_role.tenant_admin.role_name - secret_id = random_uuid.tenant_admin_secret_id.result -} - -resource "vault_policy" "tenant_admin" { - name = "${var.tenant_name}-admin" - policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file) -} - -resource "vault_identity_entity" "admin" { - name = "${var.tenant_prefix}-admin" -} - -resource "vault_identity_entity_alias" "admin" { - name = vault_approle_auth_backend_role.tenant_admin.role_id - mount_accessor = vault_auth_backend.approle.accessor - canonical_id = vault_identity_entity.admin.id -} diff --git a/approle_auth.tf b/auth.tf similarity index 64% rename from approle_auth.tf rename to auth.tf index 66e33a8..f554194 100644 --- a/approle_auth.tf +++ b/auth.tf @@ -1,6 +1,6 @@ resource "vault_auth_backend" "approle" { type = "approle" - path = "${var.tenant_prefix}/approle" + path = "${var.prefix}/approle" tune { default_lease_ttl = "3600s" max_lease_ttl = "14400s" @@ -8,10 +8,10 @@ resource "vault_auth_backend" "approle" { } resource "vault_identity_group" "this" { - name = var.tenant_name + name = var.name type = "internal" metadata = { - tenant = var.tenant_name - prefix = var.tenant_prefix + tenant = var.name + prefix = var.prefix } } diff --git a/extra_policies.tf b/extra_policies.tf index 7f1be1b..4d9535c 100644 --- a/extra_policies.tf +++ b/extra_policies.tf 
@@ -1,38 +1,38 @@ -resource "vault_approle_auth_backend_role" "extra_roles" { - for_each = var.tenant_additional_roles +resource "vault_approle_auth_backend_role" "extra" { + for_each = var.additional_roles backend = vault_auth_backend.approle.path role_name = each.key - token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"] + token_policies = ["default", "${vault_policy.extra[each.key].name}"] } -resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles } +resource "random_uuid" "extra_secret_id" { for_each = var.additional_roles } -resource "vault_approle_auth_backend_role_secret_id" "extra_roles" { - for_each = var.tenant_additional_roles +resource "vault_approle_auth_backend_role_secret_id" "extra" { + for_each = var.additional_roles backend = vault_auth_backend.approle.path - role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name - secret_id = random_uuid.extra_roles_secret_id[each.key].result + role_name = vault_approle_auth_backend_role.extra[each.key].role_name + secret_id = random_uuid.extra_secret_id[each.key].result } -resource "vault_policy" "extra_policies" { - for_each = var.tenant_additional_roles +resource "vault_policy" "extra" { + for_each = var.additional_roles - name = "${var.tenant_prefix}-${each.key}" + name = "${var.prefix}-${each.key}" policy = file(each.value.policy_file) } resource "vault_identity_entity" "extra" { - for_each = var.tenant_additional_roles + for_each = var.additional_roles - name = "${var.tenant_prefix}-${each.key}" + name = "${var.prefix}-${each.key}" } resource "vault_identity_entity_alias" "extra" { - for_each = var.tenant_additional_roles + for_each = var.additional_roles - name = vault_approle_auth_backend_role.extra_roles[each.key].role_id + name = vault_approle_auth_backend_role.extra[each.key].role_id mount_accessor = vault_auth_backend.approle.accessor canonical_id = vault_identity_entity.extra[each.key].id } 
diff --git a/outputs.tf b/outputs.tf index d7cb775..89d5969 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,21 +1,28 @@ -output "tenant_admin_role" { +output "approle_mount" { + value = vault_auth_backend.approle + sensitive = true + description = "The approle mount for the tenant" +} + + +output "root_role" { value = { - role_id = vault_approle_auth_backend_role.tenant_admin.role_name - secret_id = vault_approle_auth_backend_role_secret_id.tenant_admin.secret_id + role_id = vault_approle_auth_backend_role.root.role_name + secret_id = vault_approle_auth_backend_role_secret_id.root.secret_id } sensitive = true - description = "The tenant admin approle role" + description = "The tenant root approle role" depends_on = [ - vault_approle_auth_backend_role.tenant_admin, - vault_approle_auth_backend_role_secret_id.tenant_admin + vault_approle_auth_backend_role.root, + vault_approle_auth_backend_role_secret_id.root ] } -output "tenant_admin_policy" { - value = vault_policy.tenant_admin.name +output "root_policy" { + value = vault_policy.root.name sensitive = false - description = "The tenant admin policy name" - depends_on = [vault_policy.tenant_admin] + description = "The tenant root policy name" + depends_on = [vault_policy.root] } output "extra_roles" { diff --git a/policies/tenant-admins.policy.hcl b/policies/root.policy.hcl similarity index 100% rename from policies/tenant-admins.policy.hcl rename to policies/root.policy.hcl diff --git a/root.tf b/root.tf new file mode 100644 index 0000000..245c02d --- /dev/null +++ b/root.tf 
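Review bot: In the renamed `root_role` output, `role_id = vault_approle_auth_backend_role.root.role_name` exports the human-readable role name under the `role_id` key; root.tf sets no custom `role_id`, so a consumer that feeds this map to an AppRole login gets the wrong credential. Change it to `role_id = vault_approle_auth_backend_role.root.role_id` (the `extra_roles` output starts after this hunk and, from its name, probably has the same pattern). Separately, `approle_mount` exports the entire `vault_auth_backend.approle` object, which is presumably why it had to be marked `sensitive`; exporting `value = { path = vault_auth_backend.approle.path, accessor = vault_auth_backend.approle.accessor }` gives callers what they need without hiding the value in plan output. The `depends_on` lists on these outputs are redundant since `value` already references the resources.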
@@ -0,0 +1,28 @@
+resource "vault_approle_auth_backend_role" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = "${var.name}-admin"
+ token_policies = ["default", vault_policy.tenant_admin.name]
+}
+
+resource "random_uuid" "root_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.root.role_name
+ secret_id = random_uuid.root_secret_id.result
+}
+
+resource "vault_policy" "root" {
+ name = "${var.name}-root"
+ policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
+}
+
+resource "vault_identity_entity" "root" {
+ name = "${var.prefix}-root"
+}
+
+resource "vault_identity_entity_alias" "root" {
+ name = vault_approle_auth_backend_role.root.role_id
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_entity.root.id
+}
diff --git a/variables.tf b/variables.tf
index 92a4ebc..65d9375 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,10 +1,4 @@
-variable "global_approle_mount" {
- type = string
- default = "approle"
- description = "The mount path for the global AppRole authentication method"
-}
-
-variable "tenant_name" {
+variable "name" {
 type = string
 description = "The name of the tenant you want to create"
 validation {
@@ -13,18 +7,18 @@ variable "tenant_name" {
 }
 }
 
-variable "tenant_prefix" {
+variable "prefix" {
 type = string
 description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
 }
 
-variable "tenant_admin_policy_file" {
+variable "root_policy_file" {
 type = string
 default = null
 description = "The path to the admin policy file for this tenant"
 }
 
-variable "tenant_additional_roles" {
+variable "additional_roles" {
 type = map(object({
 policy_file = string
 }))
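Review bot: Naming of the root resources is inconsistent: `vault_policy.root` is named `"${var.name}-root"` while `vault_identity_entity.root` uses `"${var.prefix}-root"`, and the extra policies in this module are named `"${var.prefix}-${each.key}"`; the later `root.tf` hunk (patch 30/30) keeps `role_name = "${var.name}-root"` as well. Since `prefix` is documented as the value that prefixes mount points and policies, `name = "${var.prefix}-root"` would keep the root policy aligned with the rest of the tenant; if `var.name` is deliberate here, a one-line comment explaining why would stop the next reader from "fixing" it. Also, this role carries the tenant's root policy but sets none of `secret_id_ttl`, `secret_id_num_uses`, `token_max_ttl`, `secret_id_bound_cidrs` or `token_bound_cidrs`, so the generated secret id is long-lived, reusable and usable from any address; exposing those attributes at least for the root role would let operators scope it.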
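Review bot: The description of `root_policy_file` still reads "The path to the admin policy file for this tenant" after the rename from `tenant_admin_policy_file`; since it now feeds `vault_policy.root`, `description = "The path to the root policy file for this tenant (defaults to the module's policies/root.policy.hcl template)"` would match the new naming. The fallback to `templatefile(...)` when the value is `null` is visible in `root.tf` but is not mentioned anywhere in the variable's documentation.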
@@ -33,7 +27,7 @@ variable "tenant_additional_roles" {
 A map of additional role names, with the path to the associated policy file to add for this tenant. A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable. The variable should look like:
- tenant_additional_roles = {
+ additional_roles = {
 devs = {
 policy_file = "/some/path/to/policy.hcl"
 }
From c268547bd8a982506535fcea3fac67013a4b774d Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 May 2024 22:23:10 +0200
Subject: [PATCH 28/30] fix: variable validation using old names
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 65d9375..89cc6a1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,7 +2,7 @@ variable "name" {
 type = string
 description = "The name of the tenant you want to create"
 validation {
- condition = can(regex("^[-a-zA-Z0-9_]*$", var.tenant_name))
+ condition = can(regex("^[-a-zA-Z0-9_]*$", var.name))
 error_message = "The tenant name must only contain alphanumeric characters, dashes, and underscores."
 }
 }
From 8d4263468fc8ca88ab5eadf65969b99880e88850 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 May 2024 22:24:33 +0200
Subject: [PATCH 29/30] fix: outputs using old reosurce naming
---
 outputs.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/outputs.tf b/outputs.tf
index 89d5969..f9c022a 100644
--- a/outputs.tf
+++ b/outputs.tf
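Review bot: The validation regex `^[-a-zA-Z0-9_]*$` in the patch 28/30 hunk also accepts the empty string, and `var.name` is used to build role and policy names (`"${var.name}-root"` in `root.tf`), so an empty tenant name passes validation and produces names like `-root`; `condition = can(regex("^[-a-zA-Z0-9_]+$", var.name))` (or an explicit `length(var.name) > 0` conjunct) would reject it. The enclosing `variable "name"` block starts on the line before the hunk.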
@@ -27,17 +27,17 @@ output "root_policy" {
 
 output "extra_roles" {
 value = {
- for key, role in vault_approle_auth_backend_role.extra_roles :
+ for key, role in vault_approle_auth_backend_role.extra :
 key => {
 role_id = role.role_name
- secret_id = vault_approle_auth_backend_role_secret_id.extra_roles[key].secret_id
+ secret_id = vault_approle_auth_backend_role_secret_id.extra[key].secret_id
 }
 }
 sensitive = true
 description = "The tenant extra approle roles"
 depends_on = [
- vault_approle_auth_backend_role.extra_roles,
- vault_approle_auth_backend_role_secret_id.extra_roles
+ vault_approle_auth_backend_role.extra,
+ vault_approle_auth_backend_role_secret_id.extra
 ]
 }
 
From 83d807d69e0ad089a7b35ed75c361dae4724c2ee Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 May 2024 22:25:55 +0200
Subject: [PATCH 30/30] fix: some more old naming things
---
 outputs.tf | 4 ++--
 root.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/outputs.tf b/outputs.tf
index f9c022a..7d2c537 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -43,10 +43,10 @@ output "extra_roles" {
 
 output "extra_role_policies" {
 value = {
- for key, policy in vault_policy.extra_policies :
+ for key, policy in vault_policy.extra :
 key => policy.name
 }
 sensitive = false
 description = "The tenant extra role policy names"
- depends_on = [vault_policy.extra_policies]
+ depends_on = [vault_policy.extra]
 }
diff --git a/root.tf b/root.tf
index 245c02d..6a756cb 100644
--- a/root.tf
+++ b/root.tf
@@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "root" {
 backend = vault_auth_backend.approle.path
- role_name = "${var.name}-admin"
- token_policies = ["default", vault_policy.tenant_admin.name]
+ role_name = "${var.name}-root"
+ token_policies = ["default", vault_policy.root.name]
 }
 
 resource "random_uuid" "root_secret_id" {}