From ca19309d2a332fc081b3882b84163cc8996044e8 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 May 2024 22:14:00 +0200
Subject: [PATCH] feat: refactor module, simplify naming and create additional entities for extra roles

---
 README.md | 34 +++++++++----------
 admin_role.tf | 28 ---------------
 approle_auth.tf => auth.tf | 8 ++---
 extra_policies.tf | 30 ++++++++--------
 outputs.tf | 27 +++++++++------
 ...nant-admins.policy.hcl => root.policy.hcl} | 0
 root.tf | 28 +++++++++++++++
 variables.tf | 16 +++------
 8 files changed, 86 insertions(+), 85 deletions(-)
 delete mode 100644 admin_role.tf
 rename approle_auth.tf => auth.tf (64%)
 rename policies/{tenant-admins.policy.hcl => root.policy.hcl} (100%)
 create mode 100644 root.tf

diff --git a/README.md b/README.md
index 0518b32..fb6d51c 100644
--- a/README.md
+++ b/README.md
@@ -30,37 +30,37 @@ No modules. | Name | Type | |------|------| -| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | -| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | -| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | -| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | -| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | -| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | +| [random_uuid.extra_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | +| [random_uuid.root_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource | +| [vault_approle_auth_backend_role.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | +| [vault_approle_auth_backend_role.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource | +| [vault_approle_auth_backend_role_secret_id.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | +| [vault_approle_auth_backend_role_secret_id.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource | | 
[vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource | -| [vault_identity_entity.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | -| [vault_identity_entity_alias.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | +| [vault_identity_entity.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource | | [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | +| [vault_identity_entity_alias.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource | | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | -| [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | -| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | +| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | +| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | ### Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no | -| [tenant_additional_roles](#input_tenant_additional_roles) | A map of 
additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no | -| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no | -| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes | -| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes | +| [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no | +| [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes | +| [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes | +| [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no | ### Outputs | Name | Description | |------|-------------| +| [approle_mount](#output_approle_mount) | The approle mount for the tenant | | [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names | | [extra_roles](#output_extra_roles) | The tenant extra approle roles | -| [tenant_admin_policy](#output_tenant_admin_policy) | The tenant admin policy name | -| [tenant_admin_role](#output_tenant_admin_role) | The tenant admin approle role | +| [root_policy](#output_root_policy) | The tenant root policy name | +| [root_role](#output_root_role) | The tenant root approle role | diff --git a/admin_role.tf b/admin_role.tf deleted file mode 100644 index b71aab1..0000000 --- a/admin_role.tf +++ /dev/null 
@@ -1,28 +0,0 @@
-resource "vault_approle_auth_backend_role" "tenant_admin" {
- backend = vault_auth_backend.approle.path
- role_name = "${var.tenant_name}-admin"
- token_policies = ["default", vault_policy.tenant_admin.name]
-}
-
-resource "random_uuid" "tenant_admin_secret_id" {}
-
-resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
- backend = vault_auth_backend.approle.path
- role_name = vault_approle_auth_backend_role.tenant_admin.role_name
- secret_id = random_uuid.tenant_admin_secret_id.result
-}
-
-resource "vault_policy" "tenant_admin" {
- name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file)
-}
-
-resource "vault_identity_entity" "admin" {
- name = "${var.tenant_prefix}-admin"
-}
-
-resource "vault_identity_entity_alias" "admin" {
- name = vault_approle_auth_backend_role.tenant_admin.role_id
- mount_accessor = vault_auth_backend.approle.accessor
- canonical_id = vault_identity_entity.admin.id
-}
diff --git a/approle_auth.tf b/auth.tf
similarity index 64%
rename from approle_auth.tf
rename to auth.tf
index 66e33a8..f554194 100644
--- a/approle_auth.tf
+++ b/auth.tf
@@ -1,6 +1,6 @@
 resource "vault_auth_backend" "approle" {
 type = "approle"
- path = "${var.tenant_prefix}/approle"
+ path = "${var.prefix}/approle"
 tune {
 default_lease_ttl = "3600s"
 max_lease_ttl = "14400s"
@@ -8,10 +8,10 @@ resource "vault_auth_backend" "approle" {
 }
 
 resource "vault_identity_group" "this" {
- name = var.tenant_name
+ name = var.name
 type = "internal"
 metadata = {
- tenant = var.tenant_name
- prefix = var.tenant_prefix
+ tenant = var.name
+ prefix = var.prefix
 }
 }
diff --git a/extra_policies.tf b/extra_policies.tf
index 7f1be1b..4d9535c 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,38 +1,38 @@ -resource "vault_approle_auth_backend_role" "extra_roles" { - for_each = var.tenant_additional_roles +resource "vault_approle_auth_backend_role" "extra" { + for_each = var.additional_roles backend = vault_auth_backend.approle.path role_name = each.key - token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"] + token_policies = ["default", "${vault_policy.extra[each.key].name}"] } -resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles } +resource "random_uuid" "extra_secret_id" { for_each = var.additional_roles } -resource "vault_approle_auth_backend_role_secret_id" "extra_roles" { - for_each = var.tenant_additional_roles +resource "vault_approle_auth_backend_role_secret_id" "extra" { + for_each = var.additional_roles backend = vault_auth_backend.approle.path - role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name - secret_id = random_uuid.extra_roles_secret_id[each.key].result + role_name = vault_approle_auth_backend_role.extra[each.key].role_name + secret_id = random_uuid.extra_secret_id[each.key].result } -resource "vault_policy" "extra_policies" { - for_each = var.tenant_additional_roles +resource "vault_policy" "extra" { + for_each = var.additional_roles - name = "${var.tenant_prefix}-${each.key}" + name = "${var.prefix}-${each.key}" policy = file(each.value.policy_file) } resource "vault_identity_entity" "extra" { - for_each = var.tenant_additional_roles + for_each = var.additional_roles - name = "${var.tenant_prefix}-${each.key}" + name = "${var.prefix}-${each.key}" } resource "vault_identity_entity_alias" "extra" { - for_each = var.tenant_additional_roles + for_each = var.additional_roles - name = vault_approle_auth_backend_role.extra_roles[each.key].role_id + name = vault_approle_auth_backend_role.extra[each.key].role_id mount_accessor = vault_auth_backend.approle.accessor canonical_id = vault_identity_entity.extra[each.key].id } 
diff --git a/outputs.tf b/outputs.tf
index d7cb775..89d5969 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,21 +1,28 @@
-output "tenant_admin_role" {
+output "approle_mount" {
+ value = vault_auth_backend.approle
+ sensitive = true
+ description = "The approle mount for the tenant"
+}
+
+
+output "root_role" {
 value = {
- role_id = vault_approle_auth_backend_role.tenant_admin.role_name
- secret_id = vault_approle_auth_backend_role_secret_id.tenant_admin.secret_id
+ role_id = vault_approle_auth_backend_role.root.role_name
+ secret_id = vault_approle_auth_backend_role_secret_id.root.secret_id
 }
 sensitive = true
- description = "The tenant admin approle role"
+ description = "The tenant root approle role"
 depends_on = [
- vault_approle_auth_backend_role.tenant_admin,
- vault_approle_auth_backend_role_secret_id.tenant_admin
+ vault_approle_auth_backend_role.root,
+ vault_approle_auth_backend_role_secret_id.root
 ]
 }
 
-output "tenant_admin_policy" {
- value = vault_policy.tenant_admin.name
+output "root_policy" {
+ value = vault_policy.root.name
 sensitive = false
- description = "The tenant admin policy name"
- depends_on = [vault_policy.tenant_admin]
+ description = "The tenant root policy name"
+ depends_on = [vault_policy.root]
 }
 
 output "extra_roles" {
diff --git a/policies/tenant-admins.policy.hcl b/policies/root.policy.hcl
similarity index 100%
rename from policies/tenant-admins.policy.hcl
rename to policies/root.policy.hcl
diff --git a/root.tf b/root.tf
new file mode 100644
index 0000000..245c02d
--- /dev/null
+++ b/root.tf
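Review bot: The `role_id` key of the `root_role` output is still populated from `.role_name`, while the entity alias in root.tf reads the same resource's `.role_id` attribute — the AppRole login endpoint expects that generated role_id, not the name, so a consumer feeding this output to `auth/<mount>/approle/login` cannot authenticate with it. The commit carries the mismatch over from the old `tenant_admin_role` output; the line should be `role_id = vault_approle_auth_backend_role.root.role_id`. The new `approle_mount` output exports the entire `vault_auth_backend.approle` object and marks it sensitive, which couples callers to the provider's attribute set and only redacts the value from CLI output (it remains in state either way); exporting just what callers need, `value = { path = vault_auth_backend.approle.path, accessor = vault_auth_backend.approle.accessor }`, is narrower and needs no `sensitive` flag. The `extra_roles` output begins on the hunk's last line and continues outside it.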
@@ -0,0 +1,28 @@
+resource "vault_approle_auth_backend_role" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = "${var.name}-admin"
+ token_policies = ["default", vault_policy.tenant_admin.name]
+}
+
+resource "random_uuid" "root_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.root.role_name
+ secret_id = random_uuid.root_secret_id.result
+}
+
+resource "vault_policy" "root" {
+ name = "${var.name}-root"
+ policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
+}
+
+resource "vault_identity_entity" "root" {
+ name = "${var.prefix}-root"
+}
+
+resource "vault_identity_entity_alias" "root" {
+ name = vault_approle_auth_backend_role.root.role_id
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_entity.root.id
+}
diff --git a/variables.tf b/variables.tf
index 92a4ebc..65d9375 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,10 +1,4 @@
-variable "global_approle_mount" {
- type = string
- default = "approle"
- description = "The mount path for the global AppRole authentication method"
-}
-
-variable "tenant_name" {
+variable "name" {
 type = string
 description = "The name of the tenant you want to create"
 validation {
@@ -13,18 +7,18 @@ variable "tenant_name" {
 }
 }
 
-variable "tenant_prefix" {
+variable "prefix" {
 type = string
 description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
 }
 
-variable "tenant_admin_policy_file" {
+variable "root_policy_file" {
 type = string
 default = null
 description = "The path to the admin policy file for this tenant"
 }
 
-variable "tenant_additional_roles" {
+variable "additional_roles" {
 type = map(object({
 policy_file = string
 }))
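Review bot: `token_policies` on the new `root` role references `vault_policy.tenant_admin`, but this commit renames that resource to `vault_policy.root` (declared further down in the same file), so the module no longer plans — it fails with an undeclared-resource error; the line should be `token_policies = ["default", vault_policy.root.name]`. The three names for this identity also disagree — role `"${var.name}-admin"`, policy `"${var.name}-root"`, entity `"${var.prefix}-root"` — while extra_policies.tf keys everything on `var.prefix`; settling on one base and one suffix keeps the role, the policy on its tokens and its entity correlatable in Vault's audit log. This is the tenant's most privileged AppRole, yet it sets none of the AppRole restrictions (`secret_id_num_uses`, `secret_id_ttl`, `secret_id_bound_cidrs`, `token_bound_cidrs`, `token_max_ttl`) and its secret_id is a static `random_uuid` that ends up in Terraform state and only changes when that resource is tainted. At minimum `secret_id_num_uses = 1` or a short `secret_id_ttl`, with the rotation path documented in a header comment, would limit the blast radius of a leaked state file or output.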
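Review bot: The description of the renamed `root_policy_file` variable still says "The path to the admin policy file for this tenant", while root.tf now names the policy `"${var.name}-root"` and falls back to `policies/root.policy.hcl` rendered with `var.prefix`; the text should follow the rename, e.g. `description = "The path to the root policy file for this tenant (defaults to policies/root.policy.hcl rendered with var.prefix)"`. Dropping `global_approle_mount` is safe for callers that relied on its default, but any module block that passed it will now fail with an unsupported-argument error, which is worth a line in the commit message.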
@@ -33,7 +27,7 @@ variable "tenant_additional_roles" {
 A map of additional role names, with the path to the associated policy file to add for this tenant.
 A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
 The variable should look like:
- tenant_additional_roles = {
+ additional_roles = {
 devs = {
 policy_file = "/some/path/to/policy.hcl"
 }