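# WARNING: Auto-generated by create-host tool
# Manual edits will be overwritten when create-host is run

# Generated host policies
# Each host gets read access to its own secrets under secret/data/hosts/<host>/*
locals {
  generated_host_policies = {
    "vaulttest01" = {
      paths = [
        "secret/data/hosts/vaulttest01/*",
      ]
    }
  }

  # Placeholder secrets - user should add actual secrets manually or via tofu
  generated_secrets = {
  }
}

# Create policies for generated hosts.
# One Vault policy per host, named "host-<host>", granting only the paths listed
# for that host in local.generated_host_policies.
resource "vault_policy" "generated_host_policies" {
  for_each = local.generated_host_policies

  name = "host-${each.key}"

  # NOTE(review): the paths live under secret/data/, which is the KV v2 layout.
  # On KV v2 "list" is served from secret/metadata/..., so "list" on the data
  # path grants nothing; it only matters if the mount is KV v1 — confirm against
  # the actual mount type before relying on list access.
  policy = <<-EOT
    # Allow host to read its own secrets
    %{for path in each.value.paths~}
    path "${path}" {
      capabilities = ["read", "list"]
    }
    %{endfor~}
  EOT
}

# Create AppRoles for generated hosts.
# token_policies references the policy resource instead of rebuilding the
# "host-<host>" string: the value is identical, but the dependency is now
# explicit (policy is created before the role that attaches it) and the two
# names cannot drift apart.
resource "vault_approle_auth_backend_role" "generated_hosts" {
  for_each = local.generated_host_policies

  backend        = vault_auth_backend.approle.path
  role_name      = each.key
  token_policies = [vault_policy.generated_host_policies[each.key].name]

  # secret_id_ttl = 0 and secret_id_num_uses = 0 mean the SecretID never expires
  # and may be used any number of times. Response wrapping only bounds the window
  # in which the wrapped SecretID can be unwrapped; once unwrapped it is a
  # long-lived, reusable credential, so it must be revoked when a host is
  # decommissioned or suspected compromised. Prefer finite values (a short
  # secret_id_ttl and secret_id_num_uses = 1) where hosts can re-enroll.
  secret_id_ttl      = 0
  secret_id_num_uses = 0

  # Issued tokens live one hour and cannot be renewed past that.
  token_ttl     = 3600
  token_max_ttl = 3600
}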