# Enable AppRole auth backend
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

# Define host access policies
locals {
  host_policies = {
    # Example: monitoring01 host
    # "monitoring01" = {
    #   paths = [
    #     "secret/data/hosts/monitoring01/*",
    #     "secret/data/services/prometheus/*",
    #     "secret/data/services/grafana/*",
    #     "secret/data/shared/smtp/*"
    #   ]
    # }

    # Example: ha1 host
    # "ha1" = {
    #   paths = [
    #     "secret/data/hosts/ha1/*",
    #     "secret/data/shared/mqtt/*"
    #   ]
    # }

    # TODO: actually use this policy
    "ha1" = {
      paths = [
        "secret/data/hosts/ha1/*",
      ]
    }

    # TODO: actually use this policy
    "monitoring01" = {
      paths = [
        "secret/data/hosts/monitoring01/*",
      ]
    }
  }
}

# Generate policies for each host
resource "vault_policy" "host_policies" {
  for_each = local.host_policies

  name = "${each.key}-policy"

  policy = <<EOT
%{~for path in each.value.paths~}
path "${path}" {
  capabilities = ["read", "list"]
}
%{~endfor~}
EOT
}

# Generate AppRoles for each host
resource "vault_approle_auth_backend_role" "hosts" {
  for_each = local.host_policies

  backend        = vault_auth_backend.approle.path
  role_name      = each.key
  token_policies = ["${each.key}-policy"]

  # Token configuration
  token_ttl     = 3600  # 1 hour
  token_max_ttl = 86400 # 24 hours

  # Security settings
  bind_secret_id = true
  secret_id_ttl  = 0 # Never expire (we'll rotate manually)
}