From 3a7ae8550276e7686a5b2c6b288de0f6f389c98a Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 1 Jan 2025 03:42:31 +0100
Subject: [PATCH] fix(terraform/vault/sub-ca): policy path calculation requires path resource IDs

It's impossible to recover the path resource IDs from the Terraform resource IDs form. Let's just add the path component and do the right thing.

Signed-off-by: Raito Bezarius
---
 terraform/vault/sub-ca-options.nix | 16 ++++++++++++----
 terraform/vault/sub-ca.nix | 5 +----
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/terraform/vault/sub-ca-options.nix b/terraform/vault/sub-ca-options.nix
index 9e5be66..f480091 100644
--- a/terraform/vault/sub-ca-options.nix
+++ b/terraform/vault/sub-ca-options.nix
@@ -4,11 +4,11 @@ { name, config, lib, ... }:
 let
 inherit (lib) mkEnableOption mkOption types mkIf;
- mkResourceId = { enableVersioning, certVersion, version, name }:
+ mkResourceId = sep: { enableVersioning, certVersion, version, name }:
 if enableVersioning then
- "v${toString version}_${name}_v${toString certVersion}"
+ "v${toString version}${sep}${name}${sep}v${toString certVersion}"
 else
- "unversioned_${name}";
+ "unversioned${sep}${name}";
 in
 {
 options = {
@@ -32,6 +32,11 @@ in
 type = types.str;
 };
+ partialResourceIdPath = mkOption {
+ internal = true;
+ type = types.str;
+ };
+
 name = mkOption {
 readOnly = true;
 type = types.str;
@@ -88,7 +93,10 @@ in
 };
 config = mkIf config.enable {
- partialResourceId = mkResourceId {
+ partialResourceId = mkResourceId "_" {
+ inherit (config) enableVersioning certVersion version name;
+ };
+ partialResourceIdPath = mkResourceId "/" {
 inherit (config) enableVersioning certVersion version name;
 };
 };
diff --git a/terraform/vault/sub-ca.nix b/terraform/vault/sub-ca.nix
index 1c42321..2d1c311 100644
--- a/terraform/vault/sub-ca.nix
+++ b/terraform/vault/sub-ca.nix
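Review bot: `name` becomes a segment of a Vault policy path once `sep` is `"/"`, but nothing in this hunk rejects a `name` containing `/`, so a submodule key such as `a/b` would silently add an extra path component to the generated policy name. `name` is read-only and taken from the attribute key, and Nix attribute names may contain any character. A guard at the top of the function body covers both separators: keep `mkResourceId = sep: { enableVersioning, certVersion, version, name }:` and add `assert !lib.hasInfix "/" name;` before the `if`. A short comment on the binding would also help readers: `# sep is "_" for Terraform resource IDs and "/" for Vault policy paths.`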
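Review bot: `partialResourceIdPath` is declared with no `description`, so the difference from `partialResourceId` (same components, `/` instead of `_`) is only discoverable from the two `mkResourceId` calls in the `config` block further down. Suggest adding `description = "partialResourceId with \"/\" as the separator, for use in Vault policy paths rather than Terraform resource IDs.";` next to `internal = true;`. Whether it should also carry `readOnly = true` like `name` below depends on how `partialResourceId` is declared, which starts above this hunk.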
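Review bot: Both `mkResourceId` calls in the `config` block spell out the same `inherit (config) enableVersioning certVersion version name;` set, so the two ID forms can drift apart if a field is later added to one call and not the other. Binding the argument set once and passing it to both calls keeps the Terraform ID and the policy path derived from identical inputs; the rewritten block is below.
```nix
  config = mkIf config.enable (
    let
      # Single source of truth for both ID forms.
      idArgs = { inherit (config) enableVersioning certVersion version name; };
    in
    {
      partialResourceId = mkResourceId "_" idArgs;
      partialResourceIdPath = mkResourceId "/" idArgs;
    }
  );
```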
@@ -189,12 +189,9 @@ in
 # Generate the empty policy if there's nothing.
 infra.vault.policies = concatBfs (parentConfig: name: config:
- let
- resourceId = "${toplevelConfig.infra.pki.org.id}_${config.partialResourceId}";
- in
 mapAttrs (name: value:
 mapAttrs' (rulePath: value: {
- name = "${resourceIdAsPath resourceId}/${rulePath}";
+ name = "${toplevelConfig.infra.pki.org.id}/${config.partialResourceIdPath}/${rulePath}";
 inherit value;
 }) value
 ) config.policies)
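Review bot: The org id is now interpolated verbatim into the policy name, whereas the removed lines passed it through `resourceIdAsPath` together with the sub-CA id; if that helper (defined outside this hunk) rewrote anything in `org.id`, the policy names generated for existing sub-CAs change on the next apply, and Vault policy names are the handle that tokens and auth-method roles are bound to, so a rename silently detaches them until those bindings are re-applied. Worth confirming against the currently deployed policy names before merging, and worth a comment on the `name =` line recording the invariant: `# Policy names are "/"-separated paths: <org id>/<sub-CA path id>/<rule path>; the "_" form is a Terraform resource ID only.` If this was the last caller of `resourceIdAsPath`, the helper can be dropped. The `concatBfs` callback starts and ends outside the hunk.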