fix(terraform/vault/sub-ca): policy path calculation requires path resource IDs

It's impossible to recover the path resource IDs from the Terraform
resource IDs form.

Let's just add the path component and do the right thing.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>

terraform/vault/sub-ca-options.nix

@@ -4,11 +4,11 @@
 { name, config, lib, ... }:
 let
   inherit (lib) mkEnableOption mkOption types mkIf;
-  mkResourceId = { enableVersioning, certVersion, version, name }:
+  mkResourceId = sep: { enableVersioning, certVersion, version, name }:
     if enableVersioning then
-      "v${toString version}_${name}_v${toString certVersion}"
+      "v${toString version}${sep}${name}${sep}v${toString certVersion}"
     else
-    "unversioned_${name}";
+    "unversioned${sep}${name}";
 in
 {
   options = {
@@ -32,6 +32,11 @@ in
       type = types.str;
     };
 
+    partialResourceIdPath = mkOption {
+      internal = true;
+      type = types.str;
+    };
+
     name = mkOption {
       readOnly = true;
       type = types.str;
@@ -88,7 +93,10 @@ in
   };
 
   config = mkIf config.enable {
-    partialResourceId = mkResourceId {
+    partialResourceId = mkResourceId "_" {
+      inherit (config) enableVersioning certVersion version name;
+    };
+    partialResourceIdPath = mkResourceId "/" {
       inherit (config) enableVersioning certVersion version name;
     };
   };

terraform/vault/sub-ca.nix

@@ -189,12 +189,9 @@ in
 
     # Generate the empty policy if there's nothing.
     infra.vault.policies = concatBfs (parentConfig: name: config:
-    let
-      resourceId = "${toplevelConfig.infra.pki.org.id}_${config.partialResourceId}";
-    in
     mapAttrs (name: value:
       mapAttrs' (rulePath: value: {
-        name = "${resourceIdAsPath resourceId}/${rulePath}";
+        name = "${toplevelConfig.infra.pki.org.id}/${config.partialResourceIdPath}/${rulePath}";
         inherit value;
       }) value
     ) config.policies)