From b267cffc0e1c4d74f23937c58c0bbc5a758fd652 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Wed, 1 Jan 2025 02:43:56 +0100
Subject: [PATCH] feat(terraform/vault): support for tokens generation
We create the first machine-level token for bagel-box which has the policy CI.
Signed-off-by: Raito Bezarius
---
 terraform/vault/default.nix | 16 ++++++++++++++++
 terraform/vault/generic.nix | 1 +
 terraform/vault/tokens.nix | 19 +++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 terraform/vault/tokens.nix
diff --git a/terraform/vault/default.nix b/terraform/vault/default.nix
index 9cfa18a..d4acf68 100644
--- a/terraform/vault/default.nix
+++ b/terraform/vault/default.nix
@@ -17,6 +17,22 @@
 infra.vault = {
 provider = "vault.floral";
+ tokens = {
+ bagel_box = {
+ policies = [ "ci" ];
+ renewable = true;
+ ttl = "7d";
+ # As long as the token is renewed every 14 days, its TTL can be extended of 7 more days.
+ period = "14d";
+ # A machine-wide token cannot live longer than 365 days, all of this is temporary anyway until we get proper machine identity.
+ explicit_max_ttl = "365d";
+ display_name = "bagel-box@infra.forkos.org machine-wide token";
+
+ metadata = {
+ purpose = "machine-account";
+ };
+ };
+ };
 };
 infra.pki = {
diff --git a/terraform/vault/generic.nix b/terraform/vault/generic.nix
index c3305ed..7a372b6 100644
--- a/terraform/vault/generic.nix
+++ b/terraform/vault/generic.nix
@@ -13,5 +13,6 @@ in
 imports = [
 ./policy.nix
 ./sub-ca.nix
+ ./tokens.nix
 ];
 }
diff --git a/terraform/vault/tokens.nix b/terraform/vault/tokens.nix
new file mode 100644
index 0000000..3a4b278
--- /dev/null
+++ b/terraform/vault/tokens.nix
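Review bot: The `vault_token` resource declared under `tokens.bagel_box` will have its issued token written into the Terraform state as the resource's `client_token` attribute, so a renewable, CI-policy, up-to-365-day machine credential now lives wherever that state is stored, and nothing in this hunk records that for the next reader. I would add above `tokens = {`: `# NOTE: vault_token keeps the issued client_token in Terraform state; the state backend must be protected as if it held a live CI credential.` Separately, the comment above `period = "14d"` reads inverted to me: as far as I know a periodic Vault token has its TTL reset to `period` on every renewal and the `ttl` argument does not apply, so the token must be renewed at least every 14 days and `ttl = "7d"` is likely inert; please confirm against the provider and either drop `ttl` or reword the comment. The hunk also does not show what performs the renewal on bagel-box; if nothing does, the token simply expires after one period regardless of `explicit_max_ttl`.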
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+ cfg = config.infra.vault.tokens;
+ inherit (lib) mkOption types mapAttrs;
+ mkToken = name: value: value // {
+ provider = config.infra.vault.provider;
+ };
+in
+{
+ options.infra.vault.tokens = mkOption {
+ # TODO: harden with freeformType json.
+ type = types.attrsOf types.unspecified;
+ default = { };
+ };
+
+ config = {
+ resource.vault_token = mapAttrs mkToken cfg;
+ };
+}
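Review bot: `options.infra.vault.tokens` is typed `types.attrsOf types.unspecified`, so every token definition reaches `resource.vault_token` unchecked and the lifetime cap that default.nix's own comment insists on (`explicit_max_ttl`) is not something the module requires. Declaring the security-relevant arguments in a submodule with a freeform pass-through for the rest turns a missing or mistyped `explicit_max_ttl` or `policies` into an evaluation error instead of a token with the wrong lifetime or policy set, which is what the `# TODO: harden with freeformType json.` comment already hints at. If I recall the module system correctly, `types.unspecified` also shallow-merges two definitions of the same token name last-wins rather than rejecting them, which the submodule fixes as well; verify. Note too that `mkToken` ignores `name` and `value // { provider = ...; }` silently overrides any `provider` a token sets, which looks intended but deserves a comment such as `# the provider is always the module-wide one; per-token overrides are ignored`.
```nix
let
  cfg = config.infra.vault.tokens;
  inherit (lib) mkOption types mapAttrs;
  # Declared arguments are type-checked; any other attribute is passed
  # through to vault_token unchanged.
  tokenType = types.submodule {
    freeformType = types.attrsOf types.anything;
    options = {
      policies = mkOption { type = types.listOf types.str; };
      explicit_max_ttl = mkOption {
        type = types.str;
        description = "Hard upper bound on the token's lifetime (required).";
      };
    };
  };
  # … unchanged: mkToken …
in
{
  options.infra.vault.tokens = mkOption {
    type = types.attrsOf tokenType;
    default = { };
  };
  # … unchanged: config.resource.vault_token …
}
```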