From efeeecb7e27fed9338d48174179f9e798a0641db Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Tue, 31 Dec 2024 18:30:12 +0100
Subject: [PATCH] feat(terraform): support declarative Vault policies
Signed-off-by: Raito Bezarius
---
 terraform/vault/default.nix | 5 +++
 terraform/vault/generic.nix | 16 ++++++++++
 terraform/vault/policy.nix | 62 +++++++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 terraform/vault/generic.nix
 create mode 100644 terraform/vault/policy.nix
diff --git a/terraform/vault/default.nix b/terraform/vault/default.nix
index 9438b2f..127fbd4 100644
--- a/terraform/vault/default.nix
+++ b/terraform/vault/default.nix
@@ -6,6 +6,7 @@
 };
 imports = [
+ ./generic.nix
 ./pki.nix
 ];
@@ -14,6 +15,10 @@
 address = "https://vault.forkos.org";
 };
+ infra.vault = {
+ provider = "vault.floral";
+ };
+
 infra.pki = {
 provider = "vault.floral";
 org = {
diff --git a/terraform/vault/generic.nix b/terraform/vault/generic.nix
new file mode 100644
index 0000000..60345eb
--- /dev/null
+++ b/terraform/vault/generic.nix
@@ -0,0 +1,16 @@
+{ lib, ... }:
+let
+ inherit (lib) mkOption types;
+in
+{
+ options.infra.vault = {
+ provider = mkOption {
+ type = types.str;
+ description = "Provider used for deploying those expressions";
+ };
+ };
+
+ imports = [
+ ./policy.nix
+ ];
+}
diff --git a/terraform/vault/policy.nix b/terraform/vault/policy.nix
new file mode 100644
index 0000000..62a011a
--- /dev/null
+++ b/terraform/vault/policy.nix
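Review bot: The `description` on `options.infra.vault.provider` in generic.nix ("Provider used for deploying those expressions") does not say which expressions it covers or what kind of value is expected; from the `"vault.floral"` value set in default.nix it is presumably a Terraform provider alias, but the option text should say so. Suggest `description = "Terraform provider (alias) used for every Vault resource declared under infra.vault, e.g. \"vault.floral\".";`. Since generic.nix also pulls in ./policy.nix via `imports`, a one-line comment above that list stating that generic.nix is the aggregation point for the Vault sub-modules would make the layering easier to follow for anyone adding the next sub-module.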
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+let
+ inherit (lib) types mkOption mapAttrs concatStringsSep mapAttrsToList filterAttrs;
+ policyOpts = { ... }: {
+ options = {
+ capabilities = mkOption {
+ type = types.enum [ "create" "read" "update" "patch" "delete" "list" "sudo" "deny" "subscribe" ];
+ };
+
+ min_wrapping_ttl = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ };
+
+ max_wrapping_ttl = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ };
+
+ required_parameters = mkOption {
+ type = types.nullOr (types.listOf types.str);
+ default = null;
+ };
+
+ allowed_parameters = mkOption {
+ type = types.nullOr (types.attrsOf (types.listOf types.str));
+ default = null;
+ };
+
+ denied_parameters = mkOption {
+ type = types.nullOr (types.attrsOf (types.listOf types.str));
+ default = null;
+ };
+ };
+ };
+ cfg = config.infra.vault;
+ serializeRuleBody = body:
+ concatStringsSep "\n" (mapAttrsToList (name: value:
+ "${name} = ${builtins.toJSON value}"
+ ) (filterAttrs (n: v: v != null) body));
+ mkRules = rules: concatStringsSep "\n" (mapAttrsToList (path: body:
+ ''
+ path "${path}" {
+ ${serializeRuleBody body}
+ }
+ '') rules);
+ mkPolicy = name: rules: {
+ policy = mkRules rules;
+ inherit name;
+ inherit (cfg) provider;
+ };
+in
+{
+ options.infra.vault.policies = mkOption {
+ type = types.attrsOf (types.attrsOf (types.submodule policyOpts));
+ description = "Vault policies, see https://developer.hashicorp.com/vault/docs/concepts/policies";
+ };
+
+ config = {
+ resource.vault_policy = mapAttrs mkPolicy cfg.policies;
+ };
+}
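Review bot: `capabilities` in `policyOpts` is typed `types.enum [ ... ]`, a single string, so a path rule can never grant more than one capability (Vault policy syntax takes a list, e.g. read together with list); change it to `type = types.listOf (types.enum [ "create" "read" "update" "patch" "delete" "list" "sudo" "deny" "subscribe" ]);`, which `builtins.toJSON` already renders as an HCL list. `options.infra.vault.policies` has no `default`, so `mapAttrs mkPolicy cfg.policies` in the `config` block fails to evaluate for any consumer that does not set at least one policy — the default.nix hunk in this patch sets only `provider` — so add `default = { };` to that option. The nullable `attrsOf` fields (`allowed_parameters`, `denied_parameters`) are emitted through `builtins.toJSON` as JSON objects (`{"k":["v"]}`) whereas the Vault policy documentation writes them as `{ "k" = ["v"] }`; worth a quick check that Vault's HCL parser accepts the JSON object form before relying on it, or render those two with `=` explicitly. None of the six `mkOption`s in `policyOpts` carries a `description`; a one-line description per field pointing at the matching entry in the policy-syntax docs would make `nixos-option`-style introspection useful here.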