infra/terraform/vault/policy.nix

{ config, lib, ... }:
let
  inherit (lib) types mkOption mapAttrs concatStringsSep mapAttrsToList filterAttrs;
  cfg = config.infra.vault;
  serializeRuleBody = body:
    concatStringsSep "\n" (mapAttrsToList (name: value:
      "${name} = ${builtins.toJSON value}"
    ) (filterAttrs (n: v: v != null) body));
  mkRules = rules: concatStringsSep "\n" (mapAttrsToList (path: body:
  ''
    path "${path}" {
      ${serializeRuleBody body}
    }
  '') rules);
  mkPolicy = name: rules: {
    policy = mkRules rules;
    inherit name;
    inherit (cfg) provider;
  };
in
{
  options.infra.vault.policies = mkOption {
    type = types.attrsOf (types.attrsOf (types.submodule (import ./policy-options.nix)));
    description = "Vault policies, see https://developer.hashicorp.com/vault/docs/concepts/policies";
    default = { };
  };

  config = {
    resource.vault_policy = mapAttrs mkPolicy cfg.policies;
  };
}