{ config, pkgs, lib, tflib, ... }: let cfg = config.prefab.pushApproles; inherit (lib) mkOption mdDoc types mapAttrsToList mkMerge flip ; inherit (tflib) tf ; metadataType = pkgs.formats.json {}; submoduleOptions = { policies = mkOption { description = mdDoc '' Vault policies added to the approle generated. ''; type = with types; listOf str; default = []; }; host = mkOption { description = mdDoc '' The address of the machine, either IP address, domain name or any other identificator accepted by `ssh`. ''; type = types.str; }; user = mkOption { description = mdDoc '' The user to connect as. ''; type = types.str; }; metadata = mkOption { description = mdDoc '' ''; type = metadataType.type; default = {}; }; approlePath = mkOption { description = mdDoc '' ''; type = types.str; }; }; in { options.prefab.pushApproles = mkOption { description = '' ''; type = with types; attrsOf (submodule {options = submoduleOptions;}); default = {}; }; config.resource = mkMerge (flip mapAttrsToList cfg (hostname: value: { "vault_approle_auth_backend_role"."system-${hostname}" = { backend = value.approlePath; role_name = hostname; token_policies = value.policies; }; "vault_approle_auth_backend_role_secret_id"."system-${hostname}" = { backend = value.approlePath; role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name"; metadata = builtins.toJSON value.metadata; }; "null_resource"."approles-${hostname}" = { triggers = { secret_id = tf "vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id"; role_id = tf "data.vault_approle_auth_backend_role_id.system-${hostname}.role_id"; }; connection = { inherit (value) host user ; }; provisioner = { "remote-exec" = { inline = [ "echo \${nonsensitive(vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id)} > /var/secrets/approle.secretid" "echo \${data.vault_approle_auth_backend_role_id.system-${hostname}.role_id} > /var/secrets/approle.roleid" ]; }; }; }; })); config.data = mkMerge (flip mapAttrsToList cfg (hostname: value: { "vault_approle_auth_backend_role_id"."system-${hostname}" = { backend = value.approlePath; role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name"; }; })); }