{ config, ... }:
{
  resource."vault_mount"."pki_inra" = {
    path                      = "pki-inra";
    type                      = "pki";
    description               = "in.redalder.org";
    default_lease_ttl_seconds = 8640000;
    max_lease_ttl_seconds     = 8640000;
  };

  resource."vault_policy"."pki_inra_update" = {
    name = "pki-inra-update";

    policy = ''
      path "${config.resource."vault_mount"."pki_inra".path}/config/ca" {
        capabilities = ["update"]
      }
    '';
  };

  resource."vault_pki_secret_backend_config_urls"."example" = {
    backend = config.resource."vault_mount"."pki_inra".path;
    issuing_certificates = [
      "https://vault.in.redalder.org:8200/v1/pki/ca"
    ];
    crl_distribution_points = [
      "https://vault.in.redalder.org:8200/v1/pki_int/crl"
    ];
  };

  resource."vault_pki_secret_backend_role"."test_role" = {
    backend          = config.resource."vault_mount"."pki_inra".path;
    name             = "test_role";
    ttl              = 3600;
    allow_ip_sans    = true;
    key_type         = "rsa";
    key_bits         = 4096;
    allowed_domains  = ["test.in.redalder.org"];
    allow_subdomains = false;
  };
}