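# Vault access for the CrowdSec/Traefik plugin tooling in the factory cluster:
# a Kubernetes auth role bound to a single service account, attached to a
# policy that only reads the factory CMS secrets.
locals {
  # Kubernetes service account the auth role is bound to (lives in kube-system).
  factory_crowdsec_conf_sa_name = "factory-ansible-tool-crowdsec-traefik-plugin"

  # One shared name for the Vault policy and the Kubernetes auth role, so the
  # two cannot drift apart (previously the literal was repeated per resource).
  factory_crowdsec_conf_name = "factory_crowdsec_conf"
}

data "vault_policy_document" "factory_crowdsec_conf" {
  rule {
    path = "kvv2/data/cms/factory/*" # cms.git//cloudflare/iac.tf
    # NOTE(review): on a KV v2 mount LIST is served from the metadata/ path, so
    # "list" on a data/ path grants nothing usable; enumerating secret names
    # would need a separate rule on "kvv2/metadata/cms/factory/*". Kept as
    # written pending confirmation that the consumer does not need listing
    # (in which case reduce this to ["read"]).
    capabilities = ["read", "list"]
  }
}

resource "vault_policy" "factory_crowdsec_conf" {
  name   = local.factory_crowdsec_conf_name
  policy = data.vault_policy_document.factory_crowdsec_conf.hcl
}

resource "vault_kubernetes_auth_backend_role" "factory_crowdsec_conf" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = local.factory_crowdsec_conf_name

  # Only this service account, and only from this namespace, may log in.
  bound_service_account_names      = [local.factory_crowdsec_conf_sa_name]
  bound_service_account_namespaces = ["kube-system"]

  # One-hour token lifetime. No token_max_ttl is set on the role, so the
  # renewal ceiling comes from the auth mount / system max TTL.
  token_ttl      = 3600
  token_policies = ["default", vault_policy.factory_crowdsec_conf.name]

  # Presented service account JWTs must carry this audience claim.
  audience = "vault"

  # NOTE(review): aliasing by service account name (instead of the default
  # serviceaccount_uid) means a service account deleted and recreated under the
  # same name resolves to the same Vault entity alias; confirm this is intended.
  alias_name_source = "serviceaccount_name"
}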