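# Vault wiring for one workload: a Postgres dynamic-credentials role, a
# KV v2 config secret and a Kubernetes auth role, all keyed off var.name.

# Existing Kubernetes auth method; only its mount path is read below.
data "vault_auth_backend" "kubernetes" {
  path = "kubernetes"
}

# Workload name. Lower-cased in locals so it is usable unquoted as a Postgres
# identifier and matches the service account / policy names derived from it.
variable "name" {
  type    = string
  default = "webapp"
}

# Database the revocation statements run against; falls back to the
# lower-cased workload name when unset.
variable "database" {
  type     = string
  nullable = true
  default  = null
}

locals {
  name     = lower(var.name)
  database = var.database == null ? local.name : var.database

  # Mounts are assumed to exist already; only their paths are referenced.
  vault_mount_postgres = { path = "postgres" }
  vault_mount_kvv2     = { path = "kvv2" }
}

# Dynamic Postgres credentials: every lease creates a short-lived login role
# that is made a member of "<name>_role" and expires at {{expiration}}.
resource "vault_database_secret_backend_role" "role" {
  backend = local.vault_mount_postgres.path
  name    = local.name
  db_name = "postgres"

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT ${local.name}_role TO \"{{name}}\";",
  ]

  # On lease revocation the login role itself is dropped, so a revoked lease
  # cannot keep connecting until VALID UNTIL passes (REVOKE ALL ON DATABASE
  # alone leaves a LOGIN role behind, and CONNECT is usually granted to PUBLIC).
  # The database name is double-quoted like {{name}} so a mixed-case
  # var.database is not case-folded by Postgres.
  # NOTE(review): DROP ROLE fails if the role still owns objects — confirm the
  # application does not create tables/schemas under these dynamic roles.
  revocation_statements = [
    "REVOKE ALL ON DATABASE \"${local.database}\" FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]

  renew_statements    = []
  rollback_statements = []
}

# Static config secret for the workload.
# NOTE(review): the plaintext value is recorded in Terraform state even though
# the provider treats data_json as sensitive; keep real secrets out of this
# file and protect the state backend accordingly.
resource "vault_kv_secret_v2" "webapp_config" {
  mount = local.vault_mount_kvv2.path
  name  = "webapp/config"

  # Check-and-set: the write only succeeds when the secret's current version
  # is 1. NOTE(review): a secret that does not exist yet is at version 0, so
  # the first apply would be rejected unless it was created out of band — confirm.
  cas = 1
  # delete_all_versions = true

  data_json = jsonencode({
    zip = "zap"
    foo = "bar"
  })
}

# Lets the "<name>" service account in the "<name>" namespace log in and
# receive a token carrying the "default" and "<name>" policies.
resource "vault_kubernetes_auth_backend_role" "role" {
  backend   = data.vault_auth_backend.kubernetes.path
  role_name = local.name

  # Bind both the SA name and its namespace so a same-named service account
  # in another namespace cannot assume this role.
  bound_service_account_names      = [local.name]
  bound_service_account_namespaces = [local.name]

  token_ttl      = 3600
  token_policies = ["default", local.name]

  # Only service account tokens issued with the "vault" audience claim are
  # accepted, so a token minted for another consumer cannot be replayed here.
  audience = "vault"

  # NOTE(review): name-based aliases survive a delete/recreate of the service
  # account, so the Vault entity follows the SA name rather than the SA object;
  # the default "serviceaccount_uid" ties it to the object — confirm which is intended.
  alias_name_source = "serviceaccount_name"
}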