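# Vault/Nomad integration:
#   1. a Nomad management ACL token that Vault uses to mint Nomad tokens,
#   2. the Vault Nomad secrets backend that holds that token,
#   3. Vault roles that issue Nomad tokens bound to specific ACL policies,
#   4. the Vault token role Nomad servers use to obtain tokens for tasks.

# Management token consumed by Vault's Nomad secrets backend. Management
# tokens bypass Nomad ACL policies entirely, and its secret_id is recorded
# in Terraform state via the reference below, so the state backend must be
# access-controlled and encrypted like any other secret store.
resource "nomad_acl_token" "vault" {
  name = "vault"
  type = "management"
}

# Nomad secrets engine mounted at "nomad". All TTL values are seconds
# (integer attributes; no need to quote them).
resource "vault_nomad_secret_backend" "config" {
  backend     = "nomad"
  description = "Nomad ACL"
  token       = nomad_acl_token.vault.secret_id

  # Mount-level lease bounds.
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 7200

  # Bounds applied to the Nomad tokens this backend issues.
  ttl     = 3600
  max_ttl = 7200
}

# Vault roles generating Nomad tokens. Each role maps to the Nomad ACL
# policies (or the token type) that the issued token will carry.
resource "vault_nomad_secret_role" "nomad-deploy" {
  backend = vault_nomad_secret_backend.config.backend
  role    = "nomad-deploy"

  # Nomad policies
  policies = ["deploy"]
}

# Issues Nomad management tokens, which are not subject to any ACL policy;
# Vault access to this role's path should be restricted accordingly.
resource "vault_nomad_secret_role" "admin-management" {
  backend = vault_nomad_secret_backend.config.backend
  role    = "admin-management"
  type    = "management"
}

resource "vault_nomad_secret_role" "admin" {
  backend = vault_nomad_secret_backend.config.backend
  role    = "admin"

  # Nomad policies
  policies = ["admin"]
}

# Nomad Vault token access: the token role Nomad servers use when requesting
# Vault tokens on behalf of tasks.
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"

  # Periodic token: renewed every period (259200 s = 72 h) with no explicit
  # max TTL, so it lives for as long as Nomad keeps renewing it.
  token_explicit_max_ttl = 0
  token_period           = 259200
  renewable              = true

  # Orphan tokens have no parent token, so they are not revoked when the
  # token that created them is revoked.
  orphan = true

  # Only these policies may be requested through this role, which keeps
  # tasks from obtaining broader Vault access than intended.
  allowed_policies = ["access-tables", "nomad-task"]
}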