# Create an identity for the admin user
resource "vault_identity_entity" "admin" {
  name     = "admin"
  policies = ["admin"]
  metadata = {
    email = "admin@example.com"
  }

  depends_on = [
    vault_policy.admin,
    vault_generic_secret.admin_user,
  ]
}

# Tie the identity to the userpass
resource "vault_identity_entity_alias" "admin" {
  name           = "admin"
  mount_accessor = vault_auth_backend.userpass.accessor
  canonical_id   = vault_identity_entity.admin.id
}

# Tie the identity to a group
resource "vault_identity_group" "admins" {
  name              = "admins"
  member_entity_ids = [vault_identity_entity.admin.id]
}

# Create an oidc client
resource "vault_identity_oidc_assignment" "everyone" {
  name = "everyone"
  entity_ids = [
    vault_identity_entity.admin.id,
  ]
  group_ids = [
    vault_identity_group.admins.id,
  ]
}

resource "vault_identity_oidc_key" "key" {
  name               = "key"
  algorithm          = "RS256"
  rotation_period    = 3600
  verification_ttl   = 7200
  allowed_client_ids = ["*"]
}

resource "vault_identity_oidc_client" "consul" {
  name = "consul"
  redirect_uris = [
    "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
    "http://127.0.0.1:8251/callback",
    "http://127.0.0.1:8080/callback"
  ]
  assignments = [
    vault_identity_oidc_assignment.everyone.name
  ]
  key              = vault_identity_oidc_key.key.name
  id_token_ttl     = 2400
  access_token_ttl = 7200
}