resource "nomad_acl_token" "vault" {
  name = "vault"
  type = "management"
}

resource "vault_nomad_secret_backend" "config" {
  backend     = "nomad"
  description = "Nomad ACL"
  token       = nomad_acl_token.vault.secret_id
}

resource "vault_nomad_secret_role" "nomad-deploy" {
  backend  = vault_nomad_secret_backend.config.backend
  role     = "nomad-deploy"
  policies = ["nomad-deploy"]
}

resource "vault_nomad_secret_role" "admin" {
  backend = vault_nomad_secret_backend.config.backend
  role    = "admin-management"
  type    = "management"
}

resource "vault_policy" "nomad-deploy" {
  name   = "nomad-deploy"
  policy = <<EOH
path "nomad/creds/nomad-deploy" {
  capabilities = ["read"]
}
EOH
}