From 08b68745f074ca9cf7264ff9743e6853325cd7c6 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sun, 20 Mar 2022 11:29:10 +0000
Subject: [PATCH] ops/vault: move policies to token_policies

I want to be able to rescope these policies down in tokend, which means that I can't have policies attached to the server's *identity*. Instead, we put these on the approle instead, which allows us to down-scope all of these.
---
 ops/vault/cfg/servers.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ops/vault/cfg/servers.nix b/ops/vault/cfg/servers.nix
index f9c189d632..18b39595a3 100644
--- a/ops/vault/cfg/servers.nix
+++ b/ops/vault/cfg/servers.nix
@@ -83,14 +83,14 @@ in {
 secret_id_num_uses = 0;
 token_ttl = minutes 20;
 token_max_ttl = minutes 30;
+ token_policies =
+ ["default" "server" "\${vault_policy.${serverCfg.resourceName}.name}"]
+ ++ serverCfg.extraPolicies
+ ++ (map (name: "\${vault_policy.app_${name}.name}") serverCfg.apps);
 };
 vault_identity_entity.${serverCfg.resourceName} = {
 name = serverName;
- policies =
- ["default" "server" "\${vault_policy.${serverCfg.resourceName}.name}"]
- ++ serverCfg.extraPolicies
- ++ (map (name: "\${vault_policy.app_${name}.name}") serverCfg.apps);
 metadata.server = serverName;
 };
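Review bot: The reason the policy list now lives on the approle rather than on the identity entity is stated only in the commit message, so a comment above the added `token_policies` would stop a future cleanup from moving it back, e.g. `# Keep policies on the approle, not the identity entity: entity policies follow every token of the entity and cannot be dropped per token, whereas tokend can down-scope token_policies on child tokens.` The `"default"` entry in the list is redundant unless the role sets `token_no_default_policy`, since Vault attaches the default policy to issued tokens anyway. It is also worth confirming that no other auth alias maps to this entity, because any such alias silently loses the removed entity policies. The enclosing attribute set starts before the hunk.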