# Vault OIDC login backed by Google accounts, declared as Terraform resources
# through Nix: one auth backend plus a "user" role and an "admin" role.
{ ... }:
let
  # OAuth client ID registered with Google. It is an identifier, not a
  # credential; it is used both as the backend's client ID and as the only
  # audience the roles accept.
  googleClientId = "620300851636-6ha1a7t9r4gatrn9gdqa82toem3cbq3b.apps.googleusercontent.com";

  # Settings shared by every role on the backend.
  sharedRole = {
    # `\${` stops Nix from interpolating, so the literal `${...}` reference
    # reaches Terraform and is resolved there.
    backend = "\${resource.vault_jwt_auth_backend.oidc.path}";
    role_type = "oidc";
    bound_audiences = [ googleClientId ];
    # Identities are keyed on the `sub` claim rather than on an e-mail address.
    user_claim = "sub";
    # Exact-match allow-list of callback URLs: a plain-HTTP loopback listener
    # (presumably for CLI logins) and two web UI hosts.
    # NOTE(review): confirm every host listed here is still owned and in use;
    # a stale entry is a redirect target that should be removed.
    allowed_redirect_uris = [
      "http://localhost:8250/oidc/callback"
      "https://vault-server-j2gbzkpiaq-ew.a.run.app/ui/vault/auth/oidc/oidc/callback"
      "https://vault.int.lukegb.com/ui/vault/auth/oidc/oidc/callback"
    ];
  };

  # Build a role named `name` that grants the "base" policy plus the policy
  # of the same name.
  # NOTE(review): no bound_claims or other per-identity restriction is
  # visible on either role, so the audience check is the only binding shown
  # here. Confirm that who may obtain the "admin" role is constrained
  # somewhere outside this file (for example on the OAuth client itself);
  # if it is not, add an explicit claim binding to that role.
  mkRole = name: sharedRole // {
    role_name = name;
    token_policies = [ "base" name ];
  };
in
{
  resource.vault_jwt_auth_backend.oidc = {
    # Logins that do not name a role get the lower-privileged one.
    default_role = "user";
    namespace_in_state = true;
    oidc_discovery_url = "https://accounts.google.com";
    oidc_client_id = googleClientId;
    # The client secret is not stored in this file; Terraform reads it from
    # the `oidcAuthToken` key of the vault_generic_secret.misc data source.
    # NOTE(review): Terraform keeps resource attributes in its state, so the
    # state backend should be protected like the secret itself - confirm.
    oidc_client_secret = "\${data.vault_generic_secret.misc.data[\"oidcAuthToken\"]}";
  };

  # Project-defined option (declared outside this file); presumably applies
  # mount tuning to the backend above. Both lease TTLs are set to 24h.
  my.authBackend.oidc = {
    resourceType = "vault_jwt_auth_backend";
    tune = {
      default_lease_ttl = "24h";
      max_lease_ttl = "24h";
    };
  };

  resource.vault_jwt_auth_backend_role = {
    oidc_user = mkRole "user";
    oidc_admin = mkRole "admin";
  };
}