{ ... }:

# Vault GCP secrets-engine roleset that hands out GCP OAuth2 access tokens for
# deploying the lukegbcom Firebase Hosting site, plus the Vault policy that
# lets the gitlab-runner app on clouvider-lon01 fetch those tokens.
let
  # Terraform-side identifiers. The policy further down refers back to the
  # resource's attributes rather than repeating these literals.
  rolesetName = "lukegbcom-deployer";
  projectId = "lukegbcom";
  projectResource = "//cloudresourcemanager.googleapis.com/projects/${projectId}";

  # OAuth scopes requested on every issued token. A token's effective
  # permissions are bounded by BOTH these scopes and the IAM bindings granted
  # to the roleset's service account, so the broad cloud-platform scope is
  # capped by the single roles/firebasehosting.admin binding below.
  # NOTE(review): if the deploy only touches Firebase Hosting, confirm whether
  # the firebase scope alone is sufficient and drop cloud-platform.
  deployerScopes = [
    "https://www.googleapis.com/auth/cloud-platform"
    "https://www.googleapis.com/auth/firebase"
  ];
in
{
  resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
    # "\${...}" escapes Nix interpolation so Terraform receives the literal
    # ${vault_gcp_secret_backend.gcp.path} reference to the GCP mount.
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = rolesetName;
    project = projectId;
    # access_token: Vault mints an OAuth2 token per request instead of
    # exporting a service-account key, so no long-lived GCP credential is
    # ever handed to the runner.
    secret_type = "access_token";
    token_scopes = deployerScopes;
    binding = [
      {
        resource = projectResource;
        # Least privilege: only Firebase Hosting administration on this
        # project. Assuming the roleset's service account has no bindings
        # outside this config, other GCP APIs stay unreachable even though
        # cloud-platform scope is requested.
        roles = [ "roles/firebasehosting.admin" ];
      }
    ];
  };

  # Vault policy for the gitlab-runner app on clouvider-lon01.
  # ''${ escapes ${ inside a Nix indented string, so the Terraform references
  # survive and the path resolves to <gcp mount>/roleset/<roleset>/token.
  # Anyone holding this policy can obtain a deployer token for the project,
  # so it should be attached only to the runner's own auth role.
  # "read" covers fetching a token with GET (`vault read`). NOTE(review): if
  # the runner requests tokens with POST (`vault write`), "update" is needed
  # as well -- verify which verb the job actually uses.
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
}