# Vault server configuration (HCL): a single-node deployment with the file
# storage backend and one TCP listener. Everything after the live settings is
# a commented-out Terraform reference block that Vault does not parse.

# Serve the built-in web UI on the listener below.
ui = true

# Local filesystem backend. The directory holds the (encrypted) barrier data;
# restrict its filesystem permissions to the Vault service user.
storage "file" {
  path = "/opt/vault/data"
}

# NOTE(review): the listener binds every interface with TLS disabled, so tokens
# and secrets cross the network in cleartext to any peer that can reach 8200.
# Either set tls_disable = 0 with tls_cert_file/tls_key_file, or bind to
# 127.0.0.1 and terminate TLS in front of Vault — confirm which is intended.
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# Address Vault advertises to clients for redirects. The http:// scheme matches
# the plaintext listener above; loopback only works for clients on this host —
# presumably a single-node setup, verify if remote clients follow redirects.
api_addr = "http://127.0.0.1:8200"

# Terraform OIDC config for reference
# NOTE(review): reference only — nothing below is read by Vault. The {{ ... }}
# expressions look like template variables resolved before rendering, so the
# OIDC client secret is supplied by the template inputs rather than this file;
# keep the rendered Terraform (and its state) out of version control — confirm.
#path "/secret/*" {
#  capabilities = ["read", "list"]
#}
#
#resource "vault_identity_oidc_key" "keycloak_provider_key" {
#  name      = "keycloak"
#  algorithm = "RS256"
#}
#
#resource "vault_jwt_auth_backend" "keycloak" {
#  path         = "oidc"
#  type         = "oidc"
#  default_role = "{{ keycloak_clients['pki']['groups'] }}"
#
#  oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
#  oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
#  oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
#
#  tune {
#    audit_non_hmac_request_keys = []
#    audit_non_hmac_response_keys = []
#    default_lease_ttl = "1h"
#    listing_visibility = "unauth"
#    max_lease_ttl = "1h"
#    passthrough_request_headers = []
#    token_type = "default-service"
#  }
#}
#
#resource "vault_jwt_auth_backend_role" "pki" {
#  backend = vault_jwt_auth_backend.keycloak.path
#  role_name = "pki"
#  role_type = "oidc"
#  token_ttl = 3600
#  token_max_ttl = 3600
#
#  bound_audiences="{{ pki_domain }}"
#  user_claim = "sub"
#  claim_mappings = {
#    preferred_username = "username"
#    email = "email"
#  }
#
#  allowed_redirect_uris = [
#    "https://{{ pki_domain }}/oidc/oidc/callback",
#    "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
#  ]
#  groups_claim = format("/resource_access/%s/roles",
#  keycloak_openid_client.openid_client.client_id)
#}
#
#data "vault_policy_document" "reader_policy" {
#  rule {
#    path = "/secret/*"
#    capabilities = ["list", "read"]
#  }
#}
#
#resource "vault_policy" "reader_policy" {
#  name = "reader"
#  policy = data.vault_policy_document.reader_policy.hcl
#}
#data "vault_policy_document" "manager_policy" {
#  rule {
#    path = "/secret/*"
#    capabilities = ["create", "update", "delete"]
#  }
#}
#
#resource "vault_policy" "manager_policy" {
#  name = "management"
#  policy = data.vault_policy_document.manager_policy.hcl
#}
#
#resource "vault_identity_oidc_role" "management_role" {
#  name = "management"
#  key = vault_identity_oidc_key.keycloak_provider_key.name
#}
#
#resource "vault_identity_group" "management_group" {
#  name = vault_identity_oidc_role.management_role.name
#  type = "external"
#  policies = [
#    vault_policy.manager_policy.name
#  ]
#}
#
#resource "vault_identity_group_alias" "management_group_alias" {
#  name = "pki"
#  mount_accessor = vault_jwt_auth_backend.keycloak.accessor
#  canonical_id = vault_identity_group.management_group.id
#}