policies.sls

# Write policies from Pillar data
/etc/vault.d/policies.d:
  file.directory:
    - mode: 0700

{% for name, policy in salt['pillar.get']('vault:policies').iteritems() %}
/etc/vault.d/policies.d/{{ name }}.json:
  file.managed:
    - source: salt://shopstyle-vault/files/policy.json
    - mode: 0600
    - template: jinja
    - context:
        policy: {{ policy }}

# Updates the policy if the Pillar data changes
vault-policy-wait-{{ name }}:
  cmd.wait:
    - name: vault policy-write {{ name }} /etc/vault.d/policies.d/{{ name }}.json
    - env:
      - VAULT_ADDR: {{ salt['pillar.get']('vault:vault_addr') }}
      - VAULT_TOKEN: {{ salt['pillar.get']('vault:tokens:initial_root_token') }}
    - watch:
      - file: /etc/vault.d/policies.d/{{ name }}.json

# Ensure the policy will be written if a previous wait/watch fails, etc.
vault-policy-run-{{ name }}:
  cmd.run:
    - name: vault policy-write {{ name }} /etc/vault.d/policies.d/{{ name }}.json
    - env:
      - VAULT_ADDR: {{ salt['pillar.get']('vault:vault_addr') }}
      - VAULT_TOKEN: {{ salt['pillar.get']('vault:tokens:initial_root_token') }}
    - unless: vault policies | grep {{ name }}
{% endfor %}