consolidate vault policies into hydration

Before there was a conflict between the policies set on the core
machines at activation time, and the policies set by hydrate-cluster.
Specifically, the routing policy would always be deleted by terraform.

With this, we can ensure that terraform is aware of all of our defaut
vault policies so rebuilding and/or hydrating doesn't unexpectedly
change them.

Author: nrdxp

modules/terraform/hydrate-cluster/policies.nix

@@ -16,7 +16,15 @@ Related to roles that are impersonated by humans.
 
   __fromTOML = builtins.fromTOML;
 
-  vaultPolicies = tfcfg.locals.policies.vault;
+  # necessary or some of these policies get deleted by terraform; eg routing
+  coreVaultPolicies =
+    builtins.removeAttrs
+    (import ../../../profiles/vault/policies.nix {inherit config lib;})
+    .services
+    .vault
+    .policies ["vault-agent-client" "vault-agent-core"];
+
+  vaultPolicies = coreVaultPolicies // tfcfg.locals.policies.vault;
   nomadPolicies = tfcfg.locals.policies.nomad;
   consulPolicies = tfcfg.locals.policies.consul;