[CE] Add workload bind type and templated policy (#19077)

2023-10-05 15:45:41 -04:00 · 2023-10-05 15:45:41 -04:00 · ad26494016
parent ca4ff6ba1d
commit ad26494016
11 changed files with 176 additions and 132 deletions
--- a/.changelog/19077.txt
+++ b/.changelog/19077.txt
@ -0,0 +1,3 @@
 ```release-note:feature
 acl: Adds workload identity templated policy
 ```
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@ -1374,7 +1374,7 @@ func TestACL_HTTP(t *testing.T) {
 			var list map[string]api.ACLTemplatedPolicyResponse
 			require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
-			require.Len(t, list, 4)
+			require.Len(t, list, 5)
 			require.Equal(t, api.ACLTemplatedPolicyResponse{
 				TemplateName: api.ACLTemplatedPolicyServiceName,
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@ -1723,19 +1723,8 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
 		return fmt.Errorf("invalid Binding Rule: BindVars cannot be set when bind type is not templated-policy.")
 	}
-	switch rule.BindType {
+	if err := auth.IsValidBindingRule(rule.BindType, rule.BindName, rule.BindVars, blankID.ProjectedVarNames()); err != nil {
-	case structs.BindingRuleBindTypeService:
+		return fmt.Errorf("Invalid Binding Rule: invalid BindName or BindVars: %w", err)
 	case structs.BindingRuleBindTypeNode:
 	case structs.BindingRuleBindTypeRole:
 	case structs.BindingRuleBindTypeTemplatedPolicy:
 	default:
 		return fmt.Errorf("Invalid Binding Rule: unknown BindType %q", rule.BindType)
 	}
 	if valid, err := auth.IsValidBindNameOrBindVars(rule.BindType, rule.BindName, rule.BindVars, blankID.ProjectedVarNames()); err != nil {
 		return fmt.Errorf("Invalid Binding Rule: invalid BindName or BindVars: %v", err)
 	} else if !valid {
 		return fmt.Errorf("Invalid Binding Rule: invalid BindName or BindVars")
 	}
 	req := &structs.ACLBindingRuleBatchSetRequest{
--- a/agent/consul/auth/binder.go
+++ b/agent/consul/auth/binder.go
@ -4,6 +4,7 @@
 package auth
 import (
 	"errors"
 	"fmt"
 	"github.com/hashicorp/go-bexpr"
@ -37,8 +38,8 @@ type BinderStateStore interface {
 	ACLRoleGetByName(ws memdb.WatchSet, roleName string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
 }
-// Bindings contains the ACL roles, service identities, node identities and
+// Bindings contains the ACL roles, service identities, node identities,
-// enterprise meta to be assigned to the created token.
+// templated policies, and enterprise meta to be assigned to the created token.
 type Bindings struct {
 	Roles             []structs.ACLTokenRoleLink
 	ServiceIdentities []*structs.ACLServiceIdentity
@ -91,30 +92,39 @@ func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authm
 	// Compute role, service identity, node identity or templated policy names by interpolating
 	// the identity's projected variables into the rule BindName templates.
 	for _, rule := range matchingRules {
 		bindName, templatedPolicy, valid, err := computeBindNameAndVars(rule.BindType, rule.BindName, rule.BindVars, verifiedIdentity.ProjectedVars)
 		switch {
 		case err != nil:
 			return nil, fmt.Errorf("cannot compute %q bind name for bind target: %w", rule.BindType, err)
 		case !valid:
 			return nil, fmt.Errorf("computed %q bind name for bind target is invalid: %q", rule.BindType, bindName)
 		}
 		switch rule.BindType {
 		case structs.BindingRuleBindTypeService:
 			bindName, err := computeBindName(rule.BindName, verifiedIdentity.ProjectedVars, acl.IsValidServiceIdentityName)
 			if err != nil {
 				return nil, err
 			}
 			bindings.ServiceIdentities = append(bindings.ServiceIdentities, &structs.ACLServiceIdentity{
 				ServiceName: bindName,
 			})
 		case structs.BindingRuleBindTypeNode:
 			bindName, err := computeBindName(rule.BindName, verifiedIdentity.ProjectedVars, acl.IsValidNodeIdentityName)
 			if err != nil {
 				return nil, err
 			}
 			bindings.NodeIdentities = append(bindings.NodeIdentities, &structs.ACLNodeIdentity{
 				NodeName:   bindName,
 				Datacenter: b.datacenter,
 			})
 		case structs.BindingRuleBindTypeTemplatedPolicy:
 			templatedPolicy, err := generateTemplatedPolicies(rule.BindName, rule.BindVars, verifiedIdentity.ProjectedVars)
 			if err != nil {
 				return nil, err
 			}
 			bindings.TemplatedPolicies = append(bindings.TemplatedPolicies, templatedPolicy)
 		case structs.BindingRuleBindTypeRole:
 			bindName, err := computeBindName(rule.BindName, verifiedIdentity.ProjectedVars, acl.IsValidRoleName)
 			if err != nil {
 				return nil, err
 			}
 			_, role, err := b.store.ACLRoleGetByName(nil, bindName, &bindings.EnterpriseMeta)
 			if err != nil {
 				return nil, err
@ -131,11 +141,11 @@ func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authm
 	return &bindings, nil
 }
-// IsValidBindNameOrBindVars returns whether the given BindName and/or BindVars template produces valid
+// IsValidBindingRule returns whether the given BindName and/or BindVars template produces valid
 // results when interpolating the auth method's available variables.
-func IsValidBindNameOrBindVars(bindType, bindName string, bindVars *structs.ACLTemplatedPolicyVariables, availableVariables []string) (bool, error) {
+func IsValidBindingRule(bindType, bindName string, bindVars *structs.ACLTemplatedPolicyVariables, availableVariables []string) error {
 	if bindType == "" || bindName == "" {
-		return false, nil
+		return errors.New("bindType and bindName must not be empty")
 	}
 	fakeVarMap := make(map[string]string)
@ -143,63 +153,66 @@ func IsValidBindNameOrBindVars(bindType, bindName string, bindVars *structs.ACLT
 		fakeVarMap[v] = "fake"
 	}
 	_, _, valid, err := computeBindNameAndVars(bindType, bindName, bindVars, fakeVarMap)
 	if err != nil {
 		return false, err
 	}
 	return valid, nil
 }
 // computeBindNameAndVars processes the HIL for the provided bind type+name+vars using the
 // projected variables. When bindtype is templated-policy, it returns the resulting templated policy
 // otherwise, returns nil
 //
 // when bindtype is not templated-policy: it evaluates bindName
 // - If the HIL is invalid ("", nil, false, AN_ERROR) is returned.
 // - If the computed name is not valid for the type ("INVALID_NAME", nil, false, nil) is returned.
 // - If the computed name is valid for the type ("VALID_NAME", nil, true, nil) is returned.
 // when bindtype is templated-policy: it evalueates both bindName and bindVars
 // - If the computed bindvars(failing templated policy schema validation) are invalid ("", nil, false, AN_ERROR) is returned.
 // - if the HIL in bindvars is invalid it returns ("", nil, false, AN_ERROR)
 // - if the computed bindvars are valid and templated policy validation is successful it returns (bindName, TemplatedPolicy, true, nil)
 func computeBindNameAndVars(bindType, bindName string, bindVars *structs.ACLTemplatedPolicyVariables, projectedVars map[string]string) (string, *structs.ACLTemplatedPolicy, bool, error) {
 	bindName, err := template.InterpolateHIL(bindName, projectedVars, true)
 	if err != nil {
 		return "", nil, false, err
 	}
 	var templatedPolicy *structs.ACLTemplatedPolicy
 	var valid bool
 	switch bindType {
 	case structs.BindingRuleBindTypeService:
-		valid = acl.IsValidServiceIdentityName(bindName)
+		if _, err := computeBindName(bindName, fakeVarMap, acl.IsValidServiceIdentityName); err != nil {
-	case structs.BindingRuleBindTypeNode:
+			return fmt.Errorf("failed to validate bindType %q: %w", bindType, err)
 		valid = acl.IsValidNodeIdentityName(bindName)
 	case structs.BindingRuleBindTypeRole:
 		valid = acl.IsValidRoleName(bindName)
 	case structs.BindingRuleBindTypeTemplatedPolicy:
 		templatedPolicy, valid, err = generateTemplatedPolicies(bindName, bindVars, projectedVars)
 		if err != nil {
 			return "", nil, false, err
 		}
 	case structs.BindingRuleBindTypeNode:
 		if _, err := computeBindName(bindName, fakeVarMap, acl.IsValidNodeIdentityName); err != nil {
 			return fmt.Errorf("failed to validate bindType %q: %w", bindType, err)
 		}
 	case structs.BindingRuleBindTypeTemplatedPolicy:
 		// If user-defined templated policies are supported in the future,
 		// we will need to lookup state to ensure a template exists for given
 		// bindName. A possible solution is to rip out the check for templated
 		// policy into its own step which has access to the state store.
 		if _, err := generateTemplatedPolicies(bindName, bindVars, fakeVarMap); err != nil {
 			return fmt.Errorf("failed to validate bindType %q: %w", bindType, err)
 		}
 	case structs.BindingRuleBindTypeRole:
 		if _, err := computeBindName(bindName, fakeVarMap, acl.IsValidRoleName); err != nil {
 			return fmt.Errorf("failed to validate bindType %q: %w", bindType, err)
 		}
 	default:
-		return "", nil, false, fmt.Errorf("unknown binding rule bind type: %s", bindType)
+		return fmt.Errorf("Invalid Binding Rule: unknown BindType %q", bindType)
 	}
-	return bindName, templatedPolicy, valid, nil
+	return nil
 }
-func generateTemplatedPolicies(bindName string, bindVars *structs.ACLTemplatedPolicyVariables, projectedVars map[string]string) (*structs.ACLTemplatedPolicy, bool, error) {
+// computeBindName interprets given HIL bindName with any given variables in projectedVars.
-	computedBindVars, err := computeBindVars(bindVars, projectedVars)
+// validate (if not nil) will be called on the interpreted string.
 func computeBindName(bindName string, projectedVars map[string]string, validate func(string) bool) (string, error) {
 	computed, err := template.InterpolateHIL(bindName, projectedVars, true)
 	if err != nil {
-		return nil, false, err
+		return "", fmt.Errorf("error interpreting template: %w", err)
 	}
 	if validate != nil && !validate(computed) {
 		return "", fmt.Errorf("invalid bind name: %q", computed)
 	}
 	return computed, nil
 }
 // generateTemplatedPolicies fetches a templated policy by bindName then attempts to interpret
 // bindVars with any given variables in projectedVars. The resulting template is validated
 // by the template's schema.
 func generateTemplatedPolicies(
 	bindName string,
 	bindVars *structs.ACLTemplatedPolicyVariables,
 	projectedVars map[string]string,
 ) (*structs.ACLTemplatedPolicy, error) {
 	baseTemplate, ok := structs.GetACLTemplatedPolicyBase(bindName)
 	if !ok {
 		return nil, fmt.Errorf("Bind name for templated-policy bind type does not match existing template name: %s", bindName)
 	}
-	baseTemplate, ok := structs.GetACLTemplatedPolicyBase(bindName)
+	computedBindVars, err := computeBindVars(bindVars, projectedVars)
-
+	if err != nil {
-	if !ok {
+		return nil, fmt.Errorf("failed to interpret templated policy variables: %w", err)
 		return nil, false, fmt.Errorf("Bind name for templated-policy bind type does not match existing template name: %s", bindName)
 	}
 	out := &structs.ACLTemplatedPolicy{
@ -208,12 +221,11 @@ func generateTemplatedPolicies(bindName string, bindVars *structs.ACLTemplatedPo
 		TemplateID:        baseTemplate.TemplateID,
 	}
-	err = out.ValidateTemplatedPolicy(baseTemplate.Schema)
+	if err := out.ValidateTemplatedPolicy(baseTemplate.Schema); err != nil {
-	if err != nil {
+		return nil, fmt.Errorf("templated policy failed validation: %w", err)
 		return nil, false, fmt.Errorf("templated policy failed validation. Error: %v", err)
 	}
-	return out, true, nil
+	return out, nil
 }
 func computeBindVars(bindVars *structs.ACLTemplatedPolicyVariables, projectedVars map[string]string) (*structs.ACLTemplatedPolicyVariables, error) {
--- a/agent/consul/auth/binder_test.go
+++ b/agent/consul/auth/binder_test.go
@ -119,7 +119,7 @@ func TestBinder_Roles_NameValidation(t *testing.T) {
 	_, err := binder.Bind(&structs.ACLAuthMethod{}, &authmethod.Identity{})
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "bind name for bind target is invalid")
+	require.Contains(t, err.Error(), "invalid bind name")
 }
 func TestBinder_ServiceIdentities_Success(t *testing.T) {
@ -187,7 +187,7 @@ func TestBinder_ServiceIdentities_NameValidation(t *testing.T) {
 	_, err := binder.Bind(&structs.ACLAuthMethod{}, &authmethod.Identity{})
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "bind name for bind target is invalid")
+	require.Contains(t, err.Error(), "invalid bind name")
 }
 func TestBinder_NodeIdentities_Success(t *testing.T) {
@ -255,88 +255,87 @@ func TestBinder_NodeIdentities_NameValidation(t *testing.T) {
 	_, err := binder.Bind(&structs.ACLAuthMethod{}, &authmethod.Identity{})
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "bind name for bind target is invalid")
+	require.Contains(t, err.Error(), "invalid bind name")
 }
-func Test_IsValidBindNameOrBindVars(t *testing.T) {
+func Test_IsValidBindingRule(t *testing.T) {
 	type testcase struct {
 		name     string
 		bindType string
 		bindName string
 		bindVars *structs.ACLTemplatedPolicyVariables
 		fields   string
-		valid    bool // valid HIL, invalid contents
+		err      bool
 		err      bool // invalid HIL
 	}
 	for _, test := range []testcase{
 		{"no bind type",
-			"", "", nil, "", false, false},
+			"", "", nil, "", true},
 		{"bad bind type",
-			"invalid", "blah", nil, "", false, true},
+			"invalid", "blah", nil, "", true},
 		// valid HIL, invalid name
 		{"empty",
-			"both", "", nil, "", false, false},
+			"both", "", nil, "", true},
 		{"just end",
-			"both", "}", nil, "", false, false},
+			"both", "}", nil, "", true},
 		{"var without start",
-			"both", " item }", nil, "item", false, false},
+			"both", " item }", nil, "item", true},
 		{"two vars missing second start",
-			"both", "before-${ item }after--more }", nil, "item,more", false, false},
+			"both", "before-${ item }after--more }", nil, "item,more", true},
 		// names for the two types are validated differently
 		{"@ is disallowed",
-			"both", "bad@name", nil, "", false, false},
+			"both", "bad@name", nil, "", true},
 		{"leading dash",
-			"role", "-name", nil, "", true, false},
+			"role", "-name", nil, "", false},
 		{"leading dash",
-			"service", "-name", nil, "", false, false},
+			"service", "-name", nil, "", true},
 		{"trailing dash",
-			"role", "name-", nil, "", true, false},
+			"role", "name-", nil, "", false},
 		{"trailing dash",
-			"service", "name-", nil, "", false, false},
+			"service", "name-", nil, "", true},
 		{"inner dash",
-			"both", "name-end", nil, "", true, false},
+			"both", "name-end", nil, "", false},
 		{"upper case",
-			"role", "NAME", nil, "", true, false},
+			"role", "NAME", nil, "", false},
 		{"upper case",
-			"service", "NAME", nil, "", false, false},
+			"service", "NAME", nil, "", true},
 		// valid HIL, valid name
 		{"no vars",
-			"both", "nothing", nil, "", true, false},
+			"both", "nothing", nil, "", false},
 		{"just var",
-			"both", "${item}", nil, "item", true, false},
+			"both", "${item}", nil, "item", false},
 		{"var in middle",
-			"both", "before-${item}after", nil, "item", true, false},
+			"both", "before-${item}after", nil, "item", false},
 		{"two vars",
-			"both", "before-${item}after-${more}", nil, "item,more", true, false},
+			"both", "before-${item}after-${more}", nil, "item,more", false},
 		// bad
 		{"no bind name",
-			"both", "", nil, "", false, false},
+			"both", "", nil, "", true},
 		{"just start",
-			"both", "${", nil, "", false, true},
+			"both", "${", nil, "", true},
 		{"backwards",
-			"both", "}${", nil, "", false, true},
+			"both", "}${", nil, "", true},
 		{"no varname",
-			"both", "${}", nil, "", false, true},
+			"both", "${}", nil, "", true},
 		{"missing map key",
-			"both", "${item}", nil, "", false, true},
+			"both", "${item}", nil, "", true},
 		{"var without end",
-			"both", "${ item ", nil, "item", false, true},
+			"both", "${ item ", nil, "item", true},
 		{"two vars missing first end",
-			"both", "before-${ item after-${ more }", nil, "item,more", false, true},
+			"both", "before-${ item after-${ more }", nil, "item,more", true},
 		// bind type: templated policy - bad input
-		{"templated-policy missing bindvars", "templated-policy", "builtin/service", nil, "", false, true},
+		{"templated-policy missing bindvars", "templated-policy", "builtin/service", nil, "", true},
 		{"templated-policy with unknown templated policy name",
-			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${item}after-${more}"}, "", false, true},
+			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${item}after-${more}"}, "", true},
 		{"templated-policy with correct bindvars and unknown vars",
-			"templated-policy", "builtin/fake", &structs.ACLTemplatedPolicyVariables{Name: "test"}, "", false, true},
+			"templated-policy", "builtin/fake", &structs.ACLTemplatedPolicyVariables{Name: "test"}, "", true},
 		{"templated-policy with correct bindvars but incorrect HIL",
-			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${ item }after--more }"}, "", false, true},
+			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${ item }after--more }"}, "", true},
 		// bind type: templated policy - good input
 		{"templated-policy with appropriate bindvars",
-			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${item}after-${more}"}, "item,more", true, false},
+			"templated-policy", "builtin/service", &structs.ACLTemplatedPolicyVariables{Name: "before-${item}after-${more}"}, "item,more", false},
 	} {
 		var cases []testcase
 		if test.bindType == "both" {
@ -353,19 +352,13 @@ func Test_IsValidBindNameOrBindVars(t *testing.T) {
 			test := test
 			t.Run(test.bindType+"--"+test.name, func(t *testing.T) {
 				t.Parallel()
-				valid, err := IsValidBindNameOrBindVars(
+				err := IsValidBindingRule(
 					test.bindType,
 					test.bindName,
 					test.bindVars,
 					strings.Split(test.fields, ","),
 				)
-				if test.err {
+				require.Equal(t, test.err, err != nil)
 					require.NotNil(t, err)
 					require.False(t, valid)
 				} else {
 					require.NoError(t, err)
 					require.Equal(t, test.valid, valid)
 				}
 			})
 		}
 	}
--- a/agent/structs/acl_templated_policy.go
+++ b/agent/structs/acl_templated_policy.go
@ -11,12 +11,13 @@ import (
 	"hash/fnv"
 	"html/template"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/lib/stringslice"
 	"github.com/hashicorp/go-multierror"
 	"github.com/xeipuuv/gojsonschema"
 	"golang.org/x/exp/slices"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/lib/stringslice"
 )
 //go:embed acltemplatedpolicy/schemas/node.json
@ -25,13 +26,17 @@ var ACLTemplatedPolicyNodeSchema string
 //go:embed acltemplatedpolicy/schemas/service.json
 var ACLTemplatedPolicyServiceSchema string
 //go:embed acltemplatedpolicy/schemas/workload-identity.json
 var ACLTemplatedPolicyWorkloadIdentitySchema string
 type ACLTemplatedPolicies []*ACLTemplatedPolicy
 const (
-	ACLTemplatedPolicyServiceID     = "00000000-0000-0000-0000-000000000003"
+	ACLTemplatedPolicyServiceID          = "00000000-0000-0000-0000-000000000003"
-	ACLTemplatedPolicyNodeID        = "00000000-0000-0000-0000-000000000004"
+	ACLTemplatedPolicyNodeID             = "00000000-0000-0000-0000-000000000004"
-	ACLTemplatedPolicyDNSID         = "00000000-0000-0000-0000-000000000005"
+	ACLTemplatedPolicyDNSID              = "00000000-0000-0000-0000-000000000005"
-	ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
+	ACLTemplatedPolicyNomadServerID      = "00000000-0000-0000-0000-000000000006"
 	ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
 	ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
 )
@ -73,6 +78,12 @@ var (
 			Schema:       ACLTemplatedPolicyNoRequiredVariablesSchema,
 			Template:     ACLTemplatedPolicyNomadServer,
 		},
 		api.ACLTemplatedPolicyWorkloadIdentityName: {
 			TemplateID:   ACLTemplatedPolicyWorkloadIdentityID,
 			TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
 			Schema:       ACLTemplatedPolicyWorkloadIdentitySchema,
 			Template:     ACLTemplatedPolicyWorkloadIdentity,
 		},
 	}
 )
--- a/agent/structs/acl_templated_policy_ce.go
+++ b/agent/structs/acl_templated_policy_ce.go
@ -19,6 +19,9 @@ var ACLTemplatedPolicyDNS string
 //go:embed acltemplatedpolicy/policies/ce/nomad-server.hcl
 var ACLTemplatedPolicyNomadServer string
 //go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl
 var ACLTemplatedPolicyWorkloadIdentity string
 func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
 	if len(t.TemplatedPolicies) == 0 {
 		return nil
--- a/agent/structs/acl_templated_policy_ce_test.go
+++ b/agent/structs/acl_templated_policy_ce_test.go
@ -8,8 +8,9 @@ package structs
 import (
 	"testing"
 	"github.com/hashicorp/consul/api"
 	"github.com/stretchr/testify/require"
 	"github.com/hashicorp/consul/api"
 )
 func TestStructs_ACLTemplatedPolicy_SyntheticPolicy(t *testing.T) {
@ -79,6 +80,21 @@ service_prefix "" {
 }
 query_prefix "" {
 	policy = "read"
 }`,
 			},
 		},
 		"workload-identity-template": {
 			templatedPolicy: &ACLTemplatedPolicy{
 				TemplateID:   ACLTemplatedPolicyWorkloadIdentityID,
 				TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
 				TemplateVariables: &ACLTemplatedPolicyVariables{
 					Name: "api",
 				},
 			},
 			expectedPolicy: &ACLPolicy{
 				Description: "synthetic policy generated from templated policy: builtin/workload-identity",
 				Rules: `identity "api" {
 	policy = "write"
 }`,
 			},
 		},
--- a/agent/structs/acltemplatedpolicy/policies/ce/workload-identity.hcl
+++ b/agent/structs/acltemplatedpolicy/policies/ce/workload-identity.hcl
@ -0,0 +1,3 @@
 identity "{{.Name}}" {
 	policy = "write"
 }
--- a/agent/structs/acltemplatedpolicy/schemas/workload-identity.json
+++ b/agent/structs/acltemplatedpolicy/schemas/workload-identity.json
@ -0,0 +1,13 @@
 {
  "type": "object",
  "properties": {
    "name": { "type": "string", "$ref": "#/definitions/min-length-one" }
  },
  "required": ["name"],
  "definitions": {
    "min-length-one": {
      "type": "string",
      "minLength": 1
    }
  }
 }
--- a/api/acl.go
+++ b/api/acl.go
@ -21,10 +21,11 @@ const (
 	ACLManagementType = "management"
 	// ACLTemplatedPolicy names
-	ACLTemplatedPolicyServiceName     = "builtin/service"
+	ACLTemplatedPolicyServiceName          = "builtin/service"
-	ACLTemplatedPolicyNodeName        = "builtin/node"
+	ACLTemplatedPolicyNodeName             = "builtin/node"
-	ACLTemplatedPolicyDNSName         = "builtin/dns"
+	ACLTemplatedPolicyDNSName              = "builtin/dns"
-	ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
+	ACLTemplatedPolicyNomadServerName      = "builtin/nomad-server"
 	ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
 )
 type ACLLink struct {