return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_AndIds{
			AndIds: &rbacpb.Principal_Set{
				Ids: principals,
			},
		},
	}
}

func principalNot(principal *rbacpb.Principal) *rbacpb.Principal {
	return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_NotId{
			NotId: principal,
		},
	}
}

            rules:
            - any: true
        principals:
        - andIds:
            ids:
            - orIds:
                ids:
                - authenticated:
                    principalName:
                      exact: spiffe://principals1
                - authenticated:
                    principalName:
                      exact: spiffe://principals2
      ns[foo]-policy[httpbin-6]-rule[0]:

	}

	var principals []*rbacpb.Principal
	for _, rl := range m.principals {
		principal, err := generatePrincipal(rl, forTCP, useAuthenticated, action)
		if err != nil {
			return nil, err
		}
		principals = append(principals, principal)
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("must have at least 1 principal")
	}

	return &rbacpb.Policy{

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]

                - authenticated:
                    principalName:
                      exact: spiffe://td1/ns/foo/sa/rule[0]-from[1]-principal[1]
                - authenticated:
                    principalName:
                      safeRegex:
                        regex: spiffe://.*bar/ns/foo/sa/rule[0]-from[1]-principal[1]

	for _, principal := range principals {
		isTrustDomainBeingEnforced := isTrustDomainBeingEnforced(principal)
		// Return the existing principals if the policy doesn't care about the trust domain.
		if !isTrustDomainBeingEnforced {
			principalsIncludingAliases = append(principalsIncludingAliases, principal)
			continue
		}
		trustDomainFromPrincipal, err := getTrustDomainFromSpiffeIdentity(principal)
		if err != nil {

            methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Allowed.ServiceAccountName }}" ]
    - to:

            methods: [ "GET" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # GRPC
            ports: [ "{{ (.To.PortForName `grpc`).WorkloadPort }}" ]
            paths: [ "/proto.EchoTestService/Echo" ]
            methods: [ "POST" ]
      from:
        - source:
            principals: [ "{{ .Denied.ServiceAccountName }}" ]
    - to:
        - operation: # TCP

                        exact: spiffe://not-principal
                  - authenticated:
                      principalName:
                        safeRegex:
                          regex: spiffe://.*not-principal-suffix
                  - authenticated:
                      principalName:
                        prefix: spiffe://not-principal-prefix
                  - authenticated:
                      principalName:

  rules:
  # Has mix of L4 and L7 in from
  - from:
    - source:
        principals: ["from-mix-principal"]
        requestPrincipals: ["from-mix-requestPrincipals"]
        namespaces: ["from-mix-ns"]
    to:
    - operation:
        ports: ["80"]
  # Has mix of L4 and L7 in to
  - from:
    - source:
        principals: ["to-mix-principal"]
        namespaces: ["to-mix-ns"]
    to:
    - operation: