From 2953ec3202ddbea1166345e384f844199e2c3002 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Tue, 30 Jun 2026 16:29:15 +0200
Subject: [PATCH] feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an optional kv_read_paths list to the app_policy module (default []) so an app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared backup-creds path owned by another app. Plumbed through the root applications schema + module call (dynamic rule, read+list). Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds via its own VaultStaticSecret instead of borrowing the Longhorn secret cross-namespace or duplicating credentials. No-op for every other app (default []). Only the `erp` runtime policy gains one read+list rule.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 hashicorp-vault/iac/main.tf | 1 +
 hashicorp-vault/iac/modules/app_policy/main.tf | 8 ++++++++
 .../iac/modules/app_policy/variables.tf | 5 +++++
 hashicorp-vault/iac/terraform.tfvars | 14 +++++++++-----
 hashicorp-vault/iac/variables.tf | 3 +++
 5 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/hashicorp-vault/iac/main.tf b/hashicorp-vault/iac/main.tf
index f90cf14..f00c6db 100644
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -80,6 +80,7 @@ module "app_policies" {
   name = each.value.name
   envs = each.value.envs
   ops_policies = each.value.ops_policies
+  kv_read_paths = each.value.kv_read_paths
   service_account_names = each.value.service_account_names
   service_account_namespaces = each.value.service_account_namespaces
   gitea_app_id = var.gitea_app_id
diff --git a/hashicorp-vault/iac/modules/app_policy/main.tf b/hashicorp-vault/iac/modules/app_policy/main.tf
index b85973d..6e7a34d 100644
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
     path = "postgres/creds/${local.name}*"
     capabilities = ["read"]
   }
+  # Extra shared paths this app's prod runtime may read (e.g. backup creds).
+  dynamic "rule" {
+    for_each = var.kv_read_paths
+    content {
+      path = rule.value
+      capabilities = ["read", "list"]
+    }
+  }
 }
 resource "vault_policy" "app" {
   name = local.name
diff --git a/hashicorp-vault/iac/modules/app_policy/variables.tf b/hashicorp-vault/iac/modules/app_policy/variables.tf
index 432c999..2b7dcf7 100644
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -22,4 +22,9 @@ variable "service_account_namespaces" {
   type = list(string)
   default = []
   description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
+}
+variable "kv_read_paths" {
+  type = list(string)
+  default = []
+  description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
 }
\ No newline at end of file
diff --git a/hashicorp-vault/iac/terraform.tfvars b/hashicorp-vault/iac/terraform.tfvars
index 74d9971..ba57c93 100644
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
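Review bot: The `list` capability in the new dynamic "rule" block (`capabilities = ["read", "list"]`) is very likely dead weight on a KV v2 `data/` path: in KV v2 listing is served from the `metadata/` prefix, so `list` on `kvv2/data/...` neither enables listing nor is needed for the VaultStaticSecret read the description mentions. Keeping the added rule to what the backup CronJob actually uses, `capabilities = ["read"]`, is the least-privilege form; if listing is really wanted it belongs on a separate `kvv2/metadata/...` rule rather than being bundled here. It would also help to state in the comment above the block that `rule.value` is emitted verbatim into the policy (no prefix is enforced by the module), e.g. `# Paths are used as-is — callers must pass concrete kvv2/data/... paths, not globs.` The enclosing `data "vault_policy_document" "app"` block starts before this hunk.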
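Review bot: The new `kv_read_paths` variable accepts any string and the module interpolates each entry straight into a policy `path`, so a tfvars typo or a glob such as `kvv2/data/*` or `kvv2/*` would widen the prod runtime policy far beyond the single shared backup-creds path the description promises. A `validation` block pinning entries to concrete `kvv2/data/` paths without `*` or `+` wildcards makes the documented contract enforceable at plan time, and also rejects `kvv2/metadata/...` or `sys/...` entries that the description text does not intend. Type, default and description stay as added.
```hcl
variable "kv_read_paths" {
  # … unchanged: type, default, description …
  validation {
    condition     = alltrue([for p in var.kv_read_paths : can(regex("^kvv2/data/[^*+]+$", p))])
    error_message = "kv_read_paths entries must be concrete kvv2/data/... paths (no * or + wildcards)."
  }
}
```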
@@ -1,18 +1,22 @@
 applications = [
   { name = "webapp" },
-  { name = "erp", envs = ["prod", "sandbox"] },
+  {
+    name = "erp"
+    envs = ["prod", "sandbox"]
+    kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
+  },
   { name = "dance-lessons-coach" },
   {
-    name = "cms"
-    ops_policies = ["factory__cf_r2_arcodange_tf"]
+    name = "cms"
+    ops_policies = ["factory__cf_r2_arcodange_tf"]
     service_account_names = ["cloudflared"]
   },
   {
-    name = "crowdsec"
+    name = "crowdsec"
     service_account_namespaces = ["tools"]
   },
   {
-    name = "plausible"
+    name = "plausible"
     service_account_namespaces = ["tools"]
   },
 ]
\ No newline at end of file
diff --git a/hashicorp-vault/iac/variables.tf b/hashicorp-vault/iac/variables.tf
index aa01227..e9f6308 100644
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -19,5 +19,8 @@ variable "applications" {
   # every existing app — backwards compatible by the elision rule. Non-prod envs
   # produce additional runtime policies named "-".
   envs = optional(list(string), ["prod"])
+  # Extra kvv2 data paths the app's prod runtime policy may read (read,list) —
+  # e.g. a shared backup-creds path owned by another app. Default none.
+  kv_read_paths = optional(list(string), [])
 }))
 }
\ No newline at end of file