feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)

Adds an optional kv_read_paths list to the app_policy module (default []) so an
app's env=prod runtime policy can read extra kvv2 data paths — e.g. a shared
backup-creds path owned by another app. Plumbed through the root applications
schema + module call (dynamic rule, read+list).

Set for erp: kv_read_paths = ["kvv2/data/longhorn/gcs-backup"], so the dedicated
Dolibarr backup CronJob (erp chart, gated) can read the existing GCS HMAC creds
via its own VaultStaticSecret instead of borrowing the Longhorn secret
cross-namespace or duplicating credentials.

No-op for every other app (default []). Only the `erp` runtime policy gains one
read+list rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hashicorp-vault/iac/main.tf

@@ -80,6 +80,7 @@ module "app_policies" {
   name                       = each.value.name
   envs                       = each.value.envs
   ops_policies               = each.value.ops_policies
+  kv_read_paths              = each.value.kv_read_paths
   service_account_names      = each.value.service_account_names
   service_account_namespaces = each.value.service_account_namespaces
   gitea_app_id               = var.gitea_app_id

hashicorp-vault/iac/modules/app_policy/main.tf

@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
     path         = "postgres/creds/${local.name}*"
     capabilities = ["read"]
   }
+  # Extra shared paths this app's prod runtime may read (e.g. backup creds).
+  dynamic "rule" {
+    for_each = var.kv_read_paths
+    content {
+      path         = rule.value
+      capabilities = ["read", "list"]
+    }
+  }
 }
 resource "vault_policy" "app" {
   name   = local.name

hashicorp-vault/iac/modules/app_policy/variables.tf

@@ -23,3 +23,8 @@ variable "service_account_namespaces" {
   default     = []
   description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
 }
+variable "kv_read_paths" {
+  type        = list(string)
+  default     = []
+  description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
+}

hashicorp-vault/iac/terraform.tfvars

@@ -1,18 +1,22 @@
 applications = [
   { name = "webapp" },
-  { name = "erp", envs = ["prod", "sandbox"] },
+  {
+    name          = "erp"
+    envs          = ["prod", "sandbox"]
+    kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
+  },
   { name = "dance-lessons-coach" },
   {
-    name                   = "cms"
-    ops_policies               = ["factory__cf_r2_arcodange_tf"]
+    name                  = "cms"
+    ops_policies          = ["factory__cf_r2_arcodange_tf"]
     service_account_names = ["cloudflared"]
   },
   {
-    name = "crowdsec"
+    name                       = "crowdsec"
     service_account_namespaces = ["tools"]
   },
   {
-    name = "plausible"
+    name                       = "plausible"
     service_account_namespaces = ["tools"]
   },
 ]

hashicorp-vault/iac/variables.tf

@@ -19,5 +19,8 @@ variable "applications" {
     # every existing app — backwards compatible by the elision rule. Non-prod envs
     # produce additional runtime policies named "<name>-<env>".
     envs = optional(list(string), ["prod"])
+    # Extra kvv2 data paths the app's prod runtime policy may read (read,list) —
+    # e.g. a shared backup-creds path owned by another app. Default none.
+    kv_read_paths = optional(list(string), [])
   }))
 }