From 512d8e964d650305f2a1db911636a9053a587022 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Thu, 27 Nov 2025 22:52:02 +0100
Subject: [PATCH] allow several SA to take an app policy
---
 hashicorp-vault/iac/modules/app_policy/main.tf | 8 +++++---
 .../iac/modules/app_policy/variables.tf | 10 ++++++++++
 hashicorp-vault/iac/modules/app_roles/main.tf | 12 ++++++++++--
 hashicorp-vault/iac/modules/app_roles/variables.tf | 14 ++++++++++++++
 hashicorp-vault/iac/terraform.tfvars | 6 +++++-
 5 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/hashicorp-vault/iac/modules/app_policy/main.tf b/hashicorp-vault/iac/modules/app_policy/main.tf
index 9dc3907..5e3dfb7 100644
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -6,7 +6,9 @@
 # - postgres role
 locals {
- name = lower(var.name)
+ name = lower(var.name)
+ bound_service_account_names = concat([var.name], var.service_accounts_names)
+ bound_service_account_namespaces = concat([var.name], var.service_accounts_namespaces)
 }
 data "vault_policy_document" "ops" {
@@ -58,11 +60,11 @@ data "vault_policy_document" "ops" {
 }
 allowed_parameter {
 key = "bound_service_account_names"
- value = [jsonencode([local.name])]
+ value = [jsonencode(local.bound_service_account_names)]
 }
 allowed_parameter {
 key = "bound_service_account_namespaces"
- value = [jsonencode([local.name])]
+ value = [jsonencode(local.bound_service_account_namespaces)]
 }
 allowed_parameter {
 key = "token_policies"
diff --git a/hashicorp-vault/iac/modules/app_policy/variables.tf b/hashicorp-vault/iac/modules/app_policy/variables.tf
index c475c2a..5118225 100644
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
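Review bot: The first element of the new `bound_service_account_names` and `bound_service_account_namespaces` locals is `var.name`, whereas the value they replace was `[local.name]`, i.e. `lower(var.name)`; an application whose name is not already lowercase would now be bound to a service account and namespace that differ from its `role_name` (still `local.name`) and from what the policy allowed before this commit. The identical expressions are repeated in the `locals` block of hashicorp-vault/iac/modules/app_roles/main.tf. Unless mixed-case names are intended, `concat([local.name], var.service_accounts_names)` and `concat([local.name], var.service_accounts_namespaces)` keep the two modules consistent with every other use of the name. A comment such as `# keep in sync with modules/app_roles locals: the ops policy allows exactly this list and nothing else` would make the coupling visible to the next editor.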
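Review bot: The allowed value in each `allowed_parameter` is the JSON encoding of the whole list, so the role side in app_roles/main.tf has to produce the same list — same elements, order and case — for a write by an `ops` principal to pass this policy; today both sides rely on repeating the same `concat` expression with nothing documenting that dependency, and a divergence would surface as a policy denial during apply rather than as a silent widening. Adding `# must equal jsonencode(local.bound_service_account_names) as built in modules/app_roles/main.tf` above the first `allowed_parameter` (and the namespace equivalent above the second) records why the lists are built identically in both modules. Note also that `var.service_accounts_names` is passed through without `lower()` or `distinct()`, so the operator-supplied entries are not normalised the way `var.name` is; if that is deliberate it is worth stating in the same comment.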
@@ -7,4 +7,14 @@ variable "gitea_app_id" {
 variable "policies" {
 type = list(string)
 default = []
+}
+variable "service_accounts_names" {
+ type = list(string)
+ default = []
+ description = "var.name will always be included by default - whitelist service account that can take this policy"
+}
+variable "service_accounts_namespaces" {
+ type = list(string)
+ default = []
+ description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
 }
\ No newline at end of file
diff --git a/hashicorp-vault/iac/modules/app_roles/main.tf b/hashicorp-vault/iac/modules/app_roles/main.tf
index 9b052f5..8e34c71 100644
--- a/hashicorp-vault/iac/modules/app_roles/main.tf
+++ b/hashicorp-vault/iac/modules/app_roles/main.tf
@@ -6,11 +6,19 @@ locals {
 name = lower(var.name)
 database = var.database == null ? local.name : var.database
+ bound_service_account_names = concat([var.name], var.service_accounts_names)
+ bound_service_account_namespaces = concat([var.name], var.service_accounts_namespaces)
+
 vault_mount_postgres = { path = "postgres" }
 vault_mount_kvv2 = { path = "kvv2" }
 }
+moved {
+ from = vault_database_secret_backend_role.role
+ to = vault_database_secret_backend_role.role[0]
+}
 resource "vault_database_secret_backend_role" "role" {
+ count = var.disable_database ? 0 : 1
 backend = local.vault_mount_postgres.path
 name = local.name
 db_name = "postgres"
@@ -29,8 +37,8 @@ resource "vault_database_secret_backend_role" "role" {
 resource "vault_kubernetes_auth_backend_role" "role" {
 backend = data.vault_auth_backend.kubernetes.path
 role_name = local.name
- bound_service_account_names = [local.name]
- bound_service_account_namespaces = [local.name]
+ bound_service_account_names = local.service_accounts_names
+ bound_service_account_namespaces = local.service_accounts_namespaces
 token_ttl = 3600
 token_policies = ["default", local.name]
 audience = "vault"
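Review bot: The descriptions of `service_accounts_names` and `service_accounts_namespaces` should say that the two lists are not paired: a Vault Kubernetes auth role admits any listed service account name from any listed namespace, so adding a single namespace here also admits the application's own service account name, and every other listed name, from that namespace. The same two descriptions are repeated in hashicorp-vault/iac/modules/app_roles/variables.tf. Something like `description = "Additional service account names allowed to use this application's role, on top of var.name. Combined with every entry of service_accounts_namespaces (the two lists are independent, not pairs)."` and the mirror text for the namespaces variable states the blast radius where the operator sets it.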
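Review bot: Adding `count` to `vault_database_secret_backend_role.role` changes its address, so any reference to it elsewhere in the module (outputs, `depends_on`, a policy path built from its `name`) now needs `[0]` or a `var.disable_database` guard; none are visible in this hunk, so a plan with `disable_database = true` is the way to confirm. The `moved` block only rewrites the state address and does not help with those references. It may also be worth noting in a comment that disabling the database role here does not remove whatever the app_policy module grants for the postgres role — the `# - postgres role` header in app_policy/main.tf suggests that grant still exists.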
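Review bot: `local.service_accounts_names` and `local.service_accounts_namespaces` are not defined — the `locals` block in the first hunk of this file names them `bound_service_account_names` and `bound_service_account_namespaces` — so `terraform plan` fails with an unsupported attribute error on `vault_kubernetes_auth_backend_role.role`. The two lines should read `bound_service_account_names = local.bound_service_account_names` and `bound_service_account_namespaces = local.bound_service_account_namespaces`. The resource block continues past the end of the hunk.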
diff --git a/hashicorp-vault/iac/modules/app_roles/variables.tf b/hashicorp-vault/iac/modules/app_roles/variables.tf
index 8b2f5f5..c3f2dad 100644
--- a/hashicorp-vault/iac/modules/app_roles/variables.tf
+++ b/hashicorp-vault/iac/modules/app_roles/variables.tf
@@ -5,4 +5,18 @@ variable "database" {
 type = string
 nullable = true
 default = null
+}
+variable "disable_database" {
+ type = bool
+ default = false
+}
+variable "service_accounts_names" {
+ type = list(string)
+ default = []
+ description = "var.name will always be included by default - whitelist service account that can take this policy"
+}
+variable "service_accounts_namespaces" {
+ type = list(string)
+ default = []
+ description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
 }
\ No newline at end of file
diff --git a/hashicorp-vault/iac/terraform.tfvars b/hashicorp-vault/iac/terraform.tfvars
index a9eeac7..657bef0 100644
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,5 +1,9 @@
 applications = [
 { name = "webapp" },
 { name = "erp" },
- { name = "cms", policies = ["factory__cf_r2_arcodange_tf"] },
+ {
+ name = "cms"
+ policies = ["factory__cf_r2_arcodange_tf"]
+ service_accounts_names = ["cloudflared"]
+ },
 ]
\ No newline at end of file
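Review bot: `disable_database` has no `description`, and the two descriptions copied from the app_policy module say the listed accounts "can take this policy" although in this module they feed the `bound_service_account_*` lists of the Kubernetes auth role. Suggested wording: `description = "Skip creating the postgres database role for this application (no DB credentials will be issued for it)"` on `disable_database`, and on the two list variables `description = "Additional service account names (resp. namespaces) bound to this application's Kubernetes auth role on top of var.name; names and namespaces are matched independently"`.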
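Review bot: Listing `cloudflared` under the `cms` application gives that service account the whole `cms` role, not a subset: the role's `token_policies = ["default", local.name]` in app_roles/main.tf is shared by every bound account, so `cloudflared` in the `cms` namespace receives everything the cms policy grants, which the app_policy header comment suggests includes the postgres role, not only the `factory__cf_r2_arcodange_tf` policy it presumably needs. If `cloudflared` only needs the R2 credentials, a separate application entry with just that policy keeps the database secret out of its reach. Either way a trailing comment on the new line, e.g. `service_accounts_names = ["cloudflared"] # inherits the full cms role, including DB creds`, records the decision.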