modules: add env/envs parameter to app_roles + app_policy (multi-env)

Phase A of the multi-environment evolution agreed in the erp repo design
thread. Both modules gain an optional env coordinate that defaults to
"prod"; by the elision rule, env=prod produces the existing single-env
derived names character-for-character, so every existing app's tofu plan
should be a no-op.

app_roles (per-instance module — caller iterates over envs):
- variables.tf: add optional env = "prod"
- main.tf: compute local.instance via elision rule + local.owner_role
  (snake-case <name>_<env>_role for the Postgres owner)
- main.tf: substitute local.name -> local.instance in all derived names
  (dynamic role name, k8s role name, SA bindings, token_policies)
- outputs.tf: add env + instance outputs; kvv2_path_prefix now derives
  from local.instance (== local.name when env=prod -> backwards-compat)

app_policy (per-repo module — accepts list of envs):
- variables.tf: add optional envs = ["prod"]
- main.tf: compute local.instances + local.non_prod_instances
- main.tf: refactor kvv2 ops rules to dynamic blocks iterating local.instances
  preserving the original rule order (data, delete, undelete, destroy,
  metadata) so prod-only apps render a byte-identical policy document
- main.tf: allowed_parameter blocks for k8s role's bound_service_account_*
  and token_policies use comprehensions over local.instances
- main.tf: keep vault_policy.app (the env=prod runtime policy) at its
  original address; add vault_policy.app_non_prod via for_each over
  non_prod_instances for the other envs

Top-level wiring:
- iac/variables.tf: add envs = optional(list(string), ["prod"]) to the
  applications set(object) type
- iac/main.tf: pass envs = each.value.envs through to app_policies

`tofu validate` passes. Every existing app's tofu plan should report no
changes because: (1) env="prod" defaults are used everywhere, (2) the
elision rule makes local.instance == local.name for prod, (3) dynamic
rule blocks preserve declaration order, (4) the new app_non_prod resource
is created via for_each over an empty set when no non-prod envs are
declared.

Phase B (factory postgres iac + argocd + runbook docs) and Phase D
(erp iac/main.tf for_each + activate sandbox) follow in their own PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hashicorp-vault/iac/modules/app_roles/main.tf

@@ -3,11 +3,19 @@ data "vault_auth_backend" "kubernetes" {
 }
 
 locals {
-  name     = lower(var.name)
-  database = var.database == null ? local.name : var.database
+  name = lower(var.name)
+  env  = lower(var.env)
+  # Elision rule (factory runbook conventions.md):
+  #   env == prod → identical to the single-env baseline (no suffix)
+  #   else        → kebab-case "<name>-<env>" for K8s/Vault paths
+  instance = local.env == "prod" ? local.name : "${local.name}-${local.env}"
+  # Postgres owner role stays snake-case for consistency with the existing "_role" suffix.
+  owner_role = local.env == "prod" ? "${local.name}_role" : "${local.name}_${local.env}_role"
 
-  bound_service_account_names      = concat([var.name], var.service_account_names)
-  bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
+  database = var.database == null ? local.instance : var.database
+
+  bound_service_account_names      = concat([local.instance], var.service_account_names)
+  bound_service_account_namespaces = concat([local.instance], var.service_account_namespaces)
 
   vault_mount_postgres = { path = "postgres" }
   vault_mount_kvv2     = { path = "kvv2" }
@@ -20,14 +28,14 @@ moved {
 resource "vault_database_secret_backend_role" "role" {
   count   = var.disable_database ? 0 : 1
   backend = local.vault_mount_postgres.path
-  name    = local.name
+  name    = local.instance
   db_name = "postgres"
   creation_statements = [
     "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
-    "GRANT ${local.name}_role TO \"{{name}}\";",
+    "GRANT ${local.owner_role} TO \"{{name}}\";",
   ]
   revocation_statements = [
-    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
+    "REASSIGN OWNED BY \"{{name}}\" TO ${local.owner_role};", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
     "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ? -> YES after fixing reassign
   ]
   renew_statements    = []
@@ -36,11 +44,11 @@ resource "vault_database_secret_backend_role" "role" {
 
 resource "vault_kubernetes_auth_backend_role" "role" {
   backend                          = data.vault_auth_backend.kubernetes.path
-  role_name                        = local.name
+  role_name                        = local.instance
   bound_service_account_names      = local.bound_service_account_names
   bound_service_account_namespaces = local.bound_service_account_namespaces
   token_ttl                        = 3600
-  token_policies                   = ["default", local.name]
+  token_policies                   = ["default", local.instance]
   audience                         = "vault"
   alias_name_source                = "serviceaccount_name"
 }

hashicorp-vault/iac/modules/app_roles/outputs.tf

@@ -1,6 +1,13 @@
 output "name" {
   value = local.name
 }
+output "env" {
+  value = local.env
+}
+output "instance" {
+  value       = local.instance
+  description = "Derived id by the elision rule: equals name when env=prod, else <name>-<env>."
+}
 output "database" {
   value = local.database
 }
@@ -12,5 +19,6 @@ output "mount_paths" {
   }
 }
 output "kvv2_path_prefix" {
-  value = format("%s/", local.name)
+  # Identical to format("%s/", local.name) when env=prod (backwards compat).
+  value = format("%s/", local.instance)
 }

hashicorp-vault/iac/modules/app_roles/variables.tf

@@ -1,6 +1,11 @@
 variable "name" {
   type = string
 }
+variable "env" {
+  type        = string
+  default     = "prod"
+  description = "Deployment environment. By the elision rule (factory runbook conventions.md), env=prod produces names identical to the single-env baseline; non-prod values produce <name>-<env> kebab-case and <name>_<env>_role for the Postgres owner role."
+}
 variable "database" {
   type     = string
   nullable = true