modules: add env/envs parameter to app_roles + app_policy (multi-env)

Phase A of the multi-environment evolution agreed in the erp repo design thread. Both modules gain an optional env coordinate that defaults to "prod"; by the elision rule, env=prod produces the existing single-env derived names character-for-character, so every existing app's tofu plan is a no-op. app_roles (per-instance module — caller iterates over envs): - variables.tf: add optional env = "prod" - main.tf: compute local.instance via elision rule + local.owner_role (snake-case <name>_<env>_role for the Postgres owner). The name/env/ database locals are grouped so fmt keeps the existing `name` alignment (no whitespace churn on unchanged keys). - main.tf: substitute local.name -> local.instance / local.owner_role in the dynamic role name, k8s role name, SA bindings, token_policies - outputs.tf: add env + instance outputs; kvv2_path_prefix derives from local.instance (== local.name when env=prod → backwards-compat) app_policy (per-repo module — accepts list of envs): - variables.tf: add optional envs = ["prod"] - main.tf: compute local.instances + local.non_prod_instances; remove the now-dead bound_service_account_* alias locals (the allowed_parameter blocks build their values from per_instance_sa_* maps instead) - main.tf: kvv2 ops rules become dynamic blocks iterating local.instances in the original order (data, delete, undelete, destroy, metadata), so a prod-only app renders a byte-identical policy document - main.tf: allowed_parameter for bound_service_account_* + token_policies use comprehensions over local.instances (1-element → identical to old static values for prod-only apps) - main.tf: keep vault_policy.app (env=prod runtime policy) at its original address; add vault_policy.app_non_prod via for_each over non_prod_instances (empty set for prod-only apps → no new resources) Top-level wiring: - iac/variables.tf: add envs = optional(list(string), ["prod"]) to the applications set(object) type - iac/main.tf: pass envs = each.value.envs to app_policies Verified: `tofu fmt -check` clean on all touched files, `tofu validate` passes. Backwards-compat reasoning for the no-op plan is in the PR body. Phase B (factory postgres iac + argocd + runbook docs) and Phase D (erp iac/main.tf for_each + activate sandbox) follow in their own PRs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-15 14:29:11 +02:00
parent 023cee3447
commit a3e121b468
7 changed files with 124 additions and 44 deletions
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -6,9 +6,16 @@
 # - postgres role

 locals {
-  name                             = lower(var.name)
-  bound_service_account_names      = concat([var.name], var.service_account_names)
-  bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
+  name = lower(var.name)
+  envs = [for e in var.envs : lower(e)]
+
+  # Elision rule: env=prod → bare name; else <name>-<env>
+  instances          = [for e in local.envs : e == "prod" ? local.name : "${local.name}-${e}"]
+  non_prod_instances = [for e in local.envs : "${local.name}-${e}" if e != "prod"]
+
+  # Per-instance SA name/namespace sets used by the CI policy's allowed_parameter blocks.
+  per_instance_sa_names      = { for inst in local.instances : inst => concat([inst], var.service_account_names) }
+  per_instance_sa_namespaces = { for inst in local.instances : inst => concat([inst], var.service_account_namespaces) }
 }

 data "vault_policy_document" "ops" {
@@ -60,41 +67,61 @@ data "vault_policy_document" "ops" {
    }
    allowed_parameter {
      key   = "bound_service_account_names"
-      value = [jsonencode(local.bound_service_account_names)]
+      value = [for inst in local.instances : jsonencode(local.per_instance_sa_names[inst])]
    }
    allowed_parameter {
      key   = "bound_service_account_namespaces"
-      value = [jsonencode(local.bound_service_account_namespaces)]
+      value = [for inst in local.instances : jsonencode(local.per_instance_sa_namespaces[inst])]
    }
    allowed_parameter {
      key = "token_policies"
-      value = [
-        jsonencode(["default", local.name]),
-        jsonencode([local.name, "default"])
-      ]
+      value = flatten([
+        for inst in local.instances : [
+          jsonencode(["default", inst]),
+          jsonencode([inst, "default"])
+        ]
+      ])
    }

  }
-  # allow editing app secrets
-  rule {
-    path         = "kvv2/data/${local.name}/*"
-    capabilities = ["create", "update", "read", "delete"]
+  # allow editing app secrets — one rule per (capability × instance) preserves the
+  # original rule order (data, delete, undelete, destroy, metadata) so prod-only apps
+  # render a byte-identical policy document (no Vault state diff). Multi-env apps add
+  # extra rules per non-prod instance.
+  dynamic "rule" {
+    for_each = local.instances
+    content {
+      path         = "kvv2/data/${rule.value}/*"
+      capabilities = ["create", "update", "read", "delete"]
+    }
  }
-  rule {
-    path         = "kvv2/delete/${local.name}/*"
-    capabilities = ["update"]
+  dynamic "rule" {
+    for_each = local.instances
+    content {
+      path         = "kvv2/delete/${rule.value}/*"
+      capabilities = ["update"]
+    }
  }
-  rule {
-    path         = "kvv2/undelete/${local.name}/*"
-    capabilities = ["update"]
+  dynamic "rule" {
+    for_each = local.instances
+    content {
+      path         = "kvv2/undelete/${rule.value}/*"
+      capabilities = ["update"]
+    }
  }
-  rule {
-    path         = "kvv2/destroy/${local.name}/*"
-    capabilities = ["update"]
+  dynamic "rule" {
+    for_each = local.instances
+    content {
+      path         = "kvv2/destroy/${rule.value}/*"
+      capabilities = ["update"]
+    }
  }
-  rule {
-    path         = "kvv2/metadata/${local.name}/*"
-    capabilities = ["read", "list", "delete"]
+  dynamic "rule" {
+    for_each = local.instances
+    content {
+      path         = "kvv2/metadata/${rule.value}/*"
+      capabilities = ["read", "list", "delete"]
+    }
  }
  # allow edit vault role (risky ?)
 }
@@ -139,6 +166,9 @@ resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
  role_type  = "jwt"
 }

+# Runtime policy for the env=prod instance — kept at its single-env address
+# (data.vault_policy_document.app, vault_policy.app, name = local.name) so existing
+# state isn't disturbed when this module is upgraded.
 data "vault_policy_document" "app" {
  rule {
    path         = "kvv2/data/${local.name}/*"
@@ -152,4 +182,23 @@ data "vault_policy_document" "app" {
 resource "vault_policy" "app" {
  name   = local.name
  policy = data.vault_policy_document.app.hcl
+}
+
+# Runtime policies for non-prod envs. Each one is named <name>-<env> and reads
+# only its own kvv2 + postgres creds paths.
+data "vault_policy_document" "app_non_prod" {
+  for_each = toset(local.non_prod_instances)
+  rule {
+    path         = "kvv2/data/${each.key}/*"
+    capabilities = ["read", "list"]
+  }
+  rule {
+    path         = "postgres/creds/${each.key}*"
+    capabilities = ["read"]
+  }
+}
+resource "vault_policy" "app_non_prod" {
+  for_each = toset(local.non_prod_instances)
+  name     = each.key
+  policy   = data.vault_policy_document.app_non_prod[each.key].hcl
 }
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -1,6 +1,11 @@
 variable "name" {
  type = string
 }
+variable "envs" {
+  type        = list(string)
+  default     = ["prod"]
+  description = "List of environments this app deploys to. The CI policy + JWT role + identity group are created ONCE per repo regardless. One runtime policy is created per env; the env=prod runtime policy keeps its single-env address for backwards compatibility (no state move)."
+}
 variable "gitea_app_id" {
  type = string
 }