Merge pull request 'fix(vault): rename applications.policies → ops_policies (cms CI was silently missing its R2 policy)' (#4 ) from claude/fix-cms-ops-policies-key into main

fix(vault): rename applications.policies field to ops_policies (cms CI was silently missing its R2 policy)
The `applications` object field was declared `policies` in variables.tf, but the cms tfvars entry, the runbook (doc/runbooks/new-web-app/03-vault-platform.md), the guidebook (vibe/guidebooks/tools/secrets-and-vso.md) and the module input (modules/app_policy variable `ops_policies`) all use the name `ops_policies`. Because Terraform silently drops unknown attributes when converting a value to an object() type, cms's `ops_policies = ["factory__cf_r2_arcodange_tf"]` was discarded and `each.value.policies` fell back to [] — so gitea_cicd_cms never received the `factory__cf_r2_arcodange_tf` token policy (read on kvv1/cloudflare/r2/arcodange-tf + kvv1/zoho/self_client, defined in factory iac/cloudflare.tf). cms CI was missing its Cloudflare R2 Terraform-state permissions. Fix at the root: rename the schema field `policies` -> `ops_policies` (and its single reference main.tf:82 `each.value.policies` -> `each.value.ops_policies`), aligning the whole chain. This is lower-churn than renaming the tfvars key (the chosen alternative would also have required fixing the runbook + guidebook, which both already document `ops_policies`) and prevents the next app created from the runbook from re-introducing the same silently-dropped key. Behavioural change: gitea_cicd_cms gains `factory__cf_r2_arcodange_tf` in its token_policies. No other app sets this field (all default []), so no other role changes. Reviewer: confirm the R2 policy is the intended grant for cms CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-28 19:21:54 +02:00 · 2026-06-28 19:18:06 +02:00 · 2026-06-28 17:19:20 +02:00 · 2026-06-28 17:14:53 +02:00 · 2026-06-19 19:22:29 +02:00 · 2026-06-15 14:29:11 +02:00
5 changed files with 11 additions and 15 deletions
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -79,7 +79,7 @@ module "app_policies" {
  for_each                   = { for app in var.applications : app.name => app }
  name                       = each.value.name
  envs                       = each.value.envs
-  ops_policies               = each.value.policies
+  ops_policies               = each.value.ops_policies
  service_account_names      = each.value.service_account_names
  service_account_namespaces = each.value.service_account_namespaces
  gitea_app_id               = var.gitea_app_id
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -8,18 +8,14 @@
 locals {
  name = lower(var.name)
  envs = [for e in var.envs : lower(e)]
  # Elision rule: env=prod → bare name; else <name>-<env>
-  instances = [for e in local.envs : e == "prod" ? local.name : "${local.name}-${e}"]
+  instances          = [for e in local.envs : e == "prod" ? local.name : "${local.name}-${e}"]
  # Non-prod instances only (for the per-env runtime policy iteration that doesn't touch the prod state address)
  non_prod_instances = [for e in local.envs : "${local.name}-${e}" if e != "prod"]
  # Per-instance SA name/namespace sets used by the CI policy's allowed_parameter blocks.
  per_instance_sa_names      = { for inst in local.instances : inst => concat([inst], var.service_account_names) }
  per_instance_sa_namespaces = { for inst in local.instances : inst => concat([inst], var.service_account_namespaces) }
  # Backwards-compat aliases kept for any caller that referenced these (unused outside the module).
  bound_service_account_names      = concat([var.name], var.service_account_names)
  bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
 }
 data "vault_policy_document" "ops" {
--- a/hashicorp-vault/iac/modules/app_roles/main.tf
+++ b/hashicorp-vault/iac/modules/app_roles/main.tf
@@ -3,17 +3,17 @@ data "vault_auth_backend" "kubernetes" {
 }
 locals {
-  name = lower(var.name)
+  name     = lower(var.name)
-  env  = lower(var.env)
+  env      = lower(var.env)
  database = var.database == null ? local.instance : var.database
  # Elision rule (factory runbook conventions.md):
  #   env == prod → identical to the single-env baseline (no suffix)
-  #   else        → kebab-case "<name>-<env>" for K8s/Vault paths
+  #   else        → kebab-case "<name>-<env>" for K8s/Vault paths.
  instance = local.env == "prod" ? local.name : "${local.name}-${local.env}"
  # Postgres owner role stays snake-case for consistency with the existing "_role" suffix.
  instance   = local.env == "prod" ? local.name : "${local.name}-${local.env}"
  owner_role = local.env == "prod" ? "${local.name}_role" : "${local.name}_${local.env}_role"
  database = var.database == null ? local.instance : var.database
  bound_service_account_names      = concat([local.instance], var.service_account_names)
  bound_service_account_namespaces = concat([local.instance], var.service_account_namespaces)
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,6 +1,6 @@
 applications = [
  { name = "webapp" },
-  { name = "erp" },
+  { name = "erp", envs = ["prod", "sandbox"] },
  { name = "dance-lessons-coach" },
  {
    name                   = "cms"
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -12,7 +12,7 @@ variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
 variable "applications" {
  type = set(object({
    name                       = string
-    policies                   = optional(list(string), [])
+    ops_policies               = optional(list(string), [])
    service_account_names      = optional(list(string), [])
    service_account_namespaces = optional(list(string), [])
    # Multi-env extension: list of envs this app deploys to. Defaults to ["prod"] for
Author	SHA1	Message	Date
arcodange	06c5eb4391	Merge pull request 'fix(vault): rename applications.policies → ops_policies (cms CI was silently missing its R2 policy)' (#4 ) from claude/fix-cms-ops-policies-key into main Some checks failed Helm Charts / Library charts tool (push) Blocked by required conditions Details Helm Charts / Application charts pgcat (push) Blocked by required conditions Details Helm Charts / Detect changed charts (push) Failing after 10m13s Details	2026-06-28 19:21:54 +02:00
Gabriel Radureau	3170a341d1	fix(vault): rename applications.policies field to ops_policies (cms CI was silently missing its R2 policy) Some checks failed Helm Charts / Library charts tool (push) Blocked by required conditions Details Helm Charts / Application charts pgcat (push) Blocked by required conditions Details Helm Charts / Detect changed charts (pull_request) Successful in 19s Details Helm Charts / Library charts tool (pull_request) Has been skipped Details Helm Charts / Application charts pgcat (pull_request) Has been skipped Details Helm Charts / Detect changed charts (push) Failing after 13m59s Details The `applications` object field was declared `policies` in variables.tf, but the cms tfvars entry, the runbook (doc/runbooks/new-web-app/03-vault-platform.md), the guidebook (vibe/guidebooks/tools/secrets-and-vso.md) and the module input (modules/app_policy variable `ops_policies`) all use the name `ops_policies`. Because Terraform silently drops unknown attributes when converting a value to an object() type, cms's `ops_policies = ["factory__cf_r2_arcodange_tf"]` was discarded and `each.value.policies` fell back to [] — so gitea_cicd_cms never received the `factory__cf_r2_arcodange_tf` token policy (read on kvv1/cloudflare/r2/arcodange-tf + kvv1/zoho/self_client, defined in factory iac/cloudflare.tf). cms CI was missing its Cloudflare R2 Terraform-state permissions. Fix at the root: rename the schema field `policies` -> `ops_policies` (and its single reference main.tf:82 `each.value.policies` -> `each.value.ops_policies`), aligning the whole chain. This is lower-churn than renaming the tfvars key (the chosen alternative would also have required fixing the runbook + guidebook, which both already document `ops_policies`) and prevents the next app created from the runbook from re-introducing the same silently-dropped key. Behavioural change: gitea_cicd_cms gains `factory__cf_r2_arcodange_tf` in its token_policies. No other app sets this field (all default []), so no other role changes. Reviewer: confirm the R2 policy is the intended grant for cms CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-28 19:18:06 +02:00
arcodange	fd93359f2e	Merge pull request 'feat(multi-env): Phase D2 — Vault policies for erp-sandbox' (#3 ) from claude/phaseD-erp-sandbox-vault into main Some checks failed Helm Charts / Application charts pgcat (push) Blocked by required conditions Details Helm Charts / Detect changed charts (push) Successful in 1m8s Details Helm Charts / Library charts tool (push) Failing after 11m12s Details	2026-06-28 17:19:20 +02:00
Gabriel Radureau	25569eb29d	feat(multi-env): Phase D2 — Vault policies for erp-sandbox Some checks failed Helm Charts / Library charts tool (push) Blocked by required conditions Details Helm Charts / Application charts pgcat (push) Blocked by required conditions Details Helm Charts / Library charts tool (pull_request) Blocked by required conditions Details Helm Charts / Application charts pgcat (pull_request) Blocked by required conditions Details Helm Charts / Detect changed charts (pull_request) Failing after 11m29s Details Helm Charts / Detect changed charts (push) Failing after 12m7s Details ADR-0002 Phase D, Vault layer. `erp` gains `envs = ["prod", "sandbox"]`, which flows into the app_policy module (main.tf:81 `envs = each.value.envs`). For erp the module now resolves instances = ["erp", "erp-sandbox"], so the apply: - ADDS vault_policy.app_non_prod["erp-sandbox"] — the runtime policy named `erp-sandbox` (read kvv2/data/erp-sandbox/* + postgres/creds/erp-sandbox), consumed by the sandbox pod's VSO. - UPDATES vault_policy.ops["erp"] in place — the `erp-ops` CI policy gains the erp-sandbox kvv2 data/delete/undelete/destroy/metadata rules + the erp-sandbox values in the k8s-role allowed_parameter lists, so CI can manage the sandbox instance. The glob rules (postgres/roles/erp, kvv1/cloudflare/erp, auth/kubernetes/role/erp) already covered erp-sandbox, so they don't change. No destroy/replace. prod `erp` runtime policy + every other app render byte-identical (their envs still default to ["prod"]). Diff kept to the single erp line — the pre-existing cms/crowdsec/plausible alignment is left as-is on main (not reformatting unrelated entries). D2 of Phase D. D1 (postgres DB+role) = factory#17 (merged). D3 (erp iac creds + KV) and D4 (ArgoCD) follow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-28 17:14:53 +02:00
arcodange	01de97853d	Merge pull request 'modules: Phase A of multi-env — add env/envs parameter to app_roles and app_policy' (#2 ) from claude/multi-env-modules into main All checks were successful Helm Charts / Detect changed charts (push) Successful in 51s Details Helm Charts / Library charts tool (push) Has been skipped Details Helm Charts / Application charts pgcat (push) Has been skipped Details Reviewed-on: #2	2026-06-19 19:22:29 +02:00
Gabriel Radureau	a3e121b468	modules: add env/envs parameter to app_roles + app_policy (multi-env) All checks were successful Helm Charts / Detect changed charts (push) Successful in 23s Details Helm Charts / Detect changed charts (pull_request) Successful in 22s Details Helm Charts / Library charts tool (push) Has been skipped Details Helm Charts / Library charts tool (pull_request) Has been skipped Details Helm Charts / Application charts pgcat (push) Has been skipped Details Helm Charts / Application charts pgcat (pull_request) Has been skipped Details Phase A of the multi-environment evolution agreed in the erp repo design thread. Both modules gain an optional env coordinate that defaults to "prod"; by the elision rule, env=prod produces the existing single-env derived names character-for-character, so every existing app's tofu plan is a no-op. app_roles (per-instance module — caller iterates over envs): - variables.tf: add optional env = "prod" - main.tf: compute local.instance via elision rule + local.owner_role (snake-case <name>_<env>_role for the Postgres owner). The name/env/ database locals are grouped so fmt keeps the existing `name` alignment (no whitespace churn on unchanged keys). - main.tf: substitute local.name -> local.instance / local.owner_role in the dynamic role name, k8s role name, SA bindings, token_policies - outputs.tf: add env + instance outputs; kvv2_path_prefix derives from local.instance (== local.name when env=prod → backwards-compat) app_policy (per-repo module — accepts list of envs): - variables.tf: add optional envs = ["prod"] - main.tf: compute local.instances + local.non_prod_instances; remove the now-dead bound_service_account_* alias locals (the allowed_parameter blocks build their values from per_instance_sa_* maps instead) - main.tf: kvv2 ops rules become dynamic blocks iterating local.instances in the original order (data, delete, undelete, destroy, metadata), so a prod-only app renders a byte-identical policy document - main.tf: allowed_parameter for bound_service_account_* + token_policies use comprehensions over local.instances (1-element → identical to old static values for prod-only apps) - main.tf: keep vault_policy.app (env=prod runtime policy) at its original address; add vault_policy.app_non_prod via for_each over non_prod_instances (empty set for prod-only apps → no new resources) Top-level wiring: - iac/variables.tf: add envs = optional(list(string), ["prod"]) to the applications set(object) type - iac/main.tf: pass envs = each.value.envs to app_policies Verified: `tofu fmt -check` clean on all touched files, `tofu validate` passes. Backwards-compat reasoning for the no-op plan is in the PR body. Phase B (factory postgres iac + argocd + runbook docs) and Phase D (erp iac/main.tf for_each + activate sandbox) follow in their own PRs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-15 14:29:11 +02:00