🤖 ci(vault): declare dance-lessons-coach JWT role + ops policy

2026-05-06 12:55:17 +02:00
7 changed files with 44 additions and 124 deletions
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -75,12 +75,11 @@ resource "vault_kubernetes_auth_backend_role" "vso" {
 }
 module "app_policies" {
-  source                     = "./modules/app_policy"
+  source       = "./modules/app_policy"
-  for_each                   = { for app in var.applications : app.name => app }
+  for_each     = { for app in var.applications : app.name => app }
-  name                       = each.value.name
+  name         = each.value.name
-  envs                       = each.value.envs
+  ops_policies     = each.value.policies
-  ops_policies               = each.value.policies
+  service_account_names = each.value.service_account_names
-  service_account_names      = each.value.service_account_names
+  service_account_namespaces =  each.value.service_account_namespaces
-  service_account_namespaces = each.value.service_account_namespaces
+  gitea_app_id = var.gitea_app_id
  gitea_app_id               = var.gitea_app_id
 }
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -6,16 +6,9 @@
 # - postgres role
 locals {
-  name = lower(var.name)
+  name                             = lower(var.name)
-  envs = [for e in var.envs : lower(e)]
+  bound_service_account_names      = concat([var.name], var.service_account_names)
-
+  bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
  # Elision rule: env=prod → bare name; else <name>-<env>
  instances          = [for e in local.envs : e == "prod" ? local.name : "${local.name}-${e}"]
  non_prod_instances = [for e in local.envs : "${local.name}-${e}" if e != "prod"]
  # Per-instance SA name/namespace sets used by the CI policy's allowed_parameter blocks.
  per_instance_sa_names      = { for inst in local.instances : inst => concat([inst], var.service_account_names) }
  per_instance_sa_namespaces = { for inst in local.instances : inst => concat([inst], var.service_account_namespaces) }
 }
 data "vault_policy_document" "ops" {
@@ -67,61 +60,41 @@ data "vault_policy_document" "ops" {
    }
    allowed_parameter {
      key   = "bound_service_account_names"
-      value = [for inst in local.instances : jsonencode(local.per_instance_sa_names[inst])]
+      value = [jsonencode(local.bound_service_account_names)]
    }
    allowed_parameter {
      key   = "bound_service_account_namespaces"
-      value = [for inst in local.instances : jsonencode(local.per_instance_sa_namespaces[inst])]
+      value = [jsonencode(local.bound_service_account_namespaces)]
    }
    allowed_parameter {
      key = "token_policies"
-      value = flatten([
+      value = [
-        for inst in local.instances : [
+        jsonencode(["default", local.name]),
-          jsonencode(["default", inst]),
+        jsonencode([local.name, "default"])
-          jsonencode([inst, "default"])
+      ]
        ]
      ])
    }
  }
-  # allow editing app secrets — one rule per (capability × instance) preserves the
+  # allow editing app secrets
-  # original rule order (data, delete, undelete, destroy, metadata) so prod-only apps
+  rule {
-  # render a byte-identical policy document (no Vault state diff). Multi-env apps add
+    path         = "kvv2/data/${local.name}/*"
-  # extra rules per non-prod instance.
+    capabilities = ["create", "update", "read", "delete"]
  dynamic "rule" {
    for_each = local.instances
    content {
      path         = "kvv2/data/${rule.value}/*"
      capabilities = ["create", "update", "read", "delete"]
    }
  }
-  dynamic "rule" {
+  rule {
-    for_each = local.instances
+    path         = "kvv2/delete/${local.name}/*"
-    content {
+    capabilities = ["update"]
      path         = "kvv2/delete/${rule.value}/*"
      capabilities = ["update"]
    }
  }
-  dynamic "rule" {
+  rule {
-    for_each = local.instances
+    path         = "kvv2/undelete/${local.name}/*"
-    content {
+    capabilities = ["update"]
      path         = "kvv2/undelete/${rule.value}/*"
      capabilities = ["update"]
    }
  }
-  dynamic "rule" {
+  rule {
-    for_each = local.instances
+    path         = "kvv2/destroy/${local.name}/*"
-    content {
+    capabilities = ["update"]
      path         = "kvv2/destroy/${rule.value}/*"
      capabilities = ["update"]
    }
  }
-  dynamic "rule" {
+  rule {
-    for_each = local.instances
+    path         = "kvv2/metadata/${local.name}/*"
-    content {
+    capabilities = ["read", "list", "delete"]
      path         = "kvv2/metadata/${rule.value}/*"
      capabilities = ["read", "list", "delete"]
    }
  }
  # allow edit vault role (risky ?)
 }
@@ -166,9 +139,6 @@ resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
  role_type  = "jwt"
 }
 # Runtime policy for the env=prod instance — kept at its single-env address
 # (data.vault_policy_document.app, vault_policy.app, name = local.name) so existing
 # state isn't disturbed when this module is upgraded.
 data "vault_policy_document" "app" {
  rule {
    path         = "kvv2/data/${local.name}/*"
@@ -183,22 +153,3 @@ resource "vault_policy" "app" {
  name   = local.name
  policy = data.vault_policy_document.app.hcl
 }
 # Runtime policies for non-prod envs. Each one is named <name>-<env> and reads
 # only its own kvv2 + postgres creds paths.
 data "vault_policy_document" "app_non_prod" {
  for_each = toset(local.non_prod_instances)
  rule {
    path         = "kvv2/data/${each.key}/*"
    capabilities = ["read", "list"]
  }
  rule {
    path         = "postgres/creds/${each.key}*"
    capabilities = ["read"]
  }
 }
 resource "vault_policy" "app_non_prod" {
  for_each = toset(local.non_prod_instances)
  name     = each.key
  policy   = data.vault_policy_document.app_non_prod[each.key].hcl
 }
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -1,11 +1,6 @@
 variable "name" {
  type = string
 }
 variable "envs" {
  type        = list(string)
  default     = ["prod"]
  description = "List of environments this app deploys to. The CI policy + JWT role + identity group are created ONCE per repo regardless. One runtime policy is created per env; the env=prod runtime policy keeps its single-env address for backwards compatibility (no state move)."
 }
 variable "gitea_app_id" {
  type = string
 }
--- a/hashicorp-vault/iac/modules/app_roles/main.tf
+++ b/hashicorp-vault/iac/modules/app_roles/main.tf
@@ -4,18 +4,10 @@ data "vault_auth_backend" "kubernetes" {
 locals {
  name     = lower(var.name)
-  env      = lower(var.env)
+  database = var.database == null ? local.name : var.database
  database = var.database == null ? local.instance : var.database
-  # Elision rule (factory runbook conventions.md):
+  bound_service_account_names      = concat([var.name], var.service_account_names)
-  #   env == prod → identical to the single-env baseline (no suffix)
+  bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
  #   else        → kebab-case "<name>-<env>" for K8s/Vault paths.
  # Postgres owner role stays snake-case for consistency with the existing "_role" suffix.
  instance   = local.env == "prod" ? local.name : "${local.name}-${local.env}"
  owner_role = local.env == "prod" ? "${local.name}_role" : "${local.name}_${local.env}_role"
  bound_service_account_names      = concat([local.instance], var.service_account_names)
  bound_service_account_namespaces = concat([local.instance], var.service_account_namespaces)
  vault_mount_postgres = { path = "postgres" }
  vault_mount_kvv2     = { path = "kvv2" }
@@ -28,14 +20,14 @@ moved {
 resource "vault_database_secret_backend_role" "role" {
  count   = var.disable_database ? 0 : 1
  backend = local.vault_mount_postgres.path
-  name    = local.instance
+  name    = local.name
  db_name = "postgres"
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
-    "GRANT ${local.owner_role} TO \"{{name}}\";",
+    "GRANT ${local.name}_role TO \"{{name}}\";",
  ]
  revocation_statements = [
-    "REASSIGN OWNED BY \"{{name}}\" TO ${local.owner_role};",       # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
+    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ? -> YES after fixing reassign
  ]
  renew_statements    = []
@@ -44,11 +36,11 @@ resource "vault_database_secret_backend_role" "role" {
 resource "vault_kubernetes_auth_backend_role" "role" {
  backend                          = data.vault_auth_backend.kubernetes.path
-  role_name                        = local.instance
+  role_name                        = local.name
  bound_service_account_names      = local.bound_service_account_names
  bound_service_account_namespaces = local.bound_service_account_namespaces
  token_ttl                        = 3600
-  token_policies                   = ["default", local.instance]
+  token_policies                   = ["default", local.name]
  audience                         = "vault"
  alias_name_source                = "serviceaccount_name"
 }
--- a/hashicorp-vault/iac/modules/app_roles/outputs.tf
+++ b/hashicorp-vault/iac/modules/app_roles/outputs.tf
@@ -1,13 +1,6 @@
 output "name" {
  value = local.name
 }
 output "env" {
  value = local.env
 }
 output "instance" {
  value       = local.instance
  description = "Derived id by the elision rule: equals name when env=prod, else <name>-<env>."
 }
 output "database" {
  value = local.database
 }
@@ -19,6 +12,5 @@ output "mount_paths" {
  }
 }
 output "kvv2_path_prefix" {
-  # Identical to format("%s/", local.name) when env=prod (backwards compat).
+  value = format("%s/", local.name)
  value = format("%s/", local.instance)
 }
--- a/hashicorp-vault/iac/modules/app_roles/variables.tf
+++ b/hashicorp-vault/iac/modules/app_roles/variables.tf
@@ -1,11 +1,6 @@
 variable "name" {
  type = string
 }
 variable "env" {
  type        = string
  default     = "prod"
  description = "Deployment environment. By the elision rule (factory runbook conventions.md), env=prod produces names identical to the single-env baseline; non-prod values produce <name>-<env> kebab-case and <name>_<env>_role for the Postgres owner role."
 }
 variable "database" {
  type     = string
  nullable = true
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -11,13 +11,9 @@ variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
 }
 variable "applications" {
  type = set(object({
-    name                       = string
+    name     = string
-    policies                   = optional(list(string), [])
+    policies = optional(list(string), [])
-    service_account_names      = optional(list(string), [])
+    service_account_names = optional(list(string), [])
    service_account_namespaces = optional(list(string), [])
    # Multi-env extension: list of envs this app deploys to. Defaults to ["prod"] for
    # every existing app — backwards compatible by the elision rule. Non-prod envs
    # produce additional runtime policies named "<name>-<env>".
    envs = optional(list(string), ["prod"])
  }))
 }