2026-06-30 17:40:34 +02:00
5 changed files with 26 additions and 5 deletions
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -80,6 +80,7 @@ module "app_policies" {
  name                       = each.value.name
  envs                       = each.value.envs
  ops_policies               = each.value.ops_policies
+  kv_read_paths              = each.value.kv_read_paths
  service_account_names      = each.value.service_account_names
  service_account_namespaces = each.value.service_account_namespaces
  gitea_app_id               = var.gitea_app_id
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
    path         = "postgres/creds/${local.name}*"
    capabilities = ["read"]
  }
+  # Extra shared paths this app's prod runtime may read (e.g. backup creds).
+  dynamic "rule" {
+    for_each = var.kv_read_paths
+    content {
+      path         = rule.value
+      capabilities = ["read", "list"]
+    }
+  }
 }
 resource "vault_policy" "app" {
  name   = local.name
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -22,4 +22,9 @@ variable "service_account_namespaces" {
  type        = list(string)
  default     = []
  description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
+}
+variable "kv_read_paths" {
+  type        = list(string)
+  default     = []
+  description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
 }
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,18 +1,22 @@
 applications = [
  { name = "webapp" },
-  { name = "erp", envs = ["prod", "sandbox"] },
+  {
+    name          = "erp"
+    envs          = ["prod", "sandbox"]
+    kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
+  },
  { name = "dance-lessons-coach" },
  {
-    name                   = "cms"
-    ops_policies               = ["factory__cf_r2_arcodange_tf"]
+    name                  = "cms"
+    ops_policies          = ["factory__cf_r2_arcodange_tf"]
    service_account_names = ["cloudflared"]
  },
  {
-    name = "crowdsec"
+    name                       = "crowdsec"
    service_account_namespaces = ["tools"]
  },
  {
-    name = "plausible"
+    name                       = "plausible"
    service_account_namespaces = ["tools"]
  },
 ]
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -19,5 +19,8 @@ variable "applications" {
    # every existing app — backwards compatible by the elision rule. Non-prod envs
    # produce additional runtime policies named "<name>-<env>".
    envs = optional(list(string), ["prod"])
+    # Extra kvv2 data paths the app's prod runtime policy may read (read,list) —
+    # e.g. a shared backup-creds path owned by another app. Default none.
+    kv_read_paths = optional(list(string), [])
  }))
 }