Gabriel Radureau
3170a341d1
Some checks failed
Helm Charts / Library charts tool (push) Blocked by required conditions
Helm Charts / Application charts pgcat (push) Blocked by required conditions
Helm Charts / Detect changed charts (pull_request) Successful in 19s
Helm Charts / Library charts tool (pull_request) Has been skipped
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Helm Charts / Detect changed charts (push) Failing after 13m59s
The `applications` object field was declared `policies` in variables.tf, but the cms tfvars entry, the runbook (doc/runbooks/new-web-app/03-vault-platform.md), the guidebook (vibe/guidebooks/tools/secrets-and-vso.md) and the module input (modules/app_policy variable `ops_policies`) all use the name `ops_policies`. Because Terraform silently drops unknown attributes when converting a value to an object() type, cms's `ops_policies = ["factory__cf_r2_arcodange_tf"]` was discarded and `each.value.policies` fell back to [] — so gitea_cicd_cms never received the `factory__cf_r2_arcodange_tf` token policy (read on kvv1/cloudflare/r2/arcodange-tf + kvv1/zoho/self_client, defined in factory iac/cloudflare.tf). cms CI was missing its Cloudflare R2 Terraform-state permissions. Fix at the root: rename the schema field `policies` -> `ops_policies` (and its single reference main.tf:82 `each.value.policies` -> `each.value.ops_policies`), aligning the whole chain. This is lower-churn than renaming the tfvars key (the chosen alternative would also have required fixing the runbook + guidebook, which both already document `ops_policies`) and prevents the next app created from the runbook from re-introducing the same silently-dropped key. Behavioural change: gitea_cicd_cms gains `factory__cf_r2_arcodange_tf` in its token_policies. No other app sets this field (all default []), so no other role changes. Reviewer: confirm the R2 policy is the intended grant for cms CI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>