From 2f89d564f749fb09560d1907627b7818b2b74c76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 21 Feb 2026 23:49:51 +0100 Subject: [PATCH] vault: add approles for pn01/pn02, fix provision playbook Add pn01 and pn02 to hosts-generated.tf for Vault AppRole access. Fix provision-approle.yml: the localhost play was skipped when using -l filter, since localhost didn't match the target. Merged into a single play using delegate_to: localhost for the bao commands. Co-Authored-By: Claude Opus 4.6 --- ansible/playbooks/provision-approle.yml | 28 +++++++------------------ terraform/vault/hosts-generated.tf | 10 +++++++++ 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/ansible/playbooks/provision-approle.yml b/ansible/playbooks/provision-approle.yml index b9c12df..f3ac8df 100644 --- a/ansible/playbooks/provision-approle.yml +++ b/ansible/playbooks/provision-approle.yml @@ -23,14 +23,12 @@ when: ansible_play_hosts | length != 1 run_once: true -- name: Fetch AppRole credentials from OpenBao - hosts: localhost - connection: local +- name: Provision AppRole credentials + hosts: all gather_facts: false vars: - target_host: "{{ groups['all'] | first }}" - target_hostname: "{{ hostvars[target_host]['short_hostname'] | default(target_host.split('.')[0]) }}" + target_hostname: "{{ inventory_hostname.split('.')[0] }}" tasks: - name: Display target host @@ -45,6 +43,7 @@ BAO_SKIP_VERIFY: "1" register: role_id_result changed_when: false + delegate_to: localhost - name: Generate secret-id for host ansible.builtin.command: 
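Review bot: The new `target_hostname` var drops the `short_hostname` inventory override that the removed `localhost` play honored via `hostvars[target_host]['short_hostname'] | default(...)`, so any host that set `short_hostname` would now have its AppRole name derived from `inventory_hostname` alone, and the bao role lookup for it would presumably change. Keeping the fallback is a one-liner: `target_hostname: "{{ short_hostname | default(inventory_hostname.split('.')[0]) }}"`. Because the play now runs per target host, the `hostvars` indirection is no longer needed and the plain variable reference is enough. The `Display target host` task and the rest of the `tasks:` list continue past the end of this hunk.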
@@ -54,21 +53,8 @@ BAO_SKIP_VERIFY: "1" register: secret_id_result changed_when: true + delegate_to: localhost - - name: Store credentials for next play - ansible.builtin.set_fact: - vault_role_id: "{{ role_id_result.stdout }}" - vault_secret_id: "{{ secret_id_result.stdout }}" - -- name: Deploy AppRole credentials to host - hosts: all - gather_facts: false - - vars: - vault_role_id: "{{ hostvars['localhost']['vault_role_id'] }}" - vault_secret_id: "{{ hostvars['localhost']['vault_secret_id'] }}" - - tasks: - name: Create AppRole directory ansible.builtin.file: path: /var/lib/vault/approle @@ -79,7 +65,7 @@ - name: Write role-id ansible.builtin.copy: - content: "{{ vault_role_id }}" + content: "{{ role_id_result.stdout }}" dest: /var/lib/vault/approle/role-id mode: "0600" owner: root @@ -87,7 +73,7 @@ - name: Write secret-id ansible.builtin.copy: - content: "{{ vault_secret_id }}" + content: "{{ secret_id_result.stdout }}" dest: /var/lib/vault/approle/secret-id mode: "0600" owner: root diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf index 5fa92c2..c73fe04 100644 --- a/terraform/vault/hosts-generated.tf +++ b/terraform/vault/hosts-generated.tf @@ -53,6 +53,16 @@ locals { ] extra_policies = ["prometheus-metrics"] } + "pn01" = { + paths = [ + "secret/data/hosts/pn01/*", + ] + } + "pn02" = { + paths = [ + "secret/data/hosts/pn02/*", + ] + } }
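Review bot: The secret-id generation task gains `delegate_to: localhost` but still has no `no_log`, so the registered `secret_id_result.stdout` — the AppRole secret-id itself — is printed in verbose runs and captured by any logging callback on the controller. Add `no_log: true` directly under the new `delegate_to: localhost` line; the same applies to the `Write secret-id` copy task in the `@@ -87,7 +73,7 @@` hunk, where a `--diff` run would otherwise display the secret as the new file content. The generate task's `ansible.builtin.command:` and its `environment:` block begin before this hunk, so the full task is not visible here.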
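Review bot: The new `pn01` and `pn02` entries are added by hand to a file named `hosts-generated.tf`, which suggests the map is normally produced by a generator; if that is the case, the next regeneration would presumably drop them unless the generator's input was updated as well, and that is not part of this commit. Either update whatever source the file is generated from, or, if it is in fact maintained manually, say so at the top of the map, e.g. `# edited by hand; the -generated suffix is historical`. The enclosing `locals {` block starts before this hunk.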