From 38348c5980d1e8c5e2617a453bc99f46dfde1b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sat, 7 Feb 2026 14:05:42 +0100
Subject: [PATCH] vault: add homelab-deploy policy to generated hosts

The homelab-deploy listener requires access to shared/homelab-deploy/* secrets. Update hosts-generated.tf and the generator script to include this policy automatically.
Co-Authored-By: Claude Opus 4.5
---
 scripts/create-host/generators.py | 2 +-
 terraform/vault/hosts-generated.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/create-host/generators.py b/scripts/create-host/generators.py
index bd1f1da..a202a39 100644
--- a/scripts/create-host/generators.py
+++ b/scripts/create-host/generators.py
@@ -144,7 +144,7 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
 backend = vault_auth_backend.approle.path
 role_name = each.key
- token_policies = ["host-\${each.key}"]
+ token_policies = ["host-\${each.key}", "homelab-deploy"]
 secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
 token_ttl = 3600
 token_max_ttl = 3600
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index 630a7bb..72def73 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -50,7 +50,7 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
 backend = vault_auth_backend.approle.path
 role_name = each.key
- token_policies = ["host-${each.key}"]
+ token_policies = ["host-${each.key}", "homelab-deploy"]
 secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
 token_ttl = 3600
 token_max_ttl = 3600
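Review bot: The new `token_policies` line in the generated template attaches the shared `homelab-deploy` policy to every generated host role unconditionally, so the AppRole credentials of any host — whether or not it runs the homelab-deploy listener — can now read `shared/homelab-deploy/*`; the `for_each` map is outside this hunk, but if it carries per-host attributes the grant should be gated on one, e.g. `token_policies = concat(["host-\${each.key}"], each.value.<runs_deploy_listener> ? ["homelab-deploy"] : [])` (placeholder attribute name). If per-host gating is not practical, make the blanket grant explicit in the template with a comment such as `# Every generated host also gets the shared homelab-deploy policy (shared/homelab-deploy/*); a compromised host AppRole can read those secrets.` Consider also referencing the policy resource (`vault_policy.<homelab_deploy>.name`, placeholder) instead of a bare string so Terraform orders creation and a mismatch is caught at plan time rather than silently naming a policy that may not exist. The same applies to the rendered copy in the hosts-generated.tf hunk; the enclosing `resource "vault_approle_auth_backend_role" "generated_hosts"` block starts and ends outside this hunk.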