From 43c81f6688c34fa32aee41d8e1275cc661bc4525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Tue, 17 Feb 2026 20:13:22 +0100
Subject: [PATCH] terraform: fix loki-push policy for generated hosts

Revert ns1/ns2 from approle.tf (they're in hosts-generated.tf) and add loki-push policy to generated AppRoles instead.

Co-Authored-By: Claude Opus 4.6
---
 terraform/vault/approle.tf | 15 +--------------
 terraform/vault/hosts-generated.tf | 2 +-
 2 files changed, 2 insertions(+), 15 deletions(-)

diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 451b823..5f76056 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -89,20 +89,7 @@ locals {
 ]
 }
 
- # Wave 3: DNS servers
- "ns1" = {
- paths = [
- "secret/data/hosts/ns1/*",
- "secret/data/shared/dns/*",
- ]
- }
-
- "ns2" = {
- paths = [
- "secret/data/hosts/ns2/*",
- "secret/data/shared/dns/*",
- ]
- }
+ # Wave 3: DNS servers (managed in hosts-generated.tf)
 
 # Wave 4: http-proxy
 "http-proxy" = {
diff --git a/terraform/vault/hosts-generated.tf b/terraform/vault/hosts-generated.tf
index 7172d20..4854b70 100644
--- a/terraform/vault/hosts-generated.tf
+++ b/terraform/vault/hosts-generated.tf
@@ -74,7 +74,7 @@ resource "vault_approle_auth_backend_role" "generated_hosts" {
 backend = vault_auth_backend.approle.path
 role_name = each.key
 
- token_policies = ["host-${each.key}", "homelab-deploy", "nixos-exporter"]
+ token_policies = ["host-${each.key}", "homelab-deploy", "nixos-exporter", "loki-push"]
 secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
 token_ttl = 3600
 token_max_ttl = 3600
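Review bot: The removed ns1/ns2 entries in approle.tf granted `secret/data/shared/dns/*` in addition to the per-host path, and nothing in this diff shows that the `host-${each.key}` policy built in hosts-generated.tf covers the shared DNS path for those two hosts. If it does not, ns1/ns2 silently lose access to the shared DNS secrets after apply, which is the kind of regression a `terraform plan` will not surface. Please confirm the generated policy includes the shared path (or add a per-host extra-paths mechanism there) before merging, and mention it in the replacement comment, e.g. `# Wave 3: DNS servers (managed in hosts-generated.tf; shared/dns paths granted via the generated host policy)`. The `locals` block this hunk sits in starts and ends outside the hunk.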
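Review bot: The added `"loki-push"` is a bare string in `token_policies`, and Vault attaches policies to a role by name without checking that the policy exists, so a typo or a missing `vault_policy` would apply cleanly and just yield tokens that cannot push to Loki. If the policy is defined as a resource in this module, reference it so Terraform enforces both the dependency and the spelling: `token_policies = ["host-${each.key}", "homelab-deploy", "nixos-exporter", vault_policy.loki_push.name]`. This also grants loki-push to every generated host rather than only those that ship logs; if that is intended, a short comment on the line saying so would spare the next reader a least-privilege question. The `generated_hosts` resource block continues past the end of the hunk.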