From ccb1c3fe2e095e484e9231e9c6bcfba7ac6e5d04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Thu, 5 Feb 2026 18:58:39 +0100
Subject: [PATCH] terraform: auto-generate backup password instead of manual

Remove backup_helper_secret variable and switch shared/backup/password to auto_generate. New password will be added alongside existing restic repository key.

Co-Authored-By: Claude Opus 4.5
---
 terraform/vault/secrets.tf | 6 +++---
 terraform/vault/variables.tf | 6 ------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index 557c153..5db851c 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -51,10 +51,10 @@ locals {
 password_length = 32
 }

- # Shared backup password
+ # Shared backup password (auto-generated, add alongside existing restic key)
 "shared/backup/password" = {
- auto_generate = false
- data = { password = var.backup_helper_secret }
+ auto_generate = true
+ password_length = 32
 }

 # NATS NKey for alerttonotify
diff --git a/terraform/vault/variables.tf b/terraform/vault/variables.tf
index d5055ef..5799067 100644
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -16,12 +16,6 @@ variable "vault_skip_tls_verify" {
 default = true
 }

-variable "backup_helper_secret" {
- description = "Backup helper password (shared across hosts)"
- type = string
- sensitive = true
-}
-
 variable "nats_nkey" {
 description = "NATS NKey for alerttonotify"
 type = string
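Review bot: The new comment on `"shared/backup/password"` in secrets.tf leaves out the two steps that make this rotation safe: the generated value has to be registered as a restic key before any host reads it from Vault, and the old manually set password stays a valid repository key until someone removes it. Assuming hosts use this path as their restic password, a host that picks up the new value first cannot open the repository, and skipping the removal leaves a credential that used to be passed in as a Terraform variable still able to decrypt the backups. I would expand the comment to `# Auto-generated. Add it as a new restic key before hosts re-read this path, then remove the old key.` How `auto_generate` produces the value is not visible here; if it goes through a Terraform random resource the password is also written to state, so the state backend would need the same protection as Vault. The enclosing `locals` block starts and ends outside the hunk.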