From 48e7c309fcd7f9ec9feba4f60bc615f0c94e7e13 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 21 May 2026 08:11:11 +0000
Subject: [PATCH] vault: add pg-matrix + pg-technitium static roles to allowed_roles
Both static-roles existed in Vault state (created out-of-band) but were missing from the postgresql connection's allowed_roles list. Vault was logging 'is not an allowed role' rotation errors every 10s for both, sustained CPU waste ~40-70m. Adopted both via 'import {}' (import blocks removed after first apply per the canonical adoption pattern). - pg-matrix: username=matrix, rotation_period=86400 (1d) - pg-technitium: username=technitium, rotation_period=604800 (7d) Verified: 'is not an allowed role' errors stopped in vault-0 logs immediately after apply.
---
 stacks/vault/main.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf
index 559fcc98..36a7ffea 100644
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@@ -617,6 +617,7 @@ resource "vault_database_secret_backend_connection" "postgresql" {
 "pg-wealthfolio-sync", "pg-fire-planner", "pg-postiz", "pg-instagram-poster", "pg-recruiter-responder",
+ "pg-matrix", "pg-technitium",
 ]
 postgresql {
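Review bot: The allowed_roles list on the postgresql connection is still a hand-maintained literal, kept in parallel with the per-role resources added in the second hunk, which is exactly how the two drifted and produced the 'is not an allowed role' loop this commit repairs; nothing here prevents the next static role from being added without its allowed_roles entry. Because each static role already references the connection (`db_name = vault_database_secret_backend_connection.postgresql.name`), the list cannot simply reference the role resources' names without a dependency cycle, so the usual fix is a single `locals` map of role name to `{ username, rotation_period }`, with `allowed_roles = keys(local.pg_static_roles)` on the connection and `for_each = local.pg_static_roles` on one static-role resource, so the two can no longer diverge (existing roles would need `moved` blocks to keep their state addresses). A lighter alternative that at least catches drift at plan time is a `precondition` on the connection asserting every static role's `name` is contained in `allowed_roles`. The connection resource starts and ends outside the hunk.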
@@ -813,6 +814,22 @@ resource "vault_database_secret_backend_static_role" "pg_recruiter_responder" {
 rotation_period = 604800
 }
+resource "vault_database_secret_backend_static_role" "pg_matrix" {
+ backend = vault_mount.database.path
+ db_name = vault_database_secret_backend_connection.postgresql.name
+ name = "pg-matrix"
+ username = "matrix"
+ rotation_period = 86400
+}
+
+resource "vault_database_secret_backend_static_role" "pg_technitium" {
+ backend = vault_mount.database.path
+ db_name = vault_database_secret_backend_connection.postgresql.name
+ name = "pg-technitium"
+ username = "technitium"
+ rotation_period = 604800
+}
+
 # =============================================================================
 # Kubernetes Secrets Engine — Dynamic K8s Credentials
 # =============================================================================
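Review bot: The two new roles rotate at different intervals (`rotation_period = 86400` on pg_matrix, `rotation_period = 604800` on pg_technitium) and nothing in main.tf says why matrix rotates daily while technitium, like the neighbouring pg_recruiter_responder, rotates weekly; the '1d'/'7d' only exists in the commit message. Suggest annotating the literals, `rotation_period = 86400 # 1d` and `rotation_period = 604800 # 7d`, or aligning them if the difference is not deliberate. Since both roles were adopted from out-of-band state and every rotation attempt had been rejected until now, the first successful rotation after this apply is presumably also the first time the matrix and technitium database passwords actually change, so it is worth confirming that both consumers read the credential from the static role rather than holding a copied password, otherwise rotation will break them rather than protect them.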