Use autogroup:admin and dst:* for admin grants

The previous commit incorrectly assumed autogroup:admin and dst:["*"] didn't work. The actual issue was that tagging gilbert converted it from a user-owned device to a tagged device, losing user identity. Now that gilbert remains untagged, autogroup:admin works correctly. This simplifies the policy and allows future admins to inherit access. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 11:58:05 -08:00 · 2026-01-17 11:55:13 -08:00 · 2026-01-17 11:55:13 -08:00
commit 3e2e9ecb80
1 changed files with 7 additions and 14 deletions
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@ -11,18 +11,11 @@
 	},

 	// ============== Access Grants ==============
-	// Note: autogroup:admin doesn't work reliably - use specific emails
-	// Note: dst: ["*"] doesn't work reliably - use explicit tags
 	"grants": [
-		// --- Erich: full access to all infrastructure ---
+		// --- Admins: full access to all infrastructure ---
 		{
-			"src": ["blume.erich@gmail.com"],
-			"dst": ["tag:homelab", "tag:nas"],
-			"ip":  ["*"],
-		},
-		{
-			"src": ["blume.erich@gmail.com"],
-			"dst": ["tag:grafana", "tag:kiwix", "tag:forge", "tag:devpi", "tag:loki", "tag:pg", "tag:feed"],
+			"src": ["autogroup:admin"],
+			"dst": ["*"],
 			"ip":  ["*"],
 		},

@ -77,18 +70,18 @@
 			"dst":    ["autogroup:self"],
 			"users":  ["autogroup:nonroot"],
 		},
-		// Erich can SSH to homelab (for ansible)
+		// Admins can SSH to homelab (for ansible)
 		{
 			"action": "check",
-			"src":    ["blume.erich@gmail.com"],
+			"src":    ["autogroup:admin"],
 			"dst":    ["tag:homelab"],
 			"users":  ["autogroup:nonroot"],
 			"checkPeriod": "12h0m0s",
 		},
-		// Erich can SSH to NAS
+		// Admins can SSH to NAS
 		{
 			"action": "check",
-			"src":    ["blume.erich@gmail.com"],
+			"src":    ["autogroup:admin"],
 			"dst":    ["tag:nas"],
 			"users":  ["autogroup:nonroot"],
 			"checkPeriod": "12h0m0s",