variable "hostname" {
  # Prefix of the vault_policy name ("<hostname>-nomad-server-agent"), so each
  # Nomad server host gets its own policy.
  type        = string
  description = "Host of the Nomad server"
}
variable "datacenter" {
  # Not referenced by the vault_policy resource in this file; presumably
  # consumed by a sibling .tf file of the module.
  type        = string
  description = "Which DC to create the consul policy in."
}
variable "vault_consul_secret_backend" {
  # Typed `any` so a whole resource object can be passed in. Not referenced in
  # this file; presumably consumed by a sibling .tf file of the module.
  type        = any
  description = "Consul secret backend instance in Vault"
}
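variable "encryption_key_path" {
  # Interpolated into the vault_policy document as
  # "${var.vault_mount.path}/data/${var.encryption_key_path}"; the policy
  # grants only "read" on that exact path.
  type        = string
  description = "Secret path, relative to <vault_mount.path>/data/, of the encryption key that the policy grants read on."
}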
variable "encryption_key" {
  # Not referenced in this file; presumably consumed by a sibling .tf file.
  # NOTE(review): unlike var.encryption_key_path (a path), this looks like it
  # carries the key material itself. If so, mark it `sensitive = true` once
  # the module targets Terraform >= 0.14 so the value is redacted from plan
  # and apply output (it still lands in state) — confirm against the caller.
  type = string
}
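variable "replication_token_path" {
  # Optional: the only path input with a default. The vault_policy resource
  # decides from this value whether a read grant for it is emitted.
  type        = string
  description = "Optional secret path, relative to <vault_mount.path>/data/, of the replication token. Leave as the empty-string default when there is none."
  default     = ""
}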
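variable "vault_token_path" {
  # Interpolated into the vault_policy document as
  # "${var.vault_mount.path}/data/${var.vault_token_path}"; the policy grants
  # only "read" on that exact path.
  type        = string
  description = "Secret path, relative to <vault_mount.path>/data/, of the Vault token that the policy grants read on."
}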
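variable "consul_token_path" {
  # Interpolated into the vault_policy document as
  # "${var.vault_mount.path}/data/${var.consul_token_path}"; the policy grants
  # only "read" on that exact path.
  type        = string
  description = "Secret path, relative to <vault_mount.path>/data/, of the Consul token that the policy grants read on."
}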
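variable "vault_mount" {
  # Only the `.path` attribute is read, as the prefix of every path in the
  # policy document. Typed `any` so a vault_mount resource (judging by the
  # name) or any object exposing a `path` attribute can be passed.
  type        = any
  description = "Vault secrets mount whose `path` attribute prefixes every path in the policy (e.g. a vault_mount resource)."
}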
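resource "vault_policy" "nomad-server-integration" {
  # One policy per Nomad server host; the name is derived from var.hostname.
  name = "${var.hostname}-nomad-server-agent"

  # Least-privilege read policy for the Nomad server agent. Every stanza is an
  # exact path (no "*" or "+" wildcard) under the mount's "data/" prefix
  # (presumably the KV v2 layout), with "read" as the only capability.
  #
  # The replication token stanza is optional: var.replication_token_path
  # defaults to "" (and a null value could not be interpolated into the path
  # template at all), so the guard tests for a non-empty string and omits the
  # whole stanza rather than emitting one for the bare "<mount>/data/" path.
  policy = <<EOF
path "${var.vault_mount.path}/data/${var.encryption_key_path}" {
  capabilities = ["read"]
}

path "${var.vault_mount.path}/data/${var.vault_token_path}" {
  capabilities = ["read"]
}

path "${var.vault_mount.path}/data/${var.consul_token_path}" {
  capabilities = ["read"]
}
%{ if var.replication_token_path != null && var.replication_token_path != "" }
path "${var.vault_mount.path}/data/${var.replication_token_path}" {
  capabilities = ["read"]
}
%{ endif }
EOF
}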
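output "vault_policy" {
  # Exposes the whole resource so callers can reference its attributes (name,
  # id, policy) rather than a single field.
  description = "The vault_policy resource created for this Nomad server host."
  value       = vault_policy.nomad-server-integration
}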