magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-26 10:06:13 +01:00
Code Issues Packages Projects Releases Wiki Activity
dotfiles/terraform/nomad-server/vault.tf
main a5a651dbb9
Large rework and cleanup 
Signed-off-by: main <magic_rb@redalder.org>
2022-07-31 11:03:59 +02:00

78 lines
2.1 KiB
HCL
Raw Blame History

resource "vault_policy" "nomad-server" {
name = "${var.hostname}-nomad-server"
policy = <<EOF
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}
# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
}
# Allow looking up the token passed to Nomad to validate the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup. Note this requires update permissions because the Vault API
# is a POST
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}
EOF
}
resource "vault_token_auth_backend_role" "nomad-server" {
role_name = "${var.hostname}-nomad-server"
allowed_policies = [
vault_policy.nomad-server.name
]
orphan = true
renewable = true
}
resource "vault_token" "nomad-server" {
policies = [
vault_policy.nomad-server.name
]
renewable = true
ttl = "24h"
explicit_max_ttl = 0
role_name = vault_token_auth_backend_role.nomad-server.role_name
display_name = "${var.hostname}-nomad-server-Vault-token"
}
resource "vault_kv_secret_v2" "nomad-server-vault" {
mount = var.vault_mount.path
name = var.vault_token_path
delete_all_versions = true
data_json = jsonencode({
secret = vault_token.nomad-server.client_token
})
}
Reference in a new issue View git blame Copy permalink