# Set up nomad provider in vault for Nomad ACLs
# Nomad ACL token handed to Vault so its Nomad secrets engine can mint tokens.
# type = "management": a management token is not scoped to any of the Nomad
# policies referenced in this file. Its secret_id is read by
# vault_nomad_secret_backend.config below, so it is also persisted in
# Terraform state — state storage needs the same protection as the token.
resource "nomad_acl_token" "vault" {
  type = "management"
  name = "vault"
}
# Mount the Nomad secrets engine (path "nomad") and configure it with the
# management token created in nomad_acl_token.vault.
resource "vault_nomad_secret_backend" "config" {
  backend     = "nomad"
  description = "Nomad ACL"

  # Sensitive: the management token's secret_id, taken from Terraform state.
  token = nomad_acl_token.vault.secret_id

  # Mount-level lease tuning: 1h default, 2h maximum.
  default_lease_ttl_seconds = "3600"
  max_lease_ttl_seconds     = "7200"

  # Engine lease configuration, set to the same 1h / 2h values
  # (presumably the TTL applied to Nomad tokens this engine issues — verify
  # against the provider docs for the version in use).
  ttl     = "3600"
  max_ttl = "7200"
}
# Vault roles generating Nomad tokens
# Vault role "nomad-deploy": Nomad tokens issued through it carry only the
# Nomad "deploy" policy (no type is set here, so the provider default applies).
resource "vault_nomad_secret_role" "nomad-deploy" {
  role    = "nomad-deploy"
  backend = vault_nomad_secret_backend.config.backend

  # Nomad ACL policies attached to tokens minted from this role.
  policies = ["deploy"]
}
# Vault role "admin-management": issues Nomad *management* tokens.
# No policies are listed because a management token is not policy-scoped;
# this is the most privileged role defined in this file, so access to it in
# Vault should be granted narrowly and its use audited.
resource "vault_nomad_secret_role" "admin-management" {
  role    = "admin-management"
  type    = "management"
  backend = vault_nomad_secret_backend.config.backend
}
# Vault role "admin": policy-scoped alternative to "admin-management" —
# tokens minted here carry the Nomad "admin" policy rather than being
# management tokens.
resource "vault_nomad_secret_role" "admin" {
  role    = "admin"
  backend = vault_nomad_secret_backend.config.backend

  # Nomad ACL policies attached to tokens minted from this role.
  policies = ["admin"]
}
# Nomad Vault token access
# Token-auth role the Nomad cluster uses to derive Vault tokens for tasks.
# The tokens it creates are periodic (renewed every 72h) with no explicit
# maximum TTL, so they live as long as Nomad keeps renewing them; orphan = true
# means they survive revocation of the token that created them.
# allowed_policies is the only thing bounding what a task can be granted —
# keep this list minimal.
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"

  # Policies a Nomad task may request via this role.
  allowed_policies = ["access-tables", "nomad-task"]

  # Periodic, renewable, orphan tokens with no explicit max TTL.
  token_period           = 259200 # 72h in seconds
  token_explicit_max_ttl = 0
  renewable              = true
  orphan                 = true
}