homelab-nomad/acls/nomad_vault.tf

# Configure the Vault Nomad secrets engine so Vault can issue Nomad ACL tokens
# Management token that Vault uses to mint Nomad ACL tokens through the
# secrets engine below. Its secret_id is an exported attribute and is
# therefore persisted in Terraform state; treat the state as sensitive.
resource "nomad_acl_token" "vault" {
  type = "management"
  name = "vault"
}
# Mount the Nomad secrets engine at "nomad" and hand it the management
# token created above (the token value also ends up in Terraform state).
resource "vault_nomad_secret_backend" "config" {
  backend     = "nomad"
  description = "Nomad ACL"
  token       = nomad_acl_token.vault.secret_id

  # Mount-level lease bounds, in seconds.
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 7200

  # Lease settings for the Nomad tokens this engine generates (seconds,
  # per the provider schema). NOTE(review): these are far shorter than the
  # mount-level values above — a generated token gets a 120 s lease capped
  # at 240 s — confirm that is intended for the roles defined below.
  ttl     = 120
  max_ttl = 240
}
# Vault roles that generate Nomad ACL tokens via the secrets engine mounted above
# Role issuing Nomad tokens that carry only the "deploy" Nomad ACL policy.
# The policy is referenced by name and must already exist in Nomad.
resource "vault_nomad_secret_role" "nomad-deploy" {
  role     = "nomad-deploy"
  backend  = vault_nomad_secret_backend.config.backend
  policies = ["deploy"]
}
# Role issuing Nomad *management* tokens — the same token type Vault
# itself uses above, which is not constrained by any Nomad ACL policy.
# Anyone allowed to read this role's creds path in Vault effectively
# gets full control of the cluster, so the Vault policy granting that
# read should be limited to the administrators who truly need it.
resource "vault_nomad_secret_role" "admin-management" {
  role    = "admin-management"
  type    = "management"
  backend = vault_nomad_secret_backend.config.backend
}
# Role issuing Nomad tokens bound to the "admin" Nomad ACL policy. Unlike
# "admin-management" above, these tokens are still subject to that policy.
resource "vault_nomad_secret_role" "admin" {
  role     = "admin"
  backend  = vault_nomad_secret_backend.config.backend
  policies = ["admin"]
}
# Vault token role for the Nomad cluster (used when Nomad creates Vault tokens for tasks)
# Token role presumably used by the Nomad servers to create per-task Vault
# tokens. Tokens from this role are periodic orphans with no explicit max
# TTL: they stay valid for as long as they keep being renewed and are not
# revoked along with a parent token, so revocation has to be explicit.
# NOTE(review): Vault's "default" policy is still attached to these tokens
# unless token_no_default_policy is set — confirm that is acceptable.
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"

  # Only these Vault policies may be requested through this role.
  allowed_policies = ["access-tables", "nomad-task"]

  orphan                 = true
  renewable              = true
  token_period           = 259200 # 72h renewal period, in seconds
  token_explicit_max_ttl = 0      # no hard cap beyond the period
}