diff --git a/.secrets-baseline b/.secrets-baseline index 7555cef..ccea31d 100644 --- a/.secrets-baseline +++ b/.secrets-baseline @@ -193,25 +193,7 @@ "line_number": 252, "is_secret": false } - ], - "core/syslogng.nomad": [ - { - "type": "Base64 High Entropy String", - "filename": "core/syslogng.nomad", - "hashed_secret": "298b5925fe7c7458cb8a12a74621fdedafea5ad6", - "is_verified": false, - "line_number": 159, - "is_secret": false - }, - { - "type": "Base64 High Entropy String", - "filename": "core/syslogng.nomad", - "hashed_secret": "3a1cec2d3c3de7e4da4d99c6731ca696c24b72b4", - "is_verified": false, - "line_number": 159, - "is_secret": false - } ] }, - "generated_at": "2022-11-11T21:26:53Z" + "generated_at": "2022-11-21T00:23:03Z" } diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 531f971..0a60545 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,78 +1,40 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/consul" { - version = "2.14.0" - hashes = [ - "h1:lJWOdlqevg6FQLFlfM3tGOsy9yPrjm9/vqkfzVrqT/A=", - "h1:xRwktNwLL3Vo43F7v73tfcgbcnjCE2KgCzcNrsQJ1cc=", - "zh:06dcca1f76b839af8f86c7b6f65b944003a7a35b30b865b3884f48e2c42f9aee", - "zh:16111df6a485e21cee6ca33cb863434baa1ca360c819c8e2af85e465c1361d2b", - "zh:26b59c82ac2861b2651c1fa31955c3e7790e3c2d5d097f22aa34d3c294da63cf", - "zh:70fd6853099126a602d5ac26caa80214a4a8a38f0cad8a5e3b7bef49923419d3", - "zh:7d4f0061d6fb86e0a5639ed02381063b868245082ec4e3a461bcda964ed00fcc", - "zh:a48cbf57d6511922362d5b0f76f449fba7a550c9d0702635fabb43b4f0a09fc0", - "zh:bb54994a53dd8e1ff84ca50742ce893863dc166fd41b91d951f4cb89fe6a6bc0", - "zh:bc61b19ee3c8d55a9915a3ad84203c87bfd0d57eca8eec788524b14e8b67f090", - "zh:cbe3238e756ada23c1e7c97c42a5c72bf810dc5bd1265c9f074c3e739d1090b0", - "zh:e30198054239eab46493e59956b9cd8c376c3bbd9515ac102a96d1fbd32e423f", - "zh:e74365dba529a0676107e413986d7be81c2125c197754ce69e3e89d8daa53153", - ] -} - provider "registry.terraform.io/hashicorp/external" { - version = "2.2.2" + version = "2.2.3" hashes = [ - "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=", - "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca", - "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28", - "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b", - "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39", + "h1:uvOYRWcVIqOZSl8YjjaB18yZFz1AWIt2CnK7O45rckg=", + "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9", + "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c", + "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4", + "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387", + "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a", + "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32", + "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327", - "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955", - "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb", - "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0", - "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a", - "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372", - "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809", + "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353", + "zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f", + "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a", + "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a", ] } provider "registry.terraform.io/hashicorp/nomad" { - version = "1.4.16" + version = "1.4.19" hashes = [ - "h1:PQxNPNmMVOErxryTWIJwr22k95DTSODmgRylqjc2TjI=", - "h1:tyfjD/maKzb0RxxD9KWgLnkJu9lnYziYsQgGw85Giz8=", - "zh:0d4fbb7030d9caac3b123e60afa44f50c83cc2a983e1866aec7f30414abe7b0e", - "zh:0db080228e07c72d6d8ca8c45249d6f97cd0189fce82a77abbdcd49a52e57572", - "zh:0df88393271078533a217654b96f0672c60eb59570d72e6aefcb839eea87a7a0", - "zh:2883b335bb6044b0db6a00e602d6926c047c7f330294a73a90d089f98b24d084", - "zh:390158d928009a041b3a182bdd82376b50530805ae92be2b84ed7c3b0fa902a0", - "zh:7169b8f8df4b8e9659c49043848fd5f7f8473d0471f67815e8b04980f827f5ef", - "zh:9417ee1383b1edd137024882d7035be4dca51fb4f725ca00ed87729086ec1755", - "zh:a22910b5a29eeab5610350700b4899267c1b09b66cf21f7e4d06afc61d425800", - "zh:a6185c9cd7aa458cd81861058ba568b6411fbac344373a20155e20256f4a7557", - "zh:b6260ca9f034df1b47905b4e2a9c33b67dbf77224a694d5b10fb09ae92ffad4c", - "zh:d87c12a6a7768f2b6c2a59495c7dc00f9ecc52b1b868331d4c284f791e278a1e", - ] -} - -provider "registry.terraform.io/hashicorp/vault" { - version = "3.3.1" - hashes = [ - "h1:SOTmxGynxFf1hECFq0/FGujGQZNktePze/4mfdR/iiU=", - "h1:i7EC2IF0KParI+JPA5ZtXJrAn3bAntW5gEMLvOXwpW4=", - "zh:3e1866037f43c1083ff825dce2a9e3853c757bb0121c5ae528ee3cf3f99b4113", - "zh:49636cc5c4939134e098c4ec0163c41fae103f24d7e1e8fc0432f8ad93d596a0", - "zh:5258a7001719c4aeb84f4c4da7115b795da4794754938a3c4176a4b578fe93a1", - "zh:7461738691e2e8ea91aba73d4351cfbc30fcaedcf0e332c9d35ef215f93aa282", - "zh:815529478e33a6727273b08340a4c62c9aeb3da02abf8f091bb4f545c8451fce", - "zh:8e6fede9f5e25b507faf6cacd61b997035b8b62859245861149ddb2990ada8eb", - "zh:9acc2387084b9c411e264c4351633bc82f9c4e420f8e6bbad9f87b145351f929", - "zh:b9e4af3b06386ceed720f0163a1496088c154aa1430ae072c525ffefa4b37891", - "zh:c7d5dfb8f8536694db6740e2a4afd2d681b60b396ded469282524c62ce154861", - "zh:d0850be710c6fd682634a2f823beed0164231cc873b1dc09038aa477c926f57c", - "zh:e90c2cba9d89db5eab295b2f046f24a53f23002bcfe008633d398fb3fa16d941", + "h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=", + "zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254", + "zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a", + "zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75", + "zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e", + "zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288", + "zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275", + "zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7", + "zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78", + "zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761", + "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f", ] } diff --git a/Makefile b/Makefile index 18a739f..158b710 100644 --- a/Makefile +++ b/Makefile @@ -39,10 +39,10 @@ secrets-update: $(VENV) .secrets-baseline ansible_galaxy: ansible_galaxy/ansible_collections ansible_galaxy/roles ansible_galaxy/ansible_collections: $(VENV) ./ansible_galaxy/requirements.yml - $(VENV)/bin/ansible-galaxy collection install -p ./ansible_galaxy -r ./ansible_collections/requirements.yml + $(VENV)/bin/ansible-galaxy collection install -p ./ansible_galaxy -r ./ansible_galaxy/requirements.yml ansible_galaxy/roles: $(VENV) ./ansible_galaxy/requirements.yml - $(VENV)/bin/ansible-galaxy install -p ./ansible_galaxy/roles -r ./ansible_roles/requirements.yml + $(VENV)/bin/ansible-galaxy install -p ./ansible_galaxy/roles -r ./ansible_galaxy/requirements.yml .PHONY: ansible-cluster ansible-cluster: $(VENV) ansible_galaxy diff --git a/ansible_playbooks/recover-consul.yaml b/ansible_playbooks/recover-consul.yaml index 0c6b9d5..4b5e03c 100644 --- a/ansible_playbooks/recover-consul.yaml +++ b/ansible_playbooks/recover-consul.yaml @@ -63,22 +63,22 @@ state: restarted become: true -- name: Start Vault - hosts: nomad_instances - - tasks: - - name: Start Vault - systemd: - name: vault - state: started - become: true - -- name: Start Nomad - hosts: nomad_instances - - tasks: - - name: Start Nomad - systemd: - name: nomad - state: started - become: true +# - name: Start Vault +# hosts: nomad_instances +# +# tasks: +# - name: Start Vault +# systemd: +# name: vault +# state: started +# become: true +# +# - name: Start Nomad +# hosts: nomad_instances +# +# tasks: +# - name: Start Nomad +# systemd: +# name: nomad +# state: started +# become: true diff --git a/ansible_playbooks/setup-cluster.yml b/ansible_playbooks/setup-cluster.yml index d88aafd..8aacce7 100644 --- a/ansible_playbooks/setup-cluster.yml +++ b/ansible_playbooks/setup-cluster.yml @@ -1,148 +1,4 @@ --- -- name: Build Consul cluster - hosts: consul_instances - any_errors_fatal: true - - roles: - - role: ansible-consul - vars: - consul_version: "1.13.3-1" - consul_install_upgrade: true - consul_install_from_repo: true - consul_os_repo_prerequisites: [] - - consul_node_role: server - consul_raft_protocol: 3 - consul_bootstrap_expect: true - consul_bootstrap_expect_value: "{{ [(play_hosts | length), 3] | min }}" - - consul_user: consul - consul_manage_user: true - consul_group: bin - consul_manage_group: true - - # consul_tls_enable: true - consul_connect_enabled: true - consul_ports_grpc: 8502 - consul_client_address: "0.0.0.0" - - # Autopilot - consul_autopilot_enable: true - consul_autopilot_cleanup_dead_Servers: true - - # Enable metrics - consul_config_custom: - telemetry: - prometheus_retention_time: "2h" - - # DNS forwarding - consul_dnsmasq_enable: true - consul_dnsmasq_servers: - # TODO: use addresses of other nomad nodes? - # Maybe this can be [] to get the values from dhcp - - 1.1.1.1 - - 1.0.0.1 - consul_dnsmasq_bind_interfaces: true - consul_dnsmasq_listen_addresses: - # Listen only to loopback interface - - 127.0.0.1 - - become: true - - tasks: - - name: Start Consul - systemd: - state: started - name: consul - become: true - - # If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something - # pointing to 127.0.0.1 and possibly restart Docker and Nomad - # Actually, we should point to our external Nomad address so that Docker uses it - - name: Update resolv.conf - lineinfile: - dest: /etc/resolv.conf - create: true - line: "nameserver {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" - become: true - -- name: Setup Vault cluster - hosts: vault_instances - - roles: - - name: ansible-vault - vars: - vault_version: 1.12.0-1 - vault_install_hashi_repo: true - vault_harden_file_perms: true - # Maybe this should be restricted - vault_group: bin - vault_bin_path: /usr/bin - vault_address: 0.0.0.0 - - vault_backend: consul - become: true - - tasks: - - name: Get Vault status - uri: - url: http://127.0.0.1:8200/v1/sys/health - method: GET - status_code: 200, 429, 472, 473, 501, 503 - body_format: json - return_content: true - register: vault_status - - - name: Initialize Vault - when: not vault_status.json["initialized"] - block: - - name: Initialize Vault - command: - argv: - - "vault" - - "operator" - - "init" - - "-format=json" - - "-address=http://127.0.0.1:8200/" - - "-key-shares={{ vault_init_key_shares|default(3) }}" - - "-key-threshold={{ vault_init_key_threshold|default(2) }}" - run_once: true - register: vault_init - - - name: Save initialize result - copy: - content: "{{ vault_init.stdout }}" - dest: "../vault-keys.json" - when: vault_init is succeeded - delegate_to: localhost - run_once: true - - - name: Unseal from init - no_log: true - command: - argv: - - "vault" - - "operator" - - "unseal" - - "-address=http://127.0.0.1:8200/" - - "{{ item }}" - loop: "{{ (vault_init.stdout | from_json)['unseal_keys_hex'] }}" - when: vault_init is succeeded - - - name: Unseal Vault - no_log: true - command: - argv: - - "vault" - - "operator" - - "unseal" - - "-address=http://127.0.0.1:8200/" - - "{{ item }}" - loop: "{{ unseal_keys_hex }}" - when: - - unseal_keys_hex is defined - - vault_status.json["sealed"] - - name: Install Docker hosts: nomad_instances become: true @@ -323,8 +179,8 @@ enabled: true selinuxlabel: "z" # Send logs to journald so we can scrape them for Loki - logging: - type: journald + # logging: + # type: journald extra_labels: - "job_name" - "job_id" @@ -352,35 +208,9 @@ # Enable ACLs nomad_acl_enabled: true - # Enable vault integration - # HACK: Only talk to local Vault for now because it doesn't have HTTPS - # TODO: Would be really great to have this over https and point to vault.consul.service - # nomad_vault_address: "https://vault.service.consul:8200" - # Right now, each node only talks to it's local Vault, so if that node is rebooted and - # that vault is sealed, it will not have access to vault. This is a problem if a node - # must reboot. - nomad_vault_address: "http://127.0.0.1:8200" - # TODO: This fails on first run because the Nomad-Vault integration can't be set up - # until Nomad has started. Could maybe figure out if ACLs have been set up and leave - # these out until the later play, maybe just bootstrap the nomad-cluster role in Vault - # befor Nomad is set up - nomad_vault_create_from_role: "nomad-cluster" - # TODO: (security) Probably want to restict this to a narrower scoped token - nomad_vault_enabled: "{{ root_token is defined }}" - nomad_vault_token: "{{ root_token | default('') }}" - nomad_config_custom: ui: enabled: true - consul: - ui_url: "https://consul.thefij.rocks/ui" - vault: - ui_url: "https://vault.thefij.rocks/ui" - consul: - tags: - - "traefik.enable=true" - - "traefik.consulcatalog.connect=true" - - "traefik.http.routers.nomadclient.entrypoints=websecure" - name: Bootstrap Nomad ACLs and scheduler hosts: nomad_instances @@ -435,20 +265,6 @@ changed_when: false register: read_secretid - - name: Enable service scheduler preemption - command: - argv: - - nomad - - operator - - scheduler - - set-config - - -preempt-system-scheduler=true - - -preempt-service-scheduler=true - environment: - NOMAD_TOKEN: "{{ read_secretid.stdout }}" - delegate_to: "{{ play_hosts[0] }}" - run_once: true - - name: Look for policy command: argv: @@ -465,8 +281,6 @@ copy: src: ../acls/nomad-anon-policy.hcl dest: /tmp/anonymous.policy.hcl - delegate_to: "{{ play_hosts[0] }}" - register: anon_policy run_once: true - name: Create anon-policy @@ -485,18 +299,32 @@ delegate_to: "{{ play_hosts[0] }}" run_once: true - - name: Set up Nomad backend and roles in Vault - community.general.terraform: - project_path: ../acls - force_init: true - variables: - consul_address: "{{ play_hosts[0] }}:8500" - vault_token: "{{ root_token }}" - nomad_secret_id: "{{ read_secretid.stdout }}" - delegate_to: localhost + - name: Enable service scheduler preemption + command: + argv: + - nomad + - operator + - scheduler + - set-config + - -preempt-system-scheduler=true + - -preempt-service-scheduler=true + environment: + NOMAD_TOKEN: "{{ read_secretid.stdout }}" + delegate_to: "{{ play_hosts[0] }}" run_once: true - notify: - - Restart Nomad + + # - name: Set up Nomad backend and roles in Vault + # community.general.terraform: + # project_path: ../acls + # force_init: true + # variables: + # consul_address: "{{ play_hosts[0] }}:8500" + # vault_token: "{{ root_token }}" + # nomad_secret_id: "{{ read_secretid.stdout }}" + # delegate_to: localhost + # run_once: true + # notify: + # - Restart Nomad handlers: - name: Restart Nomad diff --git a/core/blocky/blocky.nomad b/core/blocky/blocky.nomad index 1b07113..45c5b8a 100644 --- a/core/blocky/blocky.nomad +++ b/core/blocky/blocky.nomad @@ -37,11 +37,13 @@ job "blocky" { service { name = "blocky-dns" + provider = "nomad" port = "dns" } service { name = "blocky-api" + provider = "nomad" port = "api" meta { @@ -53,41 +55,6 @@ job "blocky" { "traefik.http.routers.blocky-api.entryPoints=websecure", ] - connect { - sidecar_service { - proxy { - local_service_port = 4000 - - expose { - path { - path = "/metrics" - protocol = "http" - local_path_port = 4000 - listener_port = "api" - } - } - - upstreams { - destination_name = "redis" - local_bind_port = 6379 - } - - upstreams { - destination_name = "mysql-server" - local_bind_port = 4040 - } - } - } - - sidecar_task { - resources { - cpu = 50 - memory = 20 - memory_max = 50 - } - } - } - check { name = "api-health" port = "api" @@ -118,13 +85,6 @@ job "blocky" { memory_max = 100 } - vault { - policies = [ - "access-tables", - "nomad-task", - ] - } - template { data = var.config_data destination = "app/config.yml" @@ -149,21 +109,16 @@ job "blocky" { ] } - vault { - policies = [ - "access-tables", - "nomad-task", - ] - } - template { data = <> certResolver = "letsEncrypt" [[entryPoints.websecure.http.tls.domains]] - main = "*.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>" - << end ->> + main = "*.<< with nomadVar "nomad/jobs" >><< .base_hostname >><< end >>" [entryPoints.metrics] address = ":8989" @@ -146,34 +137,30 @@ job "traefik" { directory = "/etc/traefik/conf" watch = true -[providers.consulCatalog] - connectAware = true - connectByDefault = true +[providers.nomad] exposedByDefault = false - defaultRule = "Host(`{{normalize .Name}}.<< keyOrDefault "global/base_hostname" "${var.base_hostname}" >>`)" - [providers.consulCatalog.endpoint] - address = "http://<< env "CONSUL_HTTP_ADDR" >>" + defaultRule = "Host(`{{normalize .Name}}.<< with nomadVar "nomad/jobs" >><< .base_hostname >><< end >>`)" + [providers.nomad.endpoint] + address = "http://<< env "attr.unique.network.ip-address" >>:4646" -<< if keyExists "traefik/acme/email" ->> [certificatesResolvers.letsEncrypt.acme] - email = "<< key "traefik/acme/email" >>" + email = "<< with nomadVar "nomad/jobs/traefik" >><< .acme_email >><< end >>" # Store in /local because /secrets doesn't persist with ephemeral disk storage = "/local/acme.json" [certificatesResolvers.letsEncrypt.acme.dnsChallenge] provider = "cloudflare" resolvers = ["1.1.1.1:53", "8.8.8.8:53"] delayBeforeCheck = 0 -<< end ->> EOH destination = "local/config/traefik.toml" } template { data = < dict: + headers = {} + if NOMAD_TOKEN: + headers["X-Nomad-Token"] = NOMAD_TOKEN + + result = requests.post( + f"{NOMAD_ADDR}/v1/var/{path}", + headers=headers, + json={ + "Path": path, + "Items": {k: str(v) for k, v in items.items()}, + }, + ) + + print(result.text) + result.raise_for_status() + + return result.json() + + +def write_consul(): + with open("./ansible_playbooks/vars/consul_values.yml") as f: + vars = yaml.load(f, yaml.CLoader)["consul_values"] + + key_values = defaultdict(list) + for path, value in vars.items(): + path, _, item = path.rpartition("/") + key_values[path].append((item, value)) + + for path, items in key_values.items(): + print("path", path, "items", items) + response = write_var(path, dict(items)) + print(response) + + +def write_vault(): + with open("./ansible_playbooks/vars/vault_hashi_vault_values.yml") as f: + vars = yaml.load(f, yaml.CLoader)["hashi_vault_values"] + prefix = "secrets/" + + for path, items in vars.items(): + print("path", path, "items", items) + response = write_var(prefix + path, items) + print(response) + +def write_nomad(): + with open("./ansible_playbooks/vars/nomad_vars.yml") as f: + vars = yaml.load(f, yaml.CLoader) + + for path, items in vars.items(): + print("path", path, "items", items) + response = write_var(path, items) + print(response) + + +def main(): + write_nomad() + + +if __name__ == "__main__": + main() diff --git a/providers.tf b/providers.tf index 6e5ef19..0c909a1 100644 --- a/providers.tf +++ b/providers.tf @@ -1,45 +1,6 @@ -# Configure Consul provider -provider "consul" { - address = var.consul_address -} - -# Get Nomad client from Consul -data "consul_service" "nomad" { - name = "nomad-client" -} - -# Get Vault client from Consul -data "consul_service" "vault" { - name = "vault" - tag = "active" -} - -locals { - # Get Nomad address from Consul - nomad_node = data.consul_service.nomad.service[0] - nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}" - - # Get Vault address from Consul - vault_node = data.consul_service.vault.service[0] - vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}" -} - -# Configure the Vault provider -provider "vault" { - address = length(var.vault_address) == 0 ? local.vault_node_address : var.vault_address - token = var.vault_token -} - -# Something that should exist in a post bootstrap module, right now module includes bootstrapping -# which requries Admin -# data "vault_nomad_access_token" "deploy" { -# backend = "nomad" -# role = "deploy" -# } - # Configure the Nomad provider provider "nomad" { - address = length(var.nomad_address) == 0 ? local.nomad_node_address : var.nomad_address + address = var.nomad_address secret_id = var.nomad_secret_id # secret_id = length(var.nomad_secret_id) == 0 ? data.vault_nomad_access_token.admin.secret_id : var.nomad_secret_id region = "global" diff --git a/services.tf b/services.tf index 1f9cac3..25ebceb 100644 --- a/services.tf +++ b/services.tf @@ -1,5 +1,5 @@ -module "services" { - source = "./services" - - depends_on = [module.databases, module.core] -} +# module "services" { +# source = "./services" +# +# depends_on = [module.databases, module.core] +# } diff --git a/vars.tf b/vars.tf index 9fe54fc..6702560 100644 --- a/vars.tf +++ b/vars.tf @@ -1,16 +1,6 @@ -variable "consul_address" { - type = string - default = "http://n1.thefij:8500" -} - -variable "vault_address" { - type = string - default = "" -} - variable "nomad_address" { type = string - default = "" + default = "http://n1.thefij:4646" } variable "base_hostname" { @@ -25,9 +15,3 @@ variable "nomad_secret_id" { sensitive = true default = "" } - -variable "vault_token" { - type = string - sensitive = true - default = "" -}