Add nomad ACLs and roles for use in oidc auth

2023-07-07 00:30:02 -07:00 · 2023-07-07 00:30:02 -07:00 · 6dbe0f7f45
parent eae5b201b6
commit 6dbe0f7f45
10 changed files with 52 additions and 272 deletions
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -2,20 +2,20 @@
 # Manual edits may be lost in future updates.

 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.19"
+  version = "1.4.20"
  hashes = [
-    "h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
-    "zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
-    "zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
-    "zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
-    "zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
-    "zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
-    "zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
-    "zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
+    "h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
+    "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
+    "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
+    "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
+    "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
-    "zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
-    "zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
-    "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
+    "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
+    "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
+    "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
+    "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
+    "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
+    "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
+    "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
  ]
 }
--- a/acls/.terraform.lock.hcl
+++ b/acls/.terraform.lock.hcl
@ -1,59 +1,21 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/hashicorp/consul" {
-  version = "2.15.1"
-  hashes = [
-    "h1:PexyQBRLDA+SR+sWlzYBZswry5O5h/tTfj87CaECtLc=",
-    "zh:1806830a3cf103e65e772a7d28fd4df2788c29a029fb2def1326bc777ad107ed",
-    "zh:252be544fb4c9daf09cad7d3776daf5fa66b62740d3ea9d6d499a7b1697c3433",
-    "zh:50985fe02a8e5ae47c75d7c28c911b25d7dc4716cff2ed55ca05889ab77a1f73",
-    "zh:54cf0ec90538703c66937c77e8d72a38d5af47437eb0b8b55eb5836c5d288878",
-    "zh:704f536c621337e06fffef6d5f49ac81f52d249f937250527c12884cb83aefed",
-    "zh:896d8ef6d0b555299f124eb25bce8a17d735da14ef21f07582098d301f47da30",
-    "zh:976277a85b0a0baafe267cc494f766448d1da5b6936ddcb3ce393bd4d22f08d2",
-    "zh:c7faa9a2b11bc45833a3e8e340f22f1ecf01597eaeffa7669234b4549d7dfa85",
-    "zh:caf851ef9c8ce482864badf7058f9278d4537112fa236efd8f1a9315801d9061",
-    "zh:db203435d58b0ac842540861b3307a623423275d85754c171773f3b210ae5b24",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-    "zh:f710a37190429045d109edd35de69db3b5f619919c2fa04c77a3a639fea9fd7d",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/nomad" {
-  version = "1.4.17"
+  version = "1.4.20"
  hashes = [
-    "h1:iPylWr144mqXvM8NBVMTm+MS6JRhqIihlpJG91GYDyA=",
-    "zh:146f97eacd9a0c78b357a6cfd2cb12765d4b18e9660a75500ee3e748c6eba41a",
-    "zh:2eb89a6e5cee9aea03a96ea9f141096fe3baf219b2700ce30229d2d882f5015f",
-    "zh:3d0f971f79b615c1014c75e2f99f34bd4b4da542ca9f31d5ea7fadc4e9de39c1",
-    "zh:46099a750c752ce05aa14d663a86478a5ad66d95aff3d69367f1d3628aac7792",
-    "zh:71e56006b013dcfe1e4e059b2b07148b44fcd79351ae2c357e0d97e27ae0d916",
-    "zh:74febd25d776688f0558178c2f5a0e6818bbf4cdaa2e160d7049da04103940f0",
+    "h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
+    "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
+    "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
+    "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
+    "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:af18c064a5f0dd5422d6771939274841f635b619ab392c73d5bf9720945fdb85",
-    "zh:c133d7a862079da9f06e301c530eacbd70e9288fa2276ec0704df907270ee328",
-    "zh:c894cf98d239b9f5a4b7cde9f5c836face0b5b93099048ee817b0380ea439c65",
-    "zh:c918642870f0cafdbe4d7dd07c909701fc3ddb47cac8357bdcde1327bf78c11d",
-    "zh:f8f5655099a57b4b9c0018a2d49133771e24c7ff8262efb1ceb140fd224aa9b6",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/vault" {
-  version = "3.7.0"
-  hashes = [
-    "h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
-    "zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
-    "zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
-    "zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
-    "zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
-    "zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
-    "zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
-    "zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
-    "zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
-    "zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
-    "zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
+    "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
+    "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
+    "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
+    "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
+    "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
+    "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
+    "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
  ]
 }
--- a/acls/nomad_roles.tf
+++ b/acls/nomad_roles.tf
@ -0,0 +1,17 @@
+resource "nomad_acl_role" "admin" {
+  name        = "admin"
+  description = "Nomad administrators"
+
+  policy {
+    name = nomad_acl_policy.admin.name
+  }
+}
+
+resource "nomad_acl_role" "deploy" {
+  name        = "deploy"
+  description = "Authorized to conduct deployments and view logs"
+
+  policy {
+    name = nomad_acl_policy.deploy.name
+  }
+}
--- a/acls/nomad_vault.tf
+++ b/acls/nomad_vault.tf
@ -1,48 +0,0 @@
-# Set up nomad provider in vault for Nomad ACLs
-resource "nomad_acl_token" "vault" {
-  name = "vault"
-  type = "management"
-}
-
-resource "vault_nomad_secret_backend" "config" {
-  backend     = "nomad"
-  description = "Nomad ACL"
-  token       = nomad_acl_token.vault.secret_id
-
-  default_lease_ttl_seconds = "3600"
-  max_lease_ttl_seconds     = "7200"
-
-  ttl     = "3600"
-  max_ttl = "7200"
-}
-
-# Vault roles generating Nomad tokens
-resource "vault_nomad_secret_role" "nomad-deploy" {
-  backend = vault_nomad_secret_backend.config.backend
-  role    = "nomad-deploy"
-  # Nomad policies
-  policies = ["deploy"]
-}
-
-resource "vault_nomad_secret_role" "admin-management" {
-  backend = vault_nomad_secret_backend.config.backend
-  role    = "admin-management"
-  type    = "management"
-}
-
-resource "vault_nomad_secret_role" "admin" {
-  backend = vault_nomad_secret_backend.config.backend
-  role    = "admin"
-  # Nomad policies
-  policies = ["admin"]
-}
-
-# Nomad Vault token access
-resource "vault_token_auth_backend_role" "nomad-cluster" {
-  role_name              = "nomad-cluster"
-  token_explicit_max_ttl = 0
-  allowed_policies       = ["access-tables", "nomad-task"]
-  orphan                 = true
-  token_period           = 259200
-  renewable              = true
-}
--- a/acls/nomad_vault_db.tf
+++ b/acls/nomad_vault_db.tf
@ -1,17 +0,0 @@
-# resource "vault_mount" "db" {
-#   path = "database"
-#   type = "database"
-# }
-#
-# resource "vault_database_secret_backend_connection" "mysql" {
-#   backend       = vault_mount.db.path
-#   name          = "mysql"
-#   allowed_roles = ["accessdb"]
-#
-#   mysql {
-#     # How to give access here?
-#     connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
-#     username = ""
-#     password = ""
-#   }
-# }
--- a/acls/providers.tf
+++ b/acls/providers.tf
@ -1,38 +1,6 @@
-# Configure Consul provider
-provider "consul" {
-  address = var.consul_address
-}
-
-# Get Nomad client from Consul
-data "consul_service" "nomad" {
-  name = "nomad-client"
-}
-
-# Get Vault client from Consul
-data "consul_service" "vault" {
-  name = "vault"
-  tag  = "active"
-}
-
-locals {
-  # Get Nomad address from Consul
-  nomad_node         = data.consul_service.nomad.service[0]
-  nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
-
-  # Get Vault address from Consul
-  vault_node         = data.consul_service.vault.service[0]
-  vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}"
-}
-
 # Configure the Nomad provider
 provider "nomad" {
-  address   = local.nomad_node_address
+  address   = var.nomad_address
  secret_id = var.nomad_secret_id
  region    = "global"
 }
-
-# Configure the Vault provider
-provider "vault" {
-  address = local.vault_node_address
-  token   = var.vault_token
-}
--- a/acls/vars.tf
+++ b/acls/vars.tf
@ -1,8 +1,3 @@
-variable "consul_address" {
-  type    = string
-  default = "http://n1.thefij:8500"
-}
-
 variable "nomad_secret_id" {
  type        = string
  description = "Secret ID for ACL bootstrapped Nomad"
@ -10,8 +5,7 @@ variable "nomad_secret_id" {
  default     = ""
 }

-variable "vault_token" {
-  type      = string
-  sensitive = true
-  default   = ""
+variable "nomad_address" {
+  type    = string
+  default = "http://n1.thefij:4646"
 }
--- a/acls/vault_login.tf
+++ b/acls/vault_login.tf
@ -1,8 +0,0 @@
-resource "vault_auth_backend" "userpass" {
-  type = "userpass"
-
-  tune {
-    max_lease_ttl      = "1h"
-    listing_visibility = "unauth"
-  }
-}
--- a/acls/vault_policies.tf
+++ b/acls/vault_policies.tf
@ -1,83 +0,0 @@
-resource "vault_policy" "admin" {
-  name = "admin"
-
-  policy = <<EOF
-path "*" {
-  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-}
-  EOF
-}
-
-resource "vault_policy" "nomad-deploy" {
-  name   = "nomad-deploy"
-  policy = <<EOH
-path "nomad/creds/nomad-deploy" {
-  capabilities = ["read"]
-}
-EOH
-}
-
-# Policy for clusters
-resource "vault_policy" "nomad-task" {
-  name   = "nomad-task"
-  policy = <<EOH
-path "kv/data/*" {
-  # Does this need create, update, delete?
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-EOH
-}
-
-# Policy for nomad tokens
-resource "vault_policy" "nomad-server" {
-  name   = "nomad-server"
-  policy = <<EOH
-# Allow creating tokens under "nomad-cluster" token role. The token role name
-# should be updated if "nomad-cluster" is not used.
-path "auth/token/create/nomad-cluster" {
-  capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" token role. The token role name should be
-# updated if "nomad-cluster" is not used.
-path "auth/token/roles/nomad-cluster" {
-  capabilities = ["read"]
-}
-
-# Allow looking up the token passed to Nomad to validate # the token has the
-# proper capabilities. This is provided by the "default" policy.
-path "auth/token/lookup-self" {
-  capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting. This is only required if
-# `allow_unauthenticated` is set to false.
-path "auth/token/lookup" {
-  capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist. This allows revoking
-# tokens for dead tasks.
-path "auth/token/revoke-accessor" {
-  capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token. This is used to validate the
-# token upon startup.
-path "sys/capabilities-self" {
-  capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
-  capabilities = ["update"]
-}
-
-# This section grants all access on "secret/*". Further restrictions can be
-# applied to this broad policy, as shown below.
-path "kv/data/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-EOH
-}
--- a/root.tf
+++ b/root.tf
@ -1,15 +1,10 @@
 # Can't run this as part of root and as a submodule because of tf state
-# module "acls" {
-#   source = "./acls"
-#
-#   consul_address = var.consul_address
-#   nomad_secret_id = var.nomad_secret_id
-#   vault_token = var.vault_token
-# }
+module "acls" {
+  source = "./acls"

-# module "storage_plugins" {
-#   source = "./storage_plugins"
-# }
+  nomad_address   = var.nomad_address
+  nomad_secret_id = var.nomad_secret_id
+}

 terraform {
  required_version = ">=1.2.9"