Add nomad ACLs and roles for use in oidc auth
This commit is contained in:
parent
eae5b201b6
commit
6dbe0f7f45
26
.terraform.lock.hcl
generated
26
.terraform.lock.hcl
generated
@ -2,20 +2,20 @@
|
|||||||
# Manual edits may be lost in future updates.
|
# Manual edits may be lost in future updates.
|
||||||
|
|
||||||
provider "registry.terraform.io/hashicorp/nomad" {
|
provider "registry.terraform.io/hashicorp/nomad" {
|
||||||
version = "1.4.19"
|
version = "1.4.20"
|
||||||
hashes = [
|
hashes = [
|
||||||
"h1:EdBny2gaLr/IE+l+6csyCKeIGFMYZ/4tHKpcbS7ArgE=",
|
"h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
|
||||||
"zh:2f3ceeb3318a6304026035b0ac9ee3e52df04913bb9ee78827e58c5398b41254",
|
"zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
|
||||||
"zh:3fbe76c7d957d20dfe3c8c0528b33084651f22a95be9e0452b658e0922916e2a",
|
"zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
|
||||||
"zh:595671a05828cfe6c42ef73aac894ac39f81a52cc662a76f37eb74ebe04ddf75",
|
"zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
|
||||||
"zh:5d76e8788d2af3e60daf8076babf763ec887480bbb9734baccccd8fcddf4f03e",
|
"zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
|
||||||
"zh:676985afeaca6e67b22d60d43fd0ed7055763029ffebc3026089fe2fd3b4a288",
|
|
||||||
"zh:69152ce6164ac999a640cff962ece45208270e1ac37c10dac484eeea5cf47275",
|
|
||||||
"zh:6da0b15c05b81f947ec8e139bd81eeeb05c0d36eb5a967b985d0625c60998b40",
|
|
||||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||||
"zh:822c0a3bbada5e38099a379db8b2e339526843699627c3be3664cc3b3752bab7",
|
"zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
|
||||||
"zh:af23af2f98a84695b25c8eba7028a81ad4aad63c44aefb79e01bbe2dc82e7f78",
|
"zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
|
||||||
"zh:e36cac9960b7506d92925b667254322520966b9c3feb3ca6102e57a1fb9b1761",
|
"zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
|
||||||
"zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
|
"zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
|
||||||
|
"zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
|
||||||
|
"zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
|
||||||
|
"zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
64
acls/.terraform.lock.hcl
generated
64
acls/.terraform.lock.hcl
generated
@ -1,59 +1,21 @@
|
|||||||
# This file is maintained automatically by "terraform init".
|
# This file is maintained automatically by "terraform init".
|
||||||
# Manual edits may be lost in future updates.
|
# Manual edits may be lost in future updates.
|
||||||
|
|
||||||
provider "registry.terraform.io/hashicorp/consul" {
|
|
||||||
version = "2.15.1"
|
|
||||||
hashes = [
|
|
||||||
"h1:PexyQBRLDA+SR+sWlzYBZswry5O5h/tTfj87CaECtLc=",
|
|
||||||
"zh:1806830a3cf103e65e772a7d28fd4df2788c29a029fb2def1326bc777ad107ed",
|
|
||||||
"zh:252be544fb4c9daf09cad7d3776daf5fa66b62740d3ea9d6d499a7b1697c3433",
|
|
||||||
"zh:50985fe02a8e5ae47c75d7c28c911b25d7dc4716cff2ed55ca05889ab77a1f73",
|
|
||||||
"zh:54cf0ec90538703c66937c77e8d72a38d5af47437eb0b8b55eb5836c5d288878",
|
|
||||||
"zh:704f536c621337e06fffef6d5f49ac81f52d249f937250527c12884cb83aefed",
|
|
||||||
"zh:896d8ef6d0b555299f124eb25bce8a17d735da14ef21f07582098d301f47da30",
|
|
||||||
"zh:976277a85b0a0baafe267cc494f766448d1da5b6936ddcb3ce393bd4d22f08d2",
|
|
||||||
"zh:c7faa9a2b11bc45833a3e8e340f22f1ecf01597eaeffa7669234b4549d7dfa85",
|
|
||||||
"zh:caf851ef9c8ce482864badf7058f9278d4537112fa236efd8f1a9315801d9061",
|
|
||||||
"zh:db203435d58b0ac842540861b3307a623423275d85754c171773f3b210ae5b24",
|
|
||||||
"zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
|
|
||||||
"zh:f710a37190429045d109edd35de69db3b5f619919c2fa04c77a3a639fea9fd7d",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "registry.terraform.io/hashicorp/nomad" {
|
provider "registry.terraform.io/hashicorp/nomad" {
|
||||||
version = "1.4.17"
|
version = "1.4.20"
|
||||||
hashes = [
|
hashes = [
|
||||||
"h1:iPylWr144mqXvM8NBVMTm+MS6JRhqIihlpJG91GYDyA=",
|
"h1:M/QVXHPfeySejJZI3I8mBYrL/J9VsbnyF/dKIMlUhXo=",
|
||||||
"zh:146f97eacd9a0c78b357a6cfd2cb12765d4b18e9660a75500ee3e748c6eba41a",
|
"zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
|
||||||
"zh:2eb89a6e5cee9aea03a96ea9f141096fe3baf219b2700ce30229d2d882f5015f",
|
"zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
|
||||||
"zh:3d0f971f79b615c1014c75e2f99f34bd4b4da542ca9f31d5ea7fadc4e9de39c1",
|
"zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
|
||||||
"zh:46099a750c752ce05aa14d663a86478a5ad66d95aff3d69367f1d3628aac7792",
|
"zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
|
||||||
"zh:71e56006b013dcfe1e4e059b2b07148b44fcd79351ae2c357e0d97e27ae0d916",
|
|
||||||
"zh:74febd25d776688f0558178c2f5a0e6818bbf4cdaa2e160d7049da04103940f0",
|
|
||||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||||
"zh:af18c064a5f0dd5422d6771939274841f635b619ab392c73d5bf9720945fdb85",
|
"zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
|
||||||
"zh:c133d7a862079da9f06e301c530eacbd70e9288fa2276ec0704df907270ee328",
|
"zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
|
||||||
"zh:c894cf98d239b9f5a4b7cde9f5c836face0b5b93099048ee817b0380ea439c65",
|
"zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
|
||||||
"zh:c918642870f0cafdbe4d7dd07c909701fc3ddb47cac8357bdcde1327bf78c11d",
|
"zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
|
||||||
"zh:f8f5655099a57b4b9c0018a2d49133771e24c7ff8262efb1ceb140fd224aa9b6",
|
"zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
|
||||||
]
|
"zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
|
||||||
}
|
"zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
|
||||||
|
|
||||||
provider "registry.terraform.io/hashicorp/vault" {
|
|
||||||
version = "3.7.0"
|
|
||||||
hashes = [
|
|
||||||
"h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
|
|
||||||
"zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
|
|
||||||
"zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
|
|
||||||
"zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
|
|
||||||
"zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
|
|
||||||
"zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
|
|
||||||
"zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
|
|
||||||
"zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
|
|
||||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
|
||||||
"zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
|
|
||||||
"zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
|
|
||||||
"zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
|
|
||||||
"zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
17
acls/nomad_roles.tf
Normal file
17
acls/nomad_roles.tf
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
resource "nomad_acl_role" "admin" {
|
||||||
|
name = "admin"
|
||||||
|
description = "Nomad administrators"
|
||||||
|
|
||||||
|
policy {
|
||||||
|
name = nomad_acl_policy.admin.name
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "nomad_acl_role" "deploy" {
|
||||||
|
name = "deploy"
|
||||||
|
description = "Authorized to conduct deployments and view logs"
|
||||||
|
|
||||||
|
policy {
|
||||||
|
name = nomad_acl_policy.deploy.name
|
||||||
|
}
|
||||||
|
}
|
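Review bot: The new roles in acls/nomad_roles.tf carry no comment explaining what they are for, even though the commit title says they exist for OIDC auth and the capabilities they actually grant live in `nomad_acl_policy.admin` and `nomad_acl_policy.deploy`, which are defined outside this diff. A one-line header such as `# ACL roles intended to be granted to OIDC-authenticated users; each bundles the same-named nomad_acl_policy` would let a reader tell the role from the policy without opening the other file. The `description` on the deploy role ("Authorized to conduct deployments and view logs") describes the policy's intent rather than anything enforced here, so it is worth keeping it in sync with that policy when it changes.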
@ -1,48 +0,0 @@
|
|||||||
# Set up nomad provider in vault for Nomad ACLs
|
|
||||||
resource "nomad_acl_token" "vault" {
|
|
||||||
name = "vault"
|
|
||||||
type = "management"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_nomad_secret_backend" "config" {
|
|
||||||
backend = "nomad"
|
|
||||||
description = "Nomad ACL"
|
|
||||||
token = nomad_acl_token.vault.secret_id
|
|
||||||
|
|
||||||
default_lease_ttl_seconds = "3600"
|
|
||||||
max_lease_ttl_seconds = "7200"
|
|
||||||
|
|
||||||
ttl = "3600"
|
|
||||||
max_ttl = "7200"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Vault roles generating Nomad tokens
|
|
||||||
resource "vault_nomad_secret_role" "nomad-deploy" {
|
|
||||||
backend = vault_nomad_secret_backend.config.backend
|
|
||||||
role = "nomad-deploy"
|
|
||||||
# Nomad policies
|
|
||||||
policies = ["deploy"]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_nomad_secret_role" "admin-management" {
|
|
||||||
backend = vault_nomad_secret_backend.config.backend
|
|
||||||
role = "admin-management"
|
|
||||||
type = "management"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_nomad_secret_role" "admin" {
|
|
||||||
backend = vault_nomad_secret_backend.config.backend
|
|
||||||
role = "admin"
|
|
||||||
# Nomad policies
|
|
||||||
policies = ["admin"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Nomad Vault token access
|
|
||||||
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
|
||||||
role_name = "nomad-cluster"
|
|
||||||
token_explicit_max_ttl = 0
|
|
||||||
allowed_policies = ["access-tables", "nomad-task"]
|
|
||||||
orphan = true
|
|
||||||
token_period = 259200
|
|
||||||
renewable = true
|
|
||||||
}
|
|
@ -1,17 +0,0 @@
|
|||||||
# resource "vault_mount" "db" {
|
|
||||||
# path = "database"
|
|
||||||
# type = "database"
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# resource "vault_database_secret_backend_connection" "mysql" {
|
|
||||||
# backend = vault_mount.db.path
|
|
||||||
# name = "mysql"
|
|
||||||
# allowed_roles = ["accessdb"]
|
|
||||||
#
|
|
||||||
# mysql {
|
|
||||||
# # How to give access here?
|
|
||||||
# connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
|
|
||||||
# username = ""
|
|
||||||
# password = ""
|
|
||||||
# }
|
|
||||||
# }
|
|
@ -1,38 +1,6 @@
|
|||||||
# Configure Consul provider
|
|
||||||
provider "consul" {
|
|
||||||
address = var.consul_address
|
|
||||||
}
|
|
||||||
|
|
||||||
# Get Nomad client from Consul
|
|
||||||
data "consul_service" "nomad" {
|
|
||||||
name = "nomad-client"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Get Vault client from Consul
|
|
||||||
data "consul_service" "vault" {
|
|
||||||
name = "vault"
|
|
||||||
tag = "active"
|
|
||||||
}
|
|
||||||
|
|
||||||
locals {
|
|
||||||
# Get Nomad address from Consul
|
|
||||||
nomad_node = data.consul_service.nomad.service[0]
|
|
||||||
nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
|
|
||||||
|
|
||||||
# Get Vault address from Consul
|
|
||||||
vault_node = data.consul_service.vault.service[0]
|
|
||||||
vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure the Nomad provider
|
# Configure the Nomad provider
|
||||||
provider "nomad" {
|
provider "nomad" {
|
||||||
address = local.nomad_node_address
|
address = var.nomad_address
|
||||||
secret_id = var.nomad_secret_id
|
secret_id = var.nomad_secret_id
|
||||||
region = "global"
|
region = "global"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Configure the Vault provider
|
|
||||||
provider "vault" {
|
|
||||||
address = local.vault_node_address
|
|
||||||
token = var.vault_token
|
|
||||||
}
|
|
||||||
|
10
acls/vars.tf
10
acls/vars.tf
@ -1,8 +1,3 @@
|
|||||||
variable "consul_address" {
|
|
||||||
type = string
|
|
||||||
default = "http://n1.thefij:8500"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "nomad_secret_id" {
|
variable "nomad_secret_id" {
|
||||||
type = string
|
type = string
|
||||||
description = "Secret ID for ACL bootstrapped Nomad"
|
description = "Secret ID for ACL bootstrapped Nomad"
|
||||||
@ -10,8 +5,7 @@ variable "nomad_secret_id" {
|
|||||||
default = ""
|
default = ""
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "vault_token" {
|
variable "nomad_address" {
|
||||||
type = string
|
type = string
|
||||||
sensitive = true
|
default = "http://n1.thefij:4646"
|
||||||
default = ""
|
|
||||||
}
|
}
|
||||||
|
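Review bot: The new `nomad_address` default `"http://n1.thefij:4646"` is a plaintext endpoint, and the `provider "nomad"` block in the preceding hunk now sends `var.nomad_secret_id` to it as the ACL token, so the secret crosses the network unencrypted unless TLS is terminated in front of that port; an `https://` default, or a comment recording why plaintext is acceptable for this host, would make the choice explicit. The removed `vault_token` variable was marked `sensitive = true`, but the surviving `nomad_secret_id` variable in the context lines above is not, so its value can be printed in plan output and logs; adding `sensitive = true` to it seems worthwhile. With `default = ""` on a secret ID, forgetting to pass the variable is not caught at validation time, which is something to keep in mind now that the module is wired in from root.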
@ -1,8 +0,0 @@
|
|||||||
resource "vault_auth_backend" "userpass" {
|
|
||||||
type = "userpass"
|
|
||||||
|
|
||||||
tune {
|
|
||||||
max_lease_ttl = "1h"
|
|
||||||
listing_visibility = "unauth"
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,83 +0,0 @@
|
|||||||
resource "vault_policy" "admin" {
|
|
||||||
name = "admin"
|
|
||||||
|
|
||||||
policy = <<EOF
|
|
||||||
path "*" {
|
|
||||||
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_policy" "nomad-deploy" {
|
|
||||||
name = "nomad-deploy"
|
|
||||||
policy = <<EOH
|
|
||||||
path "nomad/creds/nomad-deploy" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
|
||||||
|
|
||||||
# Policy for clusters
|
|
||||||
resource "vault_policy" "nomad-task" {
|
|
||||||
name = "nomad-task"
|
|
||||||
policy = <<EOH
|
|
||||||
path "kv/data/*" {
|
|
||||||
# Does this need create, update, delete?
|
|
||||||
capabilities = ["create", "read", "update", "delete", "list"]
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
|
||||||
|
|
||||||
# Policy for nomad tokens
|
|
||||||
resource "vault_policy" "nomad-server" {
|
|
||||||
name = "nomad-server"
|
|
||||||
policy = <<EOH
|
|
||||||
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
|
||||||
# should be updated if "nomad-cluster" is not used.
|
|
||||||
path "auth/token/create/nomad-cluster" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up "nomad-cluster" token role. The token role name should be
|
|
||||||
# updated if "nomad-cluster" is not used.
|
|
||||||
path "auth/token/roles/nomad-cluster" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up the token passed to Nomad to validate # the token has the
|
|
||||||
# proper capabilities. This is provided by the "default" policy.
|
|
||||||
path "auth/token/lookup-self" {
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow looking up incoming tokens to validate they have permissions to access
|
|
||||||
# the tokens they are requesting. This is only required if
|
|
||||||
# `allow_unauthenticated` is set to false.
|
|
||||||
path "auth/token/lookup" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow revoking tokens that should no longer exist. This allows revoking
|
|
||||||
# tokens for dead tasks.
|
|
||||||
path "auth/token/revoke-accessor" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow checking the capabilities of our own token. This is used to validate the
|
|
||||||
# token upon startup.
|
|
||||||
path "sys/capabilities-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow our own token to be renewed.
|
|
||||||
path "auth/token/renew-self" {
|
|
||||||
capabilities = ["update"]
|
|
||||||
}
|
|
||||||
|
|
||||||
# This section grants all access on "secret/*". Further restrictions can be
|
|
||||||
# applied to this broad policy, as shown below.
|
|
||||||
path "kv/data/*" {
|
|
||||||
capabilities = ["create", "read", "update", "delete", "list"]
|
|
||||||
}
|
|
||||||
EOH
|
|
||||||
}
|
|
15
root.tf
15
root.tf
@ -1,15 +1,10 @@
|
|||||||
# Can't run this as part of root and as a submodule because of tf state
|
# Can't run this as part of root and as a submodule because of tf state
|
||||||
# module "acls" {
|
module "acls" {
|
||||||
# source = "./acls"
|
source = "./acls"
|
||||||
#
|
|
||||||
# consul_address = var.consul_address
|
|
||||||
# nomad_secret_id = var.nomad_secret_id
|
|
||||||
# vault_token = var.vault_token
|
|
||||||
# }
|
|
||||||
|
|
||||||
# module "storage_plugins" {
|
nomad_address = var.nomad_address
|
||||||
# source = "./storage_plugins"
|
nomad_secret_id = var.nomad_secret_id
|
||||||
# }
|
}
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">=1.2.9"
|
required_version = ">=1.2.9"
|
||||||
|
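Review bot: The first line of root.tf, `# Can't run this as part of root and as a submodule because of tf state`, is kept unchanged while the `module "acls"` block directly below it is now uncommented, so the comment contradicts the code it introduces; either remove it or reword it to state the new rule, e.g. `# acls is applied only as a submodule from root; do not apply it standalone (separate tf state)` if that is the intent. The module passes `var.nomad_address`, but no root-level `variable "nomad_address"` appears anywhere in this diff; if root's own variables file does not already declare it, `terraform validate` will fail on the undeclared variable, so that declaration (with the same `http`/`https` consideration as in acls/vars.tf) should land with this change. The `terraform {}` block at the end of the hunk continues past it.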