diff --git a/acls/acls.tf b/acls/acls.tf
index 4631b7c..13961c6 100644
--- a/acls/acls.tf
+++ b/acls/acls.tf
@@ -1,5 +1,4 @@
 resource "nomad_acl_policy" "create_post_bootstrap_policy" {
-  # count = can(tobool(var.nomad_secret_id)) ? 1 : 0
   name = "anonymous"
   description = "Anon RW"
   rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
diff --git a/acls/nomad-admin-policy.hcl b/acls/nomad-admin-policy.hcl
new file mode 100644
index 0000000..9fe3564
--- /dev/null
+++ b/acls/nomad-admin-policy.hcl
@@ -0,0 +1,24 @@
+namespace "*" {
+  policy = "write"
+  capabilities = ["alloc-node-exec"]
+}
+
+agent {
+  policy = "write"
+}
+
+operator {
+  policy = "write"
+}
+
+quota {
+  policy = "write"
+}
+
+node {
+  policy = "write"
+}
+
+host_volume "*" {
+  policy = "write"
+}
diff --git a/acls/nomad-anon-bootstrap.hcl b/acls/nomad-anon-bootstrap.hcl
index 9fe3564..fcdc372 100644
--- a/acls/nomad-anon-bootstrap.hcl
+++ b/acls/nomad-anon-bootstrap.hcl
@@ -1,24 +1,23 @@
 namespace "*" {
-  policy = "write"
-  capabilities = ["alloc-node-exec"]
+  policy = "read"
 }
 
 agent {
-  policy = "write"
+  policy = "read"
 }
 
 operator {
-  policy = "write"
+  policy = "read"
 }
 
 quota {
-  policy = "write"
+  policy = "read"
 }
 
 node {
-  policy = "write"
+  policy = "read"
 }
 
 host_volume "*" {
-  policy = "write"
+  policy = "read"
 }
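Review bot: The kept line `description = "Anon RW"` is now stale: the same commit turns nomad-anon-bootstrap.hcl, which this resource loads through rules_hcl, into a read-only policy on every block, so the description should match, e.g. `description = "Anonymous read-only (post-bootstrap)"`. Because `name = "anonymous"` is the policy Nomad applies to requests that carry no token, an accurate description matters to anyone auditing what unauthenticated callers can reach. With the commented-out count guard removed the resource is created unconditionally; that appears intended, but a one-line comment stating that the anonymous policy is meant to persist after bootstrap would stop the next reader from re-adding the guard. The resource block continues past the end of the hunk.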
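Review bot: The new admin policy grants `capabilities = ["alloc-node-exec"]` on `namespace "*"` with no comment; that capability is not implied by `policy = "write"` and lets a holder of the token exec into tasks that run directly on the client host (raw_exec-style tasks), which in practice amounts to node-level access. A header comment would make that explicit, e.g. `# Full-control policy for operators. alloc-node-exec is listed separately because "write" does not include it and it permits exec into host-level (raw_exec) tasks.` Per the blob ids, this file is byte-identical to the pre-change nomad-anon-bootstrap.hcl, and no hunk in this diff attaches it to a nomad_acl_policy resource or token, so it is presumably bound elsewhere; if it is not, it is dead configuration. It is also worth checking whether day-to-day admin tokens need `write` on operator and quota, or whether a narrower policy plus the management token for break-glass would cover the same work.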
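Review bot: Even at `policy = "read"`, this is the file acls.tf registers under the name "anonymous", so every block here is reachable without a token: read on `namespace "*"` returns job specifications across all namespaces (which commonly carry environment values and template bodies), and read on agent, node and operator exposes cluster members, node metadata and operator state. If tokenless access is only needed during bootstrap, narrow it afterwards — a specific namespace instead of "*", or `policy = "deny"` on the agent, operator, quota, node and host_volume blocks — and document the intended lifetime with a header comment such as `# Policy bound to the "anonymous" (tokenless) identity after bootstrap; keep this minimal.` Nothing in the diff shows the agent's ACL configuration, so whether unauthenticated requests actually reach the API here depends on settings outside this change.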