Add ability to set service workload acl for task socket

2023-09-27 21:35:16 -07:00 · 2023-09-27 21:35:16 -07:00 · 91b4ef0ba7
commit 91b4ef0ba7
parent d83591cfd4
3 changed files with 31 additions and 0 deletions
--- a/services/service/main.tf
+++ b/services/service/main.tf
@ -38,11 +38,27 @@ resource "nomad_job" "service" {

    mysql_bootstrap    = var.mysql_bootstrap
    postgres_bootstrap = var.postgres_bootstrap
+
+    workload_identity_env = var.workload_acl_policy != null
  })

  detach = var.detach
 }

+resource "nomad_acl_policy" "workload_special" {
+  count = var.workload_acl_policy != null ? 1 : 0
+
+  name        = var.workload_acl_policy.name
+  description = var.workload_acl_policy.description
+  rules_hcl   = var.workload_acl_policy.rules_hcl
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = var.name
+  }
+}
+
 resource "nomad_acl_policy" "secrets_mysql" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -189,6 +189,11 @@ EOF
        %{~ endif ~}
      }
      %{~ endif ~}
+      %{~ if workload_identity_env }
+      identity {
+        env = true
+      }
+      %{~ endif ~}
    }
    %{~ if mysql_bootstrap != null }
    task "mysql-bootstrap" {
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@ -262,3 +262,13 @@ variable "use_wesher" {
  description = "Indicates whether or not services should expose themselves on the wesher network"
  default     = true
 }
+
+variable "workload_acl_policy" {
+  type = object({
+    name        = string
+    description = string
+    rules_hcl   = string
+  })
+
+  default = null
+}