Update diun config to read from task socket

services/diun.tf

@@ -16,10 +16,13 @@ module "diun" {
     DIUN_DEFAULTS_INCLUDETAGS           = "^\\d+(\\.\\d+){0,2}$"
 
     # Nomad API
-    # TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
-    # allow read access. Will need to update template to allow passing token by env
-    NOMAD_ADDR           = "http://$${attr.unique.network.ip-address}:4646/"
-    DIUN_PROVIDERS_NOMAD = true
+    NOMAD_ADDR                    = "unix:///secrets/api.sock"
+    DIUN_PROVIDERS_NOMAD          = true
+    DIUN_PROVIDERS_NOMAD_SECRETID = "$${NOMAD_TOKEN}"
+  }
+
+  task_identity = {
+    env = true
   }
 
   templates = [
@@ -36,3 +39,16 @@ module "diun" {
     },
   ]
 }
+
+resource "nomad_acl_policy" "diun_query_jobs" {
+  name        = "diun-query-jobs"
+  description = "Allow diun to query jobs"
+  rules_hcl   = <<EOH
+namespace "default" {
+  capabilities = ["list-jobs", "read-job"]
+}
+EOH
+  job_acl {
+    job_id = module.diun.job_id
+  }
+}