From 9af55580e79b910a75f2f87b7b8a4a668b6480d8 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Wed, 1 May 2024 10:18:54 -0700
Subject: [PATCH] Update diun config to read from task socket

---
 services/diun.tf | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/services/diun.tf b/services/diun.tf
index 8d50040..0042568 100644
--- a/services/diun.tf
+++ b/services/diun.tf
@@ -16,10 +16,13 @@ module "diun" {
 DIUN_DEFAULTS_INCLUDETAGS = "^\\d+(\\.\\d+){0,2}$"
 
 # Nomad API
- # TODO: Use socket in $NOMAD_SECRETS_DIR/api.sock when we can assign workload ACLs with Terraform to
- # allow read access. Will need to update template to allow passing token by env
- NOMAD_ADDR = "http://$${attr.unique.network.ip-address}:4646/"
- DIUN_PROVIDERS_NOMAD = true
+ NOMAD_ADDR = "unix:///secrets/api.sock"
+ DIUN_PROVIDERS_NOMAD = true
+ DIUN_PROVIDERS_NOMAD_SECRETID = "$${NOMAD_TOKEN}"
+ }
+
+ task_identity = {
+ env = true
 }
 
 templates = [
@@ -36,3 +39,16 @@ module "diun" {
 },
 ]
 }
+
+resource "nomad_acl_policy" "diun_query_jobs" {
+ name = "diun-query-jobs"
+ description = "Allow diun to query jobs"
+ rules_hcl = <
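Review bot: `NOMAD_ADDR = "unix:///secrets/api.sock"` hard-codes the Docker driver's mount point for the task secrets directory, while the comment this hunk removes named it as `$NOMAD_SECRETS_DIR/api.sock`; if the driver interpolates runtime variables here the way `$${attr.unique.network.ip-address}` was interpolated before, `NOMAD_ADDR = "unix://$${NOMAD_SECRETS_DIR}/api.sock"` keeps the path correct when the mount point differs, which is worth confirming against the driver in use. The removed TODO was the only explanation of how the provider authenticates, so the new `DIUN_PROVIDERS_NOMAD_SECRETID` line should carry one, e.g. `# NOMAD_TOKEN is the task's workload identity (task_identity.env = true), not a static secret; its permissions come from the nomad_acl_policy added below`. Because `env = true` places the identity token in the container environment, anything able to read the task's process environment can reuse it, so the policy that patch binds to this token should stay limited to the read-only job queries diun needs. The `env = {` block these keys belong to starts above the hunk.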