Move databases to their own tf files and improve first start

databases/main.tf

@@ -1,62 +0,0 @@
-resource "nomad_job" "mysql-server" {
-  jobspec = file("${path.module}/mysql.nomad")
-
-  # Block until deployed as there are servics dependent on this one
-  detach = false
-}
-
-resource "nomad_acl_policy" "secrets_mysql" {
-  name        = "secrets-mysql"
-  description = "Give access to MySQL secrets"
-  rules_hcl   = <<EOH
-namespace "default" {
-  variables {
-    path "secrets/mysql/*" {
-      capabilities = ["read"]
-    }
-  }
-}
-EOH
-
-  job_acl {
-    job_id = resource.nomad_job.mysql-server.id
-  }
-}
-
-resource "nomad_job" "postgres-server" {
-  jobspec = file("${path.module}/postgres.nomad")
-
-  # Block until deployed as there are servics dependent on this one
-  detach = false
-}
-
-resource "nomad_acl_policy" "secrets_postgres" {
-  name        = "secrets-postgres"
-  description = "Give access to Postgres secrets"
-  rules_hcl   = <<EOH
-namespace "default" {
-  variables {
-    path "secrets/postgres/*" {
-      capabilities = ["read"]
-    }
-  }
-}
-EOH
-
-  job_acl {
-    job_id = resource.nomad_job.postgres-server.id
-  }
-}
-
-resource "nomad_job" "redis" {
-  for_each = toset(["blocky", "authelia"])
-
-  jobspec = templatefile("${path.module}/redis.nomad",
-    {
-      name = each.key,
-    }
-  )
-
-  # Block until deployed as there are servics dependent on this one
-  detach = false
-}

databases/mysql.tf

@@ -0,0 +1,41 @@
+resource "nomad_job" "mysql-server" {
+  jobspec = file("${path.module}/mysql.nomad")
+
+  # Block until deployed as there are servics dependent on this one
+  detach = false
+}
+
+resource "nomad_acl_policy" "secrets_mysql" {
+  name        = "secrets-mysql"
+  description = "Give access to MySQL secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/mysql" {
+      capabilities = ["read"]
+    }
+    path "secrets/mysql/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    # job_id = resource.nomad_job.mysql-server.id
+    job_id = "mysql-server"
+  }
+}
+
+# Create self-scoped psk so that config is valid at first start
+resource "random_password" "mysql_mysql_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "mysql_mysql_psk" {
+  path = "secrets/mysql/allowed_psks/mysql"
+  items = {
+    psk = "mysql:${resource.random_password.mysql_mysql_psk.result}"
+  }
+}

databases/postgres.tf

@@ -0,0 +1,41 @@
+resource "nomad_job" "postgres-server" {
+  jobspec = file("${path.module}/postgres.nomad")
+
+  # Block until deployed as there are servics dependent on this one
+  detach = false
+}
+
+resource "nomad_acl_policy" "secrets_postgres" {
+  name        = "secrets-postgres"
+  description = "Give access to Postgres secrets"
+  rules_hcl   = <<EOH
+namespace "default" {
+  variables {
+    path "secrets/postgres" {
+      capabilities = ["read"]
+    }
+    path "secrets/postgres/*" {
+      capabilities = ["read"]
+    }
+  }
+}
+EOH
+
+  job_acl {
+    # job_id = resource.nomad_job.postgres-server.id
+    job_id = "postgres-server"
+  }
+}
+
+# Create self-scoped psk so that config is valid at first start
+resource "random_password" "postgres_postgres_psk" {
+  length           = 32
+  override_special = "!@#%&*-_="
+}
+
+resource "nomad_variable" "postgres_postgres_psk" {
+  path = "secrets/postgres/allowed_psks/postgres"
+  items = {
+    psk = "postgres:${resource.random_password.postgres_postgres_psk.result}"
+  }
+}

databases/redis.tf

@@ -0,0 +1,12 @@
+resource "nomad_job" "redis" {
+  for_each = toset(["blocky", "authelia"])
+
+  jobspec = templatefile("${path.module}/redis.nomad",
+    {
+      name = each.key,
+    }
+  )
+
+  # Block until deployed as there are servics dependent on this one
+  detach = false
+}