Give Diun task socket access to read jobs

services/diun.tf

@@ -35,4 +35,18 @@ module "diun" {
       mount       = false
     },
   ]
+
+  workload_acl_policy = {
+    name        = "diun-read"
+    description = "Give the diun task read access to jobs"
+
+    rules_hcl = <<EOH
+namespace "default" {
+  capabilities = [
+    "list-jobs",
+    "read-job",
+  ]
+}
+EOH
+  }
 }

services/service/main.tf

@@ -38,11 +38,27 @@ resource "nomad_job" "service" {
 
     mysql_bootstrap    = var.mysql_bootstrap
     postgres_bootstrap = var.postgres_bootstrap
+
+    workload_identity_env = var.workload_acl_policy != null
   })
 
   detach = var.detach
 }
 
+resource "nomad_acl_policy" "workload_special" {
+  count = var.workload_acl_policy != null ? 1 : 0
+
+  name        = var.workload_acl_policy.name
+  description = var.workload_acl_policy.description
+  rules_hcl   = var.workload_acl_policy.rules_hcl
+
+  job_acl {
+    job_id = var.name
+    group  = var.name
+    task   = var.name
+  }
+}
+
 resource "nomad_acl_policy" "secrets_mysql" {
   count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
 

services/service/service_template.nomad

@@ -189,6 +189,11 @@ EOF
         %{~ endif ~}
       }
       %{~ endif ~}
+      %{~ if workload_identity_env }
+      identity {
+        env = true
+      }
+      %{~ endif ~}
     }
     %{~ if mysql_bootstrap != null }
     task "mysql-bootstrap" {

services/service/vars.tf

@@ -262,3 +262,13 @@ variable "use_wesher" {
   description = "Indicates whether or not services should expose themselves on the wesher network"
   default     = true
 }
+
+variable "workload_acl_policy" {
+  type = object({
+    name        = string
+    description = string
+    rules_hcl   = string
+  })
+
+  default = null
+}