
...

2 Commits

4 changed files with 45 additions and 0 deletions


@ -35,4 +35,18 @@ module "diun" {
mount = false mount = false
}, },
] ]
workload_acl_policy = {
name = "diun-read"
description = "Give the diun task read access to jobs"
rules_hcl = <<EOH
namespace "default" {
capabilities = [
"list-jobs",
"read-job",
]
}
EOH
}
} }
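Review bot: The inline rules_hcl grants `list-jobs` and `read-job` on the whole `default` namespace, so the diun task can read the full specification of every job there, including any inline env or template contents; that is wider than a per-job read and should be stated where the policy is declared. A short comment next to the heredoc would keep the scope visible to the next maintainer, e.g. `# read-job exposes every job spec in "default" to diun; narrow the namespace or capabilities if diun only watches a subset`. The namespace is also hard-coded while the rest of the module call uses variables, so it may drift if the job is ever moved out of `default`. The enclosing `module "diun"` block starts before this hunk.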


@ -38,11 +38,27 @@ resource "nomad_job" "service" {
mysql_bootstrap = var.mysql_bootstrap mysql_bootstrap = var.mysql_bootstrap
postgres_bootstrap = var.postgres_bootstrap postgres_bootstrap = var.postgres_bootstrap
workload_identity_env = var.workload_acl_policy != null
}) })
detach = var.detach detach = var.detach
} }
resource "nomad_acl_policy" "workload_special" {
count = var.workload_acl_policy != null ? 1 : 0
name = var.workload_acl_policy.name
description = var.workload_acl_policy.description
rules_hcl = var.workload_acl_policy.rules_hcl
job_acl {
job_id = var.name
group = var.name
task = var.name
}
}
resource "nomad_acl_policy" "secrets_mysql" { resource "nomad_acl_policy" "secrets_mysql" {
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0 count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
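Review bot: The `job_acl` block binds the policy to a group and a task both named `var.name`; if the job template uses a different group or task name for some callers, the policy is still created but is never attached to any workload identity, and Terraform gives no signal of that. It also sets no `namespace`, so the binding applies to the provider's default namespace only, which is worth confirming against where the module actually deploys the job. A comment on the block documenting the assumption would help, e.g. `# assumes the job, its single group and its task all use var.name, and run in the default namespace`. The `count` on `nomad_acl_policy.secrets_mysql` continues past the end of this hunk.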


@ -189,6 +189,11 @@ EOF
%{~ endif ~} %{~ endif ~}
} }
%{~ endif ~} %{~ endif ~}
%{~ if workload_identity_env }
identity {
env = true
}
%{~ endif ~}
} }
%{~ if mysql_bootstrap != null } %{~ if mysql_bootstrap != null }
task "mysql-bootstrap" { task "mysql-bootstrap" {
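Review bot: `identity { env = true }` puts the workload identity token into the task's environment, where every process in the task and any environment dump (crash reports, debug output, `alloc exec` sessions) can read it. Nomad also supports `file = true`, which writes the token to the task's secrets directory instead; that is the smaller exposure if the consuming application can read a file rather than only `NOMAD_TOKEN`. At minimum the template could note why env delivery was chosen: `# env = true exposes NOMAD_TOKEN to the whole task; used because the workload reads the token from the environment`. The enclosing task block starts before this hunk.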


@ -262,3 +262,13 @@ variable "use_wesher" {
description = "Indicates whether or not services should expose themselves on the wesher network" description = "Indicates whether or not services should expose themselves on the wesher network"
default = true default = true
} }
variable "workload_acl_policy" {
type = object({
name = string
description = string
rules_hcl = string
})
default = null
}
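Review bot: The new `workload_acl_policy` variable has no `description`, unlike `use_wesher` directly above it, so a module user cannot tell from the variables file that `rules_hcl` is passed verbatim into a `nomad_acl_policy` and bound to the job's task identity. Adding `description = "Optional Nomad ACL policy (name, description, raw rules_hcl) attached to the job's workload identity; null disables it"` would document that contract and flag that the rules text is applied as-is rather than validated by the module.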