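# One Nomad service job rendered from service_template.nomad, together with
# the ACL policies, pre-shared keys (PSKs) and Nomad variables that its
# sidecar tasks (mysql-bootstrap, postgres-bootstrap, stunnel) are granted.
#
# MySQL and Postgres support is enabled either explicitly (var.use_mysql /
# var.use_postgres) or implicitly by supplying a bootstrap definition
# (var.mysql_bootstrap / var.postgres_bootstrap).  The locals below hold that
# decision in one place so the template input and every `count` that depends
# on it cannot drift apart.
locals {
  mysql_enabled    = var.use_mysql || var.mysql_bootstrap != null
  postgres_enabled = var.use_postgres || var.postgres_bootstrap != null
}

# The job itself.  All knobs are passed through to the template verbatim;
# only use_mysql/use_postgres are derived (see locals above).
# NOTE(review): var.use_smtp is consumed by the SMTP policy below but is not
# passed to the template -- confirm service_template.nomad does not need it.
resource "nomad_job" "service" {
  jobspec = templatefile("${path.module}/service_template.nomad", {
    name                = var.name
    count               = var.instance_count
    priority            = var.priority
    image               = var.image
    image_pull_timeout  = var.image_pull_timeout
    args                = var.args
    env                 = var.env
    task_meta           = var.task_meta
    group_meta          = var.group_meta
    job_meta            = var.job_meta
    constraints         = var.constraints
    docker_devices      = var.docker_devices
    service_port        = var.service_port
    service_port_static = var.service_port_static
    service_check       = var.service_check
    ports               = var.ports
    sticky_disk         = var.sticky_disk
    resources           = var.resources
    stunnel_resources   = var.stunnel_resources
    service_tags        = var.service_tags
    custom_services     = var.custom_services
    use_wesher          = var.use_wesher
    ingress             = var.ingress
    ingress_rule        = var.ingress_rule
    ingress_middlewares = var.ingress_middlewares
    prometheus          = var.prometheus
    templates           = var.templates
    host_volumes        = var.host_volumes
    use_mysql           = local.mysql_enabled
    use_postgres        = local.postgres_enabled
    use_redis           = var.use_redis
    use_ldap            = var.use_ldap
    mysql_bootstrap     = var.mysql_bootstrap
    postgres_bootstrap  = var.postgres_bootstrap
  })
  detach = var.detach
}

# ---------------------------------------------------------------------------
# MySQL
# ---------------------------------------------------------------------------

# Read access to the shared MySQL admin secrets, scoped via job_acl to the
# mysql-bootstrap task of this job only (not to the main service task).
# Assumes the template names the task group after the job (group = var.name)
# -- confirm against service_template.nomad.
resource "nomad_acl_policy" "secrets_mysql" {
  count       = local.mysql_enabled ? 1 : 0
  name        = "${var.name}-secrets-mysql"
  description = "Give access to MySQL secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "mysql-bootstrap"
  }
}

# Per-service PSK for the stunnel link to MySQL.  The generated value lives in
# Terraform state (random_password) and in the Nomad variable below, so both
# stores must be treated as secret.
resource "random_password" "mysql_psk" {
  count            = local.mysql_enabled ? 1 : 0
  length           = 32
  override_special = "!@#%&*-_="
}

# Publishes the PSK as "<name>:<secret>" under a path unique to this service,
# which is the only path the matching policy below grants.
resource "nomad_variable" "mysql_psk" {
  count = local.mysql_enabled ? 1 : 0
  path  = "secrets/mysql/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
  }
}

# Lets only this job's stunnel task read its own MySQL PSK.
resource "nomad_acl_policy" "mysql_psk" {
  count       = local.mysql_enabled ? 1 : 0
  name        = "${var.name}-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# ---------------------------------------------------------------------------
# Postgres (mirrors the MySQL resources above)
# ---------------------------------------------------------------------------

# Read access to the shared Postgres admin secrets for the postgres-bootstrap
# task of this job only.
resource "nomad_acl_policy" "secrets_postgres" {
  count       = local.postgres_enabled ? 1 : 0
  name        = "${var.name}-secrets-postgres"
  description = "Give access to Postgres secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "postgres-bootstrap"
  }
}

# Per-service PSK for the stunnel link to Postgres (stored in state and in
# the Nomad variable below).
resource "random_password" "postgres_psk" {
  count            = local.postgres_enabled ? 1 : 0
  length           = 32
  override_special = "!@#%&*-_="
}

# Publishes the Postgres PSK as "<name>:<secret>" under a service-unique path.
resource "nomad_variable" "postgres_psk" {
  count = local.postgres_enabled ? 1 : 0
  path  = "secrets/postgres/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
  }
}

# Lets only this job's stunnel task read its own Postgres PSK.
resource "nomad_acl_policy" "postgres_psk" {
  count       = local.postgres_enabled ? 1 : 0
  name        = "${var.name}-secrets-postgres-psk"
  description = "Give access to Postgres PSK secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# ---------------------------------------------------------------------------
# LDAP (PSK only; there is no bootstrap task and no shared-secret policy)
# ---------------------------------------------------------------------------

# Per-service PSK for the stunnel link to LDAP (stored in state and in the
# Nomad variable below).
resource "random_password" "ldap_psk" {
  count            = var.use_ldap ? 1 : 0
  length           = 32
  override_special = "!@#%&*-_="
}

# Publishes the LDAP PSK as "<name>:<secret>" under a service-unique path.
resource "nomad_variable" "ldap_psk" {
  count = var.use_ldap ? 1 : 0
  path  = "secrets/ldap/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
  }
}

# Lets only this job's stunnel task read its own LDAP PSK.
resource "nomad_acl_policy" "ldap_psk" {
  count       = var.use_ldap ? 1 : 0
  name        = "${var.name}-secrets-ldap-psk"
  description = "Give access to ldap PSK secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/ldap/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# ---------------------------------------------------------------------------
# SMTP
# ---------------------------------------------------------------------------

# Read access to the shared SMTP secrets.  Unlike the database policies this
# is granted to the main service task (task = var.name), since there is no
# bootstrap or stunnel sidecar for SMTP.
resource "nomad_acl_policy" "secrets_smtp" {
  count       = var.use_smtp ? 1 : 0
  name        = "${var.name}-secrets-smtp"
  description = "Give access to SMTP secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/smtp" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = var.name
  }
}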