locals {
  # Port names handed to the job template as `port_names`: "main" when a
  # primary service port is configured, followed by the name of every
  # var.ports entry whose task_config flag is set.
  port_names = concat(
    var.service_port != null ? ["main"] : [],
    [for p in var.ports : p.name if p.task_config],
  )
}

# The service job itself, rendered from service_template.nomad with the
# module inputs below. The template is not part of this file, so each key is
# documented only by what is passed in. Everything in this map, including env
# and the bootstrap payloads, is rendered into `jobspec` and therefore
# recorded in Terraform state — the state backend must be treated as secret.
resource "nomad_job" "service" {
  jobspec = templatefile("${path.module}/service_template.nomad", {
    # Identity, placement and container settings.
    name               = var.name
    count              = var.instance_count
    priority           = var.priority
    image              = var.image
    image_pull_timeout = var.image_pull_timeout
    args               = var.args
    env                = var.env
    task_meta          = var.task_meta
    task_identity      = var.task_identity
    group_meta         = var.group_meta
    job_meta           = var.job_meta
    constraints        = var.constraints
    docker_devices     = var.docker_devices
    user               = var.user
    actions            = var.actions

    # Networking, storage and sizing. port_names is derived in locals from
    # service_port and ports.
    service_port        = var.service_port
    service_port_static = var.service_port_static
    service_check       = var.service_check
    ports               = var.ports
    port_names          = local.port_names
    sticky_disk         = var.sticky_disk
    resources           = var.resources
    stunnel_resources   = var.stunnel_resources
    service_tags        = var.service_tags
    custom_services     = var.custom_services
    use_wesher          = var.use_wesher

    # Ingress and metrics.
    ingress             = var.ingress
    ingress_rule        = var.ingress_rule
    ingress_middlewares = var.ingress_middlewares
    prometheus          = var.prometheus

    templates    = var.templates
    host_volumes = var.host_volumes

    # Backing services. MySQL/Postgres count as enabled either explicitly or
    # implicitly when a bootstrap spec is given; the same predicate gates the
    # matching ACL policy, PSK and variable resources further down this file.
    use_mysql    = var.use_mysql || var.mysql_bootstrap != null
    use_postgres = var.use_postgres || var.postgres_bootstrap != null
    use_redis    = var.use_redis
    use_ldap     = var.use_ldap

    # Bootstrap payloads for the database bootstrap tasks.
    # NOTE(review): presumably these carry credentials/SQL — confirm against
    # the template before logging or exposing the rendered jobspec anywhere.
    mysql_bootstrap    = var.mysql_bootstrap
    postgres_bootstrap = var.postgres_bootstrap
  })

  # When true, apply returns without waiting for the Nomad deployment to
  # finish, so a failed rollout will not fail the Terraform run.
  detach = var.detach
}

# Workload-identity policy letting the MySQL bootstrap task read the shared
# MySQL secrets variable. Created under the same predicate as the use_mysql
# template input above (explicit flag or a bootstrap spec).
resource "nomad_acl_policy" "secrets_mysql" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-mysql"
  description = "Give access to MySQL secrets"
  # Read-only on a single variable path. The namespace is hard-coded to
  # "default", so the grant is only effective if the job runs there.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH

  # Bind to exactly one task of the job rather than the whole job, which keeps
  # the grant off the main service task.
  # NOTE(review): with use_mysql = true and no mysql_bootstrap, the policy is
  # still created for a task named "mysql-bootstrap"; harmless if the template
  # omits that task in that case, but worth confirming so the count could be
  # narrowed to the bootstrap case only.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "mysql-bootstrap"
  }
}

# Per-service pre-shared key for the stunnel link to MySQL (the matching
# policy below binds it to the "stunnel" task). The generated value is held
# in Terraform state, so the state backend must be protected.
resource "random_password" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  length = 32
  # Restrict the special-character set; ":" is deliberately absent because the
  # "<name>:<secret>" PSK string built in nomad_variable.mysql_psk uses it as
  # the delimiter.
  override_special = "!@#%&*-_="
}

# Publish this service's MySQL PSK under a per-service path. Value format is
# "<service name>:<secret>".
# NOTE(review): presumably the MySQL-side stunnel reads the whole
# allowed_psks prefix to build its accepted-key list — verify against that
# job; nothing in this file grants that read.
resource "nomad_variable" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  path = "secrets/mysql/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
  }
}

# Lets this job's stunnel sidecar read its own MySQL PSK. Only the service's
# own path is granted, not the allowed_psks prefix, so one service cannot read
# another service's key.
resource "nomad_acl_policy" "mysql_psk" {
  count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"
  # Namespace is hard-coded to "default"; var.name is interpolated into the
  # policy HCL, so it must stay a plain identifier (no quotes or newlines).
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  # Scoped to the stunnel task only; the main task never needs the PSK.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# Workload-identity policy letting the Postgres bootstrap task read the shared
# Postgres secrets variable. Mirrors nomad_acl_policy.secrets_mysql and uses
# the same enable predicate as the use_postgres template input.
resource "nomad_acl_policy" "secrets_postgres" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-postgres"
  description = "Give access to Postgres secrets"
  # Read-only on a single variable path; namespace hard-coded to "default".
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres" {
      capabilities = ["read"]
    }
  }
}
EOH

  # Bound to the bootstrap task only, keeping the grant off the main task.
  # NOTE(review): as with MySQL, the policy also exists when use_postgres is
  # set without a postgres_bootstrap — confirm the template has no
  # "postgres-bootstrap" task in that case.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "postgres-bootstrap"
  }
}

# Per-service pre-shared key for the stunnel link to Postgres; the generated
# value is held in Terraform state.
resource "random_password" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  length = 32
  # Same restricted character set as the MySQL PSK; ":" is excluded so the
  # "<name>:<secret>" delimiter stays unambiguous.
  override_special = "!@#%&*-_="
}

# Publish this service's Postgres PSK under a per-service path, in the same
# "<service name>:<secret>" format as the MySQL one.
# NOTE(review): consumption of the allowed_psks prefix by the Postgres-side
# stunnel is assumed, not visible here.
resource "nomad_variable" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  path = "secrets/postgres/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
  }
}

# Lets this job's stunnel sidecar read its own Postgres PSK. Only the
# service's own path is readable, not the whole allowed_psks prefix.
resource "nomad_acl_policy" "postgres_psk" {
  count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0

  name        = "${var.name}-secrets-postgres-psk"
  description = "Give access to Postgres PSK secrets"
  # Namespace hard-coded to "default"; var.name is interpolated into the
  # policy HCL and must remain a plain identifier.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  # Scoped to the stunnel task only.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# Per-service pre-shared key for the stunnel link to LDAP. Unlike the
# database PSKs there is no bootstrap variant, so only use_ldap gates it.
# The generated value is held in Terraform state.
resource "random_password" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  length = 32
  # Same restricted character set as the other PSKs; ":" is excluded so the
  # "<name>:<secret>" delimiter stays unambiguous.
  override_special = "!@#%&*-_="
}

# Publish this service's LDAP PSK under a per-service path, in the same
# "<service name>:<secret>" format as the database PSKs.
# NOTE(review): the LDAP-side consumer of the allowed_psks prefix is not
# visible in this file.
resource "nomad_variable" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  path = "secrets/ldap/allowed_psks/${var.name}"
  items = {
    psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
  }
}

# Lets this job's stunnel sidecar read its own LDAP PSK. Only the service's
# own path is readable, not the whole allowed_psks prefix.
resource "nomad_acl_policy" "ldap_psk" {
  count = var.use_ldap ? 1 : 0

  name        = "${var.name}-secrets-ldap-psk"
  description = "Give access to ldap PSK secrets"
  # Namespace hard-coded to "default"; var.name is interpolated into the
  # policy HCL and must remain a plain identifier.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/ldap/allowed_psks/${var.name}" {
      capabilities = ["read"]
    }
  }
}
EOH

  # Scoped to the stunnel task only.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = "stunnel"
  }
}

# Workload-identity policy granting read access to the shared SMTP secrets.
# Unlike the database secrets this is bound to the task named after the
# service rather than a bootstrap/sidecar task.
resource "nomad_acl_policy" "secrets_smtp" {
  count = var.use_smtp ? 1 : 0

  name        = "${var.name}-secrets-smtp"
  description = "Give access to SMTP secrets"
  # Read-only on a single variable path; namespace hard-coded to "default".
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/smtp" {
      capabilities = ["read"]
    }
  }
}
EOH

  # NOTE(review): task = var.name presumably selects the main application
  # task — confirm the task name used in service_template.nomad, since a
  # mismatch silently grants nothing.
  job_acl {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = var.name
  }
}

# Optional OIDC client registration for the service, delegated to the shared
# core module. Only the listed client fields are forwarded, so additions to
# var.oidc_client_config need a matching line here.
module "oidc_client" {
  count = var.oidc_client_config != null ? 1 : 0

  source = "../../core/oidc_client"
  name   = var.name

  oidc_client_config = {
    description          = var.oidc_client_config.description
    authorization_policy = var.oidc_client_config.authorization_policy
    redirect_uris        = var.oidc_client_config.redirect_uris
    scopes               = var.oidc_client_config.scopes
  }

  # Same job/group/task binding as the SMTP policy, passed as a map so the
  # module can attach whatever policy it creates to the main task only.
  # NOTE(review): how the module uses job_acl is not visible here — verify.
  job_acl = {
    job_id = resource.nomad_job.service.id
    group  = var.name
    task   = var.name
  }
}

# Action cron jobs
# One scheduled Nomad job per action in var.actions that carries a cron
# expression, rendered from service_scheduled.nomad. Keyed by action name, so
# two actions with the same name are rejected at plan time.
resource "nomad_job" "action_cron" {
  for_each = tomap({ for action in var.actions : action.name => action if action.cron != null })

  jobspec = templatefile("${path.module}/service_scheduled.nomad", {
    name        = var.name
    action_name = each.value.name
    action_cron = each.value.cron
  })
}

# Policy for each cron job so it can locate the service's allocations and
# exec the named action. job_acl names only the job, so every task in the
# cron job receives it.
# NOTE(review): these capabilities are namespace-scoped — Nomad namespace
# rules are not narrowed to a single job — so each cron job can list and read
# every job in "default" and alloc-exec into any allocation there, not only
# this service's. This is acceptable only if the cron image is trusted;
# running the service in its own namespace would bound the blast radius.
resource "nomad_acl_policy" "action_cron_workload_policy" {
  for_each = resource.nomad_job.action_cron

  # each.value.id is the Nomad job ID of the cron job.
  name        = "service-action-${each.value.id}"
  description = "Give custom service cron actions access to execute actions."
  rules_hcl = <<EOH
namespace "default" {
  capabilities = [
    "list-jobs",
    "read-job",
    "alloc-exec",
  ]
}
EOH

  job_acl {
    job_id = each.value.id
  }
}
