Ian Fijolek
f5898b0283
Allows required jobs to access shared secrets and auto generates psks for stunnel. Currently supporting MySQL, Postgres, and LDAP.
# LLDAP service, rendered from lldap.nomad in this module.
resource "nomad_job" "lldap" {
  # Block until deployed as there are services dependent on this one.
  detach = false

  # MySQL has to be up first: the bootstrap task of this job is granted
  # read access to the MySQL secrets (see the lldap_mysql_bootstrap_secrets
  # policy in this file).
  depends_on = [resource.nomad_job.mysql-server]

  jobspec = templatefile("${path.module}/lldap.nomad", {
    use_wesher = var.use_wesher,
  })
}
# Generate secrets and policies for access to MySQL.
#
# Read access to the MySQL secrets is granted to exactly one task
# (bootstrap) of one group of the lldap job; other tasks in the job do
# not get this policy.
resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
  name        = "lldap-secrets-mysql"
  description = "Give access to MySQL secrets"

  # Workload identity binding: job, group and task are all pinned.
  job_acl {
    job_id = "lldap"
    group  = "lldap"
    task   = "bootstrap"
  }

  # Exact path, no wildcard: only secrets/mysql itself is readable.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH
}
# Pre-shared key for the stunnel link between lldap and MySQL.
#
# NOTE(review): random_password keeps `result` in Terraform state, so the
# state backend must be treated as holding this secret (encrypt/restrict it).
resource "random_password" "lldap_mysql_psk" {
  # Restricted special-character set; 32 characters total.
  override_special = "!@#%&*-_="
  length           = 32
}
# Publish the generated PSK as a Nomad variable so the lldap stunnel task
# can read it (policy lldap_mysql_psk below grants that read).
resource "nomad_variable" "lldap_mysql_psk" {
  items = {
    # "identity:key" — presumably the stunnel PSKsecrets line format;
    # confirm against the stunnel config in lldap.nomad.
    psk = "lldap:${resource.random_password.lldap_mysql_psk.result}"
  }

  # One variable per client under allowed_psks/, keyed by client name.
  path = "secrets/mysql/allowed_psks/lldap"
}
# Let the stunnel task of the lldap job read its own MySQL PSK, and
# nothing else under secrets/mysql.
resource "nomad_acl_policy" "lldap_mysql_psk" {
  name        = "lldap-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"

  # Pinned to the single task that actually terminates the tunnel.
  job_acl {
    job_id = "lldap"
    group  = "lldap"
    task   = "stunnel"
  }

  # Exact path: this policy cannot read other clients' PSKs.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/lldap" {
      capabilities = ["read"]
    }
  }
}
EOH
}
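# Give access to all ldap secrets.
#
# NOTE(review): unlike the MySQL policies above, this job_acl pins only
# job_id, so every group/task of the lldap job can read secrets/ldap/*.
# If only one task needs them, add `group`/`task` here to match the
# least-privilege shape used by lldap_mysql_bootstrap_secrets.
resource "nomad_acl_policy" "secrets_ldap" {
  name = "secrets-ldap"
  # Fixed: the description previously said "Postgres" (copy-paste from
  # another service); this policy covers the LDAP secrets path.
  description = "Give access to LDAP secrets"

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/ldap/*" {
      capabilities = ["read"]
    }
  }
}
EOH

  job_acl {
    # Bound to the deployed job's id rather than the literal "lldap"
    # used by the MySQL policies; both refer to the same job.
    job_id = resource.nomad_job.lldap.id
  }
}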