homelab-nomad/services/service/main.tf
Ian Fijolek f5898b0283 Add workload ACL management for mysql and postgres access
Allows required jobs to access shared secrets and auto generates psks
for stunnel.

Currently supporting MySQL, Postgres, and LDAP.
2023-08-29 12:48:48 -07:00

201 lines
4.8 KiB
HCL

resource "nomad_job" "service" {
jobspec = templatefile("${path.module}/service_template.nomad", {
name = var.name
count = var.instance_count
priority = var.priority
image = var.image
image_pull_timeout = var.image_pull_timeout
args = var.args
env = var.env
task_meta = var.task_meta
group_meta = var.group_meta
job_meta = var.job_meta
constraints = var.constraints
docker_devices = var.docker_devices
service_port = var.service_port
service_port_static = var.service_port_static
ports = var.ports
sticky_disk = var.sticky_disk
resources = var.resources
stunnel_resources = var.stunnel_resources
service_tags = var.service_tags
custom_services = var.custom_services
use_wesher = var.use_wesher
ingress = var.ingress
ingress_rule = var.ingress_rule
ingress_middlewares = var.ingress_middlewares
prometheus = var.prometheus
templates = var.templates
host_volumes = var.host_volumes
use_mysql = var.use_mysql || var.mysql_bootstrap != null
use_postgres = var.use_postgres || var.postgres_bootstrap != null
use_redis = var.use_redis
use_ldap = var.use_ldap
mysql_bootstrap = var.mysql_bootstrap
postgres_bootstrap = var.postgres_bootstrap
})
}
resource "nomad_acl_policy" "secrets_mysql" {
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
name = "${var.name}-secrets-mysql"
description = "Give access to MySQL secrets"
rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql" {
capabilities = ["read"]
}
}
}
EOH
job_acl {
job_id = var.name
group = var.name
task = "mysql-bootstrap"
}
}
resource "random_password" "mysql_psk" {
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
length = 32
override_special = "!@#%&*-_="
}
resource "nomad_variable" "mysql_psk" {
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
path = "secrets/mysql/allowed_psks/${var.name}"
items = {
psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
}
}
resource "nomad_acl_policy" "mysql_psk" {
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
name = "${var.name}-secrets-mysql-psk"
description = "Give access to MySQL PSK secrets"
rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql/allowed_psks/${var.name}" {
capabilities = ["read"]
}
}
}
EOH
job_acl {
job_id = var.name
group = var.name
task = "stunnel"
}
}
resource "nomad_acl_policy" "secrets_postgres" {
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
name = "${var.name}-secrets-postgres"
description = "Give access to Postgres secrets"
rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/postgres" {
capabilities = ["read"]
}
}
}
EOH
job_acl {
job_id = var.name
group = var.name
task = "postgres-bootstrap"
}
}
resource "random_password" "postgres_psk" {
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
length = 32
override_special = "!@#%&*-_="
}
resource "nomad_variable" "postgres_psk" {
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
path = "secrets/postgres/allowed_psks/${var.name}"
items = {
psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
}
}
resource "nomad_acl_policy" "postgres_psk" {
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
name = "${var.name}-secrets-postgres-psk"
description = "Give access to Postgres PSK secrets"
rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/postgres/allowed_psks/${var.name}" {
capabilities = ["read"]
}
}
}
EOH
job_acl {
job_id = var.name
group = var.name
task = "stunnel"
}
}
resource "random_password" "ldap_psk" {
count = var.use_ldap ? 1 : 0
length = 32
override_special = "!@#%&*-_="
}
resource "nomad_variable" "ldap_psk" {
count = var.use_ldap ? 1 : 0
path = "secrets/ldap/allowed_psks/${var.name}"
items = {
psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
}
}
resource "nomad_acl_policy" "ldap_psk" {
count = var.use_ldap ? 1 : 0
name = "${var.name}-secrets-ldap-psk"
description = "Give access to ldap PSK secrets"
rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/ldap/allowed_psks/${var.name}" {
capabilities = ["read"]
}
}
}
EOH
job_acl {
job_id = var.name
group = var.name
task = "stunnel"
}
}