resource "nomad_job" "backup" {
|
|
jobspec = templatefile("${path.module}/backup.nomad", {
|
|
module_path = path.module,
|
|
batch_node = null,
|
|
use_wesher = var.use_wesher
|
|
})
|
|
}
resource "nomad_job" "backup-oneoff" {
|
|
# TODO: Get list of nomad hosts dynamically
|
|
for_each = toset(["n1", "n2", "pi4"])
|
|
# for_each = toset([
|
|
# for node in data.consul_service.nomad.service :
|
|
# node.node_name
|
|
# ])
|
|
|
|
jobspec = templatefile("${path.module}/backup.nomad", {
|
|
module_path = path.module,
|
|
batch_node = each.key,
|
|
use_wesher = var.use_wesher
|
|
})
|
|
}
|
|
|
|
locals {
|
|
# NOTE: This can't be dynamic in first deploy since these values are not known
|
|
# all_job_ids = toset(flatten([[for job in resource.nomad_job.backup-oneoff : job.id], [resource.nomad_job.backup.id]]))
|
|
all_job_ids = toset(["backup", "backup-oneoff-n1", "backup-oneoff-n2", "backup-oneoff-pi4"])
|
|
}
resource "nomad_acl_policy" "secrets_mysql" {
|
|
for_each = local.all_job_ids
|
|
|
|
name = "${each.key}-secrets-mysql"
|
|
description = "Give access to MySQL secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/mysql" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = each.key
|
|
}
|
|
}
resource "random_password" "mysql_psk" {
|
|
length = 32
|
|
override_special = "!@#%&*-_="
|
|
}
resource "nomad_variable" "mysql_psk" {
|
|
path = "secrets/mysql/allowed_psks/backups"
|
|
items = {
|
|
psk = "backups:${resource.random_password.mysql_psk.result}"
|
|
}
|
|
}
resource "nomad_acl_policy" "mysql_psk" {
|
|
for_each = local.all_job_ids
|
|
|
|
name = "${each.key}-secrets-mysql-psk"
|
|
description = "Give access to MySQL PSK secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/mysql/allowed_psks/backups" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = each.key
|
|
group = "backup"
|
|
task = "stunnel"
|
|
}
|
|
}
resource "nomad_acl_policy" "secrets_postgres" {
|
|
for_each = local.all_job_ids
|
|
|
|
name = "${each.key}-secrets-postgres"
|
|
description = "Give access to Postgres secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/postgres" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = each.key
|
|
}
|
|
}
resource "random_password" "postgres_psk" {
|
|
length = 32
|
|
override_special = "!@#%&*-_="
|
|
}
resource "nomad_variable" "postgres_psk" {
|
|
path = "secrets/postgres/allowed_psks/backups"
|
|
items = {
|
|
psk = "backups:${resource.random_password.postgres_psk.result}"
|
|
}
|
|
}
resource "nomad_acl_policy" "postgres_psk" {
|
|
for_each = local.all_job_ids
|
|
|
|
name = "${each.key}-secrets-postgres-psk"
|
|
description = "Give access to Postgres PSK secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/postgres/allowed_psks/backups" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = each.key
|
|
group = "backup"
|
|
task = "stunnel"
|
|
}
|
|
}