Can't use the job id for creating the variables and permissions because we end up with circular dependencies. The job won't return until it's successful in Nomad, and it won't start in Nomad without access to the variables.
# Deploy the lldap job from the templated jobspec.
# The job name inside lldap.nomad is not visible here; the ACL policies in
# this file attach to the literal job id "lldap", so the two must agree.
resource "nomad_job" "lldap" {
  # Block until the deployment succeeds: other jobs depend on this service.
  detach = false

  jobspec = templatefile("${path.module}/lldap.nomad", {
    use_wesher = var.use_wesher,
  })

  # Deployed only after the MySQL server job (presumably the jobspec connects
  # to it; the bootstrap task below reads secrets/mysql).
  depends_on = [resource.nomad_job.mysql-server]
}
# Give access to ldap secrets.
# Unlike the other policies in this file, job_acl here names only the job,
# so the grant applies to the whole lldap job rather than to a single task;
# it covers secrets/ldap itself and everything under secrets/ldap/.
resource "nomad_acl_policy" "lldap_ldap_secrets" {
  description = "Give access to LDAP secrets"
  name        = "lldap-secrets-ldap"

  job_acl {
    # The job id is a literal instead of resource.nomad_job.lldap.id: the job
    # resource does not return until the job is healthy, and the job cannot
    # become healthy without this policy, so a reference would be a cycle.
    # job_id = resource.nomad_job.lldap.id
    job_id = "lldap"
  }

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/ldap/*" {
      capabilities = ["read"]
    }
    path "secrets/ldap" {
      capabilities = ["read"]
    }
  }
}
EOH
}
# Create a self-scoped psk so that the config is valid at first start.
# The generated value is recorded in Terraform state, so the state backend
# has to be protected like any other secret store. The special-character
# set contains no ':', so the value cannot collide with the "name:psk"
# separator used where it is stored in Nomad.
resource "random_password" "lldap_ldap_psk" {
  override_special = "!@#%&*-_="
  length           = 32
}
# Publish the ldap psk as a Nomad variable in "name:psk" form.
# The path sits under secrets/ldap/, which the lldap-secrets-ldap policy
# grants read access to for the lldap job. The plaintext psk is also kept
# in Terraform state.
resource "nomad_variable" "lldap_ldap_psk" {
  items = {
    psk = "lldap:${resource.random_password.lldap_ldap_psk.result}"
  }

  path = "secrets/ldap/allowed_psks/ldap"
}
# Give access to smtp secrets.
# Scoped to the "lldap" task of the "lldap" group, so only that task may read
# secrets/smtp.
resource "nomad_acl_policy" "lldap_smtp_secrets" {
  description = "Give access to SMTP secrets"
  name        = "lldap-secrets-smtp"

  job_acl {
    # Literal job id: referencing resource.nomad_job.lldap.id would create a
    # dependency cycle (the job needs this policy to start).
    # job_id = resource.nomad_job.lldap.id
    job_id = "lldap"
    task   = "lldap"
    group  = "lldap"
  }

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/smtp" {
      capabilities = ["read"]
    }
  }
}
EOH
}
# Generate secrets and policies for access to MySQL.
# Read access to secrets/mysql is limited to the "bootstrap" task of the
# "lldap" group; the long-running tasks do not get this grant.
resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
  description = "Give access to MySQL secrets"
  name        = "lldap-secrets-mysql"

  job_acl {
    # Literal job id: referencing resource.nomad_job.lldap.id would create a
    # dependency cycle (the job needs this policy to start).
    # job_id = resource.nomad_job.lldap.id
    job_id = "lldap"
    task   = "bootstrap"
    group  = "lldap"
  }

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOH
}
# Psk for the MySQL tunnel. As with the ldap psk, the value is stored in
# Terraform state, and the special-character set omits ':' so it cannot be
# mistaken for the "name:psk" separator.
resource "random_password" "lldap_mysql_psk" {
  override_special = "!@#%&*-_="
  length           = 32
}
# Publish the MySQL psk as a Nomad variable in "name:psk" form.
# Note the path is under secrets/mysql/, not secrets/mysql itself, so the
# lldap-secrets-mysql policy does not cover it; a separate policy grants
# read access on exactly this path. The plaintext psk is also in state.
resource "nomad_variable" "lldap_mysql_psk" {
  items = {
    psk = "lldap:${resource.random_password.lldap_mysql_psk.result}"
  }

  path = "secrets/mysql/allowed_psks/lldap"
}
# Let the "stunnel" task read its own MySQL psk and nothing else: the grant
# is a single exact path, with no wildcard.
resource "nomad_acl_policy" "lldap_mysql_psk" {
  description = "Give access to MySQL PSK secrets"
  name        = "lldap-secrets-mysql-psk"

  job_acl {
    # Literal job id: referencing resource.nomad_job.lldap.id would create a
    # dependency cycle (the job needs this policy to start).
    # job_id = resource.nomad_job.lldap.id
    job_id = "lldap"
    task   = "stunnel"
    group  = "lldap"
  }

  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/lldap" {
      capabilities = ["read"]
    }
  }
}
EOH
}