# Registers the Postgres job from the jobspec file that ships with this module.
resource "nomad_job" "postgres-server" {
  # Wait for the deployment to finish instead of returning immediately:
  # other services depend on this one being up.
  detach = false

  # The job definition itself (groups, tasks, which variables it reads) lives
  # in postgres.nomad and is not visible from this file.
  jobspec = file("${path.module}/postgres.nomad")
}
# Read-only ACL policy for the Postgres secret variables, attached to the
# postgres-server job through a job_acl binding.
resource "nomad_acl_policy" "secrets_postgres" {
  name        = "secrets-postgres"
  description = "Give access to Postgres secrets"

  # The policy is bound by the literal job ID rather than by a reference to
  # the nomad_job resource (the reference is left commented out).
  # NOTE(review): presumably this avoids making the policy wait on a job that
  # blocks until deployed; confirm. The literal must match the job ID declared
  # in postgres.nomad, otherwise the job gets no access from this policy.
  # NOTE(review): no group or task is set, so the binding is not narrowed
  # below job level; if only one task reads these secrets, scope it here.
  job_acl {
    # job_id = resource.nomad_job.postgres-server.id
    job_id = "postgres-server"
  }

  # Grants "read" only (no write, list or destroy) in namespace "default" on
  # secrets/postgres and on every path beneath it. The wildcard rule therefore
  # also covers all entries under secrets/postgres/allowed_psks/.
  rules_hcl = <<EOH
namespace "default" {
  variables {
    path "secrets/postgres" {
      capabilities = ["read"]
    }
    path "secrets/postgres/*" {
      capabilities = ["read"]
    }
  }
}
EOH
}
# Generate a pre-shared key for Postgres itself so that the PSK configuration
# is valid on first start.
# The generated value is kept in the Terraform state, so the state backend
# needs the same access control and encryption as any other secret store.
resource "random_password" "postgres_postgres_psk" {
  # Symbols are limited to this set. ':' is not in it, which keeps the key from
  # colliding with the ':' separator used when the PSK is written to the
  # nomad_variable of the same name.
  override_special = "!@#%&*-_="
  length           = 32
}
# Stores the generated PSK as a Nomad variable under the allowed_psks subtree.
# The path sits beneath secrets/postgres/, so it is readable through the
# "secrets/postgres/*" rule of the secrets-postgres policy.
# NOTE(review): no namespace is set here; confirm it resolves to "default",
# the only namespace that policy covers.
resource "nomad_variable" "postgres_postgres_psk" {
  # Single item in "<identity>:<key>" form, with the identity fixed to "postgres".
  items = {
    psk = "postgres:${resource.random_password.postgres_postgres_psk.result}"
  }

  path = "secrets/postgres/allowed_psks/postgres"
}