Ian Fijolek
f5898b0283
Allows required jobs to access shared secrets and auto-generates PSKs for stunnel. Currently supporting MySQL, Postgres, and LDAP.
# Recurring backup job: a single Nomad job rendered from backup.nomad with no
# batch node pinned (batch_node = null). The per-node one-off variant is the
# "backup-oneoff" resource below.
resource "nomad_job" "backup" {
  hcl2 {
    enabled = true
  }

  # use_wesher is passed straight through from the module variable; what the
  # template does with it is not visible in this file.
  jobspec = templatefile("${path.module}/backup.nomad", {
    module_path = path.module,
    batch_node  = null,
    use_wesher  = var.use_wesher
  })
}
# One-off (per-node) backup jobs: one nomad_job per hard-coded node name, with
# batch_node set to that name. The commented-out for_each sketches deriving the
# node list from Consul instead (see the TODO); until then adding a node means
# editing this list.
resource "nomad_job" "backup-oneoff" {
  # TODO: Get list of nomad hosts dynamically
  for_each = toset(["n1", "n2", "pi4"])
  # for_each = toset([
  #   for node in data.consul_service.nomad.service :
  #   node.node_name
  # ])

  hcl2 {
    enabled = true
  }

  jobspec = templatefile("${path.module}/backup.nomad", {
    module_path = path.module,
    batch_node  = each.key,
    use_wesher  = var.use_wesher
  })
}
locals {
  # Every backup job ID (the recurring job plus each per-node one-off), used as
  # the for_each key set for the job-scoped ACL policies below so each job gets
  # its own policy.
  all_job_ids = toset(flatten([[for job in resource.nomad_job.backup-oneoff : job.id], [resource.nomad_job.backup.id]]))
}
# Per-job ACL policy granting read on the Nomad variable at secrets/mysql.
# The binding is job-wide (job_acl carries job_id only), so every task in the
# job may read the variable. NOTE(review): the *_psk policies below narrow the
# binding to group "backup" / task "stunnel"; if a single task consumes
# secrets/mysql, the same group/task scoping would apply least privilege here
# too — confirm which task reads it.
resource "nomad_acl_policy" "secrets_mysql" {
  for_each = local.all_job_ids

  name        = "${each.key}-secrets-mysql"
  description = "Give access to MySQL secrets"
  # Exact path, read-only. Presumably does not cover child paths such as
  # secrets/mysql/allowed_psks/backups (hence the separate PSK policy below);
  # verify against Nomad's ACL variable path-matching rules.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    job_id = each.key
  }
}
# Generated MySQL PSK: 32 characters, specials limited to override_special.
# The plaintext result is persisted in Terraform state, so the state backend
# must be protected as secret storage; changing these arguments forces a new
# value (i.e. rotates the PSK).
resource "random_password" "mysql_psk" {
  length           = 32
  override_special = "!@#%&*-_="
}
# Publishes the generated MySQL PSK as a Nomad variable under the "psk" key,
# as an "identity:secret" pair with identity "backups" — presumably the form
# consumed by the stunnel task (the PSK ACL policy below is scoped to task
# "stunnel"); confirm against the job template.
resource "nomad_variable" "mysql_psk" {
  path = "secrets/mysql/allowed_psks/backups"
  items = {
    psk = "backups:${resource.random_password.mysql_psk.result}"
  }
}
# Per-job ACL policy granting read on the MySQL PSK variable, narrowed to
# group "backup" / task "stunnel" so only the tunnel task — not the whole
# job — can read the shared secret.
resource "nomad_acl_policy" "mysql_psk" {
  for_each = local.all_job_ids

  name        = "${each.key}-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"
  # Exact path of the nomad_variable.mysql_psk resource above, read-only.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql/allowed_psks/backups" {
capabilities = ["read"]
}
}
}
EOH

  # group/task must match the names used in backup.nomad; a mismatch is
  # presumably not caught at apply time and would surface as a denied read —
  # confirm against the template.
  job_acl {
    job_id = each.key
    group  = "backup"
    task   = "stunnel"
  }
}
# Per-job ACL policy granting read on the Nomad variable at secrets/postgres.
# The binding is job-wide (job_acl carries job_id only), so every task in the
# job may read the variable. NOTE(review): the *_psk policies narrow the
# binding to group "backup" / task "stunnel"; if a single task consumes
# secrets/postgres, the same group/task scoping would apply least privilege
# here too — confirm which task reads it.
resource "nomad_acl_policy" "secrets_postgres" {
  for_each = local.all_job_ids

  name        = "${each.key}-secrets-postgres"
  description = "Give access to Postgres secrets"
  # Exact path, read-only. Presumably does not cover child paths such as
  # secrets/postgres/allowed_psks/backups (hence the separate PSK policy
  # below); verify against Nomad's ACL variable path-matching rules.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/postgres" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    job_id = each.key
  }
}
# Generated Postgres PSK: 32 characters, specials limited to override_special.
# The plaintext result is persisted in Terraform state, so the state backend
# must be protected as secret storage; changing these arguments forces a new
# value (i.e. rotates the PSK).
resource "random_password" "postgres_psk" {
  length           = 32
  override_special = "!@#%&*-_="
}
# Publishes the generated Postgres PSK as a Nomad variable under the "psk" key,
# as an "identity:secret" pair with identity "backups" — presumably the form
# consumed by the stunnel task (the PSK ACL policy below is scoped to task
# "stunnel"); confirm against the job template.
resource "nomad_variable" "postgres_psk" {
  path = "secrets/postgres/allowed_psks/backups"
  items = {
    psk = "backups:${resource.random_password.postgres_psk.result}"
  }
}
# Per-job ACL policy granting read on the Postgres PSK variable, narrowed to
# group "backup" / task "stunnel" so only the tunnel task — not the whole
# job — can read the shared secret.
resource "nomad_acl_policy" "postgres_psk" {
  for_each = local.all_job_ids

  name        = "${each.key}-secrets-postgres-psk"
  description = "Give access to Postgres PSK secrets"
  # Exact path of the nomad_variable.postgres_psk resource above, read-only.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/postgres/allowed_psks/backups" {
capabilities = ["read"]
}
}
}
EOH

  # group/task must match the names used in backup.nomad; a mismatch is
  # presumably not caught at apply time and would surface as a denied read —
  # confirm against the template.
  job_acl {
    job_id = each.key
    group  = "backup"
    task   = "stunnel"
  }
}