Ian Fijolek
f5898b0283
Allows the jobs that need them to read shared secrets and auto-generates stunnel PSKs per client job. Currently supports MySQL, Postgres, and LDAP.
locals {
  # Raw text of the module-local config.yml. Terraform reads it at plan time
  # and hands it to the blocky job as the HCL2 variable `config_data` below.
  # NOTE(review): anything in this file ends up inside the submitted jobspec
  # (and therefore in Terraform state), so it should hold only non-sensitive
  # blocky settings — confirm no credentials live in config.yml.
  config_data = file("${path.module}/config.yml")
}

resource "nomad_job" "blocky" {
  # The jobspec is rendered from the module-local template. `use_wesher` is
  # the only template input; how blocky.nomad uses it is not visible here.
  jobspec = templatefile("${path.module}/blocky.nomad", {
    use_wesher = var.use_wesher
  })

  # Deliver the YAML config as an HCL2 job variable instead of splicing it
  # into the template text, so the template stays free of config contents.
  hcl2 {
    enabled = true
    vars = {
      config_data = local.config_data
    }
  }
}

# Generate secrets and policies for access to MySQL

# Read-only access to the shared MySQL secrets variable. Instead of attaching
# the policy to a token, job_acl binds it to the workload identity of one
# specific task (blocky / blocky / bootstrap), so only that task's allocations
# can read the secret. The path has no wildcard, which should limit the grant
# to that single variable rather than a subtree — confirm against the Nomad
# variables ACL rules in use.
resource "nomad_acl_policy" "blocky_mysql_bootstrap_secrets" {
  name        = "blocky-secrets-mysql"
  description = "Give access to MySQL secrets"

  # Least privilege: job + group + task. Dropping `task` or `group` would
  # extend the read grant to every task in the job.
  job_acl {
    job_id = "blocky"
    group  = "blocky"
    task   = "bootstrap"
  }

  rules_hcl = <<EOT
namespace "default" {
  variables {
    path "secrets/mysql" {
      capabilities = ["read"]
    }
  }
}
EOT
}

# Per-client pre-shared key for blocky's MySQL stunnel. 32 characters from the
# default alphanumeric set plus the specials listed below.
# NOTE(review): like any random_* resource, the generated value is persisted in
# Terraform state; the state backend must be treated as secret storage.
resource "random_password" "blocky_mysql_psk" {
  length = 32

  # Narrowed special-character set. ':' is deliberately absent: the key is
  # stored as "blocky:<key>" in the nomad_variable below, where ':' separates
  # identity from key, so a ':' inside the key would corrupt that line.
  override_special = "!@#%&*-_="
}

# Publish blocky's PSK as a Nomad variable. The stored item is a single
# "identity:key" line with identity "blocky" — presumably the stunnel PSK-file
# line format, per the commit message. The path sits under
# secrets/mysql/allowed_psks/ so the MySQL side can presumably gather every
# client's PSK from that prefix; that consumer is not in this file.
resource "nomad_variable" "blocky_mysql_psk" {
  path = "secrets/mysql/allowed_psks/blocky"

  items = {
    # Keep the "blocky" identity here in sync with the last path segment above.
    psk = "blocky:${random_password.blocky_mysql_psk.result}"
  }
}

# Lets blocky's stunnel task read its own PSK (and nothing else under
# secrets/mysql). Scoped through job_acl to the workload identity of the
# blocky / blocky / stunnel task, so other tasks in the job — including the
# bootstrap task above — cannot fetch the key.
resource "nomad_acl_policy" "blocky_mysql_psk" {
  name        = "blocky-secrets-mysql-psk"
  description = "Give access to MySQL PSK secrets"

  # Exactly one task is entitled to this variable.
  job_acl {
    job_id = "blocky"
    group  = "blocky"
    task   = "stunnel"
  }

  # Read-only, and only on blocky's own PSK path — not on the allowed_psks
  # prefix, so this task cannot enumerate other clients' keys.
  rules_hcl = <<EOT
namespace "default" {
  variables {
    path "secrets/mysql/allowed_psks/blocky" {
      capabilities = ["read"]
    }
  }
}
EOT
}