Ian Fijolek
f5898b0283
Allows required jobs to access shared secrets and auto generates psks for stunnel. Currently supporting MySQL, Postgres, and LDAP.
201 lines
4.8 KiB
HCL
201 lines
4.8 KiB
HCL
resource "nomad_job" "service" {
|
|
jobspec = templatefile("${path.module}/service_template.nomad", {
|
|
name = var.name
|
|
count = var.instance_count
|
|
priority = var.priority
|
|
image = var.image
|
|
image_pull_timeout = var.image_pull_timeout
|
|
args = var.args
|
|
env = var.env
|
|
task_meta = var.task_meta
|
|
group_meta = var.group_meta
|
|
job_meta = var.job_meta
|
|
constraints = var.constraints
|
|
docker_devices = var.docker_devices
|
|
|
|
service_port = var.service_port
|
|
service_port_static = var.service_port_static
|
|
ports = var.ports
|
|
sticky_disk = var.sticky_disk
|
|
resources = var.resources
|
|
stunnel_resources = var.stunnel_resources
|
|
service_tags = var.service_tags
|
|
custom_services = var.custom_services
|
|
use_wesher = var.use_wesher
|
|
|
|
ingress = var.ingress
|
|
ingress_rule = var.ingress_rule
|
|
ingress_middlewares = var.ingress_middlewares
|
|
prometheus = var.prometheus
|
|
|
|
templates = var.templates
|
|
host_volumes = var.host_volumes
|
|
|
|
use_mysql = var.use_mysql || var.mysql_bootstrap != null
|
|
use_postgres = var.use_postgres || var.postgres_bootstrap != null
|
|
use_redis = var.use_redis
|
|
use_ldap = var.use_ldap
|
|
|
|
mysql_bootstrap = var.mysql_bootstrap
|
|
postgres_bootstrap = var.postgres_bootstrap
|
|
})
|
|
}
|
|
|
|
resource "nomad_acl_policy" "secrets_mysql" {
|
|
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
|
|
|
|
name = "${var.name}-secrets-mysql"
|
|
description = "Give access to MySQL secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/mysql" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = var.name
|
|
group = var.name
|
|
task = "mysql-bootstrap"
|
|
}
|
|
}
|
|
|
|
resource "random_password" "mysql_psk" {
|
|
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
|
|
|
|
length = 32
|
|
override_special = "!@#%&*-_="
|
|
}
|
|
|
|
resource "nomad_variable" "mysql_psk" {
|
|
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
|
|
|
|
path = "secrets/mysql/allowed_psks/${var.name}"
|
|
items = {
|
|
psk = "${var.name}:${resource.random_password.mysql_psk[0].result}"
|
|
}
|
|
}
|
|
|
|
resource "nomad_acl_policy" "mysql_psk" {
|
|
count = var.use_mysql || var.mysql_bootstrap != null ? 1 : 0
|
|
|
|
name = "${var.name}-secrets-mysql-psk"
|
|
description = "Give access to MySQL PSK secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/mysql/allowed_psks/${var.name}" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = var.name
|
|
group = var.name
|
|
task = "stunnel"
|
|
}
|
|
}
|
|
|
|
resource "nomad_acl_policy" "secrets_postgres" {
|
|
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
|
|
|
|
name = "${var.name}-secrets-postgres"
|
|
description = "Give access to Postgres secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/postgres" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = var.name
|
|
group = var.name
|
|
task = "postgres-bootstrap"
|
|
}
|
|
}
|
|
|
|
resource "random_password" "postgres_psk" {
|
|
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
|
|
|
|
length = 32
|
|
override_special = "!@#%&*-_="
|
|
}
|
|
|
|
resource "nomad_variable" "postgres_psk" {
|
|
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
|
|
|
|
path = "secrets/postgres/allowed_psks/${var.name}"
|
|
items = {
|
|
psk = "${var.name}:${resource.random_password.postgres_psk[0].result}"
|
|
}
|
|
}
|
|
|
|
resource "nomad_acl_policy" "postgres_psk" {
|
|
count = var.use_postgres || var.postgres_bootstrap != null ? 1 : 0
|
|
|
|
name = "${var.name}-secrets-postgres-psk"
|
|
description = "Give access to Postgres PSK secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/postgres/allowed_psks/${var.name}" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = var.name
|
|
group = var.name
|
|
task = "stunnel"
|
|
}
|
|
}
|
|
|
|
resource "random_password" "ldap_psk" {
|
|
count = var.use_ldap ? 1 : 0
|
|
|
|
length = 32
|
|
override_special = "!@#%&*-_="
|
|
}
|
|
|
|
resource "nomad_variable" "ldap_psk" {
|
|
count = var.use_ldap ? 1 : 0
|
|
|
|
path = "secrets/ldap/allowed_psks/${var.name}"
|
|
items = {
|
|
psk = "${var.name}:${resource.random_password.ldap_psk[0].result}"
|
|
}
|
|
}
|
|
|
|
resource "nomad_acl_policy" "ldap_psk" {
|
|
count = var.use_ldap ? 1 : 0
|
|
|
|
name = "${var.name}-secrets-ldap-psk"
|
|
description = "Give access to ldap PSK secrets"
|
|
rules_hcl = <<EOH
|
|
namespace "default" {
|
|
variables {
|
|
path "secrets/ldap/allowed_psks/${var.name}" {
|
|
capabilities = ["read"]
|
|
}
|
|
}
|
|
}
|
|
EOH
|
|
|
|
job_acl {
|
|
job_id = var.name
|
|
group = var.name
|
|
task = "stunnel"
|
|
}
|
|
}
|