# Deploy the lldap job from the module-local jobspec template. MySQL must
# already be running (depends_on), and the apply waits for the deployment
# to finish because other services rely on lldap being up.
resource "nomad_job" "lldap" {
  # Block until deployed as there are services dependent on this one.
  detach = false

  jobspec = templatefile("${path.module}/lldap.nomad", {
    use_wesher = var.use_wesher,
  })

  # NOTE(review): the nomad_acl_policy resources below reference this job's id,
  # so the job is deployed (and waited on) before its secret-read policies
  # exist. If a task templates on those variables at startup, confirm that a
  # first apply cannot stall on a deployment that needs a not-yet-created policy.
  depends_on = [resource.nomad_job.mysql-server]
}
# Let the lldap task read the SMTP secrets variable.
# The policy is bound to one task through job_acl (workload identity), so
# the other tasks in the same group (bootstrap, stunnel) do not receive it.
resource "nomad_acl_policy" "lldap_smtp_secrets" {
  description = "Give access to SMTP secrets"
  name        = "lldap-secrets-smtp"

  # Exact path, read capability only; nothing else is granted.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/smtp" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    task   = "lldap"
    group  = "lldap"
    job_id = resource.nomad_job.lldap.id
  }
}
# Policy granting the bootstrap task read access to the shared MySQL secrets.
# Scoped to the bootstrap task only; the lldap and stunnel tasks do not get it.
# NOTE(review): secrets/mysql is a different path from the per-service PSK
# published below, so it presumably holds broader (server-level) credentials.
# Confirm bootstrap is the only task that needs them and that it does not
# keep running for the life of the job with that access.
resource "nomad_acl_policy" "lldap_mysql_bootstrap_secrets" {
  description = "Give access to MySQL secrets"
  name        = "lldap-secrets-mysql"

  # Exact path, read capability only.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    task   = "bootstrap"
    group  = "lldap"
    job_id = resource.nomad_job.lldap.id
  }
}
# 32-character pre-shared key for this service's MySQL connection (published
# under secrets/mysql/allowed_psks/lldap below and read by the stunnel task).
# The special-character set is restricted so the value is safe to embed in a
# colon-separated "lldap:<key>" string.
# NOTE(review): as with any random_* resource, the generated value is held in
# Terraform state — confirm the state backend is access-controlled/encrypted.
resource "random_password" "lldap_mysql_psk" {
  override_special = "!@#%&*-_="
  length           = 32
}
# Publish the PSK as a Nomad variable under the per-client allowed_psks path.
# The stored value is "lldap:<key>" — looks like stunnel's identity:key line
# format, so presumably consumers split on the first colon (confirm).
resource "nomad_variable" "lldap_mysql_psk" {
  items = {
    psk = "lldap:${resource.random_password.lldap_mysql_psk.result}"
  }

  path = "secrets/mysql/allowed_psks/lldap"
}
# Let the stunnel task read only its own PSK variable (exact path, read only).
# Bound to the stunnel task via job_acl, so lldap and bootstrap cannot read it.
resource "nomad_acl_policy" "lldap_mysql_psk" {
  description = "Give access to MySQL PSK secrets"
  name        = "lldap-secrets-mysql-psk"

  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/mysql/allowed_psks/lldap" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    task   = "stunnel"
    group  = "lldap"
    job_id = resource.nomad_job.lldap.id
  }
}
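# Give read access to every variable under secrets/ldap/ to the lldap job.
# Unlike the other policies in this file, job_acl here names no group/task,
# so the grant applies to every task in the job (lldap, bootstrap, stunnel).
# NOTE(review): if only one task actually reads secrets/ldap/*, add group/task
# here to match the narrower scoping used above.
resource "nomad_acl_policy" "secrets_ldap" {
  name = "secrets-ldap"

  # Fixed: the description previously said "Postgres secrets", which did not
  # match the secrets/ldap/* rule below.
  description = "Give access to LDAP secrets"

  # Wildcard path: read on all current and future variables under secrets/ldap/.
  rules_hcl = <<EOH
namespace "default" {
variables {
path "secrets/ldap/*" {
capabilities = ["read"]
}
}
}
EOH

  job_acl {
    job_id = resource.nomad_job.lldap.id
  }
}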