# Set up the Nomad secret backend in Vault for Nomad ACLs
resource "nomad_acl_token" "vault" {
  # Management token handed to Vault's Nomad secret backend below
  # (consumed via nomad_acl_token.vault.secret_id). A management token is
  # not bounded by Nomad policies, and its secret_id is persisted in
  # Terraform state, so the state backend must be protected like any other
  # store of a cluster-wide credential.
  type = "management"
  name = "vault"
}
resource "vault_nomad_secret_backend" "config" {
  # Mount path and human-readable description of the Nomad secret backend.
  description = "Nomad ACL"
  backend     = "nomad"

  # Credential Vault presents to Nomad: the management token created in
  # nomad_acl_token.vault. This value also ends up in Terraform state.
  token = nomad_acl_token.vault.secret_id

  # Lease TTLs on the mount itself (seconds): one hour by default,
  # renewable up to two hours.
  default_lease_ttl_seconds = "3600"
  max_lease_ttl_seconds     = "7200"

  # TTL bounds applied to the Nomad tokens this backend issues (seconds);
  # kept in step with the mount lease TTLs above.
  ttl     = "3600"
  max_ttl = "7200"
}
# Vault roles generating Nomad tokens
resource "vault_nomad_secret_role" "nomad-deploy" {
  # Role on the Nomad secret backend configured in
  # vault_nomad_secret_backend.config.
  role    = "nomad-deploy"
  backend = vault_nomad_secret_backend.config.backend

  # Nomad ACL policies attached to every token minted through this role.
  # No type is given here, so the issued tokens are constrained by this
  # policy list rather than being management tokens.
  policies = [
    "deploy",
  ]
}
resource "vault_nomad_secret_role" "admin-management" {
  # Role on the Nomad secret backend configured in
  # vault_nomad_secret_backend.config.
  role    = "admin-management"
  backend = vault_nomad_secret_backend.config.backend

  # Issues Nomad management tokens, which are not limited by any Nomad
  # policy. Read access to this role in Vault is equivalent to full Nomad
  # ACL authority and should be granted to as few Vault policies as
  # possible.
  type = "management"
}
resource "vault_nomad_secret_role" "admin" {
  # Role on the Nomad secret backend configured in
  # vault_nomad_secret_backend.config.
  role    = "admin"
  backend = vault_nomad_secret_backend.config.backend

  # Nomad ACL policies attached to every token minted through this role.
  # Unlike the admin-management role, tokens here stay bounded by the
  # "admin" policy's rules rather than being management tokens.
  policies = [
    "admin",
  ]
}
# Nomad Vault token access
resource "vault_token_auth_backend_role" "nomad-cluster" {
  role_name = "nomad-cluster"

  # Allowlist of Vault policies that tokens created through this role may
  # carry; anything outside this list is refused. Keeping this an explicit
  # allowlist (rather than only a disallowed list) limits what a holder of
  # the nomad-cluster token can mint.
  allowed_policies = [
    "access-tables",
    "nomad-task",
  ]

  # Periodic token: valid for 72 hours per renewal, and with no explicit
  # max TTL (0) it stays alive for as long as it keeps being renewed. Such
  # tokens do not expire on their own, so retiring one means revoking it.
  token_period           = 259200
  token_explicit_max_ttl = 0
  renewable              = true

  # Orphan: not tied to the lifetime of the token that created it.
  orphan = true
}