orchestration-tests/nomad/acls/nomad_vault.tf

116 lines
3.1 KiB
Terraform
Raw Permalink Normal View History

2022-04-15 19:12:15 +00:00
# Set up nomad provider in vault for Nomad ACLs
2022-03-22 04:26:04 +00:00
resource "nomad_acl_token" "vault" {
name = "vault"
type = "management"
}
resource "vault_nomad_secret_backend" "config" {
2022-04-13 21:01:14 +00:00
backend = "nomad"
description = "Nomad ACL"
token = nomad_acl_token.vault.secret_id
2022-03-22 04:26:04 +00:00
}
resource "vault_nomad_secret_role" "nomad-deploy" {
2022-04-13 21:01:14 +00:00
backend = vault_nomad_secret_backend.config.backend
role = "nomad-deploy"
2022-04-05 05:19:32 +00:00
policies = ["nomad-deploy"]
2022-03-22 04:26:04 +00:00
}
resource "vault_nomad_secret_role" "admin" {
backend = vault_nomad_secret_backend.config.backend
2022-04-13 21:01:14 +00:00
role = "admin-management"
type = "management"
2022-03-22 04:26:04 +00:00
}
resource "vault_policy" "nomad-deploy" {
2022-04-13 21:01:14 +00:00
name = "nomad-deploy"
2022-03-22 04:26:04 +00:00
policy = <<EOH
path "nomad/creds/nomad-deploy" {
capabilities = ["read"]
}
EOH
}
2022-04-15 19:12:15 +00:00
# Nomad Vault token access
resource "vault_token_auth_backend_role" "nomad-cluster" {
role_name = "nomad-cluster"
token_explicit_max_ttl = 0
allowed_policies = ["access-tables", "nomad-task"]
2022-04-15 19:12:15 +00:00
orphan = true
token_period = 259200
renewable = true
}
# Policy for clusters
resource "vault_policy" "nomad-task" {
name = "nomad-task"
policy = <<EOH
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
2022-04-15 19:12:15 +00:00
# Policy for nomad tokens
resource "vault_policy" "nomad-token" {
name = "nomad-server"
policy = <<EOH
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}
# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
}
# Allow looking up the token passed to Nomad to validate # the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
2022-04-15 19:12:15 +00:00
EOH
}
# Create a vault token for Nomad
# resource "vault_token" "nomad-token" {
# policies = ["nomad-server"]
# period = "72h"
# no_parent = true
# }