Update Nomad and Vault ACLs

Now nomad is read only and tokens can be retrieved from Vault
2022-07-27 13:13:11 -07:00 · 2022-07-27 13:13:11 -07:00 · 25ec582eaf
parent 92a30e6709
commit 25ec582eaf
6 changed files with 113 additions and 90 deletions
--- a/nomad/acls/acls.tf
+++ b/nomad/acls/acls.tf
@ -1,5 +0,0 @@
-resource "nomad_acl_policy" "create_post_bootstrap_policy" {
-  name        = "anonymous"
-  description = "Anon RW"
-  rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
-}
--- a/nomad/acls/nomad-deploy-policy.hcl
+++ b/nomad/acls/nomad-deploy-policy.hcl
@ -0,0 +1,4 @@
+namespace "*" {
+  policy       = "read"
+  capabilities = ["submit-job", "dispatch-job", "read-logs"]
+}
--- a/nomad/acls/nomad_policies.tf
+++ b/nomad/acls/nomad_policies.tf
@ -0,0 +1,18 @@
+resource "nomad_acl_policy" "anon_policy" {
+  name        = "anonymous"
+  description = "Anon RO"
+  rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
+}
+
+resource "nomad_acl_policy" "admin" {
+  name        = "admin"
+  description = "Admin RW for admins"
+  rules_hcl   = file("${path.module}/nomad-admin-policy.hcl")
+}
+
+# TODO: Limit this scope
+resource "nomad_acl_policy" "deploy" {
+  name        = "deploy"
+  description = "Admin RW"
+  rules_hcl   = file("${path.module}/nomad-deploy-policy.hcl")
+}
--- a/nomad/acls/nomad_vault.tf
+++ b/nomad/acls/nomad_vault.tf
@ -8,27 +8,32 @@ resource "vault_nomad_secret_backend" "config" {
  backend     = "nomad"
  description = "Nomad ACL"
  token       = nomad_acl_token.vault.secret_id
+
+  default_lease_ttl_seconds = "3600"
+  max_lease_ttl_seconds     = "7200"
+  max_ttl                   = "240"
+  ttl                       = "120"
 }

+# Vault roles generating Nomad tokens
 resource "vault_nomad_secret_role" "nomad-deploy" {
-  backend  = vault_nomad_secret_backend.config.backend
-  role     = "nomad-deploy"
-  policies = ["nomad-deploy"]
+  backend = vault_nomad_secret_backend.config.backend
+  role    = "nomad-deploy"
+  # Nomad policies
+  policies = ["deploy"]
 }

-resource "vault_nomad_secret_role" "admin" {
+resource "vault_nomad_secret_role" "admin-management" {
  backend = vault_nomad_secret_backend.config.backend
  role    = "admin-management"
  type    = "management"
 }

-resource "vault_policy" "nomad-deploy" {
-  name   = "nomad-deploy"
-  policy = <<EOH
-path "nomad/creds/nomad-deploy" {
-  capabilities = ["read"]
-}
-EOH
+resource "vault_nomad_secret_role" "admin" {
+  backend = vault_nomad_secret_backend.config.backend
+  role    = "admin"
+  # Nomad policies
+  policies = ["admin"]
 }

 # Nomad Vault token access
@ -40,76 +45,3 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
  token_period           = 259200
  renewable              = true
 }
-
-# Policy for clusters
-resource "vault_policy" "nomad-task" {
-  name   = "nomad-task"
-  policy = <<EOH
-# This section grants all access on "secret/*". Further restrictions can be
-# applied to this broad policy, as shown below.
-path "kv/data/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-EOH
-}
-
-# Policy for nomad tokens
-resource "vault_policy" "nomad-token" {
-  name   = "nomad-server"
-  policy = <<EOH
-# Allow creating tokens under "nomad-cluster" token role. The token role name
-# should be updated if "nomad-cluster" is not used.
-path "auth/token/create/nomad-cluster" {
-  capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" token role. The token role name should be
-# updated if "nomad-cluster" is not used.
-path "auth/token/roles/nomad-cluster" {
-  capabilities = ["read"]
-}
-
-# Allow looking up the token passed to Nomad to validate # the token has the
-# proper capabilities. This is provided by the "default" policy.
-path "auth/token/lookup-self" {
-  capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting. This is only required if
-# `allow_unauthenticated` is set to false.
-path "auth/token/lookup" {
-  capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist. This allows revoking
-# tokens for dead tasks.
-path "auth/token/revoke-accessor" {
-  capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token. This is used to validate the
-# token upon startup.
-path "sys/capabilities-self" {
-  capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
-  capabilities = ["update"]
-}
-
-# This section grants all access on "secret/*". Further restrictions can be
-# applied to this broad policy, as shown below.
-path "kv/data/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-EOH
-}
-
-# Create a vault token for Nomad
-# resource "vault_token" "nomad-token" {
-#   policies = ["nomad-server"]
-#   period = "72h"
-#   no_parent = true
-# }
--- a/nomad/acls/nomad_vault_db.tf
+++ b/nomad/acls/nomad_vault_db.tf
@ -10,7 +10,7 @@
 #
 #   mysql {
 #     # How to give access here?
-#     connection_url = "{{username}}:{{password}}@tcp(localhost:3306)"
+#     connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
 #     username = ""
 #     password = ""
 #   }
--- a/nomad/acls/vault_policies.tf
+++ b/nomad/acls/vault_policies.tf
@ -7,3 +7,77 @@ path "*" {
 }
  EOF
 }
+
+resource "vault_policy" "nomad-deploy" {
+  name   = "nomad-deploy"
+  policy = <<EOH
+path "nomad/creds/nomad-deploy" {
+  capabilities = ["read"]
+}
+EOH
+}
+
+# Policy for clusters
+resource "vault_policy" "nomad-task" {
+  name   = "nomad-task"
+  policy = <<EOH
+path "kv/data/*" {
+  # Does this need create, update, delete?
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOH
+}
+
+# Policy for nomad tokens
+resource "vault_policy" "nomad-server" {
+  name   = "nomad-server"
+  policy = <<EOH
+# Allow creating tokens under "nomad-cluster" token role. The token role name
+# should be updated if "nomad-cluster" is not used.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" token role. The token role name should be
+# updated if "nomad-cluster" is not used.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate # the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+
+# This section grants all access on "secret/*". Further restrictions can be
+# applied to this broad policy, as shown below.
+path "kv/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOH
+}