Update Nomad and Vault ACLs

Nomad is now read-only and tokens can be retrieved from Vault
This commit is contained in:
IamTheFij 2022-07-27 13:13:11 -07:00
parent 92a30e6709
commit 25ec582eaf
6 changed files with 113 additions and 90 deletions


@ -1,5 +0,0 @@
resource "nomad_acl_policy" "create_post_bootstrap_policy" {
name = "anonymous"
description = "Anon RW"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
}


@ -0,0 +1,4 @@
namespace "*" {
policy = "read"
capabilities = ["submit-job", "dispatch-job", "read-logs"]
}
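Review bot: The anonymous namespace policy on lines 22-25 still grants `submit-job` and `dispatch-job`, both write capabilities, so unauthenticated callers can register and dispatch jobs even though the commit message and the "Anon RO" description in the next file present the anonymous token as read-only. `policy = "read"` already covers listing and reading jobs, and of the three explicit capabilities only `read-logs` is a read operation. If strictly read-only is the intent, reduce the line to `capabilities = ["read-logs"]`; if anonymous submission is deliberately kept for the transition, a comment saying so with a TODO to move it behind a Vault-issued token would keep the policy and its description in agreement.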


@ -0,0 +1,18 @@
resource "nomad_acl_policy" "anon_policy" {
name = "anonymous"
description = "Anon RO"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
}
resource "nomad_acl_policy" "admin" {
name = "admin"
description = "Admin RW for admins"
rules_hcl = file("${path.module}/nomad-admin-policy.hcl")
}
# TODO: Limit this scope
resource "nomad_acl_policy" "deploy" {
name = "deploy"
description = "Admin RW"
rules_hcl = file("${path.module}/nomad-deploy-policy.hcl")
}
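Review bot: The `deploy` policy on lines 41-45 is described as "Admin RW" with only a bare TODO, and the Vault `nomad-deploy` role in the following file issues Nomad tokens carrying exactly this policy, so every deploy credential is effectively a full admin until the scope is narrowed. The TODO should state that blast radius so it is not mistaken for cosmetic cleanup, e.g. `# TODO: Limit this scope. Vault's "nomad-deploy" role issues tokens with this policy, so until it is narrowed every deploy token has admin rights.` A namespace-scoped policy with `submit-job`, `dispatch-job`, `read-job` and `read-logs` would be the natural target. The two `.hcl` files referenced on lines 38 and 44 are not among the changed files shown here, so presumably they already exist; worth confirming their contents match these descriptions.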


@ -8,27 +8,32 @@ resource "vault_nomad_secret_backend" "config" {
backend = "nomad" backend = "nomad"
description = "Nomad ACL" description = "Nomad ACL"
token = nomad_acl_token.vault.secret_id token = nomad_acl_token.vault.secret_id
default_lease_ttl_seconds = "3600"
max_lease_ttl_seconds = "7200"
max_ttl = "240"
ttl = "120"
} }
# Vault roles generating Nomad tokens
resource "vault_nomad_secret_role" "nomad-deploy" { resource "vault_nomad_secret_role" "nomad-deploy" {
backend = vault_nomad_secret_backend.config.backend backend = vault_nomad_secret_backend.config.backend
role = "nomad-deploy" role = "nomad-deploy"
policies = ["nomad-deploy"] # Nomad policies
policies = ["deploy"]
} }
resource "vault_nomad_secret_role" "admin" { resource "vault_nomad_secret_role" "admin-management" {
backend = vault_nomad_secret_backend.config.backend backend = vault_nomad_secret_backend.config.backend
role = "admin-management" role = "admin-management"
type = "management" type = "management"
} }
resource "vault_policy" "nomad-deploy" { resource "vault_nomad_secret_role" "admin" {
name = "nomad-deploy" backend = vault_nomad_secret_backend.config.backend
policy = <<EOH role = "admin"
path "nomad/creds/nomad-deploy" { # Nomad policies
capabilities = ["read"] policies = ["admin"]
}
EOH
} }
# Nomad Vault token access # Nomad Vault token access
@ -40,76 +45,3 @@ resource "vault_token_auth_backend_role" "nomad-cluster" {
token_period = 259200 token_period = 259200
renewable = true renewable = true
} }
# Policy for clusters
resource "vault_policy" "nomad-task" {
name = "nomad-task"
policy = <<EOH
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
# Policy for nomad tokens
resource "vault_policy" "nomad-token" {
name = "nomad-server"
policy = <<EOH
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}
# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
}
# Allow looking up the token passed to Nomad to validate # the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
# Create a vault token for Nomad
# resource "vault_token" "nomad-token" {
# policies = ["nomad-server"]
# period = "72h"
# no_parent = true
# }
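Review bot: Renaming `vault_nomad_secret_role.admin` to `vault_nomad_secret_role.admin-management` while introducing a new resource at the old address `admin` (lines 65-74) changes resource addresses without a state move, so Terraform will plan to destroy the existing "admin-management" Vault role and recreate it, and will update or replace the old `admin` address in place rather than create a fresh role. The same applies to `vault_policy.nomad-token`, removed in the second hunk and reappearing as `vault_policy.nomad-server` in the last file section; a destroy-then-create of a Vault policy that live Nomad server tokens already reference leaves those tokens without the policy until the create completes. If the Terraform version in use supports it, a `moved` block with `from = vault_nomad_secret_role.admin` and `to = vault_nomad_secret_role.admin-management` (and a matching one for `vault_policy.nomad-token` to `vault_policy.nomad-server`) keeps the state continuous; otherwise `terraform state mv` before apply does the same.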


@ -10,7 +10,7 @@
# #
# mysql { # mysql {
# # How to give access here? # # How to give access here?
# connection_url = "{{username}}:{{password}}@tcp(localhost:3306)" # connection_url = "{{username}}:{{password}}@tcp(mysql-server.service.consul:3306)"
# username = "" # username = ""
# password = "" # password = ""
# } # }


@ -7,3 +7,77 @@ path "*" {
} }
EOF EOF
} }
resource "vault_policy" "nomad-deploy" {
name = "nomad-deploy"
policy = <<EOH
path "nomad/creds/nomad-deploy" {
capabilities = ["read"]
}
EOH
}
# Policy for clusters
resource "vault_policy" "nomad-task" {
name = "nomad-task"
policy = <<EOH
path "kv/data/*" {
# Does this need create, update, delete?
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
# Policy for nomad tokens
resource "vault_policy" "nomad-server" {
name = "nomad-server"
policy = <<EOH
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}
# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
}
# Allow looking up the token passed to Nomad to validate # the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}
# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "kv/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
EOH
}
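Review bot: The `nomad-task` policy on lines 173-181 gives every token issued with it `create`, `update` and `delete` on `kv/data/*`, so any workload can overwrite or remove secrets belonging to another, and the inline question on line 177 is left unanswered by the commit. Workloads that only consume secrets need `capabilities = ["read"]` (with `list` on `kv/metadata/*` if they enumerate keys); tasks that genuinely write should get a separate policy scoped to their own prefix rather than widening this shared one. The same broad grant appears in `nomad-server` on lines 223-225, where the comment on lines 221-222 still names `secret/*` and refers to a narrower example "shown below" that does not exist; it should read `# Grants full access on "kv/data/*"; narrow this to the prefixes the Nomad servers actually need.` Since child tokens are bounded by the `nomad-cluster` token role's allowed policies, the server token presumably does not need the kv grant at all — worth confirming against the Nomad Vault integration setup.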