WIP nomad vault db integration

2022-04-15 12:12:15 -07:00 · 2022-04-15 12:12:15 -07:00 · 420e67b68b
commit 420e67b68b
parent af743820ec
1 changed files with 66 additions and 0 deletions
--- a/nomad/acls/nomad_vault.tf
+++ b/nomad/acls/nomad_vault.tf
@ -1,3 +1,4 @@
+# Set up nomad provider in vault for Nomad ACLs
 resource "nomad_acl_token" "vault" {
  name = "vault"
  type = "management"
@ -29,3 +30,68 @@ path "nomad/creds/nomad-deploy" {
 }
 EOH
 }
+
+# Nomad Vault token access
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+  role_name              = "nomad-cluster"
+  token_explicit_max_ttl = 0
+  allowed_policies       = ["access-tables"]
+  orphan                 = true
+  token_period           = 259200
+  renewable              = true
+}
+
+# Policy for nomad tokens
+resource "vault_policy" "nomad-token" {
+  name   = "nomad-server"
+  policy = <<EOH
+# Allow creating tokens under "nomad-cluster" token role. The token role name
+# should be updated if "nomad-cluster" is not used.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" token role. The token role name should be
+# updated if "nomad-cluster" is not used.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate # the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+EOH
+}
+
+# Create a vault token for Nomad
+# resource "vault_token" "nomad-token" {
+#   policies = ["nomad-server"]
+#   period = "72h"
+#   no_parent = true
+# }