From 420e67b68bb58a986f7b56f4e818c7f25575251c Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Fri, 15 Apr 2022 12:12:15 -0700
Subject: [PATCH] WIP nomad vault db integration

---
 nomad/acls/nomad_vault.tf | 66 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/nomad/acls/nomad_vault.tf b/nomad/acls/nomad_vault.tf
index f2cfdef..3c38c63 100644
--- a/nomad/acls/nomad_vault.tf
+++ b/nomad/acls/nomad_vault.tf
@@ -1,3 +1,4 @@
+# Set up nomad provider in vault for Nomad ACLs
 resource "nomad_acl_token" "vault" {
   name = "vault"
   type = "management"
@@ -29,3 +30,68 @@ path "nomad/creds/nomad-deploy" {
 }
 EOH
 }
+
+# Nomad Vault token access
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+  role_name              = "nomad-cluster"
+  token_explicit_max_ttl = 0
+  allowed_policies       = ["access-tables"]
+  orphan                 = true
+  token_period           = 259200
+  renewable              = true
+}
+
+# Policy for nomad tokens
+resource "vault_policy" "nomad-token" {
+  name   = "nomad-server"
+  policy = <<EOH
+# Allow creating tokens under "nomad-cluster" token role. The token role name
+# should be updated if "nomad-cluster" is not used.
+path "auth/token/create/nomad-cluster" {
+  capabilities = ["update"]
+}
+
+# Allow looking up "nomad-cluster" token role. The token role name should be
+# updated if "nomad-cluster" is not used.
+path "auth/token/roles/nomad-cluster" {
+  capabilities = ["read"]
+}
+
+# Allow looking up the token passed to Nomad to validate # the token has the
+# proper capabilities. This is provided by the "default" policy.
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow looking up incoming tokens to validate they have permissions to access
+# the tokens they are requesting. This is only required if
+# `allow_unauthenticated` is set to false.
+path "auth/token/lookup" {
+  capabilities = ["update"]
+}
+
+# Allow revoking tokens that should no longer exist. This allows revoking
+# tokens for dead tasks.
+path "auth/token/revoke-accessor" {
+  capabilities = ["update"]
+}
+
+# Allow checking the capabilities of our own token. This is used to validate the
+# token upon startup.
+path "sys/capabilities-self" {
+  capabilities = ["update"]
+}
+
+# Allow our own token to be renewed.
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+EOH
+}
+
+# Create a vault token for Nomad
+# resource "vault_token" "nomad-token" {
+#   policies = ["nomad-server"]
+#   period = "72h"
+#   no_parent = true
+# }