From 65ce1b55f013e0d3adbe8bdb6d432aa0eef964cd Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Tue, 28 Jun 2022 12:11:07 -0700
Subject: [PATCH] Fix secrets access from nomad tasks

Probably can be cleaned up and updated to follow least access
---
 nomad/acls/nomad_vault.tf       | 20 +++++++++++-
 nomad/nextcloud/nextcloud.nomad | 56 +++++++++++++++++++++++++++------
 2 files changed, 66 insertions(+), 10 deletions(-)

diff --git a/nomad/acls/nomad_vault.tf b/nomad/acls/nomad_vault.tf
index 3c38c63..3f4a13a 100644
--- a/nomad/acls/nomad_vault.tf
+++ b/nomad/acls/nomad_vault.tf
@@ -35,12 +35,24 @@ EOH
 resource "vault_token_auth_backend_role" "nomad-cluster" {
   role_name              = "nomad-cluster"
   token_explicit_max_ttl = 0
-  allowed_policies       = ["access-tables"]
+  allowed_policies       = ["access-tables", "nomad-task"]
   orphan                 = true
   token_period           = 259200
   renewable              = true
 }
 
+# Policy for clusters
+resource "vault_policy" "nomad-task" {
+  name   = "nomad-task"
+  policy = <<EOH
+# This section grants all access on "secret/*". Further restrictions can be
+# applied to this broad policy, as shown below.
+path "kv/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+EOH
+}
+
 # Policy for nomad tokens
 resource "vault_policy" "nomad-token" {
   name   = "nomad-server"
@@ -86,6 +98,12 @@ path "sys/capabilities-self" {
 path "auth/token/renew-self" {
   capabilities = ["update"]
 }
+
+# This section grants all access on "secret/*". Further restrictions can be
+# applied to this broad policy, as shown below.
+path "kv/data/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
 EOH
 }
 
diff --git a/nomad/nextcloud/nextcloud.nomad b/nomad/nextcloud/nextcloud.nomad
index 837bd35..7f42e37 100644
--- a/nomad/nextcloud/nextcloud.nomad
+++ b/nomad/nextcloud/nextcloud.nomad
@@ -90,21 +90,43 @@ job "nextcloud" {
         args = [
           "/bin/bash",
           "-c",
-          "/usr/bin/mysql -h${NOMAD_UPSTREAM_IP_mysql_server} -P${NOMAD_UPSTREAM_PORT_mysql_server} -uroot -psupersecretpassword < /bootstrap.sql",
+          "/usr/bin/mysql --defaults-extra-file=/task/my.cnf < /task/bootstrap.sql",
         ]
 
         mount {
           type = "bind"
-          source = "local/bootstrap.sql"
-          target = "/bootstrap.sql"
+          source = "local/"
+          target = "/task/"
         }
       }
 
+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
       template {
         data = <<EOF
-        CREATE DATABASE IF NOT EXISTS `${var.nextcloud_db}`;
-        CREATE USER IF NOT EXISTS '${var.nextcloud_user}'@'%' IDENTIFIED BY '${var.nextcloud_pass}';
-        GRANT ALL ON `${var.nextcloud_db}`.* to '${var.nextcloud_user}'@'%';
+[client]
+host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
+port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
+user=root
+{{ with secret "kv/data/mysql" }}
+password={{ .Data.data.root_password }}
+{{ end }}
+        EOF
+        destination = "local/my.cnf"
+      }
+
+      template {
+        data = <<EOF
+{{ with secret "kv/data/nextcloud" }}
+CREATE DATABASE IF NOT EXISTS `{{ .Data.data.db_name }}`;
+CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
+GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
+{{ end }}
         EOF
         destination = "local/bootstrap.sql"
       }
@@ -131,9 +153,25 @@ job "nextcloud" {
 
       env = {
         "MYSQL_HOST" = "${NOMAD_UPSTREAM_ADDR_mysql_server}"
-        "MYSQL_DATABASE" = "${var.nextcloud_db}"
-        "MYSQL_USER" = "${var.nextcloud_user}"
-        "MYSQL_PASSWORD" = "${var.nextcloud_pass}"
+      }
+
+      vault {
+        policies = [
+          "access-tables",
+          "nomad-task",
+        ]
+      }
+
+      template {
+        data = <<EOF
+        {{ with secret "kv/data/nextcloud" }}
+        MYSQL_DATABASE={{ .Data.data.db_name }}
+        MYSQL_USER={{ .Data.data.db_user }}
+        MYSQL_PASSWORD={{ .Data.data.db_pass }}
+        {{ end }}
+        EOF
+        destination = "secrets/db.env"
+        env = true
       }
 
       resources {