Update playbook, move acls and comment for fixes

There are some items that I found are broken on first run and made some changes
2022-07-25 10:51:34 -07:00 · 2022-07-25 10:51:34 -07:00 · 888b1236f1
parent a0aba7f2f0
commit 888b1236f1
1 changed files with 18 additions and 0 deletions
--- a/nomad/setup-cluster.yml
+++ b/nomad/setup-cluster.yml
@ -172,6 +172,9 @@
            name: hvac
            extra_args: --index-url https://pypi.org/simple

+        # TODO: This fails on first run because `root_token` isn't found
+        # Fails after taht too because the kv/ space has not been created yet either! Oh noes!
+        # Maybe move data bootstrapping to after the cluster is bootstrapped
        - name: Write values
          community.hashi_vault.vault_write:
            url: "http://{{ inventory_hostname }}:8200"
@ -337,6 +340,9 @@
        nomad_acl_enabled: true

        # Enable vault integration
+        # TODO: This fails on first run because the Nomad-Vault integration can't be set up
+        # until Nomad has started. Could maybe figure out if ACLs have been set up and leave
+        # these out until the later play
        nomad_vault_address: "http://vault.service.consul:8200"
        nomad_vault_create_from_role: "nomad-cluster"
        nomad_vault_enabled: "{{ root_token is defined }}"
@ -365,6 +371,7 @@
  hosts: nomad_instances

  tasks:
+    # Need to wait until nomad is running
    - name: Bootstrap ACLs
      command:
        argv:
@ -430,3 +437,14 @@
      when: policies.stdout == "No policies found" or anon_policy.changed
      delegate_to: "{{ play_hosts[0] }}"
      run_once: true
+
+    - name: Set up Nomad backend and roles in Vault
+      community.general.terraform:
+        project_path: ./acls
+        force_init: true
+        variables:
+          consul_address: "{{ play_hosts[0] }}:8500"
+          vault_token: "{{ root_token }}"
+          nomad_secret_id: "{{ read_secretid.stdout }}"
+      delegate_to: localhost
+      run_once: true