Make anonymous nomad read only

nomad/acls/acls.tf

@@ -1,5 +1,4 @@
 resource "nomad_acl_policy" "create_post_bootstrap_policy" {
-  # count       = can(tobool(var.nomad_secret_id)) ? 1 : 0
   name        = "anonymous"
   description = "Anon RW"
   rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")

nomad/acls/nomad-admin-policy.hcl

@@ -0,0 +1,24 @@
+namespace "*" {
+  policy       = "write"
+  capabilities = ["alloc-node-exec"]
+}
+
+agent {
+  policy = "write"
+}
+
+operator {
+  policy = "write"
+}
+
+quota {
+  policy = "write"
+}
+
+node {
+  policy = "write"
+}
+
+host_volume "*" {
+  policy = "write"
+}

nomad/acls/nomad-anon-bootstrap.hcl

@@ -1,24 +1,23 @@
 namespace "*" {
-  policy       = "write"
-  capabilities = ["alloc-node-exec"]
+  policy       = "read"
 }
 
 agent {
-  policy = "write"
+  policy = "read"
 }
 
 operator {
-  policy = "write"
+  policy = "read"
 }
 
 quota {
-  policy = "write"
+  policy = "read"
 }
 
 node {
-  policy = "write"
+  policy = "read"
 }
 
 host_volume "*" {
-  policy = "write"
+  policy = "read"
 }