WIP: Begin config to bootstrap ACLs

Following guide here: https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets?in=consul/vault-secure Unsure of how this will actually authenticate though.
2022-07-25 22:11:08 -07:00 · 2022-07-25 22:11:08 -07:00 · ce2d2bb6cd
parent 25ec582eaf
commit ce2d2bb6cd
3 changed files with 49 additions and 28 deletions
--- a/nomad/acls/consul_vault.tf
+++ b/nomad/acls/consul_vault.tf
@ -0,0 +1,23 @@
+resource "vault_consul_secret_backend" "config" {
+  path        = "consul"
+  description = "Manages the Consul backend"
+
+  address = "http://127.0.0.1:8500"
+  token   = var.consul_token
+}
+
+resource "consul_acl_policy" "server_policy" {
+  name  = "consul-servers"
+  rules = <<EOH
+node_prefix "server-" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "read"
+}
+service_prefix "" {
+  policy = "read"
+}
+
+  EOH
+}
--- a/nomad/acls/vars.tf
+++ b/nomad/acls/vars.tf
@ -3,15 +3,19 @@ variable "consul_address" {
  default = "http://n1.thefij:8500"
 }

+variable "consul_token" {
+  type        = string
+  description = "Token for setting up consul"
+  sensitive   = true
+}
+
 variable "nomad_secret_id" {
  type        = string
  description = "Secret ID for ACL bootstrapped Nomad"
  sensitive   = true
-  default     = ""
 }

 variable "vault_token" {
  type      = string
  sensitive = true
-  default   = ""
 }
--- a/nomad/setup-cluster.yml
+++ b/nomad/setup-cluster.yml
@ -3,9 +3,6 @@
  hosts: consul_instances
  any_errors_fatal: true

-  vars_files:
-    - consul_values.yml
-
  roles:
    - role: ansible-consul
      vars:
@ -32,6 +29,9 @@
        consul_ports_grpc: 8502
        consul_client_address: "0.0.0.0"

+        consul_acl_enabled: true
+        consul_acl_default_policy: "deny"
+
        # Enable metrics
        consul_config_custom:
          telemetry:
@ -52,6 +52,7 @@
      become: true

  tasks:
+    # Bootstrap ACLs
    - name: Start Consul
      systemd:
        state: started
@ -61,35 +62,28 @@
    # If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
    # pointing to 127.0.0.1 and possibly restart Docker and Nomad

-    - name: Add values
+    - name: Boostrap ACLs
+      command:
+        argv:
+          - "consul"
+          - "acl"
+          - "bootstrap"
+          - "-format=json"
+      run_once: true
+      ignore_errors: true
+      register: bootstrap_result
+
+    - name: Save bootstrap result
+      copy:
+        content: "{{ bootstrap_result.stdout }}"
+        dest: "./consul_bootstrap.json"
+      when: bootstrap_result is succeeded
      delegate_to: localhost
      run_once: true
-      block:
-        - name: Install python-consul
-          pip:
-            name: python-consul
-            extra_args: --index-url https://pypi.org/simple
-
-        - name: Set hostname
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: global/base_hostname
-            # TODO: propogate this through via Consul and Nomad templates rather than Terraform
-            value: dev.homelab
-
-        - name: Write values
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: "{{ item.key }}"
-            value: "{{ item.value }}"
-          loop: "{{ consul_values | default({}) | dict2items }}"

 - name: Setup Vault cluster
  hosts: vault_instances

-  vars_files:
-    - ./vault_hashi_vault_values.yml
-
  roles:
    - name: ansible-vault
      vars: