From ce2d2bb6cdfa8cfa5b17d900e9387465a1033bf1 Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Mon, 25 Jul 2022 22:11:08 -0700
Subject: [PATCH] WIP: Begin config to bootstrap ACLs

Following guide here: https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets?in=consul/vault-secure

Unsure of how this will actually authenticate though.
---
 nomad/acls/consul_vault.tf | 23 +++++++++++++++++++
 nomad/acls/vars.tf         |  8 +++++--
 nomad/setup-cluster.yml    | 46 +++++++++++++++++---------------------
 3 files changed, 49 insertions(+), 28 deletions(-)
 create mode 100644 nomad/acls/consul_vault.tf

diff --git a/nomad/acls/consul_vault.tf b/nomad/acls/consul_vault.tf
new file mode 100644
index 0000000..79e8101
--- /dev/null
+++ b/nomad/acls/consul_vault.tf
@@ -0,0 +1,23 @@
+resource "vault_consul_secret_backend" "config" {
+  path        = "consul"
+  description = "Manages the Consul backend"
+
+  address = "http://127.0.0.1:8500"
+  token   = var.consul_token
+}
+
+resource "consul_acl_policy" "server_policy" {
+  name  = "consul-servers"
+  rules = <<EOH
+node_prefix "server-" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "read"
+}
+service_prefix "" {
+  policy = "read"
+}
+
+  EOH
+}
diff --git a/nomad/acls/vars.tf b/nomad/acls/vars.tf
index 4c6fcca..52aeb75 100644
--- a/nomad/acls/vars.tf
+++ b/nomad/acls/vars.tf
@@ -3,15 +3,19 @@ variable "consul_address" {
   default = "http://n1.thefij:8500"
 }
 
+variable "consul_token" {
+  type        = string
+  description = "Token for setting up consul"
+  sensitive   = true
+}
+
 variable "nomad_secret_id" {
   type        = string
   description = "Secret ID for ACL bootstrapped Nomad"
   sensitive   = true
-  default     = ""
 }
 
 variable "vault_token" {
   type      = string
   sensitive = true
-  default   = ""
 }
diff --git a/nomad/setup-cluster.yml b/nomad/setup-cluster.yml
index 92a1649..0500c6e 100644
--- a/nomad/setup-cluster.yml
+++ b/nomad/setup-cluster.yml
@@ -3,9 +3,6 @@
   hosts: consul_instances
   any_errors_fatal: true
 
-  vars_files:
-    - consul_values.yml
-
   roles:
     - role: ansible-consul
       vars:
@@ -32,6 +29,9 @@
         consul_ports_grpc: 8502
         consul_client_address: "0.0.0.0"
 
+        consul_acl_enabled: true
+        consul_acl_default_policy: "deny"
+
         # Enable metrics
         consul_config_custom:
           telemetry:
@@ -52,6 +52,7 @@
       become: true
 
   tasks:
+    # Bootstrap ACLs
     - name: Start Consul
       systemd:
         state: started
@@ -61,35 +62,28 @@
     # If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
     # pointing to 127.0.0.1 and possibly restart Docker and Nomad
 
-    - name: Add values
+    - name: Boostrap ACLs
+      command:
+        argv:
+          - "consul"
+          - "acl"
+          - "bootstrap"
+          - "-format=json"
+      run_once: true
+      ignore_errors: true
+      register: bootstrap_result
+
+    - name: Save bootstrap result
+      copy:
+        content: "{{ bootstrap_result.stdout }}"
+        dest: "./consul_bootstrap.json"
+      when: bootstrap_result is succeeded
       delegate_to: localhost
       run_once: true
-      block:
-        - name: Install python-consul
-          pip:
-            name: python-consul
-            extra_args: --index-url https://pypi.org/simple
-
-        - name: Set hostname
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: global/base_hostname
-            # TODO: propogate this through via Consul and Nomad templates rather than Terraform
-            value: dev.homelab
-
-        - name: Write values
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: "{{ item.key }}"
-            value: "{{ item.value }}"
-          loop: "{{ consul_values | default({}) | dict2items }}"
 
 - name: Setup Vault cluster
   hosts: vault_instances
 
-  vars_files:
-    - ./vault_hashi_vault_values.yml
-
   roles:
     - name: ansible-vault
       vars: