WIP: Begin config to bootstrap ACLs

Following guide here: https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets?in=consul/vault-secure

Unsure of how this will actually authenticate though.
This commit is contained in:
IamTheFij 2022-07-25 22:11:08 -07:00
parent 25ec582eaf
commit ce2d2bb6cd
3 changed files with 49 additions and 28 deletions


@ -0,0 +1,23 @@
resource "vault_consul_secret_backend" "config" {
path = "consul"
description = "Manages the Consul backend"
address = "http://127.0.0.1:8500"
token = var.consul_token
}
resource "consul_acl_policy" "server_policy" {
name = "consul-servers"
rules = <<EOH
node_prefix "server-" {
policy = "write"
}
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
EOH
}
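Review bot: The backend address is hard-coded to `http://127.0.0.1:8500` even though the variables file in this same commit already declares `consul_address` (default `http://n1.thefij:8500`), so Vault only reaches Consul if an agent happens to be colocated on the Vault host, and the management token passed via `var.consul_token` travels over plain HTTP. Using `address = var.consul_address` keeps the two files in step; when the cluster has TLS, the resource's `scheme` (and the client/CA certificate arguments) is where that belongs rather than a literal URL. The `consul_acl_policy.server_policy` resource is created but nothing in this hunk attaches it to a role or token, which is presumably the WIP part noted in the title; a comment such as `# TODO: bind via consul_acl_role / vault_consul_secret_backend_role` would make that explicit. The consul provider behind `consul_acl_policy` will also need an ACL-write token of its own; its configuration is outside this hunk.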


@ -3,15 +3,19 @@ variable "consul_address" {
default = "http://n1.thefij:8500" default = "http://n1.thefij:8500"
} }
variable "consul_token" {
type = string
description = "Token for setting up consul"
sensitive = true
}
variable "nomad_secret_id" { variable "nomad_secret_id" {
type = string type = string
description = "Secret ID for ACL bootstrapped Nomad" description = "Secret ID for ACL bootstrapped Nomad"
sensitive = true sensitive = true
default = ""
} }
variable "vault_token" { variable "vault_token" {
type = string type = string
sensitive = true sensitive = true
default = ""
} }
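Review bot: Adding `default = ""` to `nomad_secret_id` and `vault_token` turns a forgotten secret into an empty string that is only caught at apply time with a provider auth error (or, for Nomad, presumably an unauthenticated request), whereas the new `consul_token` variable has no default and fails at plan time — the three sensitive variables should follow one rule. If the empty defaults are deliberate while ACL bootstrapping is still in progress, say so in the descriptions, e.g. `description = "Secret ID for ACL bootstrapped Nomad; empty until Nomad ACLs are bootstrapped"`; otherwise drop the defaults or add a `validation { condition = length(var.vault_token) > 0 ... }` block so an unset token is rejected before anything is created.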


@ -3,9 +3,6 @@
hosts: consul_instances hosts: consul_instances
any_errors_fatal: true any_errors_fatal: true
vars_files:
- consul_values.yml
roles: roles:
- role: ansible-consul - role: ansible-consul
vars: vars:
@ -32,6 +29,9 @@
consul_ports_grpc: 8502 consul_ports_grpc: 8502
consul_client_address: "0.0.0.0" consul_client_address: "0.0.0.0"
consul_acl_enabled: true
consul_acl_default_policy: "deny"
# Enable metrics # Enable metrics
consul_config_custom: consul_config_custom:
telemetry: telemetry:
@ -52,6 +52,7 @@
become: true become: true
tasks: tasks:
# Bootstrap ACLs
- name: Start Consul - name: Start Consul
systemd: systemd:
state: started state: started
@ -61,35 +62,28 @@
# If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something # If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
# pointing to 127.0.0.1 and possibly restart Docker and Nomad # pointing to 127.0.0.1 and possibly restart Docker and Nomad
- name: Add values - name: Boostrap ACLs
command:
argv:
- "consul"
- "acl"
- "bootstrap"
- "-format=json"
run_once: true
ignore_errors: true
register: bootstrap_result
- name: Save bootstrap result
copy:
content: "{{ bootstrap_result.stdout }}"
dest: "./consul_bootstrap.json"
when: bootstrap_result is succeeded
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
block:
- name: Install python-consul
pip:
name: python-consul
extra_args: --index-url https://pypi.org/simple
- name: Set hostname
consul_kv:
host: "{{ inventory_hostname }}"
key: global/base_hostname
# TODO: propogate this through via Consul and Nomad templates rather than Terraform
value: dev.homelab
- name: Write values
consul_kv:
host: "{{ inventory_hostname }}"
key: "{{ item.key }}"
value: "{{ item.value }}"
loop: "{{ consul_values | default({}) | dict2items }}"
- name: Setup Vault cluster - name: Setup Vault cluster
hosts: vault_instances hosts: vault_instances
vars_files:
- ./vault_hashi_vault_values.yml
roles: roles:
- name: ansible-vault - name: ansible-vault
vars: vars: