Update security todos and reference node IP for consul queries

nomad/acls/nomad_policies.tf

@@ -10,7 +10,7 @@ resource "nomad_acl_policy" "admin" {
   rules_hcl   = file("${path.module}/nomad-admin-policy.hcl")
 }
 
-# TODO: Limit this scope
+# TODO: (security) Limit this scope
 resource "nomad_acl_policy" "deploy" {
   name        = "deploy"
   description = "Write for job deployments"

nomad/core.tf

@@ -17,8 +17,6 @@ module "traefik" {
 
 module "metrics" {
   source = "./metrics"
-
-  consul_address = var.consul_address
 }
 
 module "loki" {

nomad/databases/adminer.nomad

@@ -25,7 +25,6 @@ job "adminer" {
 
             upstreams {
               destination_name = "mysql-server"
-              # TODO: how do I get these to not bind to the host eth0 address
               local_bind_port = 4040
             }
 

nomad/metrics/metrics.tf

@@ -1,8 +1,3 @@
-variable "consul_address" {
-  type        = string
-  description = "address of consul server for dynamic scraping"
-}
-
 resource "nomad_job" "exporters" {
   hcl2 {
     enabled = true
@@ -20,12 +15,6 @@ data "consul_nodes" "all-nodes" {
 resource "nomad_job" "prometheus" {
   hcl2 {
     enabled = true
-    vars = {
-      # TODO: May not need this because we have an env variable for that
-      # "consul_address" = "${var.consul_address}",
-      # TODO: Should this be a list?
-      "consul_address" = "http://${data.consul_nodes.all-nodes.nodes[0].address}:8500",
-    }
   }
 
   jobspec = file("${path.module}/prometheus.nomad")

nomad/metrics/prometheus.nomad

@@ -1,9 +1,3 @@
-variable "consul_address" {
-  type = string
-  description = "Full address of Consul instance to get catalog from"
-  default = "http://127.0.0.1:5400"
-}
-
 job "prometheus" {
   datacenters = ["dc1"]
 
@@ -97,8 +91,7 @@ scrape_configs:
       format:
         - "prometheus"
     consul_sd_configs:
-      - server: "${var.consul_address}"
-      # - server: "{{ env "CONSUL_HTTP_ADDR" }}"
+      - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
         services:
           - "nomad-client"
 
@@ -108,8 +101,7 @@ scrape_configs:
       format:
         - "prometheus"
     consul_sd_configs:
-      - server: "${var.consul_address}"
-      # - server: "{{ env "CONSUL_HTTP_ADDR" }}"
+      - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
         services:
           - "consul"
     relabel_configs:
@@ -120,8 +112,7 @@ scrape_configs:
   - job_name: "exporters"
     metrics_path: "/metrics"
     consul_sd_configs:
-      - server: "${var.consul_address}"
-      # - server: "{{ env "CONSUL_HTTP_ADDR" }}"
+      - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
     relabel_configs:
       - source_labels: [__meta_consul_service]
         action: drop
@@ -143,8 +134,7 @@ scrape_configs:
   - job_name: "envoy"
     metrics_path: "/metrics"
     consul_sd_configs:
-      - server: "${var.consul_address}"
-      # - server: "{{ env "CONSUL_HTTP_ADDR" }}"
+      - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
     relabel_configs:
       - source_labels: [__meta_consul_service]
         action: keep

nomad/setup-cluster.yml

@@ -372,7 +372,7 @@
         # Only talk to local Vault for now because it doesn't have HTTPS
         nomad_vault_address: "http://127.0.0.1:8200"
         nomad_vault_create_from_role: "nomad-cluster"
-        # TODO: Probably want to restict this to a narrower scoped token
+        # TODO: (security) Probably want to restict this to a narrower scoped token
         nomad_vault_enabled: "{{ root_token is defined }}"
         nomad_vault_token: "{{ root_token | default('') }}"