diff --git a/nomad/acls/nomad_policies.tf b/nomad/acls/nomad_policies.tf index bb8a303..94b15f5 100644 --- a/nomad/acls/nomad_policies.tf +++ b/nomad/acls/nomad_policies.tf @@ -10,7 +10,7 @@ resource "nomad_acl_policy" "admin" { rules_hcl = file("${path.module}/nomad-admin-policy.hcl") } -# TODO: Limit this scope +# TODO: (security) Limit this scope resource "nomad_acl_policy" "deploy" { name = "deploy" description = "Write for job deployments" diff --git a/nomad/core.tf b/nomad/core.tf index 5685ef9..d32dbcf 100644 --- a/nomad/core.tf +++ b/nomad/core.tf @@ -17,8 +17,6 @@ module "traefik" { module "metrics" { source = "./metrics" - - consul_address = var.consul_address } module "loki" { diff --git a/nomad/databases/adminer.nomad b/nomad/databases/adminer.nomad index edad1c2..fa33339 100644 --- a/nomad/databases/adminer.nomad +++ b/nomad/databases/adminer.nomad @@ -25,7 +25,6 @@ job "adminer" { upstreams { destination_name = "mysql-server" - # TODO: how do I get these to not bind to the host eth0 address local_bind_port = 4040 } diff --git a/nomad/metrics/metrics.tf b/nomad/metrics/metrics.tf index dc5ae19..7f0a991 100644 --- a/nomad/metrics/metrics.tf +++ b/nomad/metrics/metrics.tf @@ -1,8 +1,3 @@ -variable "consul_address" { - type = string - description = "address of consul server for dynamic scraping" -} - resource "nomad_job" "exporters" { hcl2 { enabled = true @@ -20,12 +15,6 @@ data "consul_nodes" "all-nodes" { resource "nomad_job" "prometheus" { hcl2 { enabled = true - vars = { - # TODO: May not need this because we have an env variable for that - # "consul_address" = "${var.consul_address}", - # TODO: Should this be a list? - "consul_address" = "http://${data.consul_nodes.all-nodes.nodes[0].address}:8500", - } } jobspec = file("${path.module}/prometheus.nomad") diff --git a/nomad/metrics/prometheus.nomad b/nomad/metrics/prometheus.nomad index 3b4295e..13d86f5 100644 --- a/nomad/metrics/prometheus.nomad +++ b/nomad/metrics/prometheus.nomad 
@@ -1,9 +1,3 @@ -variable "consul_address" { - type = string - description = "Full address of Consul instance to get catalog from" - default = "http://127.0.0.1:5400" -} - job "prometheus" { datacenters = ["dc1"] @@ -97,8 +91,7 @@ scrape_configs: format: - "prometheus" consul_sd_configs: - - server: "${var.consul_address}" - # - server: "{{ env "CONSUL_HTTP_ADDR" }}" + - server: "http://{{env "attr.unique.network.ip-address"}}:8500" services: - "nomad-client" @@ -108,8 +101,7 @@ scrape_configs: format: - "prometheus" consul_sd_configs: - - server: "${var.consul_address}" - # - server: "{{ env "CONSUL_HTTP_ADDR" }}" + - server: "http://{{env "attr.unique.network.ip-address"}}:8500" services: - "consul" relabel_configs: @@ -120,8 +112,7 @@ scrape_configs: - job_name: "exporters" metrics_path: "/metrics" consul_sd_configs: - - server: "${var.consul_address}" - # - server: "{{ env "CONSUL_HTTP_ADDR" }}" + - server: "http://{{env "attr.unique.network.ip-address"}}:8500" relabel_configs: - source_labels: [__meta_consul_service] action: drop @@ -143,8 +134,7 @@ scrape_configs: - job_name: "envoy" metrics_path: "/metrics" consul_sd_configs: - - server: "${var.consul_address}" - # - server: "{{ env "CONSUL_HTTP_ADDR" }}" + - server: "http://{{env "attr.unique.network.ip-address"}}:8500" relabel_configs: - source_labels: [__meta_consul_service] action: keep diff --git a/nomad/setup-cluster.yml b/nomad/setup-cluster.yml index bb3eb20..f096358 100644 --- a/nomad/setup-cluster.yml +++ b/nomad/setup-cluster.yml @@ -372,7 +372,7 @@ # Only talk to local Vault for now because it doesn't have HTTPS nomad_vault_address: "http://127.0.0.1:8200" nomad_vault_create_from_role: "nomad-cluster" - # TODO: Probably want to restict this to a narrower scoped token + # TODO: (security) Probably want to restict this to a narrower scoped token nomad_vault_enabled: "{{ root_token is defined }}" nomad_vault_token: "{{ root_token | default('') }}"
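Review bot: The new `server` value in the `nomad-client` scrape job (hunk at -97,8 +91,7) points Prometheus at the Consul HTTP API on the node's network address over plain `http://`, and no `token` or `tls_config` appears beside it in the visible lines. The same line is added in the `consul`, `exporters` and `envoy` jobs (hunks at -108,8, -120,8 and -143,8). For this address to answer, the agent's HTTP listener presumably has to be bound beyond loopback, so the catalog would be readable by anything that can reach port 8500 unless ACLs or a firewall restrict it. I would record that on the line, e.g. `# Consul agent on this node: cleartext, no ACL token; add token/tls_config once Consul ACLs and TLS are on`, and set `token:` in each `consul_sd_configs` entry once ACLs are enforced. The scrape job definitions start and end outside these hunks, so a token configured elsewhere in the template cannot be ruled out.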
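Review bot: The re-tagged TODO in the setup-cluster.yml hunk still reads "restict", and it does not say what the narrower token should be, while the two lines below it hand Nomad `root_token` as `nomad_vault_token`. Since `nomad_vault_create_from_role` is already set to `nomad-cluster`, the comment could name the target, e.g. `# TODO: (security) Replace root_token with a token limited to creating tokens from the nomad-cluster role`. The surrounding vars block starts above the hunk, so whether the root token is rotated or revoked after setup is not visible here.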