Compare commits
2 Commits
main
...
consul-acl
Author | SHA1 | Date | |
---|---|---|---|
fd4ec07965 | |||
ce2d2bb6cd |
@ -2,21 +2,21 @@
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/consul" {
|
||||
version = "2.14.0"
|
||||
version = "2.15.1"
|
||||
hashes = [
|
||||
"h1:lJWOdlqevg6FQLFlfM3tGOsy9yPrjm9/vqkfzVrqT/A=",
|
||||
"h1:xRwktNwLL3Vo43F7v73tfcgbcnjCE2KgCzcNrsQJ1cc=",
|
||||
"zh:06dcca1f76b839af8f86c7b6f65b944003a7a35b30b865b3884f48e2c42f9aee",
|
||||
"zh:16111df6a485e21cee6ca33cb863434baa1ca360c819c8e2af85e465c1361d2b",
|
||||
"zh:26b59c82ac2861b2651c1fa31955c3e7790e3c2d5d097f22aa34d3c294da63cf",
|
||||
"zh:70fd6853099126a602d5ac26caa80214a4a8a38f0cad8a5e3b7bef49923419d3",
|
||||
"zh:7d4f0061d6fb86e0a5639ed02381063b868245082ec4e3a461bcda964ed00fcc",
|
||||
"zh:a48cbf57d6511922362d5b0f76f449fba7a550c9d0702635fabb43b4f0a09fc0",
|
||||
"zh:bb54994a53dd8e1ff84ca50742ce893863dc166fd41b91d951f4cb89fe6a6bc0",
|
||||
"zh:bc61b19ee3c8d55a9915a3ad84203c87bfd0d57eca8eec788524b14e8b67f090",
|
||||
"zh:cbe3238e756ada23c1e7c97c42a5c72bf810dc5bd1265c9f074c3e739d1090b0",
|
||||
"zh:e30198054239eab46493e59956b9cd8c376c3bbd9515ac102a96d1fbd32e423f",
|
||||
"zh:e74365dba529a0676107e413986d7be81c2125c197754ce69e3e89d8daa53153",
|
||||
"h1:PexyQBRLDA+SR+sWlzYBZswry5O5h/tTfj87CaECtLc=",
|
||||
"zh:1806830a3cf103e65e772a7d28fd4df2788c29a029fb2def1326bc777ad107ed",
|
||||
"zh:252be544fb4c9daf09cad7d3776daf5fa66b62740d3ea9d6d499a7b1697c3433",
|
||||
"zh:50985fe02a8e5ae47c75d7c28c911b25d7dc4716cff2ed55ca05889ab77a1f73",
|
||||
"zh:54cf0ec90538703c66937c77e8d72a38d5af47437eb0b8b55eb5836c5d288878",
|
||||
"zh:704f536c621337e06fffef6d5f49ac81f52d249f937250527c12884cb83aefed",
|
||||
"zh:896d8ef6d0b555299f124eb25bce8a17d735da14ef21f07582098d301f47da30",
|
||||
"zh:976277a85b0a0baafe267cc494f766448d1da5b6936ddcb3ce393bd4d22f08d2",
|
||||
"zh:c7faa9a2b11bc45833a3e8e340f22f1ecf01597eaeffa7669234b4549d7dfa85",
|
||||
"zh:caf851ef9c8ce482864badf7058f9278d4537112fa236efd8f1a9315801d9061",
|
||||
"zh:db203435d58b0ac842540861b3307a623423275d85754c171773f3b210ae5b24",
|
||||
"zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
|
||||
"zh:f710a37190429045d109edd35de69db3b5f619919c2fa04c77a3a639fea9fd7d",
|
||||
]
|
||||
}
|
||||
|
||||
@ -40,39 +40,40 @@ provider "registry.terraform.io/hashicorp/external" {
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/nomad" {
|
||||
version = "1.4.16"
|
||||
version = "1.4.17"
|
||||
hashes = [
|
||||
"h1:PQxNPNmMVOErxryTWIJwr22k95DTSODmgRylqjc2TjI=",
|
||||
"h1:tyfjD/maKzb0RxxD9KWgLnkJu9lnYziYsQgGw85Giz8=",
|
||||
"zh:0d4fbb7030d9caac3b123e60afa44f50c83cc2a983e1866aec7f30414abe7b0e",
|
||||
"zh:0db080228e07c72d6d8ca8c45249d6f97cd0189fce82a77abbdcd49a52e57572",
|
||||
"zh:0df88393271078533a217654b96f0672c60eb59570d72e6aefcb839eea87a7a0",
|
||||
"zh:2883b335bb6044b0db6a00e602d6926c047c7f330294a73a90d089f98b24d084",
|
||||
"zh:390158d928009a041b3a182bdd82376b50530805ae92be2b84ed7c3b0fa902a0",
|
||||
"zh:7169b8f8df4b8e9659c49043848fd5f7f8473d0471f67815e8b04980f827f5ef",
|
||||
"zh:9417ee1383b1edd137024882d7035be4dca51fb4f725ca00ed87729086ec1755",
|
||||
"zh:a22910b5a29eeab5610350700b4899267c1b09b66cf21f7e4d06afc61d425800",
|
||||
"zh:a6185c9cd7aa458cd81861058ba568b6411fbac344373a20155e20256f4a7557",
|
||||
"zh:b6260ca9f034df1b47905b4e2a9c33b67dbf77224a694d5b10fb09ae92ffad4c",
|
||||
"zh:d87c12a6a7768f2b6c2a59495c7dc00f9ecc52b1b868331d4c284f791e278a1e",
|
||||
"h1:iPylWr144mqXvM8NBVMTm+MS6JRhqIihlpJG91GYDyA=",
|
||||
"zh:146f97eacd9a0c78b357a6cfd2cb12765d4b18e9660a75500ee3e748c6eba41a",
|
||||
"zh:2eb89a6e5cee9aea03a96ea9f141096fe3baf219b2700ce30229d2d882f5015f",
|
||||
"zh:3d0f971f79b615c1014c75e2f99f34bd4b4da542ca9f31d5ea7fadc4e9de39c1",
|
||||
"zh:46099a750c752ce05aa14d663a86478a5ad66d95aff3d69367f1d3628aac7792",
|
||||
"zh:71e56006b013dcfe1e4e059b2b07148b44fcd79351ae2c357e0d97e27ae0d916",
|
||||
"zh:74febd25d776688f0558178c2f5a0e6818bbf4cdaa2e160d7049da04103940f0",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:af18c064a5f0dd5422d6771939274841f635b619ab392c73d5bf9720945fdb85",
|
||||
"zh:c133d7a862079da9f06e301c530eacbd70e9288fa2276ec0704df907270ee328",
|
||||
"zh:c894cf98d239b9f5a4b7cde9f5c836face0b5b93099048ee817b0380ea439c65",
|
||||
"zh:c918642870f0cafdbe4d7dd07c909701fc3ddb47cac8357bdcde1327bf78c11d",
|
||||
"zh:f8f5655099a57b4b9c0018a2d49133771e24c7ff8262efb1ceb140fd224aa9b6",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/vault" {
|
||||
version = "3.3.1"
|
||||
version = "3.8.0"
|
||||
constraints = "3.8.0"
|
||||
hashes = [
|
||||
"h1:SOTmxGynxFf1hECFq0/FGujGQZNktePze/4mfdR/iiU=",
|
||||
"h1:i7EC2IF0KParI+JPA5ZtXJrAn3bAntW5gEMLvOXwpW4=",
|
||||
"zh:3e1866037f43c1083ff825dce2a9e3853c757bb0121c5ae528ee3cf3f99b4113",
|
||||
"zh:49636cc5c4939134e098c4ec0163c41fae103f24d7e1e8fc0432f8ad93d596a0",
|
||||
"zh:5258a7001719c4aeb84f4c4da7115b795da4794754938a3c4176a4b578fe93a1",
|
||||
"zh:7461738691e2e8ea91aba73d4351cfbc30fcaedcf0e332c9d35ef215f93aa282",
|
||||
"zh:815529478e33a6727273b08340a4c62c9aeb3da02abf8f091bb4f545c8451fce",
|
||||
"zh:8e6fede9f5e25b507faf6cacd61b997035b8b62859245861149ddb2990ada8eb",
|
||||
"zh:9acc2387084b9c411e264c4351633bc82f9c4e420f8e6bbad9f87b145351f929",
|
||||
"zh:b9e4af3b06386ceed720f0163a1496088c154aa1430ae072c525ffefa4b37891",
|
||||
"zh:c7d5dfb8f8536694db6740e2a4afd2d681b60b396ded469282524c62ce154861",
|
||||
"zh:d0850be710c6fd682634a2f823beed0164231cc873b1dc09038aa477c926f57c",
|
||||
"zh:e90c2cba9d89db5eab295b2f046f24a53f23002bcfe008633d398fb3fa16d941",
|
||||
"h1:F+1vJ14D9nNx3sNrCbKxvpJZ+QnVmD1p/ITbYPlkRg4=",
|
||||
"zh:2c807352fd061f31d2972f131b74ab2e2c47031760a9f18b6f4b4a699d384969",
|
||||
"zh:3c5d6334c367c41d570f0eb226be0dfbdb31034669b8914b509f145a279c2bfa",
|
||||
"zh:4ce3887e53cc9536bfd500fac09caaab93084ed145532a521826a5093e7f8dd7",
|
||||
"zh:6990eac4216fb8d7fcbe0a483cc1c6a077d0e970db84fb1c0b9032158b555c0e",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:939576f814ee4406131bdd3564cee041b05176d2e0a0b55e8081019348125e76",
|
||||
"zh:a0545395bd6039f7c9998113ada4334717eb1c74fee4ece7da1d4f3e6d5ef7ba",
|
||||
"zh:a086e5e4fdadcb0492f48074047954cc6c437b9ee57d9ec7ba850fb7cb5455a8",
|
||||
"zh:c997156a7c23fa06304d7e22cfd64407e9ed69237c5780d20026521ce2be478d",
|
||||
"zh:d47ad773cf50d703450cf301872cbc33938712a5ae491dfebf77611e1bcb0237",
|
||||
"zh:d95de02ccc23416e2eefb689c94046a5dcb4c65ab96cebc61838c5b1ef70e1d3",
|
||||
"zh:f166c7ed64c12978c4296d477ca508df82791648e6e9ff523268c1d361493851",
|
||||
]
|
||||
}
|
||||
|
@ -40,20 +40,21 @@ provider "registry.terraform.io/hashicorp/nomad" {
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/hashicorp/vault" {
|
||||
version = "3.7.0"
|
||||
version = "3.8.0"
|
||||
constraints = "3.8.0"
|
||||
hashes = [
|
||||
"h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
|
||||
"zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
|
||||
"zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
|
||||
"zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
|
||||
"zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
|
||||
"zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
|
||||
"zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
|
||||
"zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
|
||||
"h1:F+1vJ14D9nNx3sNrCbKxvpJZ+QnVmD1p/ITbYPlkRg4=",
|
||||
"zh:2c807352fd061f31d2972f131b74ab2e2c47031760a9f18b6f4b4a699d384969",
|
||||
"zh:3c5d6334c367c41d570f0eb226be0dfbdb31034669b8914b509f145a279c2bfa",
|
||||
"zh:4ce3887e53cc9536bfd500fac09caaab93084ed145532a521826a5093e7f8dd7",
|
||||
"zh:6990eac4216fb8d7fcbe0a483cc1c6a077d0e970db84fb1c0b9032158b555c0e",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
|
||||
"zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
|
||||
"zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
|
||||
"zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
|
||||
"zh:939576f814ee4406131bdd3564cee041b05176d2e0a0b55e8081019348125e76",
|
||||
"zh:a0545395bd6039f7c9998113ada4334717eb1c74fee4ece7da1d4f3e6d5ef7ba",
|
||||
"zh:a086e5e4fdadcb0492f48074047954cc6c437b9ee57d9ec7ba850fb7cb5455a8",
|
||||
"zh:c997156a7c23fa06304d7e22cfd64407e9ed69237c5780d20026521ce2be478d",
|
||||
"zh:d47ad773cf50d703450cf301872cbc33938712a5ae491dfebf77611e1bcb0237",
|
||||
"zh:d95de02ccc23416e2eefb689c94046a5dcb4c65ab96cebc61838c5b1ef70e1d3",
|
||||
"zh:f166c7ed64c12978c4296d477ca508df82791648e6e9ff523268c1d361493851",
|
||||
]
|
||||
}
|
||||
|
15
nomad/acls/consul_policies.tf
Normal file
15
nomad/acls/consul_policies.tf
Normal file
@ -0,0 +1,15 @@
|
||||
resource "consul_acl_policy" "server_policy" {
|
||||
name = "consul-servers"
|
||||
rules = <<EOH
|
||||
node_prefix "server-" {
|
||||
policy = "write"
|
||||
}
|
||||
node_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
service_prefix "" {
|
||||
policy = "read"
|
||||
}
|
||||
|
||||
EOH
|
||||
}
|
20
nomad/acls/consul_vault.tf
Normal file
20
nomad/acls/consul_vault.tf
Normal file
@ -0,0 +1,20 @@
|
||||
resource "vault_consul_secret_backend" "config" {
|
||||
path = "consul"
|
||||
description = "Manages the Consul backend"
|
||||
|
||||
address = "http://127.0.0.1:8300"
|
||||
# Using root token here, do consul tokens expire?
|
||||
token = var.consul_token
|
||||
}
|
||||
|
||||
resource "vault_consul_secret_backend_role" "consul_servers" {
|
||||
name = "consul-servers"
|
||||
backend = vault_consul_secret_backend.config.path
|
||||
|
||||
consul_policies = [
|
||||
"consul-servers"
|
||||
]
|
||||
|
||||
max_ttl = 240
|
||||
ttl = 120
|
||||
}
|
@ -1,3 +1,12 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "3.8.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Configure Consul provider
|
||||
provider "consul" {
|
||||
address = var.consul_address
|
||||
|
@ -3,15 +3,19 @@ variable "consul_address" {
|
||||
default = "http://n1.thefij:8500"
|
||||
}
|
||||
|
||||
variable "consul_token" {
|
||||
type = string
|
||||
description = "Token for setting up consul"
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "nomad_secret_id" {
|
||||
type = string
|
||||
description = "Secret ID for ACL bootstrapped Nomad"
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "vault_token" {
|
||||
type = string
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
@ -1,3 +1,12 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "3.8.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Configure Consul provider
|
||||
provider "consul" {
|
||||
address = var.consul_address
|
||||
|
@ -3,9 +3,6 @@
|
||||
hosts: consul_instances
|
||||
any_errors_fatal: true
|
||||
|
||||
vars_files:
|
||||
- consul_values.yml
|
||||
|
||||
roles:
|
||||
- role: ansible-consul
|
||||
vars:
|
||||
@ -32,6 +29,9 @@
|
||||
consul_ports_grpc: 8502
|
||||
consul_client_address: "0.0.0.0"
|
||||
|
||||
consul_acl_enabled: true
|
||||
consul_acl_default_policy: "deny"
|
||||
|
||||
# Enable metrics
|
||||
consul_config_custom:
|
||||
telemetry:
|
||||
@ -52,6 +52,7 @@
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
# Bootstrap ACLs
|
||||
- name: Start Consul
|
||||
systemd:
|
||||
state: started
|
||||
@ -61,35 +62,28 @@
|
||||
# If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
|
||||
# pointing to 127.0.0.1 and possibly restart Docker and Nomad
|
||||
|
||||
- name: Add values
|
||||
- name: Boostrap ACLs
|
||||
command:
|
||||
argv:
|
||||
- "consul"
|
||||
- "acl"
|
||||
- "bootstrap"
|
||||
- "-format=json"
|
||||
run_once: true
|
||||
ignore_errors: true
|
||||
register: bootstrap_result
|
||||
|
||||
- name: Save bootstrap result
|
||||
copy:
|
||||
content: "{{ bootstrap_result.stdout }}"
|
||||
dest: "./consul_bootstrap.json"
|
||||
when: bootstrap_result is succeeded
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
block:
|
||||
- name: Install python-consul
|
||||
pip:
|
||||
name: python-consul
|
||||
extra_args: --index-url https://pypi.org/simple
|
||||
|
||||
- name: Set hostname
|
||||
consul_kv:
|
||||
host: "{{ inventory_hostname }}"
|
||||
key: global/base_hostname
|
||||
# TODO: propogate this through via Consul and Nomad templates rather than Terraform
|
||||
value: dev.homelab
|
||||
|
||||
- name: Write values
|
||||
consul_kv:
|
||||
host: "{{ inventory_hostname }}"
|
||||
key: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
loop: "{{ consul_values | default({}) | dict2items }}"
|
||||
|
||||
- name: Setup Vault cluster
|
||||
hosts: vault_instances
|
||||
|
||||
vars_files:
|
||||
- ./vault_hashi_vault_values.yml
|
||||
|
||||
roles:
|
||||
- name: ansible-vault
|
||||
vars:
|
||||
|
Loading…
Reference in New Issue
Block a user