|
|
|
|
@ -18,14 +18,6 @@ variable "github_vault_admins" {
|
|
|
|
|
type = list(any)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
variable "nomad_addr" {
|
|
|
|
|
type = string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
variable "nomad_token" {
|
|
|
|
|
type = string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
variable "vault_admins" {
|
|
|
|
|
type = list(any)
|
|
|
|
|
}
|
|
|
|
|
@ -59,16 +51,6 @@ resource "vault_github_team" "tf" {
|
|
|
|
|
team = var.github_tf_team
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "vault_nomad_secret_backend" "main" {
|
|
|
|
|
address = var.nomad_addr
|
|
|
|
|
backend = "nomad"
|
|
|
|
|
default_lease_ttl_seconds = "3600"
|
|
|
|
|
max_lease_ttl_seconds = "7200"
|
|
|
|
|
max_ttl = "240"
|
|
|
|
|
token = var.nomad_token
|
|
|
|
|
ttl = "120"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "vault_consul_secret_backend" "main" {
|
|
|
|
|
address = var.consul_http_addr
|
|
|
|
|
default_lease_ttl_seconds = "3600"
|
|
|
|
|
@ -102,11 +84,6 @@ data "vault_policy_document" "admin" {
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "nomad/*"
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "sys/auth/*"
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
@ -137,11 +114,6 @@ data "vault_policy_document" "admin" {
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "nomad/*"
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "secret/*"
|
|
|
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
|
|
|
@ -195,48 +167,6 @@ resource "vault_policy" "pghdsa_admin" {
|
|
|
|
|
policy = data.vault_policy_document.pghdsa_admin.hcl
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data "vault_policy_document" "nomad_server" {
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/create/nomad-cluster"
|
|
|
|
|
capabilities = ["update"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/roles/nomad-cluster"
|
|
|
|
|
capabilities = ["read"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/lookup-self"
|
|
|
|
|
capabilities = ["read"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/lookup"
|
|
|
|
|
capabilities = ["update"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/revoke-accessor"
|
|
|
|
|
capabilities = ["update"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "sys/capabilities-self"
|
|
|
|
|
capabilities = ["update"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rule {
|
|
|
|
|
path = "auth/token/renew-self"
|
|
|
|
|
capabilities = ["update"]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "vault_policy" "nomad_server" {
|
|
|
|
|
name = "nomad-server"
|
|
|
|
|
policy = data.vault_policy_document.nomad_server.hcl
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data "vault_policy_document" "consul_gossip" {
|
|
|
|
|
rule {
|
|
|
|
|
path = "secret/consul/gossip"
|
|
|
|
|
@ -268,12 +198,4 @@ resource "vault_consul_secret_backend_role" "main" {
|
|
|
|
|
policies = ["consul-servers"]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "vault_token_auth_backend_role" "nomad" {
|
|
|
|
|
role_name = "nomad-cluster"
|
|
|
|
|
disallowed_policies = [vault_policy.nomad_server.name]
|
|
|
|
|
orphan = true
|
|
|
|
|
token_period = 259200
|
|
|
|
|
renewable = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// vim:filetype=terraform
|
|
|
|
|
|
