nomad/e2e/terraform/hcp_vault.tf
Tim Gross 020fa6f8ba E2E with HCP Consul/Vault (#12267)
Use HCP Consul and HCP Vault for the Consul and Vault clusters used in E2E testing. This has the following benefits:

* Without the need to support mTLS bootstrapping for Consul and Vault, we can simplify the mTLS configuration by leaning on Terraform instead of janky bash shell scripting.
* Vault bootstrapping is no longer required, so we can eliminate even more janky shell scripting
* Our E2E exercises HCP, which is important to us as an organization
* With the reduction in configurability, we can simplify the Terraform configuration and drop the complicated `provision.sh`/`provision.ps1` scripts we were using previously. We can template Nomad configuration files and upload them with the `file` provisioner.
* Packer builds for Linux and Windows become much simpler.

tl;dr way less janky shell scripting!
2022-03-18 09:27:28 -04:00


# Note: the test environment must have the following values set:
# export HCP_CLIENT_ID=      # credentials for the hcp provider (data.hcp_vault_cluster below)
# export HCP_CLIENT_SECRET=
# export VAULT_TOKEN=        # token for the vault provider; it must be able to write
#                            # policies, create orphan tokens and manage token-auth
#                            # roles, since all three are created below
# export VAULT_ADDR=         # address of the HCP Vault cluster named by var.hcp_vault_cluster_id
# Look up the shared HCP Vault cluster used by E2E. Only its private
# endpoint URL is consumed here (by the rendered Nomad Vault stanza below).
data "hcp_vault_cluster" "e2e_shared_vault" {
cluster_id = var.hcp_vault_cluster_id
}
# Nomad servers configuration for Vault
resource "vault_policy" "nomad" {
  # Policy attached to the Nomad server token (vault_token.nomad). Its rules
  # are kept in etc/acls/vault/nomad-policy.hcl and read through the
  # local_file data source so the policy stays in a reviewable HCL file.
  policy = data.local_file.vault_policy_for_nomad.content
  name   = "nomad-server"
}
# Raw text of the nomad-server Vault policy, resolved against path.root so
# the lookup does not depend on the directory `terraform` is invoked from.
data "local_file" "vault_policy_for_nomad" {
filename = "${path.root}/etc/acls/vault/nomad-policy.hcl"
}
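resource "vault_token" "nomad" {
  # Token handed to the Nomad servers (rendered into nomad.d/vault.hcl
  # below). It carries only the nomad-server policy.
  # display_name makes the token identifiable in Vault audit logs and
  # `vault token lookup` output instead of showing up as an anonymous token.
  display_name = "nomad-server"
  policies     = [vault_policy.nomad.name]
  # Orphan: the token must outlive the provisioning VAULT_TOKEN that
  # created it, so it is created without a parent.
  no_parent = true
  # Renewable with a 72h TTL; Nomad is expected to renew it. If Nomad is not
  # running for 72h the token expires and a fresh `terraform apply` is needed.
  renewable = true
  ttl       = "72h"
  # NOTE: the resulting client_token is recorded in Terraform state in
  # plaintext; treat the state file (and any backend holding it) as a secret.
}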
# This is the role that Nomad will use for derived tokens. It is not
# allowed to grant the nomad-server policy, so it can only mint tokens for
# tasks, not for new clusters.
resource "vault_token_auth_backend_role" "nomad_cluster" {
  # Token role the Nomad servers use when deriving Vault tokens for tasks.
  # The nomad-server policy is explicitly denied so a job can never obtain
  # a token powerful enough to bootstrap another Nomad cluster.
  # NOTE(review): only a deny-list is configured, so any other policy in the
  # namespace can still be requested for a task; an allowed_policies list
  # would be tighter if the set of policies the E2E jobs need is known.
  role_name           = "nomad-tasks"
  disallowed_policies = [vault_policy.nomad.name]

  # Task tokens are orphans: they must not be revoked along with the
  # server token that issued them.
  orphan = true

  # Periodic tokens (72h = 259200s) that Nomad renews; "0" sets no explicit
  # max TTL so renewal is bounded only by the period.
  renewable     = true
  token_period  = "259200"
  token_max_ttl = "0"
}
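resource "local_file" "nomad_config_for_vault" {
  # Render the Nomad servers' Vault stanza, with the server token baked in,
  # to a local staging path (the commit message says this is uploaded with
  # the `file` provisioner). The template path is resolved against
  # path.root, like the policy file above, so rendering does not depend on
  # the directory `terraform` is invoked from.
  sensitive_content = templatefile("${path.root}/etc/nomad.d/vault.hcl", {
    token     = vault_token.nomad.client_token
    url       = data.hcp_vault_cluster.e2e_shared_vault.vault_private_endpoint_url
    namespace = var.hcp_vault_namespace
  })
  filename = "uploads/shared/nomad.d/vault.hcl"

  # The rendered file contains a live Vault token: keep it owner-only, and
  # also create any missing parent directories owner-only instead of the
  # provider's default of 0777.
  file_permission      = "0600"
  directory_permission = "0700"

  # NOTE: sensitive_content only redacts the value from plan/apply output;
  # the rendered stanza (token included) is still stored in Terraform state.
  # Newer releases of the local provider deprecate sensitive_content in
  # favour of the local_sensitive_file resource; moving to it changes the
  # resource address, so it needs a state move rather than a drop-in edit.
}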