# Mounts the Consul secrets engine at "consul" so Vault can issue short-lived
# Consul ACL tokens on demand (consumed through consul/creds/<role> below).
# Only created when the caller opts in with var.configure_for_consul.
resource "vault_consul_secret_backend" "consul" {
  count = var.configure_for_consul ? 1 : 0

  path        = "consul"
  description = "Provide tokens for consul"

  # Consul endpoint Vault talks to. NOTE(review): no scheme / ca_cert /
  # client_cert is set in this block and the provider's default scheme is
  # http — confirm var.consul_address is reached over TLS, otherwise the
  # management token Vault holds for Consul crosses the wire in clear.
  address = var.consul_address

  # When true, Vault performs the Consul ACL bootstrap itself and keeps the
  # resulting management token. NOTE(review): no `token` is supplied here, so
  # with bootstrap = false the engine presumably needs a management token
  # configured elsewhere — verify before relying on that path.
  bootstrap = var.consul_bootstrap

  # Default and ceiling lifetime of tokens issued through this mount. None of
  # the roles in this file set a per-role ttl/max_ttl, so these are presumably
  # the effective bounds for every issued Consul token.
  default_lease_ttl_seconds = var.consul_default_lease_ttl
  max_lease_ttl_seconds     = var.consul_max_lease_ttl
}
# Vault policy granting complete control of the "consul" mount. Because the
# wildcard covers every path under the mount — including consul/creds/root,
# whose role below issues Consul global-management tokens — a holder can both
# reconfigure the engine and mint Consul root tokens. Treat it accordingly.
data "vault_policy_document" "consul_root" {
  rule {
    path         = "consul/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Full access to configure the consul secret backend"
  }
  # NOTE(review): `sudo` only matters on sudo-protected endpoints; confirm the
  # consul engine actually exposes any before keeping it in this grant.
}
# Publishes the root policy document above as the Vault policy
# "resin-consul-root". Attaching this policy to a token or auth role is
# equivalent to handing out Consul management access; keep its assignment
# narrow and audited.
resource "vault_policy" "consul_root" {
  count = var.configure_for_consul ? 1 : 0

  name   = "resin-consul-root"
  policy = data.vault_policy_document.consul_root.hcl
}
# "root" role: tokens read from consul/creds/root carry Consul's built-in
# global-management policy, i.e. unrestricted Consul access. The only Vault
# policy in this file that reaches that path is resin-consul-root (consul/*).
# No per-role ttl/max_ttl is set, so the mount's lease TTLs presumably apply.
resource "vault_consul_secret_backend_role" "consul_role_root" {
  count = var.configure_for_consul ? 1 : 0

  name            = "root"
  backend         = vault_consul_secret_backend.consul[0].path
  consul_policies = ["global-management"]
}
# "agent" role: tokens issued at consul/creds/agent carry the *Consul* ACL
# policy named "resin-consul-agent". That policy lives in Consul and must
# already exist there — it is not created in this file, and it is a separate
# object from the Vault policy of the same name defined further down.
# NOTE(review): `local` is left at its default, so these are presumably
# global (replicated) tokens; confirm that is intended for agents.
resource "vault_consul_secret_backend_role" "consul_role_agent" {
  count = var.configure_for_consul ? 1 : 0

  name            = "agent"
  backend         = vault_consul_secret_backend.consul[0].path
  consul_policies = ["resin-consul-agent"]
}
# Vault policy for Consul agents. It grants exactly two reads: the gossip
# encryption key and a fresh agent token. No list/update/delete anywhere, so
# a compromised agent gets nothing beyond these two values from Vault.
data "vault_policy_document" "consul_agent" {
  # The /data/ segment suggests resin_internal is a KV v2 mount; the logical
  # secret path is then resin_internal/consul/gossip — confirm against the
  # mount definition.
  rule {
    path         = "resin_internal/data/consul/gossip"
    capabilities = ["read"]
    description  = "Consul gossip key"
  }

  # Every read of this path issues a new Consul token under the "agent" role.
  rule {
    path         = "consul/creds/agent"
    capabilities = ["read"]
    description  = "Consul agent role"
  }
}
# Publishes the agent policy document above as the Vault policy
# "resin-consul-agent". This is the Vault-side policy to attach to agent
# auth roles; it is distinct from the Consul ACL policy of the same name
# referenced by the "agent" secret backend role.
resource "vault_policy" "consul_agent" {
  count = var.configure_for_consul ? 1 : 0

  name   = "resin-consul-agent"
  policy = data.vault_policy_document.consul_agent.hcl
}
# "vault" role: tokens from consul/creds/vault carry the Consul ACL policy
# "resin-vault-server", which must already exist in Consul (not created
# here). No Vault policy in this file grants read on consul/creds/vault, so
# the consumer's policy is presumably defined elsewhere.
resource "vault_consul_secret_backend_role" "consul_role_vault" {
  count = var.configure_for_consul ? 1 : 0

  name            = "vault"
  backend         = vault_consul_secret_backend.consul[0].path
  consul_policies = ["resin-vault-server"]
}
# "nomad-client" role: tokens from consul/creds/nomad-client carry the Consul
# ACL policy "resin-nomad-client", which must already exist in Consul (not
# created here). The Vault policy that reads this path is not in this file —
# presumably defined alongside the Nomad client auth role.
resource "vault_consul_secret_backend_role" "consul_role_nomad_client" {
  count = var.configure_for_consul ? 1 : 0

  name            = "nomad-client"
  backend         = vault_consul_secret_backend.consul[0].path
  consul_policies = ["resin-nomad-client"]
}
# "nomad-server" role: tokens from consul/creds/nomad-server carry the Consul
# ACL policy "resin-nomad-server", which must already exist in Consul (not
# created here). As with the other non-agent roles, the Vault policy granting
# read on this creds path is not visible in this file.
resource "vault_consul_secret_backend_role" "consul_role_nomad_server" {
  count = var.configure_for_consul ? 1 : 0

  name            = "nomad-server"
  backend         = vault_consul_secret_backend.consul[0].path
  consul_policies = ["resin-nomad-server"]
}