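# Note: the test environment must have the following values set:
# export HCP_CLIENT_ID=
# export HCP_CLIENT_SECRET=
# export VAULT_TOKEN=
# export VAULT_ADDR=

# Look up the shared HCP Vault cluster used by the e2e suite. Its private
# endpoint URL is what gets rendered into the Nomad servers' Vault config below.
data "hcp_vault_cluster" "e2e_shared_vault" {
  cluster_id = var.hcp_vault_cluster_id
}

# Nomad servers configuration for Vault

# Policy the Nomad servers run under. The body is loaded from
# etc/acls/vault/nomad-policy.hcl (data source below); the name is suffixed
# with local.random_name so concurrent e2e runs don't collide in the shared
# cluster.
resource "vault_policy" "nomad" {
  name   = "${local.random_name}-nomad-server"
  policy = data.local_file.vault_policy_for_nomad.content
}

data "local_file" "vault_policy_for_nomad" {
  filename = "${path.root}/etc/acls/vault/nomad-policy.hcl"
}

# Token handed to the Nomad servers, created with the nomad-server policy
# above. no_parent makes it an orphan so it is not revoked along with the
# token that ran terraform. The 72h ttl is the lease between renewals; since
# the token is renewable, its effective lifetime is bounded by the mount's
# max TTL rather than by this value.
resource "vault_token" "nomad" {
  policies  = [vault_policy.nomad.name]
  no_parent = true
  renewable = true
  ttl       = "72h"
}

# this is the role that Nomad will use for derived tokens. It's not allowed
# access to nomad-policy so that it can only mint tokens for tasks, not for
# new clusters.
#
# NOTE(review): only disallowed_policies is set, so a task may still request
# any other policy that exists in this namespace. If the e2e tasks only need a
# known set of policies, pinning them with allowed_policies would narrow what
# a compromised task can obtain. token_period together with
# token_max_ttl = "0" makes derived tokens periodic: they have no hard expiry
# as long as Nomad keeps renewing them within the 72h period.
resource "vault_token_auth_backend_role" "nomad_cluster" {
  role_name           = "nomad-tasks"
  disallowed_policies = [vault_policy.nomad.name]
  orphan              = true
  token_period        = "259200" # 72h, in seconds
  renewable           = true
  token_max_ttl       = "0"
}

# Render the Nomad servers' vault.hcl stanza. The rendered file contains the
# plaintext server token, which is why it is a local_sensitive_file written
# with mode 0600; it must not be committed or copied anywhere less protected.
# The template path is anchored to path.root, matching the local_file data
# source above, so the lookup does not depend on the directory terraform is
# invoked from (templatefile resolves bare relative paths against the cwd).
resource "local_sensitive_file" "nomad_config_for_vault" {
  content = templatefile("${path.root}/etc/nomad.d/vault.hcl", {
    token     = vault_token.nomad.client_token
    url       = data.hcp_vault_cluster.e2e_shared_vault.vault_private_endpoint_url
    namespace = var.hcp_vault_namespace
  })
  filename        = "uploads/shared/nomad.d/vault.hcl"
  file_permission = "0600"
}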