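# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Vault wiring for the e2e cluster: look up the shared HCP Vault cluster,
# create the policy and token the Nomad servers use to talk to Vault, define
# the token role Nomad uses to mint task tokens, and render the Nomad `vault`
# stanza that gets uploaded to the servers.
#
# Note: the test environment must have the following values set:
# export HCP_CLIENT_ID=
# export HCP_CLIENT_SECRET=
# export VAULT_TOKEN=
# export VAULT_ADDR=

# The HCP Vault cluster shared by e2e runs; its private endpoint URL is what
# the Nomad servers are pointed at below.
data "hcp_vault_cluster" "e2e_shared_vault" {
  cluster_id = var.hcp_vault_cluster_id
}

# Nomad servers configuration for Vault

# Policy granting the Nomad servers their Vault access. The body is read from
# the checked-in ACL file rather than inlined. The name carries the per-run
# random prefix so concurrent runs against the shared cluster do not collide.
resource "vault_policy" "nomad" {
  name   = "${local.random_name}-nomad-server"
  policy = data.local_file.vault_policy_for_nomad.content
}

data "local_file" "vault_policy_for_nomad" {
  filename = "${path.root}/etc/acls/vault/nomad-policy.hcl"
}

# Token the Nomad servers authenticate to Vault with. `no_parent` makes it an
# orphan, so revoking the operator's VAULT_TOKEN that ran this apply does not
# take it down with it; it is renewable with a 72h TTL so Nomad can keep it
# alive for the duration of the run. The client_token is written into
# Terraform state and into the rendered config file below, so both are secrets.
resource "vault_token" "nomad" {
  policies  = [vault_policy.nomad.name]
  no_parent = true
  renewable = true
  ttl       = "72h"
}

# Token role Nomad uses when deriving Vault tokens for tasks. The nomad-server
# policy is explicitly disallowed so a task token can never carry the servers'
# own privileges: this role can only mint tokens for tasks, not for new
# clusters. Task tokens are orphans with a 72h (259200s) period and no max
# TTL (token_max_ttl = "0"), so they live for as long as they keep being
# renewed.
#
# NOTE(review): role_name is a fixed string while the policy it disallows is
# per-run prefixed, so two concurrent runs against the shared cluster would
# overwrite each other's role definition and only the last-applied run's
# policy would be disallowed. Confirm whether the Nomad config template refers
# to this fixed name before prefixing it with local.random_name.
resource "vault_token_auth_backend_role" "nomad_cluster" {
  role_name           = "nomad-tasks"
  disallowed_policies = [vault_policy.nomad.name]
  orphan              = true
  token_period        = "259200"
  renewable           = true
  token_max_ttl       = "0"
}

# Render the Nomad `vault` stanza with the server token and the cluster's
# private endpoint. The template path is anchored with path.root, consistent
# with the policy file above, so reading inputs does not depend on the
# working directory the apply is run from. The output path is left relative
# (presumably it is the staging tree a later upload step consumes — verify
# against the provisioning scripts). Written 0600 because it embeds the token.
resource "local_sensitive_file" "nomad_config_for_vault" {
  content = templatefile("${path.root}/etc/nomad.d/vault.hcl", {
    token     = vault_token.nomad.client_token
    url       = data.hcp_vault_cluster.e2e_shared_vault.vault_private_endpoint_url
    namespace = var.hcp_vault_namespace
  })
  filename        = "uploads/shared/nomad.d/vault.hcl"
  file_permission = "0600"
}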