This module is an example of how you can set up integration between Vault and Nomad. Refer to this page for more information.
This is intended to be used alongside the core module.
You must have applied the core module with Terraform first. In addition, you must have at least initialised and unsealed the Vault servers.
You must also provision this with the aws-auth module. You must give the `nomad_server` token role in aws-auth the `nomad_server` policy.
You can use both modules in the same Terraform module to satisfy these requirements. For example:

```hcl
module "nomad_vault_integration" {
  source = "..."
  # ...
}

module "aws_auth" {
  source = "..."
  # ...
  # Attach policy to allow creation of tokens for Nomad servers
  nomad_server_policies = ["...", "${module.nomad_vault_integration.nomad_server_policy_name}"]
}
```
Refer to the documentation on the Terraform Vault provider for details on how you can provide a Vault token for this Terraform operation. In general, you might want to do this with a root token.
Refer to the documentation on how to configure the ACL token for the Consul provider if needed.
Instead of generating a Vault token by hand while configuring Nomad, this module configures Vault so that, with the AWS authentication method enabled, Nomad server instances can retrieve a token on first boot purely by authenticating to Vault with their instance profile.
This module first provisions two policies and two token roles in Vault.

Policies:

- `nomad_server_policy`: This policy allows the token holder to create a periodic token with the `nomad_cluster_policy` using the `nomad_server` token role.
- `nomad_cluster_policy`: This policy allows Nomad to create child tokens for jobs that require it.

Token roles:

- `nomad_server`: This allows the creation of a token that is passed to Nomad for Nomad to create child tokens for use with jobs using the `nomad_cluster` role.
- `nomad_cluster`: This role is used by Nomad servers to create child tokens for use with jobs.
Using a source token obtained from the aws-auth module that has the `nomad_server_policy`, we can create a new `nomad_cluster` token using the `nomad_cluster` role. The `nomad_cluster` token will then be passed to Nomad servers for Nomad to manage. This token will be used by Nomad servers to create child tokens for use with jobs.
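The two policies and two token roles described above, written out as Terraform resources for the Vault provider, so the chain from instance profile to job token is visible in one place. This is an added illustration and not this module's source: the policy path contents are modelled on the Nomad and Vault integration documentation, the 72h period, the `token_period` attribute (Vault provider 2.x and later) and the choice of which token role mints the Nomad server token are assumptions, and the resource names are mine.

```hcl
# Added example, not this module's code. Names follow the README above;
# path contents and role settings are assumptions modelled on the Nomad docs.

# Held by the Nomad server *instance* through its aws-auth token. It can do
# exactly one thing: mint the token that is handed to Nomad, via one role.
resource "vault_policy" "nomad_server" {
  name   = "nomad_server_policy"
  policy = <<-EOT
    # Create tokens under the "nomad_server" token role only.
    path "auth/token/create/nomad_server" {
      capabilities = ["update"]
    }
    # Read the role so the boot script can verify its settings first.
    path "auth/token/roles/nomad_server" {
      capabilities = ["read"]
    }
  EOT
}

# Held by the periodic token handed to the Nomad servers. Lets Nomad create,
# look up, renew and revoke job tokens, but only through the "nomad_cluster" role.
resource "vault_policy" "nomad_cluster" {
  name   = "nomad_cluster_policy"
  policy = <<-EOT
    path "auth/token/create/nomad_cluster" {
      capabilities = ["update"]
    }
    path "auth/token/roles/nomad_cluster" {
      capabilities = ["read"]
    }
    # Nomad validates its own token and the tokens it issues to jobs.
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }
    path "auth/token/lookup" {
      capabilities = ["update"]
    }
    # Nomad revokes job tokens by accessor when allocations stop.
    path "auth/token/revoke-accessor" {
      capabilities = ["update"]
    }
    path "sys/capabilities-self" {
      capabilities = ["update"]
    }
    # The periodic token must be renewable by Nomad itself.
    path "auth/token/renew-self" {
      capabilities = ["update"]
    }
  EOT
}

# Token role used once per server boot to mint the token Nomad will manage.
# Orphan + periodic: it outlives the short-lived aws-auth login token and
# never expires as long as Nomad keeps renewing it.
resource "vault_token_auth_backend_role" "nomad_server" {
  role_name        = "nomad_server"
  allowed_policies = [vault_policy.nomad_cluster.name]
  orphan           = true
  token_period     = 259200 # 72h, assumed
  renewable        = true
}

# Token role Nomad uses for job tokens. No allowed_policies list, so jobs may
# request any policy except the two integration policies themselves.
resource "vault_token_auth_backend_role" "nomad_cluster" {
  role_name           = "nomad_cluster"
  disallowed_policies = [vault_policy.nomad_server.name, vault_policy.nomad_cluster.name]
  orphan              = true
  token_period        = 259200
  renewable           = true
}
```

The shape worth checking in your own deployment: the instance's aws-auth token can only reach `auth/token/create/nomad_server`, and that role can only hand out `nomad_cluster_policy`, so the policies a job can ultimately obtain are exactly those not listed in the `nomad_cluster` role's `disallowed_policies`; keep that list current when you add sensitive policies to Vault. On the Nomad side, the server's `vault` stanza should set `create_from_role = "nomad_cluster"` so every job token goes through that role, and the accessor of the server token, not the token itself, is what you record for auditing and revocation.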
After you have applied this module, a key will be set in Consul's KV store. The default `user_data` scripts of the Core's Nomad servers and clients will check for the presence of this key in Consul to configure themselves accordingly. Refer to the Core module's documentation on how to update your Nomad cluster.
Refer to INOUT.md