
Feature Request: Support the Nomad secrets backend #640

Closed
josemaia opened this issue Dec 23, 2019 · 6 comments

@josemaia

Much like what is possible for SSH, AWS, Azure, etc., I would like to be able to provision and configure my Vault to provide Nomad authentication.

I believe currently you can only do the creation of the mount, with vault_mount, but not configure any of its details (lease time, Nomad cluster address, tokens, roles, etc.). Requiring us to introduce a shell script just for this part of the configuration, when everything else in our Vault is setup via Terraform, is kind of unfortunate.


spuder commented May 16, 2020

Would also like to have this feature. Nomad is a first class citizen in vault, would really like to be able to manage it with terraform.



spuder commented May 17, 2020

It looks like this should be pretty similar to the Consul and RabbitMQ backends. I've started a branch in my fork that copies these resources. Assistance welcome.

https://github.com/spuder/terraform-provider-vault/tree/nomad_secret_backend


eidam commented Jul 26, 2020

@spuder how is it going? do you still need help? would love to see that in place :)


spuder commented Jul 26, 2020

I've slowed down the development on this feature due to a limitation on the vault api. There is no way to import an already created vault token, nor is there a way to read back the token if terraform dynamically creates it, which limits the usefulness of terraform here. Additionally the user will need to tread very carefully to not commit tokens to version control or terraform state files.

resource "vault_nomad_secret_backend" "test" {
  path        = "nomad"
  description = "Manages the Nomad backend"

  # Address of the Nomad API that Vault will issue tokens against
  address = "127.0.0.1:4646"
  # Nomad management token; hard-coded here only to illustrate the schema,
  # a literal value like this ends up in the state file
  token   = "4240861b-ce3d-8530-115a-521ff070dd29"
}

I've created a WIP merge request, #831, where others can join in and contribute.
Since this functionality has limited usefulness at my organization, it's unknown when/if I would be able to complete this.

Tasks where others can jump in:

  • Get tests passing (make testacc TESTARGS='-run=testNomadSecretBackendRole_initialConfig')
  • Create more tests
  • Improve documentation
  • Install plugin & Manually run to find bugs


jrluis commented Oct 2, 2020

In the meantime it is possible to use a null resource to invoke the vault cli to create the nomad role.

# Interim workaround: shell out to the Vault CLI from a null_resource. The CLI
# reads VAULT_ADDR and VAULT_TOKEN from the environment that runs terraform, so
# no Vault or Nomad credential is written into the configuration or the state.
resource "null_resource" "nomad_role_foo" {
  # null_resource runs its provisioner once; re-run it when the role definition changes
  triggers = {
    policies = "bar"
  }

  provisioner "local-exec" {
    command = <<EOF
vault write nomad/role/foo policies=bar
EOF
  }
}


swenson commented Aug 3, 2022

I believe this was added in #923.

Thanks!

@swenson swenson closed this as completed Aug 3, 2022
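What the resources that #923 is said to have added look like in use, as an added example that is not code from this thread, from spuder's branch or from the provider's own documentation. It assumes the `vault_nomad_secret_backend` and `vault_nomad_secret_role` resources with the attribute names the provider documents today; the Nomad address, the policy name and the variable name are placeholders. It also shows the one thing spuder's comment warns about: the Nomad management token is an input to this configuration, and marking the variable `sensitive` keeps it out of plan output but not out of the state file.

```hcl
# Added example; assumes the vault_nomad_secret_backend / vault_nomad_secret_role
# resources and attribute names from the provider docs. Address, role, policy
# and variable names are placeholders.

variable "nomad_management_token" {
  description = "Nomad management token that Vault uses to mint client tokens"
  type        = string
  sensitive   = true # redacted in plan/apply output, still stored in terraform state
}

resource "vault_nomad_secret_backend" "nomad" {
  backend     = "nomad"
  description = "Manages the Nomad backend"

  address = "https://nomad.example.internal:4646"
  token   = var.nomad_management_token

  # Lease TTLs on the mount itself
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 7200

  # Default and maximum TTL, in seconds, for Nomad tokens issued through this mount
  ttl     = 120
  max_ttl = 240
}

resource "vault_nomad_secret_role" "readonly" {
  backend  = vault_nomad_secret_backend.nomad.backend
  role     = "readonly"
  type     = "client"     # "client" tokens carry the listed policies; "management" tokens carry none
  policies = ["readonly"] # Nomad ACL policies attached to tokens issued for this role
}
```

Supply the token out of band (`TF_VAR_nomad_management_token`, or a sensitive value from your secret store) rather than in a `.tfvars` file that gets committed. Because the token is a resource argument, it is still persisted in the state file, so the state backend needs encryption at rest and access control as tight as the Vault mount it configures; Vault itself does not hand the token back on read, which is the read-back limitation spuder describes above, so a lost state file cannot be repaired by re-importing.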