Comments (5)
zhenik
commented on July 24, 2024
While deploying a module you might have the token from Vault with limited access rights. Like only "read" capabilities.
path "secret/data/dev/minio" {
capabilities = ["read"]
}
I would suggest avoiding coupling between module and managing Vault policies.
from terraform-nomad-trino.
zhenik
commented on July 24, 2024
As an additional idea, we could think about a separate module(s) for managing:
VaultpoliciesConsulpoliciesNomadpolicies
or
- Hashicorp policy manager module, just one common for Policy management for all 3 services at once.
Policies exist in separate contexts for each module, you have the opportunity to map policies with roles and make tokens via Vault.
The same idea for Consul intentions. Basically, avoid coupling.
NB even having these modules, we might end up with different access rights, who can manage policies, who can deploy modules with services, and it should be two different sets of identities, credentials, and rights to do so.
from terraform-nomad-trino.
pdmthorsrud
commented on July 24, 2024
We just had a discussion about this, here's my takeaway:
We both agree that putting something like this inside the presto-module is not necessarily a good thing, because this is not a "presto"-thing, meaning it doesn't belong in the presto-module. Therefore, Nikita's suggestion of putting the creation of secrets (and potentially other features) into its own terraform module makes a lot of sense. The same goes for the creation of intentions as well, which should potentially also be its own module.
However, in the context of the system we are about to use this module in, it might be beneficial to have some simple code bundled with the module that creates secrets in vault. This all depends on whether we will have to create our own credentials or not.
from terraform-nomad-trino.
pdmthorsrud
commented on July 24, 2024
We just had a discussion about this, here's my takeaway:
We both agree that putting something like this inside the presto-module is not necessarily a good thing, because this is not a "presto"-thing, meaning it doesn't belong in the presto-module. Therefore, Nikita's suggestion of putting the creation of secrets (and potentially other features) into its own terraform module makes a lot of sense. The same goes for the creation of intentions as well, which should potentially also be its own module.
However, in the context of the system we are about to use this module in, it might be beneficial to have some simple code bundled with the module that creates secrets in vault. This all depends on whether we will have to create our own credentials or not.
when all that is said and done, why don't we just create a tiny module that takes a path and keys as input, and create random strings, and output their paths? Maybe an hour of work, not even that
from terraform-nomad-trino.
pdmthorsrud
commented on July 24, 2024
I would like to start POC'ing a little on this one, so I can get my head around our credentials and policies
https://github.com/pdmthorsrud/terraform-vault-credentials
from terraform-nomad-trino.
Related Issues (20)
- Refactor variables and strings containing Presto to Trino
- Connect to other sources HOT 3
- Include updated Consul Connect plugin which enables service-mesh authentication between coordinator and workers
- Release 0.4.0
- Example trino_cluster failes [branch presto-to-trino-include-plugin]
- Bump versions
- Optional use of connector sources
- Migrate to trino HOT 2
- Fix trino_cluster example HOT 1
- Tests should also run when consul_acl & nomad_acl is true
- Add configuration parameters for jvm.config and config.properties
- Add possibility to use a memory connector with trino
- `Plugin exited`/`context canceled` error in pipeline HOT 5
- Toggle use of custom policy for vault provider HOT 1
- Unstable deletion of table in Trino, with underlyting structures in S3/MinIO HOT 4
- Typo i `conf/nomad/trino_standalone.hcl`
- Release 0.4.1
- Move secrets in nomad task to secrets folder
- Could this possibly be split out into a separate file? Will Nomad collate files?
- [Security] Workflow on_pr_push_master.yml is using vulnerable action actions/checkout
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-nomad-trino.