abaez.hashicluster.nomad_acl_policy (1.2.3) — module

Nomad ACL policy management for v0.7+

Added in version: N/A of abaez.hashicluster

Authors: Alejandro Baez (@abaez)

preview | supported by community

Install collection

Install with ansible-galaxy collection install abaez.hashicluster:==1.2.3


Add to requirements.yml

  collections:
    - name: abaez.hashicluster
      version: 1.2.3

Description

This module adds an ACL policy to Nomad.

It uses the policy format introduced in Nomad v0.7.0.

For more information about Nomad's ACL system, see: https://nomadproject.io/guides/security/acl/


Requirements

Usage examples

# Create a policy
- name: Create a new policy
  consul_acl_policy:
    address: '127.0.0.1:8500'
    management_token: 85e55057-a260-44ed-961b-e05eaff181fc
    state: present
    description: Nice policy to give no access
    name: hello world
    rules: '{{ rules | to_json }}'
  vars:
    rules:
      agent_prefix:
        '':
          policy: read
  register: create_new_policy_result
# Read an existing policy
- name: Read an existing policy
  consul_acl_policy:
    address: '127.0.0.1:8500'
    management_token: 85e55057-a260-44ed-961b-e05eaff181fc
    state: present
    policy_id: 19577e59-4928-4ff0-9be4-cf4c2fa44e71
  register: read_policy_result
# Update an existing policy
- name: Update an existing policy
  consul_acl_policy:
    address: '127.0.0.1:8500'
    management_token: 85e55057-a260-44ed-961b-e05eaff181fc
    state: present
    policy_id: 19577e59-4928-4ff0-9be4-cf4c2fa44e71
    name: 'magical_unique_policy'
    rules: '{{ rules | to_json }}'
  vars:
    rules:
      agent_prefix:
        '':
          policy: deny
      agent:
        'foo':
          policy: write
  register: update_policy_result
# Delete an existing policy
- name: Delete an existing policy
  consul_acl_policy:
    address: '127.0.0.1:8500'
    management_token: 85e55057-a260-44ed-961b-e05eaff181fc
    state: absent
    policy_id: 19577e59-4928-4ff0-9be4-cf4c2fa44e71
  register: delete_policy_result
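
A pre-flight check for the `rules` document before it is passed to the module, as an added example that is not part of the collection. It rejects policy values other than those shown in the examples above and warns when an empty prefix grants write. The names `lint_rules`, `KNOWN_POLICIES`, `NARROW` and `BROAD` are hypothetical, and the allowed policy set is an assumption taken from this page's samples.

```python
import json

# Policy values that appear in this page's examples; anything else is reported
# as an error (assumption: extend this set if your server accepts more values).
KNOWN_POLICIES = {"read", "write", "deny"}


def lint_rules(rules):
    """Return a list of (severity, message) findings for a rules document.

    `rules` may be a dict or the JSON string that the module's `rules` input takes.
    """
    if isinstance(rules, str):
        try:
            rules = json.loads(rules)
        except json.JSONDecodeError as exc:
            return [("error", f"rules is not valid JSON: {exc.msg}")]
    if not isinstance(rules, dict):
        return [("error", "rules must be a JSON object")]

    findings = []
    for resource, entries in rules.items():
        if not isinstance(entries, dict):
            findings.append(("error", f"{resource}: expected an object of names"))
            continue
        for name, body in entries.items():
            policy = body.get("policy") if isinstance(body, dict) else None
            where = f"{resource}[{name!r}]"
            if policy not in KNOWN_POLICIES:
                findings.append(("error", f"{where}: unknown policy {policy!r}"))
            elif policy == "write" and resource.endswith("_prefix") and name == "":
                # An empty prefix matches every name of that resource type.
                findings.append(("warning", f"{where}: write on every {resource[:-7]}"))
    return findings


# Constructed samples, modelled on the rule sets in the usage examples above.
NARROW = {"agent_prefix": {"": {"policy": "deny"}}, "agent": {"foo": {"policy": "write"}}}
BROAD = json.dumps({"agent_prefix": {"": {"policy": "write"}}})

if __name__ == "__main__":
    for label, sample in (("narrow", NARROW), ("broad", BROAD)):
        print(label, lint_rules(sample) or "ok")
```

Running the check in CI against the variables file that feeds `rules` catches a broadened policy before a management token is ever used to apply it.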

Inputs

    
name:
    description:
    - A unique name of the policy you wish to create or modify.
    - Required when C(state=present)
    required: false
    type: str

rules:
    description:
    - A JSON string with ACL rules, as defined in Consul's ACL rules guide
    - https://www.consul.io/docs/acl/acl-rules.html
    - Required when C(state=present)
    required: false
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Whether the policy should be present in or absent from Consul
    required: false
    type: str

address:
    default: The environment variable CONSUL_HTTP_ADDR
    description:
    - The URL used to connect to Consul, in the form '<schema>//<domain>:<port>'.
    - For a unix domain socket, give 'unix:' with literal location.
    - 'Example: ''unix:///var/run/consul/http.sock''.'
    required: true
    type: str

policy_id:
    description:
    - A UUID of an already existing policy.
    - Must be defined when modifying an existing policy.
    required: false
    type: str

datacenters:
    default: []
    description:
    - Limits which datacenters the policy can be used in.
    required: false
    type: list()

description:
    description:
    - A readable short description of the policy.
    required: false
    type: str

management_token:
    default: The environment variable CONSUL_HTTP_TOKEN
    description:
    - A token with permissions to create or modify the policy.
    required: true
    type: str

Outputs

changed:
  description: Whether the policy has been created or modified.
  returned: always
  type: bool
datacenters:
  description: A list of datacenters to filter the policy.
  returned: changed
  sample:
  - us-east-1
  type: list()
description:
  description: A short description of the policy.
  returned: success and I(status) != "absent"
  type: str
policy_id:
  description: A UUID for the given policy.
  returned: success
  sample: a2ec332f-04cf-6fba-e8b8-acf62444d3da
  type: str
rules:
  description: A JSON object of rules for the policy.
  returned: success
  sample:
    key:
      bar:
        policy: deny
      foo:
        policy: write