create a secured cluster with ACL for validation #57

Merged (1 commit, Jul 9, 2024)
Conversation

jagedn
Collaborator

@jagedn jagedn commented Jul 3, 2024

If you provide the --secure argument when creating the local cluster, the script will initialize it using ACL.

The management token will be shown on the console. You need to provide this token (i.e. the NOMAD_TOKEN env variable) to run the pipeline.

Signed-off-by: Jorge Aguilera <jorge@edn.es>
@jagedn jagedn requested review from abhi18av and jhaezebr July 3, 2024 14:34
@abhi18av abhi18av linked an issue Jul 3, 2024 that may be closed by this pull request
Member

@abhi18av abhi18av left a comment

Looks good to merge ✅

Though I do suggest that we hold off a bit before merging the PR or making a new release till we have had a sync regarding the next steps - what do you think? @jhaezebr @jagedn

Ideally we can also cover the HTTPS setup in this iteration together, since a prod cluster would actually make use of SSL certs.

@jagedn
Collaborator Author

jagedn commented Jul 3, 2024

yes, good idea

Collaborator

@jhaezebr jhaezebr left a comment

Looks good!
Later we can add some more specific policies to test with minimal permissions.
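
An added example (not code from this PR or from the nf-nomad repository) covering two points from the thread: the management token the PR description says is printed once on the console, and the minimal-permission policies mentioned above. It extracts the Secret ID from `nomad acl bootstrap` output, writes a least-privilege policy for a job-submitting pipeline, and mints a client token bound to that policy so the management token never reaches the pipeline. The namespace, the capability list, and the policy/token name `nf-pipeline` are assumptions, and the bootstrap output below is constructed sample text.

```shell
#!/usr/bin/env sh
# Added example, not part of nf-nomad or its cluster script. Assumes a Nomad
# cluster started with acl { enabled = true }, the nomad CLI on PATH and
# NOMAD_ADDR pointing at a server. Capabilities below are an assumption about
# what a job-submitting pipeline needs, not something the project documents.

# Constructed sample of `nomad acl bootstrap` output (IDs are made up).
SAMPLE_BOOTSTRAP_OUTPUT='Accessor ID  = 0d2a8b1c-1111-4c3e-9a7f-000000000001
Secret ID    = 7f3e9c2a-2222-4b6d-8e1f-000000000002
Name         = Bootstrap Token
Type         = management
Global       = true
Create Time  = 2024-07-03 14:34:00 +0000 UTC
Expiry Time  = <none>
Create Index = 7
Modify Index = 7
Policies     = n/a
Roles        = n/a'

# Pull the Secret ID out of `nomad acl bootstrap` / `nomad acl token create`
# output; this is the value that goes into NOMAD_TOKEN.
extract_secret_id() {
  printf '%s\n' "$1" | awk '/^Secret ID/ { print $NF }'
}

# Write a minimal policy for a pipeline that only submits jobs in one namespace
# and reads their status, logs and task filesystems. Namespace and capabilities
# are assumptions; trim them to what the pipeline actually calls.
write_pipeline_policy() {
  ns="${1:-default}"
  out="${2:-nf-pipeline.policy.hcl}"
  cat >"$out" <<EOF
namespace "$ns" {
  capabilities = ["submit-job", "read-job", "list-jobs", "read-logs", "read-fs", "alloc-lifecycle"]
}
EOF
  printf '%s\n' "$out"
}

# Against a live cluster: bootstrap once, apply the policy with the management
# token, then create a client token bound to that policy. Only the client token
# is handed to the pipeline; the management token stays with the operator.
provision_pipeline_token() {
  mgmt="$(extract_secret_id "$(nomad acl bootstrap)")"
  policy_file="$(write_pipeline_policy default)"
  NOMAD_TOKEN="$mgmt" nomad acl policy apply \
    -description "nf pipeline submitter" nf-pipeline "$policy_file" >/dev/null
  extract_secret_id "$(NOMAD_TOKEN="$mgmt" nomad acl token create \
    -name nf-pipeline -type client -policy nf-pipeline)"
}

# Usage (live cluster):
#   export NOMAD_TOKEN="$(provision_pipeline_token)"
#   nextflow run ...
```

The bootstrap output is the only time Nomad prints the management Secret ID, so capture it into a secrets store rather than a shell history; the pipeline itself should run with the client token, which can be revoked with `nomad acl token delete` without re-bootstrapping.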

@abhi18av
Member

abhi18av commented Jul 4, 2024

Good then @jhaezebr, could you please set up HTTPS in the az-nomadlab setup? Then we can add them and test it immediately.

Also, a quick reminder: if you're going to change the terraform template, could you please make the manager node a nomad server as well? This way we would not need the SSH hopping for the portal.

@jhaezebr
Collaborator

jhaezebr commented Jul 4, 2024

This would mean that the nomad cluster UI is open to the internet. Is that safe enough?

@tomiles
Collaborator

tomiles commented Jul 4, 2024

Security-wise I would not advise opening up the nomad server API ports. The added step of starting an SSH tunnel isn't too much overhead during development. If the use case is automatic testing, that can be managed by running a self-hosted runner, since those only make outgoing long-poll requests over HTTPS and no incoming ports need to be opened.

@abhi18av
Member

abhi18av commented Jul 4, 2024

Ah good point - then perhaps we can just

  1. whitelist just one port from the vnet and make use of policies to control the accessibility.
  2. whitelist our specific IPs in the vnet and remove the public access for unknown IPs

In case that's not secure or useful then please feel free to disagree and suggest what you feel is the best option, happy to go along with that 👍

The baseline idea is to have as little friction as possible in dev-time iterations :)
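
An added example (not code from this PR, az-nomadlab or nf-nomad) for the tunnel approach discussed above: leave 4646 closed on the network security group and reach the Nomad API over SSH through the manager node, with a check that the pipeline is only ever pointed at the tunnel endpoint. The host name, user and local port are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of az-nomadlab or nf-nomad. Assumes the manager node
# accepts SSH and runs (or can reach) a Nomad server on 127.0.0.1:4646; the
# bastion address and local port are placeholders.

# Build the ssh command that forwards a loopback-only local port to the Nomad
# API on the manager node. Binding explicitly to 127.0.0.1 keeps the forwarded
# API off the workstation's other interfaces; ExitOnForwardFailure makes a
# port clash fail loudly instead of leaving a tunnel that forwards nothing.
nomad_tunnel_cmd() {
  bastion="$1"              # e.g. azureuser@nomad-manager.example (assumed)
  local_port="${2:-4646}"
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:4646 %s\n' \
    "$local_port" "$bastion"
}

# Refuse to run the pipeline against anything but a loopback endpoint, so a
# stray NOMAD_ADDR never sends the ACL token to a public address.
nomad_addr_is_loopback() {
  case "$1" in
    http://127.0.0.1:*|http://localhost:*|https://127.0.0.1:*|https://localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Confirm the tunnel answers before exporting NOMAD_ADDR (needs curl and a
# live tunnel; not exercised offline).
tunnel_is_up() {
  curl -fsS -m 3 "http://127.0.0.1:${1:-4646}/v1/agent/health" >/dev/null
}

# Usage:
#   eval "$(nomad_tunnel_cmd azureuser@nomad-manager.example)"
#   export NOMAD_ADDR=http://127.0.0.1:4646
#   nomad_addr_is_loopback "$NOMAD_ADDR" && tunnel_is_up && nextflow run ...
```

For the self-hosted runner variant from the thread, the same functions apply on the runner host: the runner only needs outbound HTTPS to its control plane, and the Nomad API stays reachable solely through the tunnel.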

@jagedn jagedn added the enhancement New feature or request label Jul 6, 2024
@jagedn jagedn merged commit 1eb0b9a into master Jul 9, 2024
2 checks passed
@jagedn jagedn deleted the nomad-acl branch July 9, 2024 10:12
Successfully merging this pull request may close these issues.

Error running nf-nomad with acl enabled
5 participants