Merge pull request #1976 from grapl-security/twunderlich/dnsmasq-in-aws

Enable dnsmasq as a system job that runs everywhere
grapl-security · Sep 15, 2022 · 5e4c88a · 5e4c88a
2 parents 546b786 + b1a5b11
commit 5e4c88a
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 55 deletions.
diff --git a/nomad/dns.nomad b/nomad/dns.nomad
@@ -0,0 +1,59 @@
+job "dns" {
+  datacenters = ["dc1"]
+  type        = "system"
+
+  group "dnsmasq" {
+    network {
+      mode = "bridge"
+      port "dns" {
+        static = 53
+        to     = 53
+      }
+    }
+
+
+    task "dnsmasq" {
+      driver = "docker"
+
+      config {
+        #This is an alpine-based dnsmasq container
+        image = "4km3/dnsmasq:2.85-r2"
+        ports = ["dns"]
+        args = [
+          # Send all queries for .consul to the NOMAD_IP
+          "--server", "/consul/${NOMAD_IP_dns}#8600",
+          # log to standard out
+          "--log-facility=-",
+        ]
+        cap_add = [
+          "NET_BIND_SERVICE",
+        ]
+        logging {
+          type = "journald"
+          config {
+            tag = "DNSMASQ"
+          }
+        }
+      }
+
+      service {
+        name         = "dnsmasq"
+        port         = "dns"
+        address_mode = "driver"
+        tags         = ["dns"]
+
+        check {
+          type     = "tcp"
+          port     = "dns"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+
+      resources {
+        cpu    = 50
+        memory = 100
+      }
+    }
+  }
+}
diff --git a/nomad/local/grapl-local-infra.nomad b/nomad/local/grapl-local-infra.nomad
@@ -384,61 +384,6 @@ job "grapl-local-infra" {
     }
   }
 
-  group "dnsmasq" {
-    network {
-      mode = "bridge"
-      port "dns" {
-        static = 53
-        to     = 53
-      }
-    }
-
-
-    task "dnsmasq" {
-      driver = "docker"
-
-      config {
-        #This is an alpine-based dnsmasq container
-        image = "4km3/dnsmasq:2.85-r2"
-        ports = ["dns"]
-        args = [
-          # Send all queries for .consul to the NOMAD_IP
-          "--server", "/consul/${NOMAD_IP_dns}#8600",
-          # log to standard out
-          "--log-facility=-",
-        ]
-        cap_add = [
-          "NET_BIND_SERVICE",
-        ]
-        logging {
-          type = "journald"
-          config {
-            tag = "DNSMASQ"
-          }
-        }
-      }
-
-      service {
-        name         = "dnsmasq"
-        port         = "dns"
-        address_mode = "driver"
-        tags         = ["dns"]
-
-        check {
-          type     = "tcp"
-          port     = "dns"
-          interval = "10s"
-          timeout  = "2s"
-        }
-      }
-
-      resources {
-        cpu    = 50
-        memory = 100
-      }
-    }
-  }
-
   group "scylla" {
     network {
       mode = "bridge"

diff --git a/pulumi/grapl/__main__.py b/pulumi/grapl/__main__.py
@@ -314,6 +314,15 @@ def main() -> None:
 
     graph_db = ScyllaInstance("graph-db")
 
+    NomadJob(
+        "dns",
+        jobspec=repository_path("nomad/dns.nomad"),
+        vars=dict(),
+        opts=pulumi.ResourceOptions(
+            provider=nomad_provider,
+        ),
+    )
+
     # TODO migrate secret lookups to dynamic vault lookups inline Nomad.
     #  This requires Nomad to have been hooked up to Vault first
     lightstep_access_token = pulumi.Output.secret(