Open ripienaar opened 1 month ago
public_key
or just use that as the id
the way nsc does, it might be more useful to have a friendly ID and a specifically named public_key
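// Operator: the root of trust that the accounts in this proposal are issued under.
// `resource` replaces the fused `dataresource` keyword: every depends_on in this
// sketch addresses the operator as nats_operator.DEVCO, a managed-resource address.
// NOTE(review): if the provider generates the operator nkey itself, the seed will
// presumably be persisted in Terraform state. Mark any seed attribute sensitive
// and restrict access to the state backend - confirm against the provider design.
resource "nats_operator" "DEVCO" {
  service_url = "https://...." // optional
  tags        = ["foo", "bar"] // optional; quoted, bare words would be parsed as references
} // should export its public key as data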
// Operator signing key for DEVCO.
// Open points from the proposal: the public half of this key has to be exposed
// as data in some way, and signing keys really need some kind of description,
// which is not supported at the moment.
// NOTE(review): a signing key is only useful for keeping the operator identity
// key out of day-to-day use if the two seeds are stored separately - confirm
// where the provider would keep each of them.
resource "nats_operator_sk" "FOO" {
  operator = "DEVCO"

  // the operator is given by name, so the ordering is declared explicitly
  depends_on = [nats_operator.DEVCO]
} // should export its public key as data
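// Account that owns the weather service, issued under the DEVCO operator.
resource "nats_account" "WEATHER_SERVICE" {
  operator = "DEVCO"

  limits = { // optional
    // NOTE(review): presumably this permits bearer JWTs for users of the
    // account; a bearer JWT authenticates without a signature from the user's
    // nkey, so leave it off unless such users are really needed.
    bearer_tokens = true
    connections   = 1000
    leafnodes     = 100
    payload       = 1024
    subscriptions = 100000
  }

  tags = ["foo", "bar"] // optional; quoted, bare words would be parsed as references

  // NOTE(review): no time zone is given - presumably UTC. Confirm, or accept an
  // RFC 3339 timestamp so the expiry written into the JWT is unambiguous.
  expires = "2028-01-01 00:00:00" // optional

  depends_on = [
    nats_operator.DEVCO
  ]
} // should export its public key as data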
// Account that holds the end users, issued under the DEVCO operator.
// NOTE(review): no limits are set here - confirm whether the provider would
// apply defaults or leave the account unlimited.
resource "nats_account" "USERS" {
  operator = "DEVCO"

  // the operator is given by name, so the ordering is declared explicitly
  depends_on = [nats_operator.DEVCO]
} // should export its public key as data
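// Export of the weather subjects from the WEATHER_SERVICE account.
// NOTE(review): nothing here requires an activation token, so as written this
// is presumably a public export that any account under the operator can import
// (nsc calls the restricted form a private export). Confirm that is intended,
// since advertise = true also makes the export discoverable.
// NOTE(review): the import in this sketch sets service = true, but the export
// does not say whether it is a stream or a service - confirm how that is chosen.
resource "nats_account_export" "WEATHER" {
  operator = "DEVCO"
  account  = "WEATHER_SERVICE"
  subject  = "weather.v1.>"

  // The export belongs to WEATHER_SERVICE, so that is the account it depends
  // on (the original listed nats_account.USERS); list items need commas.
  depends_on = [
    nats_operator.DEVCO,
    nats_account.WEATHER_SERVICE
  ]

  // optional below
  description = "V1 Weather Service"
  url         = "https://...."

  // Renamed from token-position: Terraform attribute names take underscores.
  // NOTE(review): in NATS an account token position has to point at a `*`
  // token of the export subject; token 2 of "weather.v1.>" is the literal
  // `v1` - confirm the subject or the position.
  token_position = 2
  advertise      = true
} // should export its public key as data
// NOTE(review): an export is an entry in the account JWT and has no nkey of its
// own - confirm whether the trailing note above applies to this resource.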
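// User BOB in the USERS account.
// The stray comma between the two block labels is removed; HCL labels are
// separated by whitespace only.
resource "nats_user" "BOB" {
  operator = "DEVCO"
  account  = "USERS"

  depends_on = [
    nats_operator.DEVCO,
    nats_account.USERS
  ]

  // optional below

  // Placeholder (typo SIGNINGLEY fixed); should be looked up by id, see the
  // comments on the import resource.
  // NOTE(review): a user JWT is presumably signed by the account key or an
  // account signing key; this sketch only defines an operator signing key
  // resource, so the resource that would supply this id is still missing.
  signer = "ID_OF_SIGNINGKEY"
  tags   = [ tags ] // placeholder for a list of tag strings

  limits = {
    payload = 10000
    // A bearer JWT authenticates on its own, with no signature from the
    // user's nkey, so whoever holds the token can connect as BOB. Treat the
    // issued JWT as a secret and keep the permissions below narrow.
    bearer_tokens = true
    subscriptions = 100
  }

  // [ subjects ] is a placeholder for a list of subject strings.
  // NOTE(review): confirm what the provider does when allow is left empty -
  // NATS users without explicit permissions are not restricted to a subject
  // set inside their account.
  publish = {
    allow = [ subjects ]
    deny  = [ subjects ]
  }
  subscribe = {
    allow = [ subjects ]
    deny  = [ subjects ]
  }
} // should export its public key as data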
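// Import of the weather export into the USERS account under a local subject.
resource "nats_import" "USERS_WEATHER_SERVICE" {
  operator = "DEVCO"
  account  = "USERS"
  subject  = "weather.v1.>"
  local    = "services.weather.v1.>"

  // how to fetch the public key from the account resource automatically?
  // else this couldnt converge in one run. We could set the public key
  // as the resource id then it would be like nats_account.WEATHER_SERVICE.id
  // to do the fetch here, that's probably the way to go. Probably this should
  // be how all IDs are generated as we do that for the JWTs anyway
  source = "WEATHER_SERVICE_PUBLIC_KEY"

  // The import needs the exporting account and its export to exist as well,
  // so both are listed (the original named only the operator and USERS);
  // list items need commas.
  depends_on = [
    nats_operator.DEVCO,
    nats_account.USERS,
    nats_account.WEATHER_SERVICE,
    nats_account_export.WEATHER
  ]

  // optional below

  // NOTE(review): share presumably discloses details of the requesting
  // connection to the exporting account, and traceable presumably lets
  // message traces cross the account boundary - confirm both are wanted
  // before they are enabled for a foreign account.
  share     = true
  traceable = true
  service   = true
} // should export its public key as data
// NOTE(review): an import is an entry in the account JWT and has no nkey of its
// own - confirm whether the trailing note above applies to this resource.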
What motivated this proposal?
The new library that allows these things to be done from Go.
What is the proposed change?
Write new resources matching operators, accounts, users, imports, exports, etc.
Who benefits from this change?
No response
What alternatives have you evaluated?
No response