perm-service.yml
# Perm Service
# Adds the `perm` instance group: a single VM in z1 running the perm job.
- type: replace
  path: /instance_groups/-
  value:
    name: perm
    instances: 1
    azs:
      - z1
    vm_type: minimal
    stemcell: default
    networks:
      - name: default
    jobs:
      - name: perm
        release: perm
        properties:
          # NOTE(review): debug verbosity on an authorization service can
          # put request detail into the logs; confirm it is intended
          # outside development.
          log_level: debug
          # The whole perm_tls variable is interpolated (no sub-field), so
          # the job receives the private key along with the certificate.
          tls: ((perm_tls))
          sql:
            db:
              driver: mysql
              username: perm
              password: ((perm_database_password))
              schema: perm
              host: sql-db.service.cf.internal
              port: 3306
            # NOTE(review): indentation was rebuilt from a flattened
            # listing; `tls` is assumed to sit beside `db` under `sql`.
            # Confirm against the perm job spec.
            tls:
              required: true
              ca_certs:
                # pxc_server_ca is not declared in this file; it has to be
                # supplied by the base manifest or another ops file.
                - ((pxc_server_ca.certificate))
          uaa:
            hostname: uaa.((system_domain))
            port: 443
            ca_certs:
              - ((router_ca.certificate))
# Changes to other instance groups
# Appends the perm.admin group to the UAA `admin` SCIM user.
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/scim/users/name=admin/groups/-
  value: perm.admin
# Seeds a `perm` database and a `perm` user on the mysql job. The password
# is the same perm_database_password variable handed to the perm job and to
# both errands.
# NOTE(review): this path targets the `mysql` job (`cf_mysql` properties),
# while the perm job trusts ((pxc_server_ca.certificate)); confirm both
# refer to the same database deployment.
- type: replace
  path: /instance_groups/name=database/jobs/name=mysql/properties/cf_mysql/mysql/seeded_databases/-
  value:
    name: perm
    username: perm
    password: ((perm_database_password))
# Sets the `perm` properties of cloud_controller_ng on the api instance
# group: perm and perm queries are switched on, and the CA that issued the
# perm certificate is the only trust anchor listed.
- type: replace
  path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/perm?
  value:
    enabled: true
    query_enabled: true
    ca_certs:
      - ((perm_tls_ca.certificate))
# Registers perm.service.cf.internal as a bosh-dns alias for the perm
# instances. The value stays quoted because a leading `*` would otherwise
# be read as a YAML alias.
# NOTE(review): the target presumably encodes network `default` and
# deployment `cf`; confirm both names match the actual deployment.
- type: replace
  path: /addons/name=bosh-dns/jobs/name=bosh-dns/properties/aliases/perm.service.cf.internal?
  value:
    - '*.perm.default.cf.bosh'
# Changes to releases
# Pins the perm release to one tarball fetched over HTTPS.
- type: replace
  path: /releases/-
  value:
    name: perm
    # Quoted so the version is always read as a string.
    version: '0.0.7'
    url: https://storage.googleapis.com/perm-releases/perm-release-0.0.7.tgz
    # NOTE(review): integrity of the tarball rests on a SHA-1 digest alone,
    # and SHA-1 is no longer collision resistant. If the Director in use
    # accepts a `sha256:`-prefixed digest in this field, prefer pinning
    # with one computed from a trusted copy of the release.
    sha1: f1f7f0b36c1957aabc0dd478829418d04217a8d5
# Changes to variables
# Generated CA used only to sign the perm service certificate. Its public
# certificate is what cloud_controller_ng and the migrator errand list
# under perm ca_certs.
- type: replace
  path: /variables/-
  value:
    name: perm_tls_ca
    type: certificate
    options:
      is_ca: true
      common_name: perm_ca
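# Leaf certificate for the perm service, signed by perm_tls_ca.
- type: replace
  path: /variables/-
  value:
    name: perm_tls
    type: certificate
    options:
      ca: perm_tls_ca
      common_name: perm.service.cf.internal
      # Current TLS clients verify the host name against the subject
      # alternative names and ignore the common name, so the service name
      # is repeated here as a SAN.
      # NOTE(review): a certificate that was already generated is
      # presumably not re-issued by this change alone; regenerate
      # perm_tls to pick up the SAN.
      alternative_names:
        - perm.service.cf.internal
      # Both usages are requested, so this one key pair is valid as a TLS
      # server and as a TLS client.
      extended_key_usage:
        - client_auth
        - server_auth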
# Database password shared by the perm job, the seeded mysql user and both
# perm errands.
- type: replace
  path: /variables/-
  value:
    name: perm_database_password
    type: password

# Secret of the cloud_controller_monitor UAA client; also handed to the
# cc-to-perm-migrator errand.
- type: replace
  path: /variables/-
  value:
    name: perm_uaa_clients_cloud_controller_monitor_secret
    type: password

# Secret of the perm_monitor UAA client. No job in this file consumes it.
- type: replace
  path: /variables/-
  value:
    name: perm_uaa_clients_perm_monitor_secret
    type: password

# Secret of the cc_perm UAA client. No job in this file consumes it.
- type: replace
  path: /variables/-
  value:
    name: perm_uaa_clients_cc_perm_secret
    type: password
# Perm Errands
# Errand instance group running the perm-drop-db job with the same database
# account as the perm service.
# NOTE(review): judging by its name the errand drops the perm schema; treat
# the right to run it as a privileged operation.
- type: replace
  path: /instance_groups/-
  value:
    name: perm-drop-database
    instances: 1
    azs:
      - z1
    lifecycle: errand
    vm_type: minimal
    stemcell: default
    networks:
      - name: default
    jobs:
      - name: perm-drop-db
        release: perm
        properties:
          sql:
            # NOTE(review): unlike the perm job, no `tls` section is set
            # here, so whether this connection is encrypted and verified
            # depends on the job's defaults. Confirm against the job spec.
            db:
              driver: mysql
              username: perm
              password: ((perm_database_password))
              schema: perm
              host: sql-db.service.cf.internal
              port: 3306
# Errand instance group running cc-to-perm-migrator. It is configured with
# UAA, Cloud Controller, the perm CA and the perm database.
- type: replace
  path: /instance_groups/-
  value:
    name: capi-perm-migrator
    instances: 1
    azs:
      - z1
    lifecycle: errand
    vm_type: minimal
    stemcell: default
    networks:
      - name: default
    jobs:
      - name: cc-to-perm-migrator
        release: perm
        properties:
          uaa:
            hostname: uaa.((system_domain))
            port: 443
            ca_certs:
              - ((router_ca.certificate))
          cloud_controller:
            hostname: api.((system_domain))
            port: 443
            # Reads from Cloud Controller as the cloud_controller_monitor
            # client, requesting only the admin read-only scope.
            client_id: cloud_controller_monitor
            client_secret: ((perm_uaa_clients_cloud_controller_monitor_secret))
            client_scopes:
              - cloud_controller.admin_read_only
          perm:
            ca_certs:
              - ((perm_tls_ca.certificate))
          sql:
            # NOTE(review): unlike the perm job, no `tls` section is set
            # here, so whether this connection is encrypted and verified
            # depends on the job's defaults. Confirm against the job spec.
            db:
              driver: mysql
              username: perm
              password: ((perm_database_password))
              schema: perm
              host: sql-db.service.cf.internal
              port: 3306
# UAA client used by the cc-to-perm-migrator errand. It is limited to the
# client_credentials grant and the read-only Cloud Controller admin
# authority.
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/cloud_controller_monitor?
  value:
    authorities: cloud_controller.admin_read_only
    authorized-grant-types: client_credentials
    secret: ((perm_uaa_clients_cloud_controller_monitor_secret))

# UAA client holding perm.admin; presumably the identity Cloud Controller
# presents to perm (confirm where the secret is consumed).
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/cc_perm?
  value:
    authorities: perm.admin
    authorized-grant-types: client_credentials
    secret: ((perm_uaa_clients_cc_perm_secret))

# NOTE(review): the monitoring client is given the same perm.admin
# authority as cc_perm. Confirm that monitoring needs admin rights, or
# narrow the authority if perm offers a lesser one.
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/perm_monitor?
  value:
    authorities: perm.admin
    authorized-grant-types: client_credentials
    secret: ((perm_uaa_clients_perm_monitor_secret))