From 854f8640307cce35acdd52f32080c9033973d20c Mon Sep 17 00:00:00 2001 From: kumarkavish Date: Mon, 24 Jun 2024 12:32:47 +0530 Subject: [PATCH 1/8] [IND-369] - pack to run TFE on Nomad. --- packs/tfe_fdo_nomad/CHANGELOG.md | 3 + packs/tfe_fdo_nomad/README.md | 156 ++++++++++++ packs/tfe_fdo_nomad/metadata.hcl | 12 + packs/tfe_fdo_nomad/outputs.tpl | 6 + .../templates/tfe.agent.nomad.tpl | 57 +++++ packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 220 +++++++++++++++++ packs/tfe_fdo_nomad/variables.hcl | 227 ++++++++++++++++++ 7 files changed, 681 insertions(+) create mode 100644 packs/tfe_fdo_nomad/CHANGELOG.md create mode 100644 packs/tfe_fdo_nomad/README.md create mode 100644 packs/tfe_fdo_nomad/metadata.hcl create mode 100644 packs/tfe_fdo_nomad/outputs.tpl create mode 100644 packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl create mode 100644 packs/tfe_fdo_nomad/templates/tfe.nomad.tpl create mode 100644 packs/tfe_fdo_nomad/variables.hcl diff --git a/packs/tfe_fdo_nomad/CHANGELOG.md b/packs/tfe_fdo_nomad/CHANGELOG.md new file mode 100644 index 0000000..3fafbcd --- /dev/null +++ b/packs/tfe_fdo_nomad/CHANGELOG.md @@ -0,0 +1,3 @@ +# 0.1.0 + +- Initial release diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md new file mode 100644 index 0000000..ade5cb1 --- /dev/null +++ b/packs/tfe_fdo_nomad/README.md 
@@ -0,0 +1,156 @@ +# Nomad pack for Terraform Enterprise FDO + + + +This pack deploys Terraform Enterprise on Nomad. This includes running a Terraform Enterprise service job and Terraform Enterprise agent batch job. + +## Pack Usage + +The pack expects certain prerequisites to be fulfilled before running. The list of prerequisites are: + +Interacting with the Nomad server will require +1. `NOMAD_ADDR` - The address of the Nomad server. +1. `NOMAD_TOKEN` - The SecretID of an ACL token to use to authenticate API requests with. +1. `NOMAD_CACERT` - Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. +1. `NOMAD_CLIENT_CERT` - Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify NOMAD_CLIENT_KEY. +1. `NOMAD_CLIENT_KEY` - Path to an unencrypted PEM encoded private key matching the client certificate from NOMAD_CLIENT_CERT. + +After setting up the environment variables, the pack can be setup using the following steps: + +1. Create Namespace for TFE job and TFE agent job. + + 1. Run `nomad namespace apply terraform-enterprise` to create the `terraform-enterprise` namespace. This is the default namespace that is used to bring up TFE Job. + 1. Run `nomad namespace apply tfe-agents` to create the `tfe-agents` namespace. This is the default namespace that is used to bring up TFE Agent Job. + + +2. Create a Nomad ACL policy file `terraform_enterprise_policy.hcl` with the content below: +```hcl + namespace "tfe-agents" { + capabilities = ["submit-job","dispatch-job", "list-jobs", "read-job", "read-logs" ] + } + ``` + +3. Apply the Nomad policy using: + ```bash + $ nomad acl policy apply \ + -namespace terraform-enterprise -job tfe-job \ + -group tfe-group -task tfe-task \ + terraform-enterprise-policy ./terraform_enterprise_policy.hcl + ``` + +4. Create the necessary Nomad Variables for each job. + + These contain sensitive data that are required like certs, licenses and passwords. 
+ Create a variable specification file: + + ```hcl + # spec.nv.hcl + path = "nomad/jobs/tfe-job" + namespace = "terraform-enterprise" + + items { + # TFE DB password. Mapped to the TFE_DB_PASSWORD environment variable. + db_password = "" + + # The field should contain the base64 encoded value of the cert. Mappped to the TFE_TLS_CERT_FILE environment variable. + cert = "" + + # The field should contain the base64 encoded value of the bundle. Mapped to the TFE_TLS_CA_BUNDLE_FILE environment variable. + bundle = "" + + # The field should contain the base64 encoded value of the key. Mappped to the TFE_TLS_KEY_FILE environment variable. + key = "" + + # A valid TFE license. Mapped to the TFE_LICENSE environment variable. + tfe_license = "" + + # Object storage access key. Mapped to the TFE_OBJECT_STORAGE_S3_SECRET_ACCESS_KEY environment variable. + s3_secret_key = "" + + # The field should contain the base64 encoded value of the Nomad CA. Mapped to the TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CA_CERT environment variable. + nomad_ca_cert = "" + + # The field should contain the base64 encoded value of the Nomad cert. Mapped to the TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_CERT environment variable. + nomad_cert = "" + + # The field should contain the base64 encoded value of the Nomad cert's key. Mapped to the TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_KEY environment variable. + nomad_cert_key = "" + + # TFE Redis password. Mapped to the TFE_REDIS_PASSWORD environment variable. + redis_password = "" + + # TFE Vault encryption key. Mapped to the TFE_ENCRYPTION_PASSWORD environment variable. + tfe_encryption_password = "" + + # Password for the registry where the TFE image is hosted. Mapped to the TFE_IMAGE_REGISTRY_PASSWORD environment variable. 
+ tfe_image_registry_password = "" + + } + ``` + + The variables can be created as below by passing the `spec.nv.hcl` file we create above: + + ```bash + $ nomad var put @spec.nv.hcl + ``` + + + + +# Pack Information + +After completing prerequisites, the pack can be run using the following command: +```bash +$nomad-pack run tfe_fdo_nomad -f var.hcl +``` + +The `var.hcl` file should contain the necessary variables required for the pack to run. The variables are listed below. + +## Variables + +These variables may be set to change the behavior of the TFE. Note that some of these variables come with default configuration while the rest need to provided for the pack deployment to succeed. + + +## Configuration + +| Name | Required | Default | Comments | +|----------------------------------------------|----------|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| +| `job_name` | no | `"tfe-job"` | Override the Nomad job name. | +| `datacenters` | no | `"dc1"` | Nomad datacenters where the task in the jobs will be spread. | +| `tfe_namespace` | no | `terraform-enterprise` | Nomad namespace where TFE image will be run as a Nomad task. | +| `tfe_port` | no | `8443` | HTTPS port to expose for TFE task. | +| `tfe_group_count` | no | `1` | Number of task groups to run in the job. | +| `tfe_http_port` | no | `8080` | HTTP port to expose for TFE task. | +| `tfe_service_name` | no | `tfe-service` | Name of the service to register in Nomad DNS. | +| `tfe_database_user` | no | `hashicorp` | TFE database user. | +| `tfe_database_host` | yes | `""` | The host name/IP of the postgres database being used. | +| `tfe_database_name` | no | `"tfe"` | TFE database name. | +| `tfe_database_parameters` | no | `sslmode=require` | TFE database server parameters for the connection URI. 
| +| `tfe_object_storage_type` | no | `s3` | Type of object storage to use. Must be one of s3, azure, or google. | +| `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. | +| `tfe_object_storage_s3_bucket` | yes | `""` | The bucket name of the S3 compatible object storage being used. | +| `tfe_object_storage_s3_region` | no | `us-west-2` | S3 region. | +| `tfe_object_storage_s3_use_instance_profile` | no | `false` | Whether to use the instance profile for authentication. | +| `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. | +| `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | +| `tfe_redis_host` | yes | `""` | The Redis host name being used. | +| `tfe_redis_user` | no | `""` | Redis server user. | +| `tfe_redis_use_tls` | no | false | Indicates to use TLS to access Redis. | +| `tfe_redis_use_auth` | no | false | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | +| `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | +| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | +| `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | +| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | +| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | +| `tfe_resource_cpu` | no | `"750"` | CPU in MHz for TFE container. | +| `tfe_resource_memory` | no | `"1024"` | Memory in MB for TFE container. 
| +| `tfe_image` | no | `"images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | +| `tfe_image_registry_username` | yes | `""` | The user name for the registry where the TFE image is hosted. | +| `tfe_image_server_address` | yes | `""` | The server address of the registry where TFE image is hosted. | +| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | +| `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | +| `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. | +| `tfe_vault_cluster_port` | no | `"8201"` | Vault cluster port which needs to exposed from the TFE container. | +| `tfe_vault_cluster_address` | no | `"http://$${NOMAD_HOST_ADDR_vault}"` | Cluster URL of the internal Vault server on this node (e.g., http://192.168.0.1:8201). Must be reachable across nodes. | +| `tfe_agent_resource_cpu` | no | `"750"` | CPU in MHz for TFE Agent container. | +| `tfe_agent_resource_memory` | no | `"1024"` | Memory in MB for TFE Agent container. | diff --git a/packs/tfe_fdo_nomad/metadata.hcl b/packs/tfe_fdo_nomad/metadata.hcl new file mode 100644 index 0000000..352e4f3 --- /dev/null +++ b/packs/tfe_fdo_nomad/metadata.hcl @@ -0,0 +1,12 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +app { + url = "https://developer.hashicorp.com/terraform/enterprise" +} +pack { + name = "tfe_fdo_nomad" + url = "https://github.com/hashicorp/nomad-pack-community-registry/tfe_fdo_nomad" + description = "Terraform Enterprise" + version = "0.1.0" +} diff --git a/packs/tfe_fdo_nomad/outputs.tpl b/packs/tfe_fdo_nomad/outputs.tpl new file mode 100644 index 0000000..3de6157 --- /dev/null +++ b/packs/tfe_fdo_nomad/outputs.tpl 
@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+Congrats! You deployed the terraform_enterprise_fdo pack on Nomad.
+
+You can view your instances of TFE running on the Nomad UI and reach it on the provided hostname.
diff --git a/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl
new file mode 100644
index 0000000..dcbf5af
--- /dev/null
+++ b/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl
@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+job "tfe-agent-job" {
+ type = "batch"
+ namespace = [[ .tfe_fdo_nomad.tfe_agent_namespace | quote ]]
+ constraint {
+ attribute = "${attr.kernel.name}"
+ value = "linux"
+ }
+ parameterized {
+ payload = "forbidden"
+ meta_required = [
+ "TFC_AGENT_TOKEN",
+ "TFC_ADDRESS"
+ ]
+ meta_optional = [
+ "TFE_RUN_PIPELINE_IMAGE",
+ "TFC_AGENT_AUTO_UPDATE",
+ "TFC_AGENT_CACHE_DIR",
+ "TFC_AGENT_SINGLE",
+ "HTTPS_PROXY",
+ "HTTP_PROXY",
+ "NO_PROXY"
+ ]
+ }
+
+ group "tfe-agent-group" {
+
+ task "tfc-agent-task" {
+ driver = "docker"
+
+ config {
+ image = [[ .tfe_fdo_nomad.tfe_agent_image | quote ]]
+ }
+ env {
+
+ TFC_ADDRESS = "${NOMAD_META_TFC_ADDRESS}"
+ TFC_AGENT_TOKEN = "${NOMAD_META_TFC_AGENT_TOKEN}"
+ TFC_AGENT_AUTO_UPDATE = "${NOMAD_META_TFC_AGENT_AUTO_UPDATE}"
+ TFC_AGENT_CACHE_DIR = "${NOMAD_META_TFC_AGENT_CACHE_DIR}"
+ TFC_AGENT_SINGLE = "${NOMAD_META_TFC_AGENT_SINGLE}"
+ HTTPS_PROXY = "${NOMAD_META_HTTPS_PROXY}"
+ https_proxy = "${NOMAD_META_HTTPS_PROXY}"
+ HTTP_PROXY = "${NOMAD_META_HTTP_PROXY}"
+ http_proxy = "${NOMAD_META_HTTP_PROXY}"
+ NO_PROXY = "${NOMAD_META_NO_PROXY}"
+ no_proxy = "${NOMAD_META_NO_PROXY}"
+ }
+
+ resources {
+ cpu = [[ .tfe_fdo_nomad.tfe_agent_resource_cpu ]]
+ memory = [[ .tfe_fdo_nomad.tfe_agent_resource_memory ]]
+ }
+ }
+ }
+}
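Review bot: The agent token is carried as dispatch metadata (`meta_required` lists `TFC_AGENT_TOKEN`, and the env block reads it back via `${NOMAD_META_TFC_AGENT_TOKEN}`), so it is persisted in the dispatched job specification and is readable by any ACL token holding `read-job` on the `tfe-agents` namespace, not only by the TFE task the README policy targets. If the TFE run pipeline supports no other way of handing the token to the agent, that trade-off should be recorded in the template so operators keep that namespace's ACLs narrow; I would add above `parameterized {`: `# TFC_AGENT_TOKEN is passed as dispatch meta and stored with the dispatched job; grant read-job on this namespace only to the TFE task.` A smaller point in the same hunk: `config.image` defaults to `hashicorp/tfc-agent:latest` (per the README table), which cannot be audited or rolled back deterministically; a release tag, or a digest, would be the safer default for a runner that executes customer plans.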
diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl new file mode 100644 index 0000000..fab75be --- /dev/null +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl @@ -0,0 +1,220 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +job [[ .tfe_fdo_nomad.job_name | quote ]] { + datacenters = [[ .tfe_fdo_nomad.datacenters | toStringList ]] + namespace = [[ .tfe_fdo_nomad.tfe_namespace | quote ]] + type = "service" + + group "tfe-group" { + count = [[ .tfe_fdo_nomad.tfe_group_count ]] + + spread { + attribute = "${node.unique.id}" + } + + restart { + attempts = 3 + delay = "60s" + interval = "10m" + mode = "fail" + } + + update { + max_parallel = 1 + min_healthy_time = "30s" + healthy_deadline = "12m" + progress_deadline = "15m" + health_check = "checks" + } + + + network { + port "tfe" { + static = [[ .tfe_fdo_nomad.tfe_port ]] + } + port "http" { + static = [[ .tfe_fdo_nomad.tfe_http_port ]] + } + port "vault" { + static = [[ .tfe_fdo_nomad.tfe_vault_cluster_port ]] + } + } + + service { + name = [[ .tfe_fdo_nomad.tfe_service_name | quote ]] + port = "tfe" + provider = "nomad" + + check { + type = "http" + port = "http" + path = "/_health_check" + interval = "5s" + timeout = "2s" + } + } + + task "tfe-task" { + driver = "docker" + + identity { + env = true + } + + template { + destination = "/secrets/key.pem" + change_mode = "restart" + splay = "60s" + data = < Date: Tue, 25 Jun 2024 12:51:23 +0530 Subject: [PATCH 2/8] [IND-369] - NITs --- packs/tfe_fdo_nomad/README.md | 2 +- packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl | 4 ++-- packs/tfe_fdo_nomad/variables.hcl | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md index ade5cb1..a4e1515 100644 --- a/packs/tfe_fdo_nomad/README.md +++ b/packs/tfe_fdo_nomad/README.md 
@@ -145,7 +145,7 @@ These variables may be set to change the behavior of the TFE. Note that some of | `tfe_resource_cpu` | no | `"750"` | CPU in MHz for TFE container. | | `tfe_resource_memory` | no | `"1024"` | Memory in MB for TFE container. | | `tfe_image` | no | `"images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | -| `tfe_image_registry_username` | yes | `""` | The user name for the registry where the TFE image is hosted. | +| `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. | | `tfe_image_server_address` | yes | `""` | The server address of the registry where TFE image is hosted. | | `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | | `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | diff --git a/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl index dcbf5af..fbfec23 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl @@ -33,8 +33,8 @@ job "tfe-agent-job" { config { image = [[ .tfe_fdo_nomad.tfe_agent_image | quote ]] } - env { - + + env { TFC_ADDRESS = "${NOMAD_META_TFC_ADDRESS}" TFC_AGENT_TOKEN = "${NOMAD_META_TFC_AGENT_TOKEN}" TFC_AGENT_AUTO_UPDATE = "${NOMAD_META_TFC_AGENT_AUTO_UPDATE}" diff --git a/packs/tfe_fdo_nomad/variables.hcl b/packs/tfe_fdo_nomad/variables.hcl index 56e0d13..5a86e19 100644 --- a/packs/tfe_fdo_nomad/variables.hcl +++ b/packs/tfe_fdo_nomad/variables.hcl @@ -171,6 +171,7 @@ variable "tfe_image" { variable "tfe_image_registry_username" { description = "The username to be used to fetch the terraform enterprise image from the registry." type = string + default = "terraform" } variable "tfe_image_server_address" { From 3550383a5909426dfc88470bbe8f1700b8443d41 Mon Sep 17 00:00:00 2001 
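Review bot: The new `default = "terraform"` on `tfe_image_registry_username` is registry-specific, but the description still reads as a generic username, so a user pointing `tfe_image_server_address` at a private mirror has no hint that the default is wrong for them. The earlier `tfe_image` default (`images.releases.hashicorp.com/...`) suggests this default pairs with the HashiCorp release registry; if so, say it: `description = "Username used to fetch the TFE image from the registry. The default \"terraform\" is for images.releases.hashicorp.com; override it for any other registry."`. The matching password is read from the Nomad variable described in the README, which is the right place for it.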
From: kumarkavish Date: Tue, 25 Jun 2024 15:24:47 +0530 Subject: [PATCH 3/8] [IND-369] - resolving comments. --- packs/tfe_fdo_nomad/README.md | 92 +++++++++++---------- packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 6 +- packs/tfe_fdo_nomad/variables.hcl | 20 ++++- 3 files changed, 71 insertions(+), 47 deletions(-) diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md index a4e1515..edd06d7 100644 --- a/packs/tfe_fdo_nomad/README.md +++ b/packs/tfe_fdo_nomad/README.md @@ -40,11 +40,13 @@ After setting up the environment variables, the pack can be setup using the foll 4. Create the necessary Nomad Variables for each job. - These contain sensitive data that are required like certs, licenses and passwords. + These contain sensitive data that are required like certs, licenses and passwords. Create a variable specification file: ```hcl # spec.nv.hcl + + # Path where Nomad variables will be stored, the same path will be used inside TFE job file rendered by tfe.nomad.tpl for TFE job to access. path = "nomad/jobs/tfe-job" namespace = "terraform-enterprise" @@ -87,7 +89,8 @@ After setting up the environment variables, the pack can be setup using the foll } ``` - + + Update the `path` variable if default value of `job_name` is overridden in the `var.hcl` file. The variables can be created as below by passing the `spec.nv.hcl` file we create above: ```bash 
@@ -113,44 +116,47 @@ These variables may be set to change the behavior of the TFE. Note that some of ## Configuration -| Name | Required | Default | Comments | -|----------------------------------------------|----------|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| -| `job_name` | no | `"tfe-job"` | Override the Nomad job name. | -| `datacenters` | no | `"dc1"` | Nomad datacenters where the task in the jobs will be spread. | -| `tfe_namespace` | no | `terraform-enterprise` | Nomad namespace where TFE image will be run as a Nomad task. | -| `tfe_port` | no | `8443` | HTTPS port to expose for TFE task. | -| `tfe_group_count` | no | `1` | Number of task groups to run in the job. | -| `tfe_http_port` | no | `8080` | HTTP port to expose for TFE task. | -| `tfe_service_name` | no | `tfe-service` | Name of the service to register in Nomad DNS. | -| `tfe_database_user` | no | `hashicorp` | TFE database user. | -| `tfe_database_host` | yes | `""` | The host name/IP of the postgres database being used. | -| `tfe_database_name` | no | `"tfe"` | TFE database name. | -| `tfe_database_parameters` | no | `sslmode=require` | TFE database server parameters for the connection URI. | -| `tfe_object_storage_type` | no | `s3` | Type of object storage to use. Must be one of s3, azure, or google. | -| `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. | -| `tfe_object_storage_s3_bucket` | yes | `""` | The bucket name of the S3 compatible object storage being used. | -| `tfe_object_storage_s3_region` | no | `us-west-2` | S3 region. | -| `tfe_object_storage_s3_use_instance_profile` | no | `false` | Whether to use the instance profile for authentication. | -| `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. 
| -| `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | -| `tfe_redis_host` | yes | `""` | The Redis host name being used. | -| `tfe_redis_user` | no | `""` | Redis server user. | -| `tfe_redis_use_tls` | no | false | Indicates to use TLS to access Redis. | -| `tfe_redis_use_auth` | no | false | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | -| `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | -| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | -| `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | -| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | -| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | -| `tfe_resource_cpu` | no | `"750"` | CPU in MHz for TFE container. | -| `tfe_resource_memory` | no | `"1024"` | Memory in MB for TFE container. | -| `tfe_image` | no | `"images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | -| `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. | -| `tfe_image_server_address` | yes | `""` | The server address of the registry where TFE image is hosted. | -| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | -| `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | -| `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. 
| -| `tfe_vault_cluster_port` | no | `"8201"` | Vault cluster port which needs to exposed from the TFE container. | -| `tfe_vault_cluster_address` | no | `"http://$${NOMAD_HOST_ADDR_vault}"` | Cluster URL of the internal Vault server on this node (e.g., http://192.168.0.1:8201). Must be reachable across nodes. | -| `tfe_agent_resource_cpu` | no | `"750"` | CPU in MHz for TFE Agent container. | -| `tfe_agent_resource_memory` | no | `"1024"` | Memory in MB for TFE Agent container. | +| Name | Required | Default | Comments | +|----------------------------------------------|----------|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `job_name` | no | `"tfe-job"` | Override the Nomad job name. | +| `datacenters` | no | `"dc1"` | Nomad datacenters where the task in the jobs will be spread. | +| `tfe_namespace` | no | `terraform-enterprise` | Nomad namespace where TFE image will be run as a Nomad task. | +| `tfe_port` | no | `8443` | HTTPS port to expose for TFE task. | +| `tfe_group_count` | no | `1` | Number of task groups to run in the job. | +| `tfe_http_port` | no | `8080` | HTTP port to expose for TFE task. | +| `tfe_service_name` | no | `tfe-service` | Name of the service to register in Nomad DNS. | +| `tfe_database_user` | no | `hashicorp` | TFE database user. | +| `tfe_database_host` | yes | `""` | The host name/IP of the postgres database being used. | +| `tfe_database_name` | no | `"tfe"` | TFE database name. | +| `tfe_database_parameters` | no | `sslmode=require` | TFE database server parameters for the connection URI. | +| `tfe_object_storage_type` | no | `s3` | Type of object storage to use. Must be one of s3, azure, or google. | +| `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. 
| +| `tfe_object_storage_s3_bucket` | yes | `""` | The bucket name of the S3 compatible object storage being used. | +| `tfe_object_storage_s3_region` | no | `us-west-2` | S3 region. | +| `tfe_object_storage_s3_use_instance_profile` | no | `false` | Whether to use the instance profile for authentication. | +| `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. | +| `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | +| `tfe_redis_host` | yes | `""` | The Redis host name being used. | +| `tfe_redis_user` | no | `""` | Redis server user. | +| `tfe_redis_use_tls` | no | false | Indicates to use TLS to access Redis. | +| `tfe_redis_use_auth` | no | false | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | +| `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | +| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | +| `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | +| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | +| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | +| `tfe_resource_cpu` | no | `"750"` | CPU in MHz for TFE container. | +| `tfe_resource_memory` | no | `"1024"` | Memory in MB for TFE container. | +| `tfe_image` | no | `"hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | +| `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. 
| +| `tfe_image_server_address` | yes | `"images.releases.hashicorp.com"` | The server address of the registry where TFE image is hosted. | +| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | +| `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | +| `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. | +| `tfe_vault_cluster_port` | no | `"8201"` | Vault cluster port which needs to exposed from the TFE container. | +| `tfe_vault_cluster_address` | no | `"http://$${NOMAD_HOST_ADDR_vault}"` | Cluster URL of the internal Vault server on this node (e.g., http://192.168.0.1:8201). Must be reachable across nodes. | +| `tfe_agent_resource_cpu` | no | `"750"` | CPU in MHz for TFE Agent container. | +| `tfe_agent_resource_memory` | no | `"1024"` | Memory in MB for TFE Agent container. | +| `tfe_service_discovery_provider` | no | `"nomad"` | Specifies the service registration provider to use for service registrations. Valid options are either consul or nomad. All services within a single task group must utilise the same provider value. | +| `health_check_interval` | no | `"5s"` | Specifies the interval at which Nomad will call the health check API for TFE container. | +| `health_check_timeout` | no | `"2s"` | Specifies the timeout in case health check API of TFE container is not reachable from Nomad. | diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl index fab75be..f5ce966 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl 
@@ -44,14 +44,14 @@ job [[ .tfe_fdo_nomad.job_name | quote ]] { service { name = [[ .tfe_fdo_nomad.tfe_service_name | quote ]] port = "tfe" - provider = "nomad" + provider = [[ .tfe_fdo_nomad.tfe_service_discovery_provider | quote ]] check { type = "http" port = "http" path = "/_health_check" - interval = "5s" - timeout = "2s" + interval = [[ .tfe_fdo_nomad.health_check_interval | quote ]] + timeout = [[ .tfe_fdo_nomad.health_check_timeout | quote ]] } } diff --git a/packs/tfe_fdo_nomad/variables.hcl b/packs/tfe_fdo_nomad/variables.hcl index 5a86e19..b809575 100644 --- a/packs/tfe_fdo_nomad/variables.hcl +++ b/packs/tfe_fdo_nomad/variables.hcl @@ -165,7 +165,7 @@ variable "tfe_resource_memory" { variable "tfe_image" { description = "The terraform enterprise image that will be used to deploy TFE" type = string - default = "images.releases.hashicorp.com/hashicorp/terraform-enterprise:v202401-2" + default = "hashicorp/terraform-enterprise:v202401-2" } variable "tfe_image_registry_username" { @@ -226,3 +226,21 @@ variable "tfe_vault_disable_mlock" { type = string default = "false" } + +variable "tfe_service_discovery_provider" { + description = "Specifies the service registration provider to use for service registrations." + type = string + default = "nomad" +} + +variable "health_check_timeout" { + description = "Specifies the timeout in case health check API of TFE container is not reachable from Nomad." + type = string + default = "2s" +} + +variable "health_check_interval" { + description = "Specifies the interval at which Nomad will call the health check API for TFE container." + type = string + default = "5s" +} From fcb204c5fe436e8aca557df940e133c73cdb6326 Mon Sep 17 00:00:00 2001 From: Rahul Date: Thu, 27 Jun 2024 13:01:29 +0530 Subject: [PATCH 4/8] Update README.md --- packs/tfe_fdo_nomad/README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
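Review bot: Dropping the registry host from the `tfe_image` default (now `hashicorp/terraform-enterprise:v202401-2`) changes where the image is pulled from unless the task's `config.image` is assembled from `tfe_image_server_address` and `tfe_image`: the docker driver pulls an unqualified reference from Docker Hub, and the `auth` block's `server_address` only selects which credentials are presented, not the pull source. The task config that consumes `tfe_image` is outside this hunk, so this is inferred; if the template does concatenate the two, the description should say so, e.g. `description = "Image path and tag of the TFE image, relative to tfe_image_server_address (e.g. hashicorp/terraform-enterprise:v202401-2)."`, and otherwise the default should keep the registry host so the pull stays pinned to the intended registry.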
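Review bot: `tfe_service_discovery_provider` is a free-form string whose description does not state the accepted values, while the README table added in the same commit spells out `consul` or `nomad` and the template passes the value straight into `service.provider`, where anything else is presumably rejected only at job submission. Mirror the README in the variable itself: `description = "Service registration provider for the TFE service. Valid values are \"consul\" or \"nomad\"; all services in a task group must use the same provider."`. The two health-check variables read fine as duration strings, though naming them `tfe_health_check_interval` and `tfe_health_check_timeout` would match the prefix used by most other variables in this file.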
diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md index edd06d7..aa6bf3c 100644 --- a/packs/tfe_fdo_nomad/README.md +++ b/packs/tfe_fdo_nomad/README.md @@ -8,29 +8,28 @@ This pack deploys Terraform Enterprise on Nomad. This includes running a Terrafo The pack expects certain prerequisites to be fulfilled before running. The list of prerequisites are: -Interacting with the Nomad server will require +### Create Environment variables 1. `NOMAD_ADDR` - The address of the Nomad server. 1. `NOMAD_TOKEN` - The SecretID of an ACL token to use to authenticate API requests with. 1. `NOMAD_CACERT` - Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. 1. `NOMAD_CLIENT_CERT` - Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify NOMAD_CLIENT_KEY. 1. `NOMAD_CLIENT_KEY` - Path to an unencrypted PEM encoded private key matching the client certificate from NOMAD_CLIENT_CERT. -After setting up the environment variables, the pack can be setup using the following steps: - -1. Create Namespace for TFE job and TFE agent job. +### Create Namespace for TFE job and TFE agent job. 1. Run `nomad namespace apply terraform-enterprise` to create the `terraform-enterprise` namespace. This is the default namespace that is used to bring up TFE Job. 1. Run `nomad namespace apply tfe-agents` to create the `tfe-agents` namespace. This is the default namespace that is used to bring up TFE Agent Job. -2. Create a Nomad ACL policy file `terraform_enterprise_policy.hcl` with the content below: +### Create and apply Nomad ACL policy. +Create a file `terraform_enterprise_policy.hcl` with the content below: ```hcl namespace "tfe-agents" { capabilities = ["submit-job","dispatch-job", "list-jobs", "read-job", "read-logs" ] } ``` -3. Apply the Nomad policy using: +To apply the policy run following bash command: ```bash $ nomad acl policy apply \ -namespace terraform-enterprise -job tfe-job \ 
@@ -38,7 +37,7 @@ After setting up the environment variables, the pack can be setup using the foll terraform-enterprise-policy ./terraform_enterprise_policy.hcl ``` -4. Create the necessary Nomad Variables for each job. +### Create the Nomad Variables. These contain sensitive data that are required like certs, licenses and passwords. Create a variable specification file: @@ -96,25 +95,26 @@ After setting up the environment variables, the pack can be setup using the foll ```bash $ nomad var put @spec.nv.hcl ``` +**Note: At this point, this file can be deleted.** -# Pack Information +## Pack Information -After completing prerequisites, the pack can be run using the following command: +After completing prerequisites, the pack can be run using the following bash command: ```bash $nomad-pack run tfe_fdo_nomad -f var.hcl ``` The `var.hcl` file should contain the necessary variables required for the pack to run. The variables are listed below. -## Variables +### Variables These variables may be set to change the behavior of the TFE. Note that some of these variables come with default configuration while the rest need to provided for the pack deployment to succeed. -## Configuration +### Configuration | Name | Required | Default | Comments | |----------------------------------------------|----------|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From fdfa330427be7711bc925a345fa73e7afe1475e2 Mon Sep 17 00:00:00 2001 From: kumarkavish Date: Thu, 27 Jun 2024 16:02:04 +0530 Subject: [PATCH 5/8] [IND-369] - resolving comments. --- packs/tfe_fdo_nomad/README.md | 105 ++++++++++---------- packs/tfe_fdo_nomad/metadata.hcl | 2 +- packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 15 +-- packs/tfe_fdo_nomad/variables.hcl | 5 +- 4 files changed, 57 insertions(+), 70 deletions(-) 
diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md index aa6bf3c..fe6932e 100644 --- a/packs/tfe_fdo_nomad/README.md +++ b/packs/tfe_fdo_nomad/README.md @@ -1,6 +1,9 @@ -# Nomad pack for Terraform Enterprise FDO + + Running Terraform Enterprise on Nomad is still in beta. Do not deploy beta features in + production environments. + - +# Nomad pack for Terraform Enterprise FDO (Beta) This pack deploys Terraform Enterprise on Nomad. This includes running a Terraform Enterprise service job and Terraform Enterprise agent batch job. @@ -10,7 +13,7 @@ The pack expects certain prerequisites to be fulfilled before running. The list ### Create Environment variables 1. `NOMAD_ADDR` - The address of the Nomad server. -1. `NOMAD_TOKEN` - The SecretID of an ACL token to use to authenticate API requests with. +1. `NOMAD_TOKEN` - The SecretID of an ACL token to use to authenticate API requests with. You will need this to create Nomad namespaces, variables and ACLs. 1. `NOMAD_CACERT` - Path to a PEM encoded CA cert file to use to verify the Nomad server SSL certificate. 1. `NOMAD_CLIENT_CERT` - Path to a PEM encoded client certificate for TLS authentication to the Nomad server. Must also specify NOMAD_CLIENT_KEY. 1. `NOMAD_CLIENT_KEY` - Path to an unencrypted PEM encoded private key matching the client certificate from NOMAD_CLIENT_CERT. 
@@ -97,66 +100,62 @@ To apply the policy run following bash command: ``` **Note: At this point, this file can be deleted.** - - - ## Pack Information After completing prerequisites, the pack can be run using the following bash command: ```bash -$nomad-pack run tfe_fdo_nomad -f var.hcl +$ nomad-pack run tfe_fdo_nomad -f variables.hcl ``` -The `var.hcl` file should contain the necessary variables required for the pack to run. The variables are listed below. +The `variables.hcl` file should contain the necessary variables required for the pack to run. The variables are listed below. ### Variables These variables may be set to change the behavior of the TFE. Note that some of these variables come with default configuration while the rest need to provided for the pack deployment to succeed. - ### Configuration -| Name | Required | Default | Comments | -|----------------------------------------------|----------|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `job_name` | no | `"tfe-job"` | Override the Nomad job name. | -| `datacenters` | no | `"dc1"` | Nomad datacenters where the task in the jobs will be spread. | -| `tfe_namespace` | no | `terraform-enterprise` | Nomad namespace where TFE image will be run as a Nomad task. | -| `tfe_port` | no | `8443` | HTTPS port to expose for TFE task. | -| `tfe_group_count` | no | `1` | Number of task groups to run in the job. | -| `tfe_http_port` | no | `8080` | HTTP port to expose for TFE task. | -| `tfe_service_name` | no | `tfe-service` | Name of the service to register in Nomad DNS. | -| `tfe_database_user` | no | `hashicorp` | TFE database user. | -| `tfe_database_host` | yes | `""` | The host name/IP of the postgres database being used. | -| `tfe_database_name` | no | `"tfe"` | TFE database name. 
| -| `tfe_database_parameters` | no | `sslmode=require` | TFE database server parameters for the connection URI. | -| `tfe_object_storage_type` | no | `s3` | Type of object storage to use. Must be one of s3, azure, or google. | -| `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. | -| `tfe_object_storage_s3_bucket` | yes | `""` | The bucket name of the S3 compatible object storage being used. | -| `tfe_object_storage_s3_region` | no | `us-west-2` | S3 region. | -| `tfe_object_storage_s3_use_instance_profile` | no | `false` | Whether to use the instance profile for authentication. | -| `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. | -| `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | -| `tfe_redis_host` | yes | `""` | The Redis host name being used. | -| `tfe_redis_user` | no | `""` | Redis server user. | -| `tfe_redis_use_tls` | no | false | Indicates to use TLS to access Redis. | -| `tfe_redis_use_auth` | no | false | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | -| `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | -| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | -| `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | -| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | -| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | -| `tfe_resource_cpu` | no | `"750"` | CPU in MHz for TFE container. 
| -| `tfe_resource_memory` | no | `"1024"` | Memory in MB for TFE container. | -| `tfe_image` | no | `"hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | -| `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. | -| `tfe_image_server_address` | yes | `"images.releases.hashicorp.com"` | The server address of the registry where TFE image is hosted. | -| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | -| `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | -| `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. | -| `tfe_vault_cluster_port` | no | `"8201"` | Vault cluster port which needs to exposed from the TFE container. | -| `tfe_vault_cluster_address` | no | `"http://$${NOMAD_HOST_ADDR_vault}"` | Cluster URL of the internal Vault server on this node (e.g., http://192.168.0.1:8201). Must be reachable across nodes. | -| `tfe_agent_resource_cpu` | no | `"750"` | CPU in MHz for TFE Agent container. | -| `tfe_agent_resource_memory` | no | `"1024"` | Memory in MB for TFE Agent container. | -| `tfe_service_discovery_provider` | no | `"nomad"` | Specifies the service registration provider to use for service registrations. Valid options are either consul or nomad. All services within a single task group must utilise the same provider value. | -| `health_check_interval` | no | `"5s"` | Specifies the interval at which Nomad will call the health check API for TFE container. | -| `health_check_timeout` | no | `"2s"` | Specifies the timeout in case health check API of TFE container is not reachable from Nomad. 
| +| Name | Required | Default | Comments | +|----------------------------------------------|----------|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `job_name` | no | `"tfe-job"` | Override the Nomad job name. | +| `datacenters` | no | `["*"]` | Nomad datacenters where the task in the jobs will be spread. | +| `tfe_namespace` | no | `"terraform-enterprise"` | Nomad namespace where TFE image will be run as a Nomad task. | +| `tfe_port` | no | `8443` | HTTPS port to expose for TFE task. | +| `tfe_group_count` | no | `1` | Number of task groups to run in the job. If this is set to more than 1, the `network.port` for `tfe` and `http` inside `tfe.nomad.tpl` needs to be changed from `static` to `to` and NGINX needs to be deployed so that traffic can be routed to any of the deployed TFE instances. | +| `tfe_http_port` | no | `8080` | HTTP port to expose for TFE task. | +| `tfe_service_name` | no | `"tfe-service"` | Name of the service to register in Nomad DNS. | +| `tfe_database_user` | no | `"hashicorp"` | TFE database user. | +| `tfe_database_host` | yes | `""` | The host name/IP of the postgres database being used. | +| `tfe_database_name` | no | `"tfe"` | TFE database name. | +| `tfe_database_parameters` | no | `"sslmode=require"` | TFE database server parameters for the connection URI. | +| `tfe_object_storage_type` | no | `"s3"` | Type of object storage to use. Must be one of s3, azure, or google. | +| `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. | +| `tfe_object_storage_s3_bucket` | no | `"tfe"` | The bucket name of the S3 compatible object storage being used. 
| +| `tfe_object_storage_s3_region` | no | `"us-west-2"` | S3 region. | +| `tfe_object_storage_s3_use_instance_profile` | no | `"false"` | Whether to use the instance profile for authentication. | +| `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. | +| `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | +| `tfe_redis_host` | yes | `""` | The Redis host name being used. | +| `tfe_redis_user` | no | `""` | Redis server user. | +| `tfe_redis_use_tls` | no | `"false"` | Indicates to use TLS to access Redis. | +| `tfe_redis_use_auth` | no | `"false"` | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | +| `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | +| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | +| `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | +| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | +| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | +| `tfe_resource_cpu` | no | `750` | CPU in MHz for TFE container. | +| `tfe_resource_memory` | no | `1024` | Memory in MB for TFE container. | +| `tfe_image` | no | `"hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | +| `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. | +| `tfe_image_server_address` | no | `"images.releases.hashicorp.com"` | The server address of the registry where TFE image is hosted. 
| +| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | +| `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | +| `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. | +| `tfe_vault_cluster_port` | no | `8201` | Vault cluster port which needs to exposed from the TFE container. | +| `tfe_vault_cluster_address` | no | `"http://$${NOMAD_HOST_ADDR_vault}"` | Cluster URL of the internal Vault server on this node (e.g., http://192.168.0.1:8201). Must be reachable across nodes. | +| `tfe_agent_resource_cpu` | no | `750` | CPU in MHz for TFE Agent container. | +| `tfe_agent_resource_memory` | no | `1024` | Memory in MB for TFE Agent container. | +| `tfe_service_discovery_provider` | no | `"nomad"` | Specifies the service registration provider to use for service registrations. Valid options are either consul or nomad. All services within a single task group must utilise the same provider value. | +| `health_check_interval` | no | `"5s"` | Specifies the interval at which Nomad will call the health check API for TFE container. | +| `health_check_timeout` | no | `"2s"` | Specifies the timeout in case health check API of TFE container is not reachable from Nomad. | diff --git a/packs/tfe_fdo_nomad/metadata.hcl b/packs/tfe_fdo_nomad/metadata.hcl index 352e4f3..01495a3 100644 --- a/packs/tfe_fdo_nomad/metadata.hcl +++ b/packs/tfe_fdo_nomad/metadata.hcl @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 app { - url = "https://developer.hashicorp.com/terraform/enterprise" + url = "https://developer.hashicorp.com/terraform/enterprise" } pack { name = "tfe_fdo_nomad" diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl index f5ce966..69fa2b2 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl 
@@ -8,10 +8,6 @@ job [[ .tfe_fdo_nomad.job_name | quote ]] {
 group "tfe-group" {
 count = [[ .tfe_fdo_nomad.tfe_group_count ]]
-
- spread {
- attribute = "${node.unique.id}"
- }
 restart {
 attempts = 3
@@ -21,7 +17,6 @@ job [[ .tfe_fdo_nomad.job_name | quote ]] {
 }
 update {
- max_parallel = 1
 min_healthy_time = "30s"
 healthy_deadline = "12m"
 progress_deadline = "15m"
@@ -62,7 +57,7 @@ job [[ .tfe_fdo_nomad.job_name | quote ]] {
 env = true
 }
- template {
+ template {
 destination = "/secrets/key.pem"
 change_mode = "restart"
 splay = "60s"
@@ -83,6 +78,7 @@ EOF
 {{- end -}}
 EOF
 }
+
 template {
 destination = "/secrets/bundle.pem"
 change_mode = "restart"
@@ -146,9 +142,7 @@ EOF
 config {
 image = [[ .tfe_fdo_nomad.tfe_image | quote ]]
 auth {
- # User Input is mandatory.
 username = [[ .tfe_fdo_nomad.tfe_image_registry_username | quote ]]
- # User Input is mandatory.
 password = "${TFE_IMAGE_REGISTRY_PASSWORD}"
 server_address = [[ .tfe_fdo_nomad.tfe_image_server_address | quote ]]
 }
@@ -163,7 +157,6 @@ EOF
 env {
 TFE_RUN_PIPELINE_DRIVER = "nomad"
- # User Input is mandatory.
 TFE_RUN_PIPELINE_NOMAD_ADDRESS = [[ .tfe_fdo_nomad.tfe_run_pipeline_nomad_address | quote ]]
 TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_INSECURE = [[ .tfe_fdo_nomad.tfe_run_pipeline_nomad_tls_config_insecure | quote ]]
 TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CA_CERT = "[[ .tfe_fdo_nomad.tfe_tls_cert_mount_path ]]/nomad_ca_cert.pem"
@@ -174,7 +167,6 @@ EOF
 TFE_OPERATIONAL_MODE = "active-active"
 TFE_DATABASE_USER = [[ .tfe_fdo_nomad.tfe_database_user | quote ]]
- # User Input is mandatory.
 TFE_DATABASE_HOST = [[ .tfe_fdo_nomad.tfe_database_host | quote ]]
 TFE_DATABASE_NAME = [[ .tfe_fdo_nomad.tfe_database_name | quote ]]
 TFE_DATABASE_PARAMETERS = [[ .tfe_fdo_nomad.tfe_database_parameters | quote ]]
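Review bot: Dropping the `spread` on `${node.unique.id}` in the first hunk means a group with `tfe_group_count` greater than 1 is no longer steered onto distinct nodes, so for an active-active deployment two TFE allocations may land on the same client and one node failure can take both down. If the static ports in the network block are what keeps one allocation per node, record that next to the count, e.g. `# static ports allow one allocation per node; restore spread on node.unique.id if ports become dynamic`. Removing `max_parallel = 1` in the second hunk is a no-op, since 1 is Nomad's default for the update block. The group and job blocks begin and end outside these hunks.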
@@ -184,16 +176,13 @@ EOF
 TFE_OBJECT_STORAGE_S3_REGION = [[ .tfe_fdo_nomad.tfe_object_storage_s3_region | quote ]]
 TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE = [[ .tfe_fdo_nomad.tfe_object_storage_s3_use_instance_profile ]]
 TFE_OBJECT_STORAGE_S3_ENDPOINT = [[ .tfe_fdo_nomad.tfe_object_storage_s3_endpoint | quote ]]
- # User Input is mandatory.
 TFE_OBJECT_STORAGE_S3_ACCESS_KEY_ID = [[ .tfe_fdo_nomad.tfe_object_storage_s3_access_key_id | quote ]]
- # User Input is mandatory.
 TFE_REDIS_HOST = [[ .tfe_fdo_nomad.tfe_redis_host | quote ]]
 TFE_REDIS_USER = [[ .tfe_fdo_nomad.tfe_redis_user | quote ]]
 TFE_REDIS_USE_TLS = [[ .tfe_fdo_nomad.tfe_redis_use_tls | quote ]]
 TFE_REDIS_USE_AUTH = [[ .tfe_fdo_nomad.tfe_redis_use_auth | quote ]]
- # User Input is mandatory.
 TFE_HOSTNAME = [[ .tfe_fdo_nomad.tfe_hostname | quote ]]
 TFE_TLS_CERT_FILE = "[[ .tfe_fdo_nomad.tfe_tls_cert_mount_path ]]/cert.pem"
diff --git a/packs/tfe_fdo_nomad/variables.hcl b/packs/tfe_fdo_nomad/variables.hcl
index b809575..0067737 100644
--- a/packs/tfe_fdo_nomad/variables.hcl
+++ b/packs/tfe_fdo_nomad/variables.hcl
@@ -43,7 +43,7 @@ variable "tfe_service_name" {
 variable "datacenters" {
 description = "A list of datacenters in the region which are eligible for task placement"
 type = list(string)
- default = ["dc1"]
+ default = ["*"]
 }
 variable "tfe_database_user" {
@@ -94,9 +94,8 @@ variable "tfe_object_storage_s3_use_instance_profile" {
 }
 variable "tfe_object_storage_s3_endpoint" {
- description = "The ednpoint of the S3 compatible object storage to be used by TFE"
+ description = "The endpoint of the S3 compatible object storage to be used by TFE"
 type = string
- default = ""
 }
 variable "tfe_object_storage_s3_access_key_id" {
From bf0df6649beed2429834985f7d012e9fbb7aaf50 Mon Sep 17 00:00:00 2001
From: kumarkavish
Date: Thu, 27 Jun 2024 19:29:14 +0530
Subject: [PATCH 6/8] [IND-369] - resolving comments.
---
 packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
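Review bot: Removing `default = ""` from `tfe_object_storage_s3_endpoint` makes a missing value fail when the pack is rendered instead of producing an empty `TFE_OBJECT_STORAGE_S3_ENDPOINT`, which is the right direction, but the README table in this same series still lists `tfe_database_host`, `tfe_run_pipeline_nomad_address`, `tfe_redis_host`, `tfe_hostname` and `tfe_object_storage_s3_access_key_id` as required with a default of `""`. If their definitions still carry that default, a forgotten value silently becomes an empty string in the task environment, and for `TFE_RUN_PIPELINE_NOMAD_ADDRESS` that only surfaces once TFE tries to dispatch agent jobs. Consider dropping the empty default from every variable marked required so rendering fails early; those definitions are outside this hunk.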
diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl index 69fa2b2..88d2c11 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl @@ -96,7 +96,7 @@ EOF splay = "60s" data = < Date: Fri, 28 Jun 2024 21:35:50 +0530 Subject: [PATCH 7/8] [IND-369] - resolving comments. --- packs/tfe_fdo_nomad/README.md | 18 ++++++++++------ packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 4 ++-- packs/tfe_fdo_nomad/variables.hcl | 24 ++++++++++----------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md index fe6932e..437b74d 100644 --- a/packs/tfe_fdo_nomad/README.md +++ b/packs/tfe_fdo_nomad/README.md @@ -9,7 +9,11 @@ This pack deploys Terraform Enterprise on Nomad. This includes running a Terrafo ## Pack Usage -The pack expects certain prerequisites to be fulfilled before running. The list of prerequisites are: +The pack expects certain prerequisites to be fulfilled before running. The list of prerequisites are: + +### Installation Requirements + +Follow this page for [installation requirements](https://developer.hashicorp.com/terraform/enterprise/flexible-deployments/install/requirements). ### Create Environment variables 1. `NOMAD_ADDR` - The address of the Nomad server. 
@@ -132,24 +136,24 @@ These variables may be set to change the behavior of the TFE. Note that some of | `tfe_run_pipeline_nomad_address` | yes | `""` | The server address of Nomad where TFE is being deployed. | | `tfe_object_storage_s3_bucket` | no | `"tfe"` | The bucket name of the S3 compatible object storage being used. | | `tfe_object_storage_s3_region` | no | `"us-west-2"` | S3 region. | -| `tfe_object_storage_s3_use_instance_profile` | no | `"false"` | Whether to use the instance profile for authentication. | +| `tfe_object_storage_s3_use_instance_profile` | no | `false` | Whether to use the instance profile for authentication. | | `tfe_object_storage_s3_endpoint` | yes | `""` | The endpoint of the S3 compatible object storage being used. | | `tfe_object_storage_s3_access_key_id` | yes | `""` | The access key id value to be used to query the S3 object storage bucket. | | `tfe_redis_host` | yes | `""` | The Redis host name being used. | | `tfe_redis_user` | no | `""` | Redis server user. | -| `tfe_redis_use_tls` | no | `"false"` | Indicates to use TLS to access Redis. | -| `tfe_redis_use_auth` | no | `"false"` | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | +| `tfe_redis_use_tls` | no | `false` | Indicates to use TLS to access Redis. | +| `tfe_redis_use_auth` | no | `false` | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | | `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | | `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | | `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . 
| -| `tfe_iact_time_limit` | no | `"60"` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | -| `tfe_vault_disable_mlock` | no | `"false"` | Disable mlock for internal Vault. | +| `tfe_iact_time_limit` | no | `60` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | +| `tfe_vault_disable_mlock` | no | `true` | Disable mlock for internal Vault. | | `tfe_resource_cpu` | no | `750` | CPU in MHz for TFE container. | | `tfe_resource_memory` | no | `1024` | Memory in MB for TFE container. | | `tfe_image` | no | `"hashicorp/terraform-enterprise:v202401-2"` | TFE image and tag to download and run. | | `tfe_image_registry_username` | no | `"terraform"` | The user name for the registry where the TFE image is hosted. | | `tfe_image_server_address` | no | `"images.releases.hashicorp.com"` | The server address of the registry where TFE image is hosted. | -| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `"false"` | mTLS between Nomad and TFE when set to false. | +| `tfe_run_pipeline_nomad_tls_config_insecure` | no | `false` | mTLS between Nomad and TFE when set to false. | | `tfe_agent_namespace` | no | `"tfe-agents"` | Nomad namespace for TFE Agents to run. | | `tfe_agent_image` | no | `"hashicorp/tfc-agent:latest"` | TFE Agent image and tag to download and run. | | `tfe_vault_cluster_port` | no | `8201` | Vault cluster port which needs to exposed from the TFE container. | diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl index 88d2c11..cd02daf 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl 
@@ -162,7 +162,7 @@ EOF
 TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CA_CERT = "[[ .tfe_fdo_nomad.tfe_tls_cert_mount_path ]]/nomad_ca_cert.pem"
 TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_CERT = "[[ .tfe_fdo_nomad.tfe_tls_cert_mount_path ]]/nomad_cert.pem"
 TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_KEY = "[[ .tfe_fdo_nomad.tfe_tls_cert_mount_path ]]/nomad_cert_key.pem"
- TFE_DISK_CACHE_VOLUME_NAME = "${NOMAD_TASK_DIR}/terraform-enterprise-cache-1"
+ TFE_DISK_CACHE_VOLUME_NAME = "${NOMAD_TASK_DIR}/terraform-enterprise-cache"
 TFE_OPERATIONAL_MODE = "active-active"
@@ -174,7 +174,7 @@ EOF
 TFE_OBJECT_STORAGE_TYPE = [[ .tfe_fdo_nomad.tfe_object_storage_type | quote ]]
 TFE_OBJECT_STORAGE_S3_BUCKET = [[ .tfe_fdo_nomad.tfe_object_storage_s3_bucket | quote ]]
 TFE_OBJECT_STORAGE_S3_REGION = [[ .tfe_fdo_nomad.tfe_object_storage_s3_region | quote ]]
- TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE = [[ .tfe_fdo_nomad.tfe_object_storage_s3_use_instance_profile ]]
+ TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE = [[ .tfe_fdo_nomad.tfe_object_storage_s3_use_instance_profile | quote ]]
 TFE_OBJECT_STORAGE_S3_ENDPOINT = [[ .tfe_fdo_nomad.tfe_object_storage_s3_endpoint | quote ]]
 TFE_OBJECT_STORAGE_S3_ACCESS_KEY_ID = [[ .tfe_fdo_nomad.tfe_object_storage_s3_access_key_id | quote ]]
diff --git a/packs/tfe_fdo_nomad/variables.hcl b/packs/tfe_fdo_nomad/variables.hcl
index 0067737..fbae207 100644
--- a/packs/tfe_fdo_nomad/variables.hcl
+++ b/packs/tfe_fdo_nomad/variables.hcl
@@ -89,8 +89,8 @@ variable "tfe_object_storage_s3_region" {
 variable "tfe_object_storage_s3_use_instance_profile" {
 description = "The instance profile setting for accessing the object storage bucket to be used by TFE"
- type = string
- default = "false"
+ type = bool
+ default = false
 }
 variable "tfe_object_storage_s3_endpoint" {
@@ -116,14 +116,14 @@ variable "tfe_redis_user" {
 variable "tfe_redis_use_tls" {
 description = "The tls settings for redis to be used by TFE"
- type = string
- default = "false"
+ type = bool
+ default = false
 }
 variable "tfe_redis_use_auth" {
 description = "The auth settings to be used by redis"
- type = string
- default = "false"
+ type = bool
+ default = false
 }
 variable "tfe_hostname" {
@@ -145,8 +145,8 @@ variable "tfe_iact_subnets" {
 variable "tfe_iact_time_limit" {
 description = "The IACT time limit value to be used by TFE"
- type = string
- default = "60"
+ type = number
+ default = 60
 }
 variable "tfe_resource_cpu" {
@@ -186,8 +186,8 @@ variable "tfe_run_pipeline_nomad_address" {
 variable "tfe_run_pipeline_nomad_tls_config_insecure" {
 description = "The tls config settings for communication between Nomad and TFE"
- type = string
- default = "false"
+ type = bool
+ default = false
 }
 variable "tfe_agent_namespace" {
@@ -222,8 +222,8 @@ variable "tfe_vault_cluster_address" {
 variable "tfe_vault_disable_mlock" {
 description = "Disable mlock for internal Vault."
- type = string
- default = "false"
+ type = bool
+ default = true
 }
 variable "tfe_service_discovery_provider" {
From 307763c30d5592b6296c6dbef79b6485c2096d85 Mon Sep 17 00:00:00 2001
From: kumarkavish
Date: Mon, 1 Jul 2024 20:56:43 +0530
Subject: [PATCH 8/8] [IND-369] - resolving comments.
---
 packs/tfe_fdo_nomad/README.md | 1 -
 packs/tfe_fdo_nomad/templates/tfe.nomad.tpl | 30 +++++++++------------
 packs/tfe_fdo_nomad/variables.hcl | 6 -----
 3 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/packs/tfe_fdo_nomad/README.md b/packs/tfe_fdo_nomad/README.md
index 437b74d..a9a336e 100644
--- a/packs/tfe_fdo_nomad/README.md
+++ b/packs/tfe_fdo_nomad/README.md
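Review bot: `tfe_vault_disable_mlock` flips its default to `true` in the last hunk while its description stays "Disable mlock for internal Vault.", so the trade-off is undocumented: with mlock off, the internal Vault's memory is swappable and unsealed key material can reach swap on the Nomad client. If the default changed because the task cannot lock memory inside the container, say so in the description and name the compensating control, for example `description = "Disable mlock for internal Vault. Defaults to true because the task is not granted memory locking; keep swap disabled on Nomad clients, or grant it and set this to false."`. The README row for this variable should carry the same wording. The other hunks here only change types from string to bool or number and keep their previous defaults, which is fine.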
@@ -144,7 +144,6 @@ These variables may be set to change the behavior of the TFE. Note that some of | `tfe_redis_use_tls` | no | `false` | Indicates to use TLS to access Redis. | | `tfe_redis_use_auth` | no | `false` | Indicates Redis server is configured to use TFE_REDIS_PASSWORD and TFE_REDIS_USER (optional) for authentication. | | `tfe_hostname` | yes | `""` | The host name of the TFE instance to be used while deploying. | -| `tfe_tls_cert_mount_path` | no | `"/etc/ssl/private/terraform-enterprise"` | Mount path where the certificates and other files will be mounted inside TFE container. | | `tfe_iact_subnets` | no | `""` | Comma-separated list of subnets in CIDR notation that are allowed to retrieve the initial admin creation token via the API . | | `tfe_iact_time_limit` | no | `60` | Number of minutes that the initial admin creation token can be retrieved via the API after the application starts. | | `tfe_vault_disable_mlock` | no | `true` | Disable mlock for internal Vault. | diff --git a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl index cd02daf..23f89ff 100644 --- a/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl +++ b/packs/tfe_fdo_nomad/templates/tfe.nomad.tpl @@ -58,7 +58,7 @@ job [[ .tfe_fdo_nomad.job_name | quote ]] { } template { - destination = "/secrets/key.pem" + destination = "${NOMAD_SECRETS_DIR}/key.pem" change_mode = "restart" splay = "60s" data = <