# AWS Nomad Clients

This is a simple Terraform module to create Nomad clients for your CircleCI server application in AWS.

## Usage

A basic example is as simple as this:

```hcl
terraform {
  required_version = ">= 0.15.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>3.0"
    }
  }
}

provider "aws" {
  # Your region of choice here
  region = "us-west-1"
}

module "nomad_clients" {
  # We strongly recommend pinning the version using ref=<<release tag>> as is done here
  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=4.0.0"

  # Number of nomad clients to run
  nodes = 4

  subnet = "<< ID of subnet you want to run nomad clients in >>"
  vpc_id = "<< ID of VPC you want to run nomad clients in >>"

  nomad_server_hostname = "<< hostname of server installation >>"

  dns_server = "<< IP address of your VPC DNS server >>"
  blocked_cidrs = [
    "<< CIDR blocks you'd like to block access to, e.g. 10.0.1.0/24 >>"
  ]

  instance_tags = {
    "vendor" = "circleci"
    "team"   = "sre"
  }
  nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.

  # The enable_irsa input lets a K8s service account assume IAM roles; replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with the appropriate values.
  # For more info, visit https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
  enable_irsa = {}

  ssh_key  = "<< public key to be placed on each nomad client >>"
  basename = "<< name prefix for nomad clients >>"

  enable_imdsv2 = "<< optional/required >>"
}

output "nomad" {
  value     = module.nomad_clients
  sensitive = true
}
```

There are more examples in the examples directory.


## Requirements

| Name | Version |
|------|---------|
| aws | >=3.0 |
| cloudinit | >=2.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >=3.0 |
| cloudinit | >=2.0 |
| random | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| nomad_tls | ../shared/modules/tls | n/a |

## Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.clients_asg | resource |
| aws_iam_access_key.nomad_asg_user | resource |
| aws_iam_instance_profile.nomad_client_profile | resource |
| aws_iam_role.nomad_role | resource |
| aws_iam_user.nomad_asg_user | resource |
| aws_iam_user_policy.nomad_asg_user | resource |
| aws_key_pair.ssh_key | resource |
| aws_launch_template.nomad_clients | resource |
| aws_security_group.nomad_sg | resource |
| aws_security_group.ssh_sg | resource |
| random_string.key_suffix | resource |
| aws_ami.ubuntu_focal | data source |
| cloudinit_config.nomad_user_data | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_ips_circleci_server_nomad_access | List of IPv4 ranges that are permitted to access nomad nodes; used for circleci-server-to-nomad communication | list(string) | `["0.0.0.0/0"]` | no |
| allowed_ips_retry_ssh | List of IPv4 ranges that are permitted to access nomad nodes for the retry-with-ssh feature | list(string) | `["0.0.0.0/0"]` | no |
| basename | Name used as prefix for AWS resources | string | `""` | no |
| blocked_cidrs | List of CIDR blocks to block access to from within jobs, e.g. your K8s nodes. You won't want to block access to external VMs here. It's okay when your dns_server is within a blocked CIDR block; you can use var.dns_server to create an exemption. | list(string) | n/a | yes |
| disk_size_gb | The volume size, in GB, of each nomad client's /dev/sda1 disk. | number | `100` | no |
| dns_server | If the IP address of your VPC DNS server is within one of the blocked CIDR blocks, you can create an exemption by entering the IP address for it here | string | n/a | yes |
| docker_network_cidr | IP CIDR to be used in docker networks when running jobs on nomad clients. This CIDR block should not be the same as your VPC CIDR block, e.g. "10.10.0.0/16", "172.32.0.0/16" or "192.168.0.0/16" | string | `"10.10.0.0/16"` | no |
| enable_imdsv2 | Enable or disable IMDSv2 on Nomad clients: "optional" or "required". This is only supported on CircleCI Server 4.6.0 or later | string | `"optional"` | no |
| enable_irsa | If passed a valid OIDC map, terraform will create a K8s Service Account Role to be used by nomad autoscaler. | map(any) | `{}` | no |
| enable_mtls | mTLS support for Nomad traffic. Modifying this can be dangerous and is not recommended. | bool | `true` | no |
| instance_tags | n/a | map(string) | `{"vendor": "circleci"}` | no |
| instance_type | AWS node type for the instance. Must be an Intel Linux type | string | `"t3.2xlarge"` | no |
| launch_template_version | Specific version of the instance template | string | `"$Latest"` | no |
| machine_image_names | Strings to filter image names for nomad virtual machine images. | list(string) | `["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]` | no |
| machine_image_owners | List of AWS account IDs that own the images to be used for nomad virtual machines. | list(string) | `["099720109477", "513442679011"]` | no |
| max_nodes | Maximum number of nomad clients to create. Must be greater than or equal to nodes | number | `5` | no |
| nodes | Number of nomad clients to create | number | n/a | yes |
| nomad_auto_scaler | If set to true, a Nomad user or a role will be created based on the enable_irsa variable values | bool | `false` | no |
| nomad_server_hostname | Hostname of the RPC service of the Nomad control plane (e.g. circleci.example.com) | string | n/a | yes |
| nomad_server_port | Port that the server endpoint listens on for nomad connections. | number | `4647` | no |
| patched_nomad_version | The version of CircleCI's fork of Nomad to install | string | `"1.4.568-bfc9a6ec4"` | no |
| role_name | Name of the role to add to the instance profile | string | `null` | no |
| security_group_id | ID for the security group for Nomad clients. See security documentation for recommendations. | list(string) | `[]` | no |
| ssh_key | SSH public key to access nomad nodes | string | `null` | no |
| subnet | Subnet ID | string | `""` | no |
| subnets | Subnet IDs | list(string) | `[""]` | no |
| volume_type | The EBS volume type of the node. If gp3 is not available in your desired region, switch to gp2 | string | `"gp3"` | no |
| vpc_id | VPC ID of the VPC used for Nomad resources | string | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| mtls_enabled | Set this value for the nomad.server.rpc.mTLS.enabled key in the CircleCI Server's Helm values.yaml |
| nomad_asg_arn | n/a |
| nomad_asg_name | n/a |
| nomad_asg_user_access_key | n/a |
| nomad_asg_user_secret_key | n/a |
| nomad_role | n/a |
| nomad_server_cert | n/a |
| nomad_server_cert_base64 | Set this value for the nomad.server.rpc.mTLS.certificate key in the CircleCI Server's Helm values.yaml |
| nomad_server_key | n/a |
| nomad_server_key_base64 | Set this value for the nomad.server.rpc.mTLS.privateKey key in the CircleCI Server's Helm values.yaml |
| nomad_sg_id | n/a |
| nomad_tls_ca | n/a |
| nomad_tls_ca_base64 | Set this value for the nomad.server.rpc.mTLS.CACertificate key in the CircleCI Server's Helm values.yaml |
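The Inputs table above states several constraints that Terraform itself will not enforce for you (max_nodes at least nodes, docker_network_cidr distinct from the VPC CIDR, enable_imdsv2 limited to "optional" or "required", the world-open 0.0.0.0/0 defaults on the two allowed_ips lists), and the Outputs table tells you which four outputs to copy into nomad.server.rpc.mTLS.* in the CircleCI Server Helm values. The script below is an added example, not code from the server-terraform repository: it checks a planned set of module inputs against those documented rules and nests the mTLS outputs into the values.yaml structure. The vpc_cidr parameter is an assumption of this example (the module takes vpc_id, not a CIDR), and every sample value is constructed.

```python
"""Added example (not part of the server-terraform repository): checks a set of
nomad-aws module inputs against the rules stated in the Inputs table, and maps
the module's mTLS outputs onto the Helm values.yaml keys named in the Outputs
table. All sample values below are constructed."""
from __future__ import annotations

import ipaddress
from typing import Any

# Allowed values for enable_imdsv2 (Inputs table).
VALID_IMDSV2 = {"optional", "required"}
WORLD_OPEN = ipaddress.ip_network("0.0.0.0/0")
# Access-list inputs whose default of 0.0.0.0/0 admits the whole Internet.
ACCESS_LISTS = ("allowed_ips_circleci_server_nomad_access", "allowed_ips_retry_ssh")


def check_inputs(inputs: dict[str, Any], vpc_cidr: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; severity is error, warn or info.

    vpc_cidr is not a module input; it is a hypothetical parameter assumed here
    so the docker_network_cidr-must-differ-from-the-VPC rule can be checked."""
    findings: list[tuple[str, str]] = []
    vpc = ipaddress.ip_network(vpc_cidr)

    # max_nodes must be greater than or equal to nodes.
    nodes, max_nodes = inputs.get("nodes"), inputs.get("max_nodes", 5)
    if nodes is None:
        findings.append(("error", "nodes is required"))
    elif max_nodes < nodes:
        findings.append(("error", f"max_nodes ({max_nodes}) is less than nodes ({nodes})"))

    # docker_network_cidr should not be the same as (or overlap) the VPC CIDR.
    docker = ipaddress.ip_network(inputs.get("docker_network_cidr", "10.10.0.0/16"))
    if docker.overlaps(vpc):
        findings.append(("error", f"docker_network_cidr {docker} overlaps VPC CIDR {vpc}"))

    # dns_server is required; if it sits inside blocked_cidrs the module exempts it.
    blocked = [ipaddress.ip_network(c) for c in inputs.get("blocked_cidrs", [])]
    dns = inputs.get("dns_server")
    if dns is None:
        findings.append(("error", "dns_server is required"))
    elif any(ipaddress.ip_address(dns) in b for b in blocked):
        findings.append(("info", f"dns_server {dns} lies in a blocked CIDR; var.dns_server exempts it"))

    # enable_imdsv2 takes "optional" or "required" (CircleCI Server 4.6.0 or later).
    imds = inputs.get("enable_imdsv2", "optional")
    if imds not in VALID_IMDSV2:
        findings.append(("error", f"enable_imdsv2 must be one of {sorted(VALID_IMDSV2)}, got {imds!r}"))
    elif imds == "optional":
        findings.append(("warn", "enable_imdsv2 is optional; IMDSv1 remains enabled on the clients"))

    # Flag access lists left at the world-open default.
    for name in ACCESS_LISTS:
        if any(ipaddress.ip_network(c) == WORLD_OPEN for c in inputs.get(name, ["0.0.0.0/0"])):
            findings.append(("warn", f"{name} permits 0.0.0.0/0"))

    # enable_mtls defaults to true; the README says changing it is not recommended.
    if inputs.get("enable_mtls", True) is False:
        findings.append(("warn", "enable_mtls is false; Nomad RPC traffic is not mutually authenticated"))
    return findings


def helm_values_from_outputs(outputs: dict[str, Any]) -> dict[str, Any]:
    """Nest the four mTLS outputs under nomad.server.rpc.mTLS as the Outputs table directs."""
    mtls = {
        "enabled": outputs["mtls_enabled"],
        "certificate": outputs["nomad_server_cert_base64"],
        "privateKey": outputs["nomad_server_key_base64"],
        "CACertificate": outputs["nomad_tls_ca_base64"],
    }
    return {"nomad": {"server": {"rpc": {"mTLS": mtls}}}}


# Constructed sample inputs mirroring the README's usage block.
SAMPLE_INPUTS = {
    "nodes": 4,
    "max_nodes": 5,
    "blocked_cidrs": ["10.0.1.0/24"],
    "dns_server": "10.0.1.2",
    "docker_network_cidr": "10.10.0.0/16",
    "enable_imdsv2": "required",
    "allowed_ips_circleci_server_nomad_access": ["10.0.0.0/16"],
    "allowed_ips_retry_ssh": ["10.0.0.0/16"],
}

if __name__ == "__main__":
    for severity, message in check_inputs(SAMPLE_INPUTS, "10.0.0.0/16"):
        print(f"{severity}: {message}")
    # Placeholder output values; real runs take them from `terraform output -json`.
    print(helm_values_from_outputs({
        "mtls_enabled": True,
        "nomad_server_cert_base64": "<cert-base64>",
        "nomad_server_key_base64": "<key-base64>",
        "nomad_tls_ca_base64": "<ca-base64>",
    }))
```

Run it against the tfvars you intend to apply before `terraform apply`; any "error" finding corresponds to a rule the Inputs table states, and the "warn" findings mark the defaults (world-open access lists, optional IMDSv2, mTLS off) that widen the clients' exposure.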