[IND-369] TFE FDO on Nomad

packs/tfe_fdo_nomad/CHANGELOG.md

@@ -0,0 +1,3 @@
+# 0.1.0
+
+- Initial release

packs/tfe_fdo_nomad/metadata.hcl

@@ -0,0 +1,12 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+app {
+  url = "https://developer.hashicorp.com/terraform/enterprise"
+}
+pack {
+  name        = "tfe_fdo_nomad"
+  url         = "https://github.com/hashicorp/nomad-pack-community-registry/tfe_fdo_nomad"
+  description = "Terraform Enterprise"
+  version     = "0.1.0"
+}

packs/tfe_fdo_nomad/outputs.tpl

@@ -0,0 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+Congrats! You deployed the terraform_enterprise_fdo pack on Nomad.    
+
+You can view your instances of TFE running on the Nomad UI and reach it on the provided hostname.

packs/tfe_fdo_nomad/templates/tfe.agent.nomad.tpl

@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+job "tfe-agent-job" {
+  type      = "batch"
+  namespace = [[ .tfe_fdo_nomad.tfe_agent_namespace | quote ]]
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+  parameterized {
+    payload       = "forbidden"
+    meta_required = [
+      "TFC_AGENT_TOKEN",
+      "TFC_ADDRESS"
+    ]
+    meta_optional = [
+      "TFE_RUN_PIPELINE_IMAGE",
+      "TFC_AGENT_AUTO_UPDATE",
+      "TFC_AGENT_CACHE_DIR",
+      "TFC_AGENT_SINGLE",
+      "HTTPS_PROXY",
+      "HTTP_PROXY",
+      "NO_PROXY"
+    ]
+  }  
+
+  group "tfe-agent-group" {
+
+    task "tfc-agent-task" {
+      driver = "docker"
+
+      config {
+        image = [[ .tfe_fdo_nomad.tfe_agent_image | quote ]]
+      }
+
+      env {
+        TFC_ADDRESS           = "${NOMAD_META_TFC_ADDRESS}"
+        TFC_AGENT_TOKEN       = "${NOMAD_META_TFC_AGENT_TOKEN}"
+        TFC_AGENT_AUTO_UPDATE = "${NOMAD_META_TFC_AGENT_AUTO_UPDATE}"
+        TFC_AGENT_CACHE_DIR   = "${NOMAD_META_TFC_AGENT_CACHE_DIR}"
+        TFC_AGENT_SINGLE      = "${NOMAD_META_TFC_AGENT_SINGLE}"
+        HTTPS_PROXY           = "${NOMAD_META_HTTPS_PROXY}"
+        https_proxy           = "${NOMAD_META_HTTPS_PROXY}"
+        HTTP_PROXY            = "${NOMAD_META_HTTP_PROXY}"
+        http_proxy            = "${NOMAD_META_HTTP_PROXY}"
+        NO_PROXY              = "${NOMAD_META_NO_PROXY}"
+        no_proxy              = "${NOMAD_META_NO_PROXY}"
+      }
+
+      resources {
+        cpu    = [[ .tfe_fdo_nomad.tfe_agent_resource_cpu ]]
+        memory = [[ .tfe_fdo_nomad.tfe_agent_resource_memory ]]
+      }
+    }
+  }
+}

packs/tfe_fdo_nomad/templates/tfe.nomad.tpl

@@ -0,0 +1,205 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+job [[ .tfe_fdo_nomad.job_name | quote ]] {
+  datacenters = [[ .tfe_fdo_nomad.datacenters  | toStringList ]]
+  namespace   = [[ .tfe_fdo_nomad.tfe_namespace | quote ]]
+  type        = "service"
+
+  group "tfe-group" {
+    count = [[ .tfe_fdo_nomad.tfe_group_count ]]
+
+    restart {
+      attempts = 3
+      delay    = "60s"
+      interval = "10m"
+      mode     = "fail"
+    }
+
+    update {
+      min_healthy_time  = "30s"
+      healthy_deadline  = "12m"
+      progress_deadline = "15m"
+      health_check      = "checks"
+    }
+
+
+    network {
+      port "tfe" {
+        static = [[ .tfe_fdo_nomad.tfe_port ]]
+      }
+      port "http" {
+        static = [[ .tfe_fdo_nomad.tfe_http_port ]]
+      }
+      port "vault" {
+        static = [[ .tfe_fdo_nomad.tfe_vault_cluster_port ]]
+      }
+    }
+
+    service {
+      name     = [[ .tfe_fdo_nomad.tfe_service_name | quote ]]
+      port     = "tfe"
+      provider = [[ .tfe_fdo_nomad.tfe_service_discovery_provider | quote ]]
+
+      check {
+        type     = "http"
+        port     = "http"
+        path     = "/_health_check"
+        interval = [[ .tfe_fdo_nomad.health_check_interval | quote ]]
+        timeout  = [[ .tfe_fdo_nomad.health_check_timeout | quote ]]
+      }
+    }
+
+    task "tfe-task" {
+      driver = "docker"
+
+      identity {
+         env = true
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/key.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .key.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/cert.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .cert.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/bundle.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .bundle.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/nomad_ca_cert.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .nomad_ca_cert.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/nomad_cert.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .nomad_cert.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/nomad_cert_key.pem"
+        change_mode = "restart"
+        splay       = "60s"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+  {{ base64Decode .nomad_cert_key.Value }}
+{{- end -}}
+EOF
+      }
+
+      template {
+        destination = "${NOMAD_SECRETS_DIR}/secrets.env"
+        env         = true
+        change_mode = "restart"
+        data        = <<EOF
+{{- with nomadVar "nomad/jobs/[[ .tfe_fdo_nomad.job_name ]]" -}}
+TFE_LICENSE                             = {{ .tfe_license }}
+TFE_DATABASE_PASSWORD                   = {{ .db_password }}
+TFE_OBJECT_STORAGE_S3_SECRET_ACCESS_KEY = {{ .s3_secret_key }}
+TFE_REDIS_PASSWORD                      = {{ .redis_password }}
+TFE_ENCRYPTION_PASSWORD                 = {{ .tfe_encryption_password }}
+TFE_IMAGE_REGISTRY_PASSWORD             = {{ .tfe_image_registry_password }}
+{{- end -}}
+EOF
+      }
+
+      config {
+         image = [[ .tfe_fdo_nomad.tfe_image | quote ]]
+         auth {
+            username = [[ .tfe_fdo_nomad.tfe_image_registry_username | quote ]]
+            password       = "${TFE_IMAGE_REGISTRY_PASSWORD}"
+            server_address = [[ .tfe_fdo_nomad.tfe_image_server_address | quote ]]
+         }
+         ports = ["tfe", "http", "vault"]
+
+      }
+
+      env {
+
+        TFE_RUN_PIPELINE_DRIVER = "nomad"
+        TFE_RUN_PIPELINE_NOMAD_ADDRESS             = [[ .tfe_fdo_nomad.tfe_run_pipeline_nomad_address | quote ]]
+        TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_INSECURE = [[ .tfe_fdo_nomad.tfe_run_pipeline_nomad_tls_config_insecure | quote ]]
+        TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CA_CERT = "${NOMAD_SECRETS_DIR}/nomad_ca_cert.pem"
+        TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_CERT = "${NOMAD_SECRETS_DIR}/nomad_cert.pem"
+        TFE_RUN_PIPELINE_NOMAD_TLS_CONFIG_CLIENT_KEY = "${NOMAD_SECRETS_DIR}/nomad_cert_key.pem"
+        TFE_DISK_CACHE_VOLUME_NAME                 = "${NOMAD_TASK_DIR}/terraform-enterprise-cache"
+
+        TFE_OPERATIONAL_MODE = "active-active"
+
+        TFE_DATABASE_USER = [[ .tfe_fdo_nomad.tfe_database_user | quote ]]
+        TFE_DATABASE_HOST       = [[ .tfe_fdo_nomad.tfe_database_host | quote ]]
+        TFE_DATABASE_NAME       = [[ .tfe_fdo_nomad.tfe_database_name | quote ]]
+        TFE_DATABASE_PARAMETERS = [[ .tfe_fdo_nomad.tfe_database_parameters | quote ]]
+
+        TFE_OBJECT_STORAGE_TYPE = [[ .tfe_fdo_nomad.tfe_object_storage_type | quote ]]
+        TFE_OBJECT_STORAGE_S3_BUCKET               = [[ .tfe_fdo_nomad.tfe_object_storage_s3_bucket | quote ]]
+        TFE_OBJECT_STORAGE_S3_REGION               = [[ .tfe_fdo_nomad.tfe_object_storage_s3_region | quote ]]
+        TFE_OBJECT_STORAGE_S3_USE_INSTANCE_PROFILE = [[ .tfe_fdo_nomad.tfe_object_storage_s3_use_instance_profile | quote ]]
+        TFE_OBJECT_STORAGE_S3_ENDPOINT             = [[ .tfe_fdo_nomad.tfe_object_storage_s3_endpoint | quote ]]
+        TFE_OBJECT_STORAGE_S3_ACCESS_KEY_ID = [[ .tfe_fdo_nomad.tfe_object_storage_s3_access_key_id | quote ]]
+
+        TFE_REDIS_HOST     = [[ .tfe_fdo_nomad.tfe_redis_host | quote ]]
+        TFE_REDIS_USER     = [[ .tfe_fdo_nomad.tfe_redis_user | quote ]]
+        TFE_REDIS_USE_TLS  = [[ .tfe_fdo_nomad.tfe_redis_use_tls | quote ]]
+        TFE_REDIS_USE_AUTH = [[ .tfe_fdo_nomad.tfe_redis_use_auth | quote ]]
+
+        TFE_HOSTNAME = [[ .tfe_fdo_nomad.tfe_hostname | quote ]]
+
+        TFE_TLS_CERT_FILE      = "${NOMAD_SECRETS_DIR}/cert.pem"
+        TFE_TLS_KEY_FILE       = "${NOMAD_SECRETS_DIR}/key.pem"
+        TFE_TLS_CA_BUNDLE_FILE = "${NOMAD_SECRETS_DIR}/bundle.pem"
+
+        TFE_IACT_SUBNETS    = [[ .tfe_fdo_nomad.tfe_iact_subnets | quote ]]
+        TFE_IACT_TIME_LIMIT = [[ .tfe_fdo_nomad.tfe_iact_time_limit | quote ]]
+
+        # Disabling mlock is recommended for TFE installations on Nomad. 
+        # Here is a link to the docuementation for more info https://developer.hashicorp.com/vault/docs/configuration#disable_mlock
+        TFE_VAULT_DISABLE_MLOCK   = [[ .tfe_fdo_nomad.tfe_vault_disable_mlock | quote ]]
+        TFE_VAULT_CLUSTER_ADDRESS = [[ .tfe_fdo_nomad.tfe_vault_cluster_address | quote ]]
+        TFE_HTTP_PORT             = [[ .tfe_fdo_nomad.tfe_http_port ]]
+        TFE_HTTPS_PORT            = [[ .tfe_fdo_nomad.tfe_port ]]
+      }
+
+      resources {
+        cpu    = [[ .tfe_fdo_nomad.tfe_resource_cpu ]]  # MHz
+        memory = [[ .tfe_fdo_nomad.tfe_resource_memory ]]  # MB
+      }
+    }
+  }
+}