This is a simple Terraform module to create Nomad clients for your CircleCI server application in AWS.
A basic example is as simple as this:
```hcl
terraform {
  required_version = ">= 0.15.4"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>3.0"
    }
  }
}

provider "aws" {
  # Your region of choice here
  region = "us-west-1"
}

module "nomad_clients" {
  # We strongly recommend pinning the version using ref=<<release tag>> as is done here
  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.2.0"

  # Number of nomad clients to run
  nodes           = 4
  subnet          = "<< ID of subnet you want to run nomad clients in >>"
  vpc_id          = "<< ID of VPC you want to run nomad client in >>"
  server_endpoint = "<< hostname:port of nomad load balancer >>"
  dns_server      = "<< ip address of your VPC DNS server >>"
  blocked_cidrs = [
    "<< cidr blocks you'd like to block access to e.g 10.0.1.0/24 >>"
  ]
  instance_tags = {
    "vendor" = "circleci"
    "team"   = "sre"
  }
}

output "nomad_server_cert" {
  value = module.nomad_clients.nomad_server_cert
}

output "nomad_server_key" {
  value = module.nomad_clients.nomad_server_key
}

output "nomad_ca" {
  value = module.nomad_clients.nomad_tls_ca
}
```
There are more examples in the examples directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
basename | Name used as prefix for AWS resources | string | "" | no |
blocked_cidrs | List of CIDR blocks to block access to from within jobs, e.g. your K8s nodes. You won't want to block access to external VMs here. It's okay if your DNS server is within a blocked CIDR block; you can use `var.dns_server` to create an exemption. | list(string) | n/a | yes |
dns_server | If the IP address of your VPC DNS server is within one of the blocked CIDR blocks, you can create an exemption by entering its IP address here | string | n/a | yes |
enable_mtls | mTLS support for Nomad traffic. Modifying this can be dangerous and is not recommended. | bool | true | no |
instance_type | AWS instance type for the nodes. Must be an amd64 Linux type, and large enough to fit the resource classes required. Choosing smaller instance types is an opportunity for cost savings. | string | "t3a.2xlarge" | no |
instance_tags | Tags to apply to all Nomad client EC2 instances | map(string) | { "vendor" = "circleci" } | no |
max_nodes | Maximum number of Nomad clients to create when scaling. Should always be greater than or equal to the node count | number | 5 | no |
nodes | Number of Nomad clients to create | number | n/a | yes |
nomad_auto_scaler | If true, Terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server. The keys will be available in Terraform's output | bool | false | no |
volume_type | The EBS volume type of the Nomad nodes. If gp3 is not available in your desired region, switch to gp2 | string | gp3 | no |
security_group_id | ID for the security group for Nomad clients. See the security documentation for recommendations. | list(string) | [] | no |
server_endpoint | Domain and port of the RPC service of the Nomad control plane, which is called "Nomad Load Balancer" in the KOTS admin console (e.g. 127.0.0.1:4647) | string | n/a | yes |
ssh_key | SSH public key to access Nomad nodes | string | null | no |
subnet | Subnet ID | string | "" | yes* |
subnets | Subnet IDs | list(string) | [""] | yes* |
vpc_id | ID of the VPC used for Nomad resources | string | n/a | yes |
- Note: either `subnet` or `subnets` is required, but not both. If both are given, `subnet` supersedes `subnets`.
Name | Description |
---|---|
mtls_enabled | n/a |
nomad_server_cert | n/a |
nomad_server_key | n/a |
nomad_tls_ca | n/a |
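A fuller configuration, added here as an illustration and not taken from the module's own examples directory, using the `subnets` form together with the autoscaler and a `dns_server` exemption, and marking the private key output as sensitive. It assumes the same `terraform` and `provider` blocks as the basic example above; the subnet, VPC and security group IDs, the hostname, the CIDR ranges and the public key file path are constructed placeholders.

```hcl
module "nomad_clients" {
  source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.2.0"

  basename  = "circleci-prod" # constructed prefix for AWS resource names
  nodes     = 4
  max_nodes = 8 # must stay >= nodes so the autoscaler has headroom

  # Spread clients over several subnets via `subnets` (do not also set `subnet`)
  subnets = ["subnet-0aaa1111example", "subnet-0bbb2222example"] # constructed IDs
  vpc_id  = "vpc-0ccc3333example"                                 # constructed ID

  # RPC endpoint of the Nomad control plane ("Nomad Load Balancer" in KOTS)
  server_endpoint = "nomad.example.internal:4647" # constructed hostname:port

  # Jobs are blocked from the K8s node/pod ranges; the VPC resolver at
  # 10.0.0.2 lies inside the first block, so dns_server exempts it.
  blocked_cidrs = ["10.0.0.0/16", "10.1.0.0/16"]
  dns_server    = "10.0.0.2"

  enable_mtls       = true                          # keep the default
  nomad_auto_scaler = true                          # creates the IAM user for nomad-autoscaler
  instance_type     = "t3a.2xlarge"
  volume_type       = "gp3"
  security_group_id = ["sg-0ddd4444example"]                  # constructed ID
  ssh_key           = file("${path.module}/nomad-client.pub") # assumed to exist

  instance_tags = {
    "vendor" = "circleci"
    "team"   = "sre"
  }
}

# The server key is private key material: mark it sensitive so Terraform
# redacts it in plan/apply output (it is still stored in state, so protect
# the state backend accordingly).
output "nomad_server_key" {
  value     = module.nomad_clients.nomad_server_key
  sensitive = true
}

output "nomad_server_cert" {
  value = module.nomad_clients.nomad_server_cert
}

output "nomad_ca" {
  value = module.nomad_clients.nomad_tls_ca
}
```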