Skip to content

nomad-acl

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

nomad-acl

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
INOUT.md
INOUT.md
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

Nomad ACL

ACL can be enabled for Nomad so that only users with the necessary tokens can submit jobs. This module only enables the built-in access controls provided by the ACL facility in the Open Source version of Nomad. Additional controls provided by Sentinel in the Enterprise version is not enabled.

This module does not create the necessary Vault and Nomad policies. These policies are very specific to your use case and you should define them yourselves.

Integration with Core module

This module is integrated with the core module to enable you to use both in conjunction seamlessly.

Pre-requisites

You must have Terraformed the core module first. In addition, you must have at least initialised and unsealed the Vault servers.

Make sure you have properly configured Vault with the appropriate authentication methods so that your users can authenticate with Vault to get the necessary tokens and credentials.

Bootstrapping Nomad ACL

We have to manually bootstrap ACLs on the Nomad servers first.

Firstly, this requires the Nomad clients and servers to be configured with the acl stanza.

This can be automated with the Core module. Assuming that you have not modified the consul_prefix variable in this module or the nomad_acl_consul_prefix variable in the core module, we just need to put a value of true at the path terraform/nomad-acl/enabled.

For example, with the command line, we can do:

consul kv put \
    -http-addr https://consul.example.com \
    terraform/nomad-acl/enabled yes

# Read it back to check
consul kv get \
    -http-addr https://consul.example.com \
    terraform/nomad-acl/enabled

Alternatively, you can use Terraform too:

resource "consul_keys" "bootstrap" {
    key {
        path = "terraform/nomad-acl/enabled"
        value = "true"
        delete = true
    }
}

After this is done, update the Nomad servers first according to the instructions provided in the Core module. You might get permission denied if you try to use the nomad server members command to check if the servers are up.

You can use the status API instead which does not require any ACL.

Secondly, we will need to generate a Nomad Bootstrap token. Use the acl bootstrap command.

Important: Make sure you save the token somewhere safe. If you lose this and all other management tokens, you will have to reset the bootstrap manually.

After this is done, you can proceed to update the Nomad clients.

Nomad Provider

You will need to have a Nomad management ACL token to be able to Terraform this. The initial bootstrap will require the bootstrap token. Afterwards, you can use any management token. Provide a secret_id Nomad ACL token to the provider. Refer to the documentation for more information.

In general, you should provide this via the NOMAD_TOKEN environment variable.

For example, if you have saved the token in nomad-acl, you can simply do

NOMAD_PROVIDER=$(cat nomad-acl) terraform plan

Vault Provider

Refer to the documentation on the Terraform Vault provider for details on how you can provide a Vault token for this Terraform operation. In general, you might want to do this with a Root token.

Inputs and Outputs

Refer to INOUT.md