Deploy Terraform Enterprise to HashiCorp Nomad
This topic describes how to deploy Terraform Enterprise to a HashiCorp Nomad cluster.
Complete the following steps to deploy Terraform Enterprise to Nomad-orchestrated containers:
- Complete the prerequisites.
- Parameterize the Terraform Enterprise license, host, and TLS encryption settings by adding Nomad variables to your job specifications. This enable you to use the same job specification with different configurations. Refer to Job Specification in the Nomad documentation for additional information.
- Add Terraform Enterprise environment variables to your Nomad job specification to configure Terraform behavior. Refer to the Terraform Enterprise configuration reference for additional information.
- Create a Nomad job specification for operating the Terraform Enterprise agent. Refer to Custom Worker Image for additional information about the Terraform Enterprise agent.
- Run the Nomad command for pulling the Terraform Enterprise image and installing the binary.
Prerequisites
You can deploy Terraform Enterprise on Nomad version v1.5.0 and newer.
Complete the following prerequisites before installing Terraform Enterprise on Nomad.
Refer to the Nomad clusters on the cloud tutorial for instructions on how to setup a Nomad cluster.
Nomad requirements
You must provide the following Nomad items.
Please make sure you have the following environment variables set before running Nomad commands from CLI:
You can read more about the Nomad environment variables here.
Prepare the host environment
Provide a DNS hostname for Terraform Enterprise and the associated TLS certificate. Additionally, you must configure your network so that your host can receive and send traffic. Refer to Prepare the host environment for details about preparing the host environment.
Deploy external storage systems
Deploy the database and other storage devices so that Terraform can connect to them when the application starts. Refer to Data storage settings overview for additional information.
Terraform Enterprise requires the following external services to be present and accessible from the Nomad cluster:
- A PostgreSQL database. Refer to PostgreSQL Requirements for Terraform Enterprise for additional information.
- An S3-compatible storage service, such as AWS S3, Azure Cloud Storage, and Google Cloud Storage. Refer to External Services Mode for additional information.
- Redis version 6 or 7. Redis Cluster is not supported.
Create the deployment configuration
Create a custom YAML configuration file, for example /tmp/overrides.yaml
, to override the default values in the Terraform Enterprise Helm chart. The file contains settings for the operational mode, license, TLS certificates, and network configuration. Add any additional configurations necessary for your environment. Refer to Configuration file overview for additional information.
Create an ACL policy
Create a token that grants access to the namespace where the Terraform Enterprise agents will run. The Terraform Enterprise job must present the token to the Terraform Enterprise agent so that it can run the agent job that performs Terraform operations. Refer to the Nomad ACL system fundamentals tutorial for instructions on how to create ACL policies linked to tokens.
Create a policy file named terraform-enterprise-policy.hcl
with the following content, and apply it to the terraform-enterprise
namespace so that Terraform Enterprise has permission to run and manage agent jobs.
The following example applies the terraform-enterprise-policy
policy to the tfe-job-task
task within the tfe-job-group
of the tfe-job
job.
Refer to the Nomad documentation for additional information about applying ACL policies.
Enable a workload identity
Enable a workload identity on the Nomad cluster so that Nomad can inject the Nomad ACL token. The workload identity passes the token using the NOMAD_TOKEN
environment variable. Refer to Workload Identity for additional information.
Terraform Enterprise does not use workload identities on Nomad v1.4 and older. Instead, you must pass the NOMAD_TOKEN
directly in the Terraform Enterprise job specification. Refer to Configure Terraform Enterprise Nomad job specification for additional information.
Create namespaces
Create at least two separate Nomad namespaces to provide better isolation, security, and control over Nomad workloads. One namespace is for the Terraform Enterprise job and the second is for the Terraform Enterprise agent job. Refer to the Namespaces tutorial in the Nomad documentation for instructions on how to create a namespace.
Parameterize Terraform Enterprise settings
Add the following variables to your Terraform Enterprise Nomad job:
tfe_license
: Specifies the Terraform Enterprise license key.tfe_hostname
: Specifies the hostname of the Terraform Enterprise instance.tfe_tls_cert_file
: Specifies the base64 encoded TLS certificate file.tfe_tls_key_file
: Specifies the base64 encoded TLS key file.tfe_tls_ca_bundle_file
: Specifies the base64 encoded TLS CA bundle file.
Create file var.hcl
and add the following variables:
path
variable specifies the path where the Nomad variables will be stored.
Update the path
variable if default value of job_name
is overridden in the var.hcl
file.
Apply the Nomad variables to the job specification by running the following command:
Refer to Nomad Variables in the Nomad documentation for additional information.
Refer to the example Nomad job specification for additional guidance.
Configure Terraform Enterprise Nomad job specification
This job is responsible for running the Terraform Enterprise image on Nomad.
Refer to the example Nomad job specification for TFE for a template that you can copy and modify.
Pass the variables that you defined in the Parameterize Terraform Enterprise settings section. Refer to Assigning Values to job Variables in the Nomad documentation for instructions. The following variables are required:
The following variables are optional:
Terraform Enterprise does not use workload identities on Nomad v1.4 and older. If you are deploying to Nomad v1.4.x or older, complete the following steps:
- Manually create an ACL token. Refer to Command:
acl token create
in the Nomad documentation for instructions. - Remove the
identity
stanza. - Pass the ACL token to the Terraform Enterprise job. Export the token to the
NOMAD_TOKEN
environment variable and add it to theenv
stanza.
Refer to the example Nomad job specification for a template that you can copy and modify. Run the nomad job run
command and specify job configuration to submit the changes. Refer to Command: job run in the Nomad documentation for additional information about the command.
Configure a Nomad batch job to run the Terraform Enterprise agent
Terraform Enterprise creates ephemeral agent jobs to execute Terraform runs when operating in Remote execution mode. A run is an invocation of the terraform plan
or terraform apply
command. To enable this behavior, create a Nomad batch job specification that defines how Terraform Enterprise agents run on Nomad.
You can use the example Nomad batch job specification for TFE agent as a template to copy and change. After registering the batch job in Nomad, manual execution of batch jobs is not required. When Terraform executes a plan or apply, it automatically dispatches the jobs as Nomad batch jobs and completes the run.
Refer to Batch Job in the Nomad documentation for more information.
Run the Nomad jobs
1. Deploy Terraform Enterprise Instance
Run the nomad job run
command to pull the Terraform Enterprise image and install the application. Pass the Terraform Enterprise job specification as the command argument. You must also provide the credentials for the registry to download the image:
2. Register Terraform Agent Job
Run the nomad job run
command and pass the Terraform agent job specification to register the batch job in Nomad:
Alternatively, you can pull and install the Terraform Enterprise image using the Terraform Enterprise On Nomad Pack tool. Refer to the terraform-enterprise-fdo-nomad-pack
repository on GitHub for instructions.
Post installation tasks
Complete the following tasks after starting Terraform Enterprise.
Review startup checks
When you start Terraform Enterprise, several startup checks also run to prevent errors related to invalid configurations or certificates, as well as other issues that could prevent the application from running successfully or safely. Refer to the startup checks reference for additional information.
Create initial admin user
Provision your first administrative user and start using Terraform Enterprise.
Deploy a load balancer to the Nomad Cluster (Optional)
You can deploy a load balancer to the Nomad cluster so that you can manage external traffic loads. Refer to the load balancer tutorial in the Nomad documentation for instructions. Refer to the example NGINX configuration for additional guidance.
Examples
You can copy the following examples and modify the values to match your deployment.
Nomad job specification
The following example configuration defines a Terraform Enterprise job specification. You can copy the example and modify the values to match your deployment. This example uses minimal configuration options. Refer to Configuration Reference for a list of all the configuration options.
Nomad batch job specification
The following example configuration defines a Terraform Enterprise agent job for Remote execution mode, where Terraform creates an ephemeral batch job for each plan and apply operation. You can copy the example and change the values to match your deployment. The job name must match the TFE_RUN_PIPELINE_NOMAD_AGENT_JOB_ID
configuration you set in the Nomad TFE jobspec above.
In conjunction with the Nomad TFE job spec, this example configuration directs Nomad to dispatch Terraform Plan and Apply operations to a Nomad batch job named tfe-agent-job
. The job runs in the tfe-agents
namespace and associates with the node_pool_tfe_agents
node pool.
Nomad NGINX job for load balancing
The following example configuration defines an NGINX job.
Add the TLS certificate and key variables to the nomad/jobs/nginx/nginx/nginx
path before running the job.
Security
Terraform Enterprise calls the Nomad Task API to dispatch the parameterized jobs that run the TFE agents. Terraform Enterprise does not require mTLS information because the call occurs over Unix sockets.