This is a simple Terraform module to create Nomad clients for your CircleCI server application on Google Cloud Platform.
A basic example is as simple as this:
provider "google-beta" {
project = "<< GCP project id >>"
region = "<< GCP compute region to deploy nomad clients >>""
zone = "<< GCP compute zone to deploy nomad clients >>""
}
module "nomad_clients" {
# We strongly recommend pinning the version using ref=<<release tag>> as is done here
source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-gcp?ref=4.0.0"
zone = "<< GCP compute zone to deploy nomad clients >>"
region = "<< GCP compute region to deploy nomad clients >>"
network = "default"
server_endpoint = "<< Hostname of server installation >>"
name = "<< name prefix of nomad clients >>
}
output "module" {
value = module.nomad_clients
}There are more examples in the examples directory.
| Name | Version |
|---|---|
| ~> 3.0 |
| Name | Version |
|---|---|
| ~> 3.0 | |
| local | n/a |
| Name | Source | Version |
|---|---|---|
| tls | ./../shared/modules/tls | n/a |
| Name | Type |
|---|---|
| google_compute_autoscaler.nomad | resource |
| google_compute_firewall.default | resource |
| google_compute_instance_group_manager.nomad | resource |
| google_compute_instance_template.nomad | resource |
| google_compute_target_pool.nomad | resource |
| google_project_iam_member.nomad_as_compute_autoscalers_get | resource |
| google_project_iam_member.nomad_as_work_identity | resource |
| google_service_account.nomad_as_service_account | resource |
| google_service_account_iam_binding.nomad_as_work_identity_k8s | resource |
| google_service_account_key.nomad-as-key | resource |
| local_file.nomad-as-key-file | resource |
| google_compute_image.machine_image | data source |
| google_project.project | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_server_join | Includes the 'server_join' block when setting up nomad clients. Should be disabled when the nomad server endpoint is not immediately known (eg, for dedicated nomad clients). | bool |
true |
no |
| assign_public_ip | Assign public IP | bool |
true |
no |
| autoscaling_mode | Autoscaler mode. Can be - "ON": Autoscaler will scale up and down to reach cpu target and react to cron schedules - "OFF": Autoscaler will never scale up or down - "ONLY_UP": Autoscaler will only scale up (default) Warning: jobs may be interrupted on scale down. Only select "ON" if interruptions are acceptible for your use case. |
string |
"ONLY_UP" |
no |
| autoscaling_schedules | Autoscaler scaling schedules. Accepts the same arguments are documented upstream here: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler#scaling_schedules |
list(object({ |
[] |
no |
| blocked_cidrs | List of CIDR blocks to block access to from inside nomad jobs | list(string) |
[] |
no |
| disk_size_gb | Size of the root disk for nomad clients in GB. | number |
300 |
no |
| disk_type | Root disk type. Can be 'pd-standard', 'pd-ssd', 'pd-balanced' or 'local-ssd' | string |
"pd-ssd" |
no |
| docker_network_cidr | IP CIDR block to be used in docker networks when running job on nomad client. This CIDR block should not be the same as your VPC CIDR block. i.e - "10.10.0.0/16" or "172.32.0.0/16" or "192.168.0.0/16" |
string |
"10.10.0.0/16" |
no |
| enable_workload_identity | If true, Workload Identity will be used rather than static credentials. Ensure Workload Identities are first enabled on your GKE cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity | bool |
false |
no |
| k8s_namespace | If enable_workload_identity is true, provide application k8s namespace | string |
"circleci-server" |
no |
| machine_image_family | The family value used to retrieve the virtual machine image. | string |
"ubuntu-2004-lts" |
no |
| machine_image_project | The project value used to retrieve the virtual machine image. | string |
"ubuntu-os-cloud" |
no |
| machine_type | Instance type for nomad clients | string |
"n2-standard-8" |
no |
| max_replicas | Max number of nomad clients when scaled up | number |
4 |
no |
| min_replicas | Minimum number of nomad clients when scaled down | number |
1 |
no |
| name | VM instance name for nomad client | string |
"nomad" |
no |
| network | Network to deploy nomad clients into | string |
"default" |
no |
| nomad_auto_scaler | If true, terraform will create a service account to be used by nomad autoscaler. | bool |
false |
no |
| nomad_server_hostname | Hostname of RPC service of Nomad control plane (e.g circleci.example.com) | string |
n/a | yes |
| nomad_server_port | Port that the server endpoint listens on for nomad connections. | number |
4647 |
no |
| patched_nomad_version | The version of CircleCI's fork Nomad to install | string |
"1.4.568-bfc9a6ec4" |
no |
| preemptible | Whether or not to use preemptible nodes | bool |
false |
no |
| project_id | GCP project ID to deploy resources into. By default uses the data sourced GCP project ID. | string |
"" |
no |
| region | GCP region to deploy nomad clients into (e.g us-east1) | string |
n/a | yes |
| retry_with_ssh_allowed_cidr_blocks | List of source IP CIDR blocks that can use the 'retry with SSH' feature of CircleCI jobs | list(string) |
[ |
no |
| subnetwork | Subnetwork to deploy nomad clients into. NB. This is required if using custom subnets | string |
"" |
no |
| target_cpu_utilization | Target CPU utilization to trigger autoscaling | number |
0.5 |
no |
| unsafe_disable_mtls | Disables mTLS between nomad client and servers. Compromises the authenticity and confidentiality of client-server communication. Should not be set to true in any production setting | bool |
false |
no |
| zone | GCP compute zone to deploy nomad clients into (e.g us-east1-a) | string |
n/a | yes |
| Name | Description |
|---|---|
| managed_instance_group_name | n/a |
| managed_instance_group_region | n/a |
| managed_instance_group_type | n/a |
| managed_instance_group_zone | n/a |
| nomad_server_cert | n/a |
| nomad_server_cert_base64 | set this value for the nomad.server.rpc.mTLS.certificate key in the CircleCI Server's Helm values.yaml |
| nomad_server_key | n/a |
| nomad_server_key_base64 | set this value for the nomad.server.rpc.mTLS.privateKey key in the CircleCI Server's Helm values.yaml |
| nomad_tls_ca | n/a |
| nomad_tls_ca_base64 | set this value for the nomad.server.rpc.mTLS.CACertificate key in the CircleCI Server's Helm values.yaml |
| service_account_email | n/a |
| service_account_key | Base64 decoded service account key. |
| service_account_key_location | n/a |