
[request] support for Nomad 1.4 secure variables

Open shantanugadgil opened this issue 3 years ago • 2 comments

Terraform Version

1.2.9

Provider Version

1.4.18

Nomad Version

Nomad v1.4.0-beta.1 (d17021a366178a11b79353f13735389629102d6a)

Provider Configuration

N/A

When can we get the support for the secure variables in the terraform provider?

The secure variables are a very welcome addition (instead of setting up Vault only for the KV backend)

In our workflow, we would like to use Terraform to inject/update the secure variables into Nomad. NOTE: The access to the repo of secrets would of course be a "very limited access"

shantanugadgil avatar Sep 15 '22 18:09 shantanugadgil

Hi @shantanugadgil! We anticipate shipping TF support following 1.4.0 GA.

tgross avatar Sep 15 '22 18:09 tgross

@tgross any timeline on this? Looking forward to migrating from vault kv to nomad variables but need to control them with tf.

iluminae avatar Oct 10 '22 17:10 iluminae

Nomad 1.4.1 is already out, still no (documented) support? :(

HINT-SJ avatar Oct 27 '22 06:10 HINT-SJ

Hi @iluminae and @HINT-SJ, the team balances a lot of work-streams and priorities which has meant we have not had the time to start this work quite yet. We will update this issue once we have started work and appreciate your patience.

jrasell avatar Oct 27 '22 07:10 jrasell

For anyone reading this, in the meantime I'm using a little workaround:

resource "null_resource" "nomad_var_put" {
  triggers = {
    job_name    = local.nomad_job_name
    db_username = var.name
    db_password = random_string.pass.result
  }

  provisioner "local-exec" {
    command = "nomad var put nomad/jobs/${self.triggers.job_name} db_username=\"${self.triggers.db_username}\" db_password=\"${self.triggers.db_password}\""
  }

  provisioner "local-exec" {
    when    = destroy
    command = "nomad var purge nomad/jobs/${self.triggers.job_name}"
  }
}

Just make sure the current session is logged in to the correct nomad cluster :)

HINT-SJ avatar Oct 28 '22 11:10 HINT-SJ

In addition to setting the variables, it would be great to have the ability to pass Job ACLs as well. The base client supports this already.

IamTheFij avatar Nov 22 '22 20:11 IamTheFij

Hi @IamTheFij, would you be able to explain a little more what you mean by pass Job ACLs? Is this related to Nomad variables?

lgfa29 avatar Dec 01 '22 01:12 lgfa29

Yes, it's related to Variables. As far as I can tell, the ability to assign an ACL to a workload was added to provide Variable access to Jobs and Tasks. https://developer.hashicorp.com/nomad/docs/concepts/variables. The Go API already allows optionally passing this information along with an ACL, but it's not yet possible with Terraform.

IamTheFij avatar Dec 01 '22 01:12 IamTheFij

I didn't fully read the comments on this issue before creating a new issue, but what @IamTheFij is talking about is the same thing I requested in #306.

regner avatar Feb 09 '23 12:02 regner

Still no progress on this? We're already on nomad 1.5 :'(

-edit- Looks like someone has been busy: https://github.com/hashicorp/terraform-provider-nomad/pull/325 :)

Borsty avatar May 05 '23 08:05 Borsty

Implemented in #325.

Thank you very much @regner and @iluminae 🙂

lgfa29 avatar Jun 05 '23 22:06 lgfa29