AWSTemplateFormatVersion: '2010-09-09' Description: "HashiCorp Nomad Client ASG(Please do not remove) Aug,28,2019 (qs-1nae6brn2)" Metadata: LintSpellExclude: - datacenter - xxxxxxxx - plugin SentenceCaseExclude: - Nomad - Consul QuickStartDocumentation: EntrypointName: "Launch into an existing VPC" LICENSE: "Apache License, Version 2.0" 'AWS::CloudFormation::Interface': ParameterGroups: - Label: {default: "VPC network configuration"} Parameters: - PrivateSubnet1ID - PrivateSubnet2ID - PrivateSubnet3ID - Label: {default: "Nomad client setup"} Parameters: - NomadClientSecurityGroup - NomadClientInstanceType - NomadClientNodeCount - NomadClientAMIOS - KeyPairName - NomadEc2RetryTagKey - NomadEc2RetryTagValue - NomadDatacenter - EnableRawExec - Label: {default: "Consul agent configuration"} Parameters: - ConsulEc2RetryTagKey - ConsulEc2RetryTagValue - ConsulDatacenter - EnableConsulServiceMesh - Label: {default: "AWS Quick Start configuration"} Parameters: - QSS3BucketName - QSS3KeyPrefix ParameterLabels: KeyPairName: default: Key name PrivateSubnet1ID: default: Private Subnet 1 ID PrivateSubnet2ID: default: Private Subnet 2 ID PrivateSubnet3ID: default: Private Subnet 3 ID NomadClientSecurityGroup: default: Nomad client node security group ID NomadClientInstanceType: default: Nomad client node instance type NomadClientNodeCount: default: Number of Nomad client nodes NomadClientAMIOS: default: Operating system for Nomad client nodes NomadEc2RetryTagKey: default: Tag key for Nomad cluster nodes NomadEc2RetryTagValue: default: Tag value for Nomad cluster nodes NomadDatacenter: default: "Nomad Config: datacenter" EnableRawExec: default: Enable raw_exec plugin on Nomad clients ConsulEc2RetryTagKey: default: Tag key for Consul server nodes ConsulEc2RetryTagValue: default: Tag value for Consul server nodes ConsulDatacenter: default: "Consul Config: datacenter" EnableConsulServiceMesh: default: Enable Consul service mesh for Nomad cluster QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: # VPC network configuration PrivateSubnet1ID: Description: "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)." Type: "AWS::EC2::Subnet::Id" PrivateSubnet2ID: Description: "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)." Type: "AWS::EC2::Subnet::Id" PrivateSubnet3ID: Description: "ID of the private subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)." Type: "AWS::EC2::Subnet::Id" # Nomad cluster setup # -- Nomad Instance Configuration -- NomadClientSecurityGroup: Description: The security group to apply to client nodes at startup (e.g., sg-7f16e910). Type: "AWS::EC2::SecurityGroup::Id" NomadClientInstanceType: Type: String Description: The EC2 instance type for the Nomad instances. AllowedValues: - t2.micro - t2.small - t2.medium - t2.large - t3.micro - t3.small - t3.medium - t3.large - m5.large - m5.xlarge - m5.2xlarge - m4.large - m4.xlarge - m3.medium - m3.large - m3.xlarge - m3.2xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - c3.large - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge ConstraintDescription: Choose an instance type. Default: m5.large NomadClientNodeCount: Type: String Description: The number of Nomad server nodes that will be created. You can choose 3, 5, or 7 nodes. Default: "3" NomadClientAMIOS: AllowedValues: - Amazon-Linux2-HVM - Amazon-Linux2-HVM-ARM - CentOS-7-HVM - Ubuntu-Server-20.04-LTS-HVM - SUSE-SLES-15-HVM Default: Ubuntu-Server-20.04-LTS-HVM Description: The Linux distribution for the AMI to be used for the Nomad server instances. Type: String KeyPairName: Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Type: "AWS::EC2::KeyPair::KeyName" # MinLength: 1 ConstraintDescription: Must be the name of an existing EC2 KeyPair. # -- Nomad Application Configuration -- NomadEc2RetryTagKey: Description: The EC2 instance tag key to filter on when joining to other Nomad nodes. Type: String Default: "quickstart-nomad-cluster" ConstraintDescription: Must match EC2 Tag Name requirements. NomadEc2RetryTagValue: Description: The EC2 instance tag value to filter on when joining to other Nomad nodes. Type: String Default: "nomad-member-node" ConstraintDescription: Must match EC2 Tag Name requirements. NomadDatacenter: Description: The datacenter name to use for the Nomad cluster configuration. Type: String Default: "dc1" ConstraintDescription: Must be DNS-compatible. EnableRawExec: Description: Enable the raw_exec task driver on the Nomad clients. Type: String Default: "false" AllowedValues: - "true" - "false" # Consul agent configuration ConsulEc2RetryTagKey: Description: The EC2 instance tag key to filter on when joining a Consul cluster. Type: String Default: "" ConstraintDescription: Must match EC2 Tag Name requirements. ConsulEc2RetryTagValue: Description: The EC2 instance tag key to filter on when joining a Consul cluster. Type: String Default: "" ConstraintDescription: Must match EC2 Tag Name requirements. ConsulDatacenter: Description: The datacenter name to use for the Consul cluster configuration. Type: String Default: "dc1" ConstraintDescription: Must be DNS-compatible. EnableConsulServiceMesh: Description: Enable Consul service mesh on the Nomad clients. Type: String Default: "false" AllowedValues: - "true" - "false" # AWS Quick Start configuration QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: "aws-quickstart" Description: >- S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*$" ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: "quickstart-hashicorp-nomad/" Description: >- S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String Rules: ArmInstanceClient: RuleCondition: !Equals ["Amazon-Linux2-HVM-ARM", !Ref NomadClientAMIOS] Assertions: - Assert: !Contains - - t4g.nano - t4g.medium - t4g.large - t4g.micro - t4g.small - t4g.2xlarge - t4g.xlarge - !Ref 'NomadClientInstanceType' AssertDescription: This instance type must use NomadClientAMIOS type of Amazon-Linux2-HVM-ARM. Mappings: RegionELBAccountId: ap-east-1: AccountId: "754344448648" ap-northeast-1: AccountId: "582318560864" ap-northeast-2: AccountId: "600734575887" ap-northeast-3: AccountId: "383597477331" ap-southeast-1: AccountId: "114774131450" ap-southeast-2: AccountId: "783225319266" ap-south-1: AccountId: "718504428378" me-south-1: AccountId: "076674570225" ca-central-1: AccountId: "985666609251" eu-central-1: AccountId: "054676820928" eu-north-1: AccountId: "897822967062" eu-west-1: AccountId: "156460612806" eu-west-2: AccountId: "652711504416" eu-west-3: AccountId: "009996457667" sa-east-1: AccountId: "507241528517" us-east-1: AccountId: "127311923021" us-east-2: AccountId: "033677994240" us-west-1: AccountId: "027434742980" us-west-2: AccountId: "797873946194" AWSAMIRegionMap: af-south-1: AMZNLINUX2: ami-0936d2754993c364e AMZNLINUX2ARM: ami-01d326fa7db123542 US2004HVM: ami-022666956ad401a16 CENTOS7HVM: ami-0a2be7731769e6cc1 # SLES15HVM: ami-EXAMPLE ap-northeast-1: AMZNLINUX2: ami-0b276ad63ba2d6009 AMZNLINUX2ARM: ami-012d44a21cdc6962e US2004HVM: ami-0b0ccc06abc611fa0 CENTOS7HVM: ami-06a46da680048c8ae SLES15HVM: ami-056ac8ad44e6a7e1f ap-northeast-2: AMZNLINUX2: ami-0b827f3319f7447c6 AMZNLINUX2ARM: ami-065bbf792e2f70fd9 US2004HVM: ami-0f49ee52a88cc2435 CENTOS7HVM: ami-06e83aceba2cb0907 SLES15HVM: ami-0f81fff879bafe6b8 ap-northeast-3: AMZNLINUX2: ami-07420201371095f81 AMZNLINUX2ARM: ami-01a34fdc39c8106e0 US2004HVM: ami-01ae085ceefba2dbf CENTOS7HVM: ami-02d6b455335e3af14 SLES15HVM: ami-0d8518dd12d11dfc2 ap-south-1: AMZNLINUX2: ami-00bf4ae5a7909786c AMZNLINUX2ARM: ami-059d1007dcf297b22 US2004HVM: ami-0443fb07ed652c341 CENTOS7HVM: ami-026f33d38b6410e30 SLES15HVM: ami-01be89269d32f2a16 ap-southeast-1: AMZNLINUX2: ami-0e5182fad1edfaa68 AMZNLINUX2ARM: ami-0390917f7df0de28c US2004HVM: ami-0f0b17182b1d50c14 CENTOS7HVM: ami-07f65177cb990d65b SLES15HVM: ami-070356c21596ddc67 ap-southeast-2: AMZNLINUX2: ami-0c9fe0dec6325a30c AMZNLINUX2ARM: ami-03b50165937737652 US2004HVM: ami-04b1878ebf78f7370 CENTOS7HVM: ami-0b2045146eb00b617 SLES15HVM: ami-0c4245381c67efb39 ca-central-1: AMZNLINUX2: ami-0db72f413fc1ddb2a AMZNLINUX2ARM: ami-0858cdfa55eb68636 US2004HVM: ami-04673916e7c7aa985 CENTOS7HVM: ami-04a25c39dc7a8aebb SLES15HVM: ami-0c97d9b588207dad6 eu-central-1: AMZNLINUX2: ami-00f22f6155d6d92c5 AMZNLINUX2ARM: ami-0d1745d072234b13f US2004HVM: ami-05e1e66d082e56118 CENTOS7HVM: ami-0e8286b71b81c3cc1 SLES15HVM: ami-05dfd265ea534a3e9 me-south-1: AMZNLINUX2: ami-0880769bc15eeec4f AMZNLINUX2ARM: ami-001dc219c441b922d US2004HVM: ami-03cc0b5db8321f2e5 CENTOS7HVM: ami-011c71a894b10f35b SLES15HVM: ami-0252c6d3a59c7473b ap-east-1: AMZNLINUX2: ami-0aca22cb23f122f27 AMZNLINUX2ARM: ami-01f5cec80321bd86e US2004HVM: ami-0c7e5903bee96ef81 CENTOS7HVM: ami-0e5c29e6c87a9644f SLES15HVM: ami-0ad6e15bcbb2dbe38 eu-north-1: AMZNLINUX2: ami-00517306b63c4628c AMZNLINUX2ARM: ami-00ac6cda13789bb30 US2004HVM: ami-00888f2a5f9be4390 CENTOS7HVM: ami-05788af9005ef9a93 SLES15HVM: ami-0741fa1a008af40ad eu-south-1: AMZNLINUX2: ami-0f447354763f0eaac AMZNLINUX2ARM: ami-011d4067dedd119f5 US2004HVM: ami-035e213233577516f CENTOS7HVM: ami-03014b98e9665115a SLES15HVM: ami-051cbea0e7660063d eu-west-1: AMZNLINUX2: ami-058b1b7fe545997ae AMZNLINUX2ARM: ami-0f7de803d86d96283 US2004HVM: ami-0298c9e0d2c86b0ed CENTOS7HVM: ami-0b850cf02cc00fdc8 SLES15HVM: ami-0a58a1b152ba55f1d eu-west-2: AMZNLINUX2: ami-03ac5a9b225e99b02 AMZNLINUX2ARM: ami-0c11e20ede9c2bac5 US2004HVM: ami-0230a6736b38ae83e CENTOS7HVM: ami-09e5afc68eed60ef4 SLES15HVM: ami-01497522185aaa4ee eu-west-3: AMZNLINUX2: ami-062fdd189639d3e93 AMZNLINUX2ARM: ami-0e95ca4242883dbf3 US2004HVM: ami-06d3fffafe8d48b35 CENTOS7HVM: ami-0cb72d2e599cffbf9 SLES15HVM: ami-0f238bd4c6fdbefb0 sa-east-1: AMZNLINUX2: ami-05e809fbeee38dd5e AMZNLINUX2ARM: ami-06302d3edd8e2b804 US2004HVM: ami-04e56ee48b28650b3 CENTOS7HVM: ami-0b30f38d939dd4b54 SLES15HVM: ami-0772af912976aa692 us-east-1: AMZNLINUX2: ami-0dc2d3e4c0f9ebd18 AMZNLINUX2ARM: ami-008a8487adc2b32ec US2004HVM: ami-019212a8baeffb0fa CENTOS7HVM: ami-0affd4508a5d2481b SLES15HVM: ami-0b1764f3d7d2e2316 us-gov-west-1: AMZNLINUX2: ami-0bbf3595bb2fb39ec AMZNLINUX2ARM: ami-6bd0e80a SLES15HVM: ami-57c0ba36 us-gov-east-1: AMZNLINUX2: ami-0cc17d57bec8c6017 AMZNLINUX2ARM: ami-4a31d93b SLES15HVM: ami-05e4bedfad53425e9 us-east-2: AMZNLINUX2: ami-0233c2d874b811deb AMZNLINUX2ARM: ami-02de934ca4f3289e0 US2004HVM: ami-0117d177e96a8481c CENTOS7HVM: ami-01e36b7901e884a10 SLES15HVM: ami-05ea824317ffc0c20 us-west-1: AMZNLINUX2: ami-0ed05376b59b90e46 AMZNLINUX2ARM: ami-09027338004f91eb5 US2004HVM: ami-0b08e71a81ba4200f CENTOS7HVM: ami-098f55b4287a885ba SLES15HVM: ami-00e34a7624e5a7107 us-west-2: AMZNLINUX2: ami-0dc8f589abe99f538 AMZNLINUX2ARM: ami-01ee617c4327490d3 US2004HVM: ami-02868af3c3df4b3aa CENTOS7HVM: ami-0bc06212a56393ee1 SLES15HVM: ami-0f1e3b3fb0fec0361 cn-north-1: AMZNLINUX2: ami-0c52e2685c7218558 AMZNLINUX2ARM: ami-088cc0c104292da9c CENTOS7HVM: ami-08c16f7e830c0e393 SLES15HVM: ami-021392849b6221a81 cn-northwest-1: AMZNLINUX2: ami-05b9b6d6acf8ae9b6 AMZNLINUX2ARM: ami-0b5c6ceb80eb57861 CENTOS7HVM: ami-0f21aa96a61df8c44 SLES15HVM: ami-00e1de3ee6d0d28ea LinuxAMINameMap: Amazon-Linux2-HVM: Code: AMZNLINUX2 OS: Amazon Amazon-Linux2-HVM-ARM: Code: AMZNLINUX2ARM OS: Amazon CentOS-7-HVM: Code: CENTOS7HVM OS: CentOS Ubuntu-Server-18.04-LTS-HVM: Code: US1804HVM OS: Ubuntu Ubuntu-Server-20.04-LTS-HVM: Code: US2004HVM OS: Ubuntu SUSE-SLES-15-HVM: Code: SLES15HVM OS: SLES Conditions: GovCloudCondition: !Equals [!Ref AWS::Region, "us-gov-west-1"] ConfigureConsul: !And - !Not [!Equals [!Ref ConsulEc2RetryTagKey, ""]] - !Not [!Equals [!Ref ConsulEc2RetryTagValue, ""]] ConfigureConsulServiceMesh: !And - !Not [!Equals [!Ref ConsulEc2RetryTagKey, ""]] - !Not [!Equals [!Ref ConsulEc2RetryTagValue, ""]] - !Equals [!Ref EnableConsulServiceMesh, "true"] ConfigureRawExec: !Equals [!Ref EnableRawExec, "true"] Resources: NomadClientASG: Type: "AWS::AutoScaling::AutoScalingGroup" Properties: LaunchConfigurationName: !Ref NomadClientLC MinSize: !Ref NomadClientNodeCount MaxSize: !Ref NomadClientNodeCount DesiredCapacity: !Ref NomadClientNodeCount VPCZoneIdentifier: - !Ref PrivateSubnet1ID - !Ref PrivateSubnet2ID - !Ref PrivateSubnet3ID Tags: - Key: Name Value: !Sub "${AWS::StackName}-Nomad-Client" PropagateAtLaunch: true CreationPolicy: ResourceSignal: Count: !Ref NomadClientNodeCount Timeout: PT20M NomadClientLC: Type: AWS::AutoScaling::LaunchConfiguration Metadata: cfn-lint: config: ignore_checks: - E9101 #ignore warning about kill for Linux related command AWS::CloudFormation::Init: configSets: _base: - install_and_enable_cfn_hup - disable_motd - fetch_nomad - fetch_consul - fetch_vault - fetch_consul_template _consul: - consul_install - setup_coredns _nomad_client: - create_nomad_group_user_dir - fetch_cni_plugins - install_docker - nomad_install cs-nomad: - ConfigSet: _base - ConfigSet: _nomad_client cs-nomad-consul: - ConfigSet: _base - create_consul_group_user_dir - ConfigSet: _consul - ConfigSet: _nomad_client cs-nomad-consul-service-mesh: - ConfigSet: _base - create_consul_group_user_dir - enable_consul_service_mesh - ConfigSet: _consul - ConfigSet: _nomad_client cs-enable-rawexec: - enable_raw_exec install_and_enable_cfn_hup: files: /etc/cfn/cfn-hup.conf: content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} mode: "000400" owner: root group: root /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: !Sub "[cfn-auto-reloader-hook] triggers=post.update path=Resources.NomadClientLC.Metadata.AWS::CloudFormation::Init action=/usr/local/bin/cfn-init -v --stack ${AWS::StackName} --resource NomadClientLC --configsets cs_install --region ${AWS::Region} runas=root" /lib/systemd/system/cfn-hup.service: content: | [Unit] Description=cfn-hup daemon [Service] Type=simple ExecStart=/usr/local/bin/cfn-hup Restart=always [Install] WantedBy=multi-user.target commands: 01enable_cfn_hup: command: systemctl enable cfn-hup.service 02start_cfn_hup: command: systemctl start cfn-hup.service disable_motd: files: /home/ubuntu/.hushlogin: content: | # disable motd user: ubuntu group: ubuntu mode: "000400" create_nomad_group_user_dir: users: nomad: homeDir: /srv/nomad commands: 01_create_data_dir: command: mkdir -p /opt/nomad/data 02_set_data_dir_permissions: command: chown -R nomad:nomad /opt/nomad/data 03_create_config_dir: command: mkdir -p /opt/nomad/config 04_set_config_dir_permissions: command: chown -R root:nomad /opt/nomad/config create_consul_group_user_dir: users: consul: homeDir: /srv/consul commands: 01_create_data_dir: command: mkdir -p /opt/consul/data 02_set_data_dir_permissions: command: chown -R consul:consul /opt/consul/data 03_create_config_dir: command: mkdir -p /opt/consul/config 04_set_config_dir_permissions: command: chown -R root:consul /opt/consul/config fetch_nomad: sources: /usr/bin/: https://releases.hashicorp.com/nomad/1.2.6/nomad_1.2.6_linux_amd64.zip fetch_consul: sources: /usr/bin/: https://releases.hashicorp.com/consul/1.11.4/consul_1.11.4_linux_amd64.zip fetch_vault: sources: /usr/bin/: https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_amd64.zip fetch_consul_template: sources: /usr/bin/: https://releases.hashicorp.com/consul-template/0.28.0/consul-template_0.28.0_linux_amd64.zip nomad_install: files: /opt/nomad/config/nomad.hcl: content: !Sub | bind_addr = "0.0.0.0" data_dir = "/opt/nomad/data" datacenter = "${NomadDatacenter}" log_level = "WARN" advertise { http = "{{{InterfaceTemplate}}}" rpc = "{{{InterfaceTemplate}}}" serf = "{{{InterfaceTemplate}}}" } context: InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' user: root group: nomad /opt/nomad/config/client.hcl: content: !Sub | client { enabled = true server_join { retry_join = ["provider=aws region=${AWS::Region} tag_key=${NomadEc2RetryTagKey} tag_value=${NomadEc2RetryTagValue}"] } } user: root group: nomad /etc/systemd/system/nomad.service: content: | [Unit] Description=HashiCorp Nomad Documentation=https://nomadproject.io/docs/ Wants=network-online.target After=network-online.target ConditionFileNotEmpty=/opt/nomad/config/nomad.hcl ConditionFileNotEmpty=/opt/nomad/config/client.hcl # Start Consul before Nomad to avoid Nomad logging that Consul # is unavailable at startup. {{maybe_comment_consul}}Wants=consul.service {{maybe_comment_consul}}After=consul.service [Service] Type=simple User=root Group=root EnvironmentFile=-/opt/nomad/config/nomad.env ExecReload=/bin/kill -HUP $MAINPID ExecStart=/usr/bin/nomad agent -config /opt/nomad/config KillMode=process KillSignal=SIGINT LimitNOFILE=65536 LimitNPROC=infinity Restart=on-failure TimeoutSec=300s RestartSec=2 ## Configure unit start rate limiting. Units which are started more than ## *burst* times within an *interval* time span are not permitted to start any ## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on ## systemd version) to configure the checking interval and `StartLimitBurst` ## to configure how many starts per interval are allowed. The values in the ## commented lines are defaults. # StartLimitBurst = 5 ## StartLimitIntervalSec is used for systemd versions >= 230 # StartLimitIntervalSec = 10s ## StartLimitInterval is used for systemd versions < 230 # StartLimitInterval = 10s TasksMax=infinity OOMScoreAdjust=-1000 [Install] WantedBy=multi-user.target context: maybe_comment_consul: !If [ConfigureConsul, "", "#"] commands: 00_fill_nomad_config_nodename: command: echo "name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/nomad/config/nodename.hcl 01_change_data_dir_owner: command: chown -R root:root /opt/nomad/data 02_change_config_dir_owner: command: chown -R root:nomad /opt/nomad/config 03_chmod_config_dir: command: chmod 755 /opt/nomad/config 04_chmod_config_files: command: chmod 644 /opt/nomad/config/*.hcl 05_reload_systemd: command: systemctl daemon-reload 06_enable_service: command: systemctl enable nomad 07_start_service: command: systemctl start nomad enable_consul_service_mesh: files: /opt/consul/config/connect.hcl: content: | ports { grpc = 8502 } connect { enabled = true } owner: root group: consul consul_install: files: /opt/consul/config/consul.hcl: content: !Sub | data_dir = "/opt/consul/data" client_addr = "0.0.0.0" bind_addr = "{{{InterfaceTemplate}}}" datacenter = "${ConsulDatacenter}" log_level = "WARN" ui_config { enabled = true } telemetry { disable_compat_1.9 = true } context: InterfaceTemplate: '{{ GetDefaultInterfaces | include \"type\" \"ipv4\" | attr \"address\" }}' owner: root group: consul /opt/consul/config/client.hcl: content: !Sub | retry_join = ["provider=aws region=${AWS::Region} tag_key=${ConsulEc2RetryTagKey} tag_value=${ConsulEc2RetryTagValue}"] owner: root group: consul /etc/systemd/system/consul.service: content: | [Unit] Description="HashiCorp Consul - A service mesh solution" Documentation=https://www.consul.io/ Requires=network-online.target After=network-online.target ConditionFileNotEmpty=/opt/consul/config/consul.hcl ConditionFileNotEmpty=/opt/consul/config/client.hcl [Service] Type=notify EnvironmentFile=-/opt/consul/config/consul.env User=consul Group=consul ExecStart=/usr/bin/consul agent -config-dir=/opt/consul/config ExecReload=/bin/kill --signal HUP $MAINPID KillMode=process KillSignal=SIGTERM Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target owner: root group: root commands: 00_fill_consul_config_nodename: command: echo "node_name = \"$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\"" > /opt/consul/config/nodename.hcl 01_change_data_dir_owner: command: chown -R consul:consul /opt/consul/data 02_change_config_dir_owner: command: chown -R root:consul /opt/consul/config 03_chmod_config_dir: command: chmod 755 /opt/consul/config 04_chmod_config_files: command: chmod 644 /opt/consul/config/*.hcl 05_reload_systemd: command: systemctl daemon-reload 06_enable_consul: command: systemctl enable consul 07_start_consul: command: systemctl start consul setup_dnsmasq: files: /etc/dnsmasq.d/consul: content: | server=/consul/127.0.0.1#8600 listen-address=127.0.0.1 bind-interfaces /usr/local/etc/dnsmasq.conf: content: | no-resolv packages: apt: dnsmasq-base: [] dnsmasq: [] jq: [] commands: 01_start_dnsmasq: command: service dnsmasq restart setup_coredns: users: coredns: homeDir: /srv/coredns sources: /usr/bin: https://github.com/coredns/coredns/releases/download/v1.8.4/coredns_1.8.4_linux_amd64.tgz files: /etc/systemd/system/coredns.service: content: | [Unit] Description=CoreDNS DNS server Documentation=https://coredns.io After=network.target [Service] PermissionsStartOnly=true LimitNOFILE=1048576 LimitNPROC=512 CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true User=coredns WorkingDirectory=~ ExecStart=/usr/bin/coredns -conf=/etc/coredns/Corefile ExecReload=/bin/kill -SIGUSR1 $MAINPID Restart=on-failure [Install] WantedBy=multi-user.target /etc/coredns/Corefile: content: | . { forward . /run/systemd/resolve/resolv.conf } consul { forward . dns://127.0.0.1:8600 } user: root group: root mode: "000644" /etc/resolv.conf: content: | nameserver 127.0.0.1 options edns0 trust-ad search ec2.internal user: root group: root mode: "000644" commands: 00_make_homedir: command: mkdir -p /srv/coredns 01_change_owner: command: chown -R coredns:coredns /srv/coredns 02_reload_systemd: command: systemctl daemon-reload 03_disable_resolved_DNSStubListener: command: echo "DNSStubListener=no" >> /etc/systemd/resolved.conf 04_restart_resolved: command: systemctl restart systemd-resolved.service 05_start_service: command: systemctl start coredns 06_enable_service: command: systemctl enable coredns install_docker: packages: apt: docker.io: [] fetch_cni_plugins: sources: /opt/cni/bin/: https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz enable_raw_exec: files: /opt/nomad/config/raw_exec.hcl: content: | plugin "raw_exec" { config { enabled = true } } user: root group: nomad mode: "000644" Properties: InstanceType: !Ref NomadClientInstanceType AssociatePublicIpAddress: false SecurityGroups: - !Ref NomadClientSecurityGroup KeyName: !Ref KeyPairName ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - !FindInMap [LinuxAMINameMap, !Ref NomadClientAMIOS, Code] IamInstanceProfile: !Ref NomadClientProfile UserData: Fn::Base64: !Sub - | #!/bin/bash -x #CFN Functions function cfn_fail { cfn-signal -e 1 --stack ${AWS::StackName} --region ${AWS::Region} --resource NomadClientASG } function cfn_success { cfn-signal -e 0 --stack ${AWS::StackName} --region ${AWS::Region} --resource NomadClientASG exit 0 } function cfn_fail_log { journalctl -b --no-pager -u nomad for I in /opt/nomad/config/*.hcl do echo "## $I" echo ""; echo '```' cat $I echo ""; echo '```'; echo "" done systemctl status nomad.service } S3URI=https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix} apt-get -y update # Install git apt-get install -y git jq #Load Linux utils until git clone https://github.com/aws-quickstart/quickstart-linux-utilities.git ; do echo "Retrying"; done cd /quickstart-linux-utilities && source quickstart-cfn-tools.source # Prep operating systems qs_update-os || qs_err qs_bootstrap_pip || qs_err qs_aws-cfn-bootstrap || qs_err #cfn-init echo "Executing config-sets" cfn-init -v --stack ${AWS::StackName} --resource NomadClientLC --configsets ${ConfigSets} --region ${AWS::Region} STATUS=$? echo signal cfn success/failure [ $STATUS == 0 ] || cfn_fail echo log info on failure [ $STATUS == 0 ] || cfn_fail_log # Signal cfn-init (final check) [ $(qs_status) == 0 ] && cfn_success || cfn_fail - ConfigSets: !Join - '' - - !If - ConfigureConsulServiceMesh - cs-nomad-consul-service-mesh - !If - ConfigureConsul - cs-nomad-consul - cs-nomad - !If [ConfigureRawExec, ',cs-enable-rawexec', ''] S3Region: !If [GovCloudCondition, s3-us-gov-west-1, s3] NomadClientRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Principal: Service: ec2.amazonaws.com Effect: Allow Sid: "" Policies: - PolicyDocument: Version: 2012-10-17 Statement: - Action: - "s3:GetObject" Resource: !Sub "arn:${AWS::Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*" Effect: Allow PolicyName: AuthenticatedS3GetObjects NomadClientPolicy: Type: AWS::IAM::Policy Properties: PolicyName: nomad-client PolicyDocument: Statement: - Effect: Allow Action: "ec2:DescribeInstances" Resource: "*" Roles: - !Ref NomadClientRole NomadClientProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref NomadClientRole NomadClientLogsBucket: Type: AWS::S3::Bucket DeletionPolicy: Retain UpdateReplacePolicy: Retain NomadClientLogsBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref NomadClientLogsBucket PolicyDocument: Version: 2012-10-17 Statement: - Sid: NomadQSGALBAccessLogs Action: - "s3:PutObject" Effect: Allow Resource: !Sub "arn:${AWS::Partition}:s3:::${NomadClientLogsBucket}/NomadALBLogs/*" Principal: AWS: !Sub - "arn:${AWS::Partition}:iam::${RegionELBAccountId}:root" - RegionELBAccountId: !FindInMap - RegionELBAccountId - !Ref "AWS::Region" - AccountId Outputs: NomadEc2RetryTagKey: Value: !Ref NomadEc2RetryTagKey Description: The EC2 instance tag key to filter on when joining to other Nomad nodes. NomadEc2RetryTagValue: Value: !Ref NomadEc2RetryTagValue Description: The EC2 instance tag value to filter on when joining to other Nomad nodes. NomadClientASG: Value: !Ref NomadClientASG Description: 'The Nomad client autoscaling group.' NomadClientLogsBucket: Value: !Ref NomadClientLogsBucket Description: 'The S3 Bucket created for Nomad client logs.'