GCP Nomad Clients

This is a simple Terraform module to create Nomad clients for your CircleCI server application on Google Cloud Platform.


A basic example is as simple as this:

provider "google-beta" {
  project = "<< GCP project id >>"
  region  = "<< GCP compute region to deploy nomad clients >>"
  zone    = "<< GCP compute zone to deploy nomad clients >>"
}

module "nomad_clients" {
  # We strongly recommend pinning the version using ref=<<release tag>> as is done here
  source = "git::"

  zone                  = "<< GCP compute zone to deploy nomad clients >>"
  region                = "<< GCP compute region to deploy nomad clients >>"
  network               = "default"
  nomad_server_hostname = "<< Hostname of server installation >>"
  name                  = "<< name prefix of nomad clients >>"
}

output "module" {
  value = module.nomad_clients
}

There are more examples in the examples directory.


Requirements

| Name | Version |
|------|---------|
| google | ~> 3.0 |


Providers

| Name | Version |
|------|---------|
| google | ~> 3.0 |
| local | n/a |


Modules

| Name | Source | Version |
|------|--------|---------|
| tls | ./../shared/modules/tls | n/a |


Resources

| Name | Type |
|------|------|
| google_compute_autoscaler.nomad | resource |
| google_compute_firewall.default | resource |
| google_compute_instance_group_manager.nomad | resource |
| google_compute_instance_template.nomad | resource |
| google_compute_target_pool.nomad | resource |
| google_project_iam_member.nomad_as_compute_autoscalers_get | resource |
| google_project_iam_member.nomad_as_work_identity | resource |
| google_service_account.nomad_as_service_account | resource |
| google_service_account_iam_binding.nomad_as_work_identity_k8s | resource |
| google_service_account_key.nomad-as-key | resource |
| local_file.nomad-as-key-file | resource |
| google_compute_image.machine_image | data source |
| google_project.project | data source |


Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| add_server_join | Includes the 'server_join' block when setting up nomad clients. Should be disabled when the nomad server endpoint is not immediately known (eg, for dedicated nomad clients). | bool | true | no |
| assign_public_ip | Assign public IP | bool | true | no |
| autoscaling_mode | Autoscaler mode. Can be "ON": Autoscaler will scale up and down to reach cpu target and react to cron schedules; "OFF": Autoscaler will never scale up or down; "ONLY_UP": Autoscaler will only scale up (default). Warning: jobs may be interrupted on scale down. Only select "ON" if interruptions are acceptable for your use case. | string | "ONLY_UP" | no |
| autoscaling_schedules | Autoscaler scaling schedules. Accepts the same arguments as documented upstream here: | name = string, min_required_replicas = number, schedule = string, time_zone = string, duration_sec = number, disabled = bool, description = string | [] | no |
| blocked_cidrs | List of CIDR blocks to block access to from inside nomad jobs | list(string) | [] | no |
| disk_size_gb | Size of the root disk for nomad clients in GB. | number | 300 | no |
| disk_type | Root disk type. Can be 'pd-standard', 'pd-ssd', 'pd-balanced' or 'local-ssd' | string | "pd-ssd" | no |
| docker_network_cidr | IP CIDR block to be used in docker networks when running job on nomad client. This CIDR block should not be the same as your VPC CIDR block. i.e - "" or "" or "" | string | "" | no |
| enable_workload_identity | If true, Workload Identity will be used rather than static credentials. Ensure Workload Identities are first enabled on your GKE cluster: | bool | false | no |
| k8s_namespace | If enable_workload_identity is true, provide application k8s namespace | string | "circleci-server" | no |
| machine_image_family | The family value used to retrieve the virtual machine image. | string | "ubuntu-2004-lts" | no |
| machine_image_project | The project value used to retrieve the virtual machine image. | string | "ubuntu-os-cloud" | no |
| machine_type | Instance type for nomad clients | string | "n2-standard-8" | no |
| max_replicas | Max number of nomad clients when scaled up | number | 4 | no |
| min_replicas | Minimum number of nomad clients when scaled down | number | 1 | no |
| name | VM instance name for nomad client | string | "nomad" | no |
| network | Network to deploy nomad clients into | string | "default" | no |
| nomad_auto_scaler | If true, terraform will create a service account to be used by nomad autoscaler. | bool | false | no |
| nomad_server_hostname | Hostname of RPC service of Nomad control plane (e.g | string | n/a | yes |
| nomad_server_port | Port that the server endpoint listens on for nomad connections. | number | 4647 | no |
| patched_nomad_version | The version of CircleCI's fork of Nomad to install | string | "1.4.568-bfc9a6ec4" | no |
| preemptible | Whether or not to use preemptible nodes | bool | false | no |
| project_id | GCP project ID to deploy resources into. By default uses the data sourced GCP project ID. | string | "" | no |
| region | GCP region to deploy nomad clients into (e.g us-east1) | string | n/a | yes |
| retry_with_ssh_allowed_cidr_blocks | List of source IP CIDR blocks that can use the 'retry with SSH' feature of CircleCI jobs | list(string) | | |
| subnetwork | Subnetwork to deploy nomad clients into. NB. This is required if using custom subnets | string | "" | no |
| target_cpu_utilization | Target CPU utilization to trigger autoscaling | number | 0.5 | no |
| unsafe_disable_mtls | Disables mTLS between nomad client and servers. Compromises the authenticity and confidentiality of client-server communication. Should not be set to true in any production setting | bool | false | no |
| zone | GCP compute zone to deploy nomad clients into (e.g us-east1-a) | string | n/a | yes |


Outputs

| Name | Description |
|------|-------------|
| managed_instance_group_name | n/a |
| managed_instance_group_region | n/a |
| managed_instance_group_type | n/a |
| managed_instance_group_zone | n/a |
| nomad_server_cert | n/a |
| nomad_server_cert_base64 | set this value for the nomad.server.rpc.mTLS.certificate key in the CircleCI Server's Helm values.yaml |
| nomad_server_key | n/a |
| nomad_server_key_base64 | set this value for the nomad.server.rpc.mTLS.privateKey key in the CircleCI Server's Helm values.yaml |
| nomad_tls_ca | n/a |
| nomad_tls_ca_base64 | set this value for the nomad.server.rpc.mTLS.CACertificate key in the CircleCI Server's Helm values.yaml |
| service_account_email | n/a |
| service_account_key | Base64 decoded service account key. |
| service_account_key_location | n/a |
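
The security-relevant inputs and outputs listed above, combined into one module call. This is an added example, not taken from the module's examples directory. The CIDR values are constructed placeholders, and `assign_public_ip = false` assumes the subnetwork has another egress path.

```hcl
module "nomad_clients" {
  # Pin with ref=<<release tag>>; the source URL is left as it appears in the basic example.
  source = "git::"

  zone                  = "<< GCP compute zone to deploy nomad clients >>"
  region                = "<< GCP compute region to deploy nomad clients >>"
  network               = "default"
  nomad_server_hostname = "<< Hostname of server installation >>"
  name                  = "<< name prefix of nomad clients >>"

  # Keep mTLS between nomad clients and servers (the default). Stated
  # explicitly so that a later change to true stands out in review.
  unsafe_disable_mtls = false

  # No external IP on the clients. Assumption: the subnetwork has another
  # egress path (for example Cloud NAT) so jobs can still pull images.
  assign_public_ip = false

  # Constructed value (TEST-NET-3): only this range may use 'retry with SSH'.
  retry_with_ssh_allowed_cidr_blocks = ["203.0.113.0/24"]

  # Constructed value: an internal range that nomad jobs must not reach.
  blocked_cidrs = ["10.20.0.0/16"]

  # Workload Identity instead of static credentials. Workload Identity must
  # already be enabled on the GKE cluster.
  enable_workload_identity = true
  k8s_namespace            = "circleci-server"
}

# Export only the three values the Helm values.yaml needs instead of the whole
# module object, which also carries nomad_server_key and service_account_key.
# sensitive = true keeps the values out of plan and apply output; they are
# still stored in the Terraform state, so the state backend needs access control.
output "nomad_server_cert_base64" {
  value     = module.nomad_clients.nomad_server_cert_base64
  sensitive = true
}

output "nomad_server_key_base64" {
  value     = module.nomad_clients.nomad_server_key_base64
  sensitive = true
}

output "nomad_tls_ca_base64" {
  value     = module.nomad_clients.nomad_tls_ca_base64
  sensitive = true
}
```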