feat: add support to enable mTLS

modules/nomad-clients/ec2.tf

@@ -31,6 +31,10 @@ resource "aws_instance" "nomad_client" {
   user_data_base64 = base64encode(templatefile("${path.module}/scripts/setup_client.tftpl.sh", {
     route_53_resolver_address = var.route_53_resolver_address
     enable_docker_plugin      = var.enable_docker_plugin
+    enable_tls                = var.enable_tls
+    tls_certificates          = var.tls_certificates
+    tls_http_enable           = var.tls_http_enable
+    tls_rpc_enable            = var.tls_rpc_enable
     nomad_join_tag_key        = "nomad_ec2_join"
     nomad_join_tag_value      = var.nomad_join_tag_value
     nomad_client_cfg = templatefile("${path.module}/templates/nomad.tftpl", {

modules/nomad-clients/launch_template.tf

@@ -12,6 +12,10 @@ resource "aws_launch_template" "nomad_client" {
   user_data = base64encode(templatefile("${path.module}/scripts/setup_client.tftpl.sh", {
     route_53_resolver_address = var.route_53_resolver_address
     enable_docker_plugin      = var.enable_docker_plugin
+    enable_tls                = var.enable_tls
+    tls_certificates          = var.tls_certificates
+    tls_http_enable           = var.tls_http_enable
+    tls_rpc_enable            = var.tls_rpc_enable
     nomad_join_tag_key        = "nomad_ec2_join"
     nomad_join_tag_value      = var.nomad_join_tag_value
     nomad_client_cfg = templatefile("${path.module}/templates/nomad.tftpl", {

modules/nomad-clients/scripts/setup_client.tftpl.sh

@@ -180,6 +180,31 @@ plugin "docker" {
 EOF
 }
 
+add_tls_to_nomad() {
+  cat <<EOF >/etc/nomad.d/nomad-agent-ca.pem
+  ${base64decode(tls_certificates.ca_file)}
+EOF
+  cat <<EOF >/etc/nomad.d/global-client-nomad.pem
+  ${base64decode(tls_certificates.cert_file)}
+EOF
+  cat <<EOF >/etc/nomad.d/global-client-nomad-key.pem
+  ${base64decode(tls_certificates.key_file)}
+EOF
+  cat <<EOF >>/etc/nomad.d/tls.hcl
+tls {
+  http = ${tls_http_enable}
+  rpc  = ${tls_rpc_enable}
+
+  ca_file   = "nomad-agent-ca.pem"
+  cert_file = "global-client-nomad.pem"
+  key_file  = "global-client-nomad-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = ${tls_http_enable}
+}
+EOF
+}
+
 log "INFO" "Fetching EC2 Tags from AWS"
 store_tags
 
@@ -197,6 +222,11 @@ log "INFO" "Adding docker config to Nomad"
 add_docker_to_nomad
 %{ endif }
 
+%{ if enable_tls }
+log "INFO" "Enabling TLS for Nomad Client"
+add_tls_to_nomad
+%{ endif }
+
 log "INFO" "Starting Nomad service"
 start_nomad
 

modules/nomad-clients/variables.tf

@@ -70,6 +70,38 @@ variable "enable_docker_plugin" {
   default     = true
 }
 
+variable "enable_tls" {
+  description = "Whether to enable TLS on client nodes"
+  type        = bool
+  default     = false
+}
+
+variable "tls_certificates" {
+  description = "Base64 encoded certificate files to use for Nomad Client TLS"
+  type = object({
+    ca_file   = string
+    cert_file = string
+    key_file  = string
+  })
+  default = {
+    ca_file   = ""
+    cert_file = ""
+    key_file  = ""
+  }
+}
+
+variable "tls_http_enable" {
+  description = "Enable TLS over HTTP for Nomad Client. Setting this option requires the end-user to set NOMAD_TLS* variables while accessing the CLI"
+  type        = bool
+  default     = false
+}
+
+variable "tls_rpc_enable" {
+  description = "Enable TLS over RPC for Nomad Clients. This is required for intra-client mTLS."
+  type        = bool
+  default     = true
+}
+
 variable "iam_instance_profile" {
   description = "Name of the existing IAM Instance Profile to use"
   type        = string

modules/nomad-servers/launch_template.tf

@@ -11,6 +11,10 @@ resource "aws_launch_template" "nomad_server" {
   user_data = base64encode(templatefile("${path.module}/scripts/setup_server.tftpl.sh", {
     nomad_acl_bootstrap_token = var.nomad_acl_bootstrap_token
     nomad_acl_enable          = var.nomad_acl_enable
+    enable_tls                = var.enable_tls
+    tls_certificates          = var.tls_certificates
+    tls_http_enable           = var.tls_http_enable
+    tls_rpc_enable            = var.tls_rpc_enable
     nomad_server_cfg = templatefile("${path.module}/templates/nomad.tftpl", {
       nomad_dc                 = var.cluster_name
       aws_region               = var.aws_region

modules/nomad-servers/scripts/setup_server.tftpl.sh

@@ -116,6 +116,31 @@ wait_for_leader() {
   return 1
 }
 
+add_tls_to_nomad() {
+  cat <<EOF >/etc/nomad.d/nomad-agent-ca.pem
+  ${base64decode(tls_certificates.ca_file)}
+EOF
+  cat <<EOF >/etc/nomad.d/global-server-nomad.pem
+  ${base64decode(tls_certificates.cert_file)}
+EOF
+  cat <<EOF >/etc/nomad.d/global-server-nomad-key.pem
+  ${base64decode(tls_certificates.key_file)}
+EOF
+  cat <<EOF >>/etc/nomad.d/tls.hcl
+tls {
+  http = ${tls_http_enable}
+  rpc  = ${tls_rpc_enable}
+
+  ca_file   = "nomad-agent-ca.pem"
+  cert_file = "global-server-nomad.pem"
+  key_file  = "global-server-nomad-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = ${tls_http_enable}
+}
+EOF
+}
+
 bootstrap_acl() {
   # Get the IP address of this node.
   local ip_address
@@ -155,6 +180,11 @@ start_nomad
 log "INFO" "Waiting for Nomad to be ready"
 wait_for_leader
 
+%{ if enable_tls }
+log "INFO" "Enabling TLS for Nomad Server"
+add_tls_to_nomad
+%{ endif }
+
 %{ if nomad_acl_enable }
 log "INFO" "Bootstrapping ACL for Nomad"
 bootstrap_acl

modules/nomad-servers/variables.tf

@@ -81,6 +81,38 @@ variable "ebs_encryption" {
   default     = true
 }
 
+variable "enable_tls" {
+  description = "Whether to enable TLS on client nodes"
+  type        = bool
+  default     = false
+}
+
+variable "tls_certificates" {
+  description = "Base64 encoded certificate files to use for Nomad Server TLS"
+  type = object({
+    ca_file   = string
+    cert_file = string
+    key_file  = string
+  })
+  default = {
+    ca_file   = ""
+    cert_file = ""
+    key_file  = ""
+  }
+}
+
+variable "tls_http_enable" {
+  description = "Enable TLS over HTTP for Nomad Server. Setting this option requires the end-user to set NOMAD_TLS* variables while accessing the CLI"
+  type        = bool
+  default     = false
+}
+
+variable "tls_rpc_enable" {
+  description = "Enable TLS over RPC for Nomad CLI. This is required for intra-client mTLS."
+  type        = bool
+  default     = true
+}
+
 variable "instance_count" {
   description = "Number of Nomad server instances to run"
   type        = number