Cloud backend fails to find nomad_token about terraform-hetzner-nomad-consul-module HOT 9 CLOSED

Hi @mapolu, this is due to the token being generated and fetched once at the initial deployment and not afterwards. I'll implement a fix to still only output the token on the first run, but workaround the behaviour for recurring applies as this is rather bad if you want to use the module properly. Thanks

from terraform-hetzner-nomad-consul-module.

The problem should be solved in the new release v0.4.1

from terraform-hetzner-nomad-consul-module.

Thanks for a quick fix\response @wenzel-felix!
It indeed fixes it in a way so it doesn't error during apply. But, it's vital for my use-case to have this nomad_token during each run. As I'm consuming it at later runs.
What about fetching it on every apply? Unfortunately, my tf knowledge is not yet enough to understand why fetch_nomad_token is not running every time on the current implementation.
Is it because of the dependency fetch_nomad_token -> wait_60_seconds -> deployment, where deployment has a trigger that is not triggered, therefore whole this chain is not reprovisioned?

from terraform-hetzner-nomad-consul-module.

@mapolu fetching the token multiple times is not possible as we are using the bootstrap token here and we don't want to store the token somewhere insecure. I would suggest using a sensitive workspace variable after the first run. And use this to reference the token value in your code.

from terraform-hetzner-nomad-consul-module.

Is it somehow possible to accomplish automatically?

from terraform-hetzner-nomad-consul-module.

It is, but I would not recommend it and will not adjust the module as the workaround would either result in the integration of a third-party community provider or the token lying somewhere on the deployed VMs. In general, it makes sense to isolate platform provisioning and application deployment. Therefore this module also only focuses on provisioning the infrastructure. Once this is deployed, you should set up a separate pipeline to deploy any applications via the nomad jobs.

I hope this makes sense to you.

from terraform-hetzner-nomad-consul-module.

Thank you for your explanation. I understand that the module is designed to focus solely on infrastructure provisioning. Thank you for making it loud and clear, I will go this way. However, I am just curious to get your professional opinion on how to potentially integrate a third-party community provider or handle token deployment securely without compromising the isolation of platform provisioning and application deployment.
The means I came up with:
First, execute terraform output nomad_token after an initial run.
Then, either:
a) use terraform cloud sdk to write the nomad token as a sensitive variable to a tf cloud workspace.
b) store it somewhere safe and pass during deployment stage as a cli var.

from terraform-hetzner-nomad-consul-module.

BTW, this is what I get during initial apply, when applying in a TF cloud.
nomad_token = "Could not find nomad token file from initial bootstrap. If this is your initial apply, please create a GitHub issue."
It can be fixed by setting cloud workspace Execution Mode from Remote to Local. But then you cannot use cloud workspace variables and variable sets, which is unacceptable.

from terraform-hetzner-nomad-consul-module.

Hi @mapolu, the newest version now has a bootstrap option - allowing you to either bootstrap the servers without ACLs, which means you don't require an access token or provision them with ACLs and extract the tokens yourself.

from terraform-hetzner-nomad-consul-module.