@pulumi/nomad
A Pulumi package for creating and managing nomad cloud resources.
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
/**
* Configuration block for an ACL auth method. It groups JWT validation
* settings (`jwksUrl`, `jwtValidationPubKeys`, bound claims, leeways) and OIDC
* client settings (`oidc*`, `allowedRedirectUris`). Every member is optional at
* the type level, so the compiler does not enforce any combination; which
* members are needed for a given auth method type is not visible in this file.
*/
export interface AclAuthMethodConfig {
/**
* `([]string: <optional>)` - A list of allowed values
* that can be used for the redirect URI.
* NOTE(review): this is the redirect allow-list; keep it to exact, known
* callback URLs.
*/
allowedRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - List of auth claims that are
* valid for login.
* NOTE(review): presumably matched against the JWT `aud` claim; confirm what
* Nomad does when this list is left unset.
*/
boundAudiences?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - The value against which to match
* the iss claim in a JWT.
* NOTE(review): confirm whether an unset list disables issuer matching.
*/
boundIssuers?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Mappings of claims (key) that will be copied to a metadata field (value).
*/
claimMappings?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* `(string: <optional>)` - Duration of leeway when validating
* all claims in the form of a time duration such as "5m" or "1h".
* Leeway widens the time window in which claims are accepted, so keep it as
* small as expected clock drift allows.
*/
clockSkewLeeway?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - PEM encoded CA certs for use
* by the TLS client used to talk with the OIDC Discovery URL.
*/
discoveryCaPems?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `(string: <optional>)` - Duration of leeway when validating
* expiration of a JWT in the form of a time duration such as "5m" or "1h".
* A token is still accepted for this long after its expiration.
*/
expirationLeeway?: pulumi.Input<string>;
/**
* `(string: <optional>)` - PEM encoded CA cert for use by the
* TLS client used to talk with the JWKS server.
*/
jwksCaCert?: pulumi.Input<string>;
/**
* `(string: <optional>)` - JSON Web Key Sets url for authenticating
* signatures.
* NOTE(review): the keys served here decide which tokens verify; presumably
* this should be an https URL, with `jwksCaCert` set for a private CA - confirm.
*/
jwksUrl?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - List of PEM-encoded
* public keys to use to authenticate signatures locally.
*/
jwtValidationPubKeys?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Mappings of list claims (key) that will be copied to a metadata field (value).
*/
listClaimMappings?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* `(string: <optional>)` - Duration of leeway when validating
* not before values of a token in the form of a time duration such as "5m" or "1h".
* A token is accepted this long before its not-before time.
*/
notBeforeLeeway?: pulumi.Input<string>;
/**
* `(OIDCClientAssertion: <optional>)` - Optionally
* send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC
* provider. Browse to the [OIDC concepts][concepts-assertions] page to learn
* more.
*/
oidcClientAssertion?: pulumi.Input<inputs.AclAuthMethodConfigOidcClientAssertion>;
/**
* `(string: <optional>)` - The OAuth Client ID configured
* with the OIDC provider.
*/
oidcClientId?: pulumi.Input<string>;
/**
* `(string: <optional>)` - The OAuth Client Secret
* configured with the OIDC provider.
* This is a credential. The type is a plain `pulumi.Input<string>`, so pass
* it as a Pulumi secret (for example `pulumi.secret(...)` or a secret config
* value). NOTE(review): whether the provider marks it secret on its own is
* not visible in this file.
*/
oidcClientSecret?: pulumi.Input<string>;
/**
* `(bool: false)` - When set to `true`, Nomad will
* not make a request to the identity provider to get OIDC `UserInfo`.
* You may wish to set this if your identity provider doesn't send any
* additional claims from the `UserInfo` endpoint.
*/
oidcDisableUserinfo?: pulumi.Input<boolean>;
/**
* `(string: <optional>)` - The OIDC Discovery URL,
* without any .well-known component (base path).
*/
oidcDiscoveryUrl?: pulumi.Input<string>;
/**
* `(bool: false)` - When set to `true`, Nomad will include
* [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad,
* you may still need to enable it in your OIDC provider.
* The documented default is `false`, so PKCE is off unless set explicitly.
*/
oidcEnablePkce?: pulumi.Input<boolean>;
/**
* `([]string: <optional>)` - List of OIDC scopes.
*/
oidcScopes?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - A list of supported signing
* algorithms.
* NOTE(review): confirm which algorithms are accepted when this is unset;
* listing only the algorithms the issuer actually uses is the tighter setting.
*/
signingAlgs?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Enable OIDC verbose logging on the Nomad server.
* NOTE(review): verbose OIDC logs may contain token or claim contents -
* confirm what is logged before enabling this outside of debugging.
*/
verboseLogging?: pulumi.Input<boolean>;
}
/**
* Settings for sending a signed JWT as a client assertion to the OIDC
* provider. `keySource` is the only required member; it selects which key
* signs the assertion and therefore which of the other members apply.
*/
export interface AclAuthMethodConfigOidcClientAssertion {
/**
* `([]string: optional)` - Who processes the assertion.
* Defaults to the auth method's `oidcDiscoveryUrl`.
*/
audiences?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `(map[string]string: optional)` - Add to the JWT headers,
* alongside "kid" and "type". Setting the "kid" header here is not allowed;
* use `private_key.key_id`.
* NOTE(review): in this SDK that setting is presumably `privateKey.keyId`.
*/
extraHeaders?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* `(string: <optional>)` is the key's algorithm.
* Its default values are based on the `keySource`:
* - "nomad": "RS256"; this is from Nomad's keyring and must not be changed
* - "privateKey": "RS256"; must be RS256, RS384, or RS512
* - "clientSecret": "HS256"; must be HS256, HS384, or HS512
*/
keyAlgorithm?: pulumi.Input<string>;
/**
* `(string: <required>)` - Specifies where to get the private
* key to sign the JWT.
* Available sources:
* - "nomad": Use current active key in Nomad's keyring
* - "privateKey": Use key material in the `privateKey` field
* - "clientSecret": Use the `oidcClientSecret` as an HMAC key
* NOTE(review): the quoted source names look camel-cased by the doc
* generator; confirm the literal strings Nomad accepts before relying on them.
*/
keySource: pulumi.Input<string>;
/**
* `(OIDCClientAssertionKey: <optional>)` - External key
* to sign the JWT. `keySource` must be "privateKey" to enable this.
*/
privateKey?: pulumi.Input<inputs.AclAuthMethodConfigOidcClientAssertionPrivateKey>;
}
/**
* External key used to sign the OIDC client assertion. Per the member
* descriptions, exactly one of `keyId`, `pemCert` or `pemCertFile` identifies
* the key to the provider, and the private key itself comes from `pemKey` or
* `pemKeyFile`. All members are optional at the type level, so these
* constraints are not checked by the compiler.
*/
export interface AclAuthMethodConfigOidcClientAssertionPrivateKey {
/**
* `(string: optional)` - Becomes the JWT's "kid" header.
* Mutually exclusive with `pemCert` and `pemCertFile`.
* Allowed `keyIdHeader` values: "kid" (the default)
*/
keyId?: pulumi.Input<string>;
/**
* `(string: optional)` - Which header the provider uses
* to find the public key to verify the signed JWT.
* The default and allowed values depend on whether you set `keyId`,
* `pemCert`, or `pemCertFile`. You must set exactly one of those
* options, so refer to them for their requirements.
*/
keyIdHeader?: pulumi.Input<string>;
/**
* `(string: optional)` - An x509 certificate, signed by the
* private key or a CA, in pem format. Nomad uses this certificate to
* derive an [x5t#S256][] (or [x5t][]) key_id.
* Mutually exclusive with `pemCertFile` and `keyId`.
* Allowed `keyIdHeader` values: "x5t", "x5t#S256" (default "x5t#S256")
*/
pemCert?: pulumi.Input<string>;
/**
* `(string: optional)` - An absolute path to an x509
* certificate on Nomad servers' disk, signed by the private key or a CA,
* in pem format.
* Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][])
* header. Mutually exclusive with `pemCert` and `keyId`.
* Allowed `keyIdHeader` values: "x5t", "x5t#S256" (default "x5t#S256")
*/
pemCertFile?: pulumi.Input<string>;
/**
* `(string: <optional>)` - An RSA private key, in pem format.
* It is used to sign the JWT. Mutually exclusive with `pemKeyFile`.
* This is private key material passed inline. The type is a plain
* `pulumi.Input<string>`, so pass it as a Pulumi secret (for example
* `pulumi.secret(...)`). NOTE(review): whether the provider marks it secret
* on its own is not visible in this file.
*/
pemKey?: pulumi.Input<string>;
/**
* `(string: optional)` - An absolute path to a private key
* on Nomad servers' disk, in pem format. It is used to sign the JWT.
* Mutually exclusive with `pemKey`.
* Only the path is passed through this input, not the key material.
*/
pemKeyFile?: pulumi.Input<string>;
}
/**
* Identifies the job, and optionally the namespace, group and task, that an
* ACL policy is attached to. Only `jobId` is required.
* NOTE(review): presumably leaving `group` or `task` unset widens the policy
* to every group or task of the job - confirm against the Nomad documentation.
*/
export interface AclPolicyJobAcl {
/**
* Group
*/
group?: pulumi.Input<string>;
/**
* Job
*/
jobId: pulumi.Input<string>;
/**
* Namespace
*/
namespace?: pulumi.Input<string>;
/**
* Task
*/
task?: pulumi.Input<string>;
}
/**
* A policy entry of an ACL role, referenced by name.
*/
export interface AclRolePolicy {
/**
* `(string: <required>)` - A human-friendly name for this ACL Role.
* NOTE(review): presumably this is the name of the ACL policy linked to the
* role; the description above reads as copied from the role's own `name`.
*/
name: pulumi.Input<string>;
}
/**
* A role entry of an ACL token. `id` is required; `name` is optional.
*/
export interface AclTokenRole {
/**
* The ID of the ACL role to link.
*/
id: pulumi.Input<string>;
/**
* `(string: "")` - A human-friendly name for this token.
* NOTE(review): presumably the linked role's name rather than the token's;
* the description reads as copied from the token's own `name`.
*/
name?: pulumi.Input<string>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* members are typed as plain strings, so the listed values are not checked by
* the compiler.
*/
export interface CsiVolumeCapability {
/**
* `(string: <required>)` - Defines whether a volume should be available concurrently. Possible values are:
* - `single-node-reader-only`
* - `single-node-writer`
* - `multi-node-reader-only`
* - `multi-node-single-writer`
* - `multi-node-multi-writer`
*/
accessMode: pulumi.Input<string>;
/**
* `(string: <required>)` - The storage API that will be used by the volume. Possible values are:
* - `block-device`
* - `file-system`
*/
attachmentMode: pulumi.Input<string>;
}
/**
* Optional file system type and mount flags.
*/
export interface CsiVolumeMountOptions {
/**
* `(string: <optional>)` - The file system type.
*/
fsType?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - The flags passed to `mount`.
* NOTE(review): the flags are free-form strings; which flags are accepted is
* not visible in this file.
*/
mountFlags?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* members are typed as plain strings, so the listed values are not checked by
* the compiler.
*/
export interface CsiVolumeRegistrationCapability {
/**
* `(string: <required>)` - Defines whether a volume should be available concurrently. Possible values are:
* - `single-node-reader-only`
* - `single-node-writer`
* - `multi-node-reader-only`
* - `multi-node-single-writer`
* - `multi-node-multi-writer`
*/
accessMode: pulumi.Input<string>;
/**
* `(string: <required>)` - The storage API that will be used by the volume. Possible values are:
* - `block-device`
* - `file-system`
*/
attachmentMode: pulumi.Input<string>;
}
/**
* Optional file system type and mount flags.
*/
export interface CsiVolumeRegistrationMountOptions {
/**
* `(string: <optional>)` - The file system type.
*/
fsType?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - The flags passed to `mount`.
* NOTE(review): the flags are free-form strings; which flags are accepted is
* not visible in this file.
*/
mountFlags?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* A topology expressed as an optional string-to-string `segments` map.
*/
export interface CsiVolumeRegistrationTopology {
/**
* `(map[string]string)` - Define the attributes for the topology request.
*/
segments?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Topology request holding an optional `required` block.
*/
export interface CsiVolumeRegistrationTopologyRequest {
/**
* `(Topology: <optional>)` - Required topologies indicate that the volume must be created in a location accessible from all the listed topologies.
*/
required?: pulumi.Input<inputs.CsiVolumeRegistrationTopologyRequestRequired>;
}
/**
* The `required` block of a topology request: a required list of topologies.
*/
export interface CsiVolumeRegistrationTopologyRequestRequired {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.CsiVolumeRegistrationTopologyRequestRequiredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface CsiVolumeRegistrationTopologyRequestRequiredTopology {
/**
* Define attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* A topology expressed as an optional string-to-string `segments` map.
*/
export interface CsiVolumeTopology {
/**
* `(map[string]string)` - Define the attributes for the topology request.
*/
segments?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Topology request holding optional `preferred` and `required` blocks.
*/
export interface CsiVolumeTopologyRequest {
/**
* `(Topology: <optional>)` - Preferred topologies indicate that the volume should be created in a location accessible from some of the listed topologies.
*/
preferred?: pulumi.Input<inputs.CsiVolumeTopologyRequestPreferred>;
/**
* `(Topology: <optional>)` - Required topologies indicate that the volume must be created in a location accessible from all the listed topologies.
*/
required?: pulumi.Input<inputs.CsiVolumeTopologyRequestRequired>;
}
/**
* The `preferred` block of a topology request: a required list of topologies.
*/
export interface CsiVolumeTopologyRequestPreferred {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.CsiVolumeTopologyRequestPreferredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface CsiVolumeTopologyRequestPreferredTopology {
/**
* Define the attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* The `required` block of a topology request: a required list of topologies.
*/
export interface CsiVolumeTopologyRequestRequired {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.CsiVolumeTopologyRequestRequiredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface CsiVolumeTopologyRequestRequiredTopology {
/**
* Define the attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* accepted values are not listed in this file.
*/
export interface DynamicHostVolumeCapability {
/**
* `(string)` - How the volume can be mounted by
* allocations. Refer to the [`accessMode`][] documentation for details.
*/
accessMode: pulumi.Input<string>;
/**
* `(string)` - The storage API that will be used by the
* volume. Refer to the [`attachmentMode`][] documentation.
*/
attachmentMode: pulumi.Input<string>;
}
/**
* A constraint made of a required `attribute` and an optional `operator` and
* `value`.
* NOTE(review): the operator applied when `operator` is omitted is not
* stated in this file - confirm.
*/
export interface DynamicHostVolumeConstraint {
/**
* `(string)` - The [node attribute][] to check for the constraint.
*/
attribute: pulumi.Input<string>;
/**
* `(string)` - The operator to use in the comparison.
*/
operator?: pulumi.Input<string>;
/**
* `(string)` - The value of the attribute to compare against.
*/
value?: pulumi.Input<string>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* accepted values are not listed in this file.
*/
export interface DynamicHostVolumeRegistrationCapability {
/**
* `(string)` - How the volume can be mounted by
* allocations. Refer to the [`accessMode`][] documentation for details.
*/
accessMode: pulumi.Input<string>;
/**
* `(string)` - The storage API that will be used by the
* volume. Refer to the [`attachmentMode`][] documentation.
*/
attachmentMode: pulumi.Input<string>;
}
/**
* A volume placement constraint made of a required `attribute` and an
* optional `operator` and `value`.
* NOTE(review): the operator applied when `operator` is omitted is not
* stated in this file - confirm.
*/
export interface DynamicHostVolumeRegistrationConstraint {
/**
* An attribute to check to constrain volume placement
*/
attribute: pulumi.Input<string>;
/**
* The operator to use for comparison
*/
operator?: pulumi.Input<string>;
/**
* The requested value of the attribute
*/
value?: pulumi.Input<string>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* members are typed as plain strings, so the listed values are not checked by
* the compiler.
*/
export interface ExternalVolumeCapability {
/**
* `(string: <required>)` - Defines whether a volume should be available concurrently. Possible values are:
* - `single-node-reader-only`
* - `single-node-writer`
* - `multi-node-reader-only`
* - `multi-node-single-writer`
* - `multi-node-multi-writer`
*/
accessMode: pulumi.Input<string>;
/**
* `(string: <required>)` - The storage API that will be used by the volume. Possible values are:
* - `block-device`
* - `file-system`
*/
attachmentMode: pulumi.Input<string>;
}
/**
* Optional file system type and mount flags.
*/
export interface ExternalVolumeMountOptions {
/**
* `(string: <optional>)` - The file system type.
*/
fsType?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - The flags passed to `mount`.
* NOTE(review): the flags are free-form strings; which flags are accepted is
* not visible in this file.
*/
mountFlags?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* A topology expressed as an optional string-to-string `segments` map.
*/
export interface ExternalVolumeTopology {
/**
* `(map[string]string)` - Define the attributes for the topology request.
*/
segments?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Topology request holding optional `preferred` and `required` blocks.
*/
export interface ExternalVolumeTopologyRequest {
/**
* `(Topology: <optional>)` - Preferred topologies indicate that the volume should be created in a location accessible from some of the listed topologies.
*/
preferred?: pulumi.Input<inputs.ExternalVolumeTopologyRequestPreferred>;
/**
* `(Topology: <optional>)` - Required topologies indicate that the volume must be created in a location accessible from all the listed topologies.
*/
required?: pulumi.Input<inputs.ExternalVolumeTopologyRequestRequired>;
}
/**
* The `preferred` block of a topology request: a required list of topologies.
*/
export interface ExternalVolumeTopologyRequestPreferred {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.ExternalVolumeTopologyRequestPreferredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface ExternalVolumeTopologyRequestPreferredTopology {
/**
* Define the attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* The `required` block of a topology request: a required list of topologies.
*/
export interface ExternalVolumeTopologyRequestRequired {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.ExternalVolumeTopologyRequestRequiredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface ExternalVolumeTopologyRequestRequiredTopology {
/**
* Define the attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* HCL2 options for a job: a switch for HCL2 filesystem functions and a map of
* template variables. Both members are optional.
*/
export interface JobHcl2 {
/**
* `(boolean: false)` - Set this to `true` to be able to use
* HCL2 filesystem functions
* NOTE(review): with this enabled, the jobspec can presumably read files on
* the machine that parses it; enable it only for jobspecs you trust - confirm
* where parsing happens.
*/
allowFs?: pulumi.Input<boolean>;
/**
* Additional variables to use when templating the job with HCL2
* NOTE(review): values are plain strings; if a variable carries a credential,
* pass it as a Pulumi secret.
*/
vars?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* A task group of a job: a count, a metadata map, a name, and lists of tasks
* and volumes. All members are optional and carry no upstream description.
*/
export interface JobTaskGroup {
// Numeric count. NOTE(review): presumably the number of instances of the group - confirm.
count?: pulumi.Input<number>;
// String-to-string metadata map.
meta?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
// Name of the task group.
name?: pulumi.Input<string>;
// List of `JobTaskGroupTask` entries.
tasks?: pulumi.Input<pulumi.Input<inputs.JobTaskGroupTask>[]>;
// List of `JobTaskGroupVolume` entries.
volumes?: pulumi.Input<pulumi.Input<inputs.JobTaskGroupVolume>[]>;
}
/**
* A task inside a task group: driver, metadata map, name and volume mounts.
* All members are optional and carry no upstream description.
*/
export interface JobTaskGroupTask {
// Task driver name. NOTE(review): the accepted driver names are not visible in this file.
driver?: pulumi.Input<string>;
// String-to-string metadata map.
meta?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
// Name of the task.
name?: pulumi.Input<string>;
// List of `JobTaskGroupTaskVolumeMount` entries.
volumeMounts?: pulumi.Input<pulumi.Input<inputs.JobTaskGroupTaskVolumeMount>[]>;
}
/**
* A volume mount of a task: destination, read-only flag and volume. All
* members are optional and carry no upstream description.
* NOTE(review): presumably `volume` names a volume of the enclosing task
* group and `destination` is the mount path inside the task - confirm.
*/
export interface JobTaskGroupTaskVolumeMount {
destination?: pulumi.Input<string>;
// NOTE(review): the value used when this is unset is not visible in this file.
readOnly?: pulumi.Input<boolean>;
volume?: pulumi.Input<string>;
}
/**
* A volume of a task group: name, read-only flag, source and type. All
* members are optional and carry no upstream description.
*/
export interface JobTaskGroupVolume {
name?: pulumi.Input<string>;
// NOTE(review): the value used when this is unset is not visible in this file.
readOnly?: pulumi.Input<boolean>;
source?: pulumi.Input<string>;
// NOTE(review): the accepted volume types are not visible in this file.
type?: pulumi.Input<string>;
}
/**
* Per-namespace lists of enabled and disabled network modes and task drivers.
* These lists bound what jobs in the namespace may use, so they are an
* isolation control. All members are optional.
* NOTE(review): how an enabled list and a disabled list interact when both
* are set, and what applies when all are unset, is not stated in this file.
*/
export interface NamespaceCapabilities {
/**
* `([]string: <optional>)` - Network modes disabled for the namespace.
*/
disabledNetworkModes?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - Task drivers disabled for the namespace.
*/
disabledTaskDrivers?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - Network modes enabled for the namespace.
*/
enabledNetworkModes?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `([]string: <optional>)` - Task drivers enabled for the namespace.
*/
enabledTaskDrivers?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* Node pool settings of a namespace: an allow list, a deny list and a default
* pool. All members are optional.
* NOTE(review): whether `alloweds` and `denieds` may be set together is not
* stated in this file - confirm.
*/
export interface NamespaceNodePoolConfig {
/**
* `([]string: <optional>)` - The list of node pools that are allowed to be used in this namespace.
*/
alloweds?: pulumi.Input<pulumi.Input<string>[]>;
/**
* `(string: <optional>)` - The default node pool for jobs that don't define one.
*/
default?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - The list of node pools that are not allowed to be used in this namespace.
*/
denieds?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* Scheduler settings of a node pool. Both members are optional strings; when
* one is not defined, the global cluster configuration is used.
*/
export interface NodePoolSchedulerConfig {
/**
* `(string)` - Whether or not memory
* oversubscription is enabled in the node pool. Possible values are
* `"enabled"` or `"disabled"`. If not defined the global cluster
* configuration is used.
*
* > This option differs from Nomad, where it's represented as a boolean, to
* allow distinguishing between memory oversubscription being disabled in the
* node pool and this property not being set.
*/
memoryOversubscription?: pulumi.Input<string>;
/**
* `(string)` - The scheduler algorithm used in the node
* pool. Possible values are `binpack` or `spread`. If not defined the global
* cluster configuration is used.
*/
schedulerAlgorithm?: pulumi.Input<string>;
}
/**
* Provider login settings for JWT authentication: the auth method name and
* the token to exchange. Both members are required.
*/
export interface ProviderAuthJwt {
/**
* The name of the auth method to use for login.
*/
authMethod: pulumi.Input<string>;
/**
* The externally issued authentication token to be exchanged for a Nomad ACL Token.
* This is a bearer credential. The type is a plain `pulumi.Input<string>`,
* so supply it as a Pulumi secret (for example a secret config value) rather
* than a literal in the program.
*/
loginToken: pulumi.Input<string>;
}
/**
* A header given to the provider as a name and value pair; both are required.
* NOTE(review): presumably sent with the provider's requests to Nomad - confirm.
*/
export interface ProviderHeader {
/**
* The header name
*/
name: pulumi.Input<string>;
/**
* The header value
* NOTE(review): if the header carries a credential, pass this as a Pulumi
* secret; the type does not mark it secret.
*/
value: pulumi.Input<string>;
}
/**
* One `limits` entry: the region it applies to and the limits enforced there.
* Both members are required.
*/
export interface QuoteSpecificationLimit {
/**
* `(string: <required>)` - The region these limits should apply to.
*/
region: pulumi.Input<string>;
/**
* `(block: <required>)` - The limits to enforce. This block
* may only be specified once in the `limits` block. Its structure is
* documented on `QuoteSpecificationLimitRegionLimit`.
*/
regionLimit: pulumi.Input<inputs.QuoteSpecificationLimitRegionLimit>;
}
/**
* CPU and memory limits for a region. Both members are optional, and the
* documented default of 0 is treated as unlimited, so a member left unset
* enforces no limit for that resource.
*/
export interface QuoteSpecificationLimitRegionLimit {
/**
* `(int: 0)` - The amount of CPU to limit allocations to. A value of zero
* is treated as unlimited, and a negative value is treated as fully disallowed.
*/
cpu?: pulumi.Input<number>;
/**
* `(int: 0)` - The amount of memory (in megabytes) to limit
* allocations to. A value of zero is treated as unlimited, and a negative value
* is treated as fully disallowed.
*/
memoryMb?: pulumi.Input<number>;
}
/**
* Access mode and attachment mode pair; both members are required. The
* members are typed as plain strings, so the listed values are not checked by
* the compiler.
*/
export interface VolumeCapability {
/**
* `(string: <required>)` - Defines whether a volume should be available concurrently. Possible values are:
* - `single-node-reader-only`
* - `single-node-writer`
* - `multi-node-reader-only`
* - `multi-node-single-writer`
* - `multi-node-multi-writer`
*/
accessMode: pulumi.Input<string>;
/**
* `(string: <required>)` - The storage API that will be used by the volume. Possible values are:
* - `block-device`
* - `file-system`
*/
attachmentMode: pulumi.Input<string>;
}
/**
* Optional file system type and mount flags.
*/
export interface VolumeMountOptions {
/**
* `(string: <optional>)` - The file system type.
*/
fsType?: pulumi.Input<string>;
/**
* `([]string: <optional>)` - The flags passed to `mount`.
* NOTE(review): the flags are free-form strings; which flags are accepted is
* not visible in this file.
*/
mountFlags?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
* A topology expressed as an optional string-to-string `segments` map.
*/
export interface VolumeTopology {
/**
* `(map[string]string)` - Define the attributes for the topology request.
*/
segments?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Topology request holding an optional `required` block.
*/
export interface VolumeTopologyRequest {
/**
* `(Topology: <optional>)` - Required topologies indicate that the volume must be created in a location accessible from all the listed topologies.
*/
required?: pulumi.Input<inputs.VolumeTopologyRequestRequired>;
}
/**
* The `required` block of a topology request: a required list of topologies.
*/
export interface VolumeTopologyRequestRequired {
/**
* Defines the location for the volume.
*/
topologies: pulumi.Input<pulumi.Input<inputs.VolumeTopologyRequestRequiredTopology>[]>;
}
/**
* One entry of a `topologies` list: a required string-to-string `segments` map.
*/
export interface VolumeTopologyRequestRequiredTopology {
/**
* Define attributes for the topology request.
*/
segments: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
}
/**
* Declared `config` namespace; it has no members in this declaration file.
*/
export declare namespace config {
}