Niko

Reputation: 810

HashiCorp's Nomad template explanation

With HashiCorp Nomad, one can define a template through which a file can be created on a Docker container's storage, provided that `driver="docker"`. The template looks like the following:

```hcl
template {
  data = <<EOF
{{ source from parameter store }}
EOF
  destination = "secrets/certificate.pem"
}
```

How Nomad is able to do such a thing confuses me. I want to achieve the same thing using Terraform while creating an ECS container definition, and the only option I have is to create an EFS manually, where I should manually load the secrets from the parameter store, and then bind that volume via container definitions.

How does Nomad achieve that?

Upvotes: 0

Views: 2231

Answers (2)

luckymike

Reputation: 126

The Nomad template block actually works somewhat similarly to the EFS solution you described.

Here's how Nomad does it:

  1. When Nomad schedules an allocation, it creates several directories on the host.
  2. The Nomad agent on the host runs consul-template to render any templates within the task directories on the host.
  3. When Nomad starts a Docker container, it mounts the task directories inside the container, e.g. /data/nomad/alloc/<alloc-uuid>/alloc would be at /alloc in the container.

If you manage the Docker images you use with ECS, you could achieve similar behavior by setting the container entrypoint to use consul-template's exec flag to wrap the container process. This would require consul-template to be installed at a known path in your container.

Upvotes: 1

KamilCuk

Reputation: 141698

How does Nomad achieve that?

  • The template content `{{ source from parameter store }}` is sent from the Nomad server to the Nomad client after choosing it for scheduling.
  • Then the Nomad client process:
    • creates the task directories (local, secrets, etc.),
    • runs a go-template engine that generates the file content from the template,
    • writes the file content to the proper location at secrets/certificate.pem,
    • and then executes an allocation with the proper environment.

Upvotes: 0
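
The render-then-mount sequence both answers describe, as an added Go sketch (not Nomad's or consul-template's code, and not part of either answer): a template is rendered on the host into the task's `secrets/` directory with owner-only permissions, and a destination that leaves the task directory is refused. `renderInto`, `store` and the `cert` key are hypothetical names; the in-memory map stands in for the parameter store, and the path check is lexical only (symlinks are not resolved).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// Constructed stand-in for the parameter store (hypothetical key and value).
var store = map[string]string{"cert": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}

// renderInto renders tmpl and writes the result to dest inside taskDir.
func renderInto(taskDir, dest, tmpl string) (string, error) {
	target := filepath.Join(taskDir, dest)
	// Refuse destinations such as "../x" that resolve outside the task directory.
	rel, err := filepath.Rel(taskDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("destination %q escapes the task directory", dest)
	}
	t, err := template.New("t").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return "", err
	}
	// Temp file in the same directory makes the rename atomic; CreateTemp uses mode 0600.
	f, err := os.CreateTemp(filepath.Dir(target), ".render-*")
	if err != nil {
		return "", err
	}
	defer os.Remove(f.Name()) // cleans up on failure; no-op after a successful rename
	if err := t.Execute(f, store); err != nil {
		f.Close()
		return "", err
	}
	if err := f.Close(); err != nil {
		return "", err
	}
	return target, os.Rename(f.Name(), target)
}

func main() {
	dir, _ := os.MkdirTemp("", "alloc-") // constructed task directory for the demo
	defer os.RemoveAll(dir)
	fmt.Println(renderInto(dir, "secrets/certificate.pem", "{{ .cert }}"))
}
```

The directory returned by `renderInto` is what would then be bind-mounted into the container, so the secret is never baked into the image.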
