HashiCorp Developer AI Private beta now available Sign up today
Nomad
Nomad Home

AWS AutoScaling Group Target

The aws-asg target plugin allows for the scaling of the Nomad cluster clients via manipulating AWS AutoScaling Groups.

Agent Configuration Options

To use the aws-asg target plugin, the agent configuration needs to be populated with the appropriate target block. Authentication to the AWS API can be supplied in a number of ways including EC2 instance roles.

It is recommended, if possible to use the Vault AWS Secrets engine for supplying access credentials to the plugin.

Credentials should be injected into the configuration via a template rather than as environment variables. This ensures the credentials are passed only to the plugin, rather than being available for all plugins and the agent process.

The IAM policy required for the AWS ASG plugin to function properly is detailed below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "*"
    }
  ]
}

target "aws-asg" {
  driver = "aws-asg"
  config = {
    aws_region            = "eu-west-3"
    aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"
    aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}

  • aws_region (string: "us-east-1") - The AWS region identifier to connect to and where resources should be managed.

  • aws_access_key_id (string: "") - The AWS access key ID used to authenticate with the AWS API. If empty, the IAM role attached to the EC2 instance will be used.

  • aws_secret_access_key (string: "") - The AWS secret key ID used to authenticate with the AWS API. If empty, the IAM role attached to the EC2 instance will be used.

  • aws_session_token (string: "") - The AWS session token used to authenticate with the AWS API.

  • aws_credential_provider (string: "") - The source of AWS credentials when aws_access_key_id and aws_secret_access_key are not defined. If empty, the [standard credential chain][aws_sdk_creds] will be followed. If set to "ec2_role" credentials will be retrieved from the EC2 instance role.

Nomad ACL

When using a Nomad cluster with ACLs enabled, the plugin will require an ACL token which provides the following permissions:

node {
  policy = "write"
}

Policy Configuration Options

check "hashistack-allocated-cpu" {
  # ...
  target "aws-asg" {
    aws_asg_name        = "hashistack-client-asg"
    node_class          = "hashistack"
    node_drain_deadline = "5m"
    node_purge          = "true"
  }
  # ...
}

  • aws_asg_name (string: <required>) - The name of the AWS AutoScaling Group to interact with when performing scaling actions.

  • datacenter (string: "") - The Nomad client datacenter identifier used to group nodes into a pool of resource.

  • node_class (string: "") - The Nomad client node class identifier used to group nodes into a pool of resource.

  • node_drain_deadline (duration: "15m") The Nomad drain deadline to use when performing node draining actions. Note that the default value for this setting differs from Nomad's default of 1h.

  • node_drain_ignore_system_jobs (bool: "false") A boolean flag used to control if system jobs should be stopped when performing node draining actions.

  • node_purge (bool: "false") A boolean flag to determine whether Nomad clients should be purged when performing scale in actions.

  • node_selector_strategy (string: "least_busy") The strategy to use when selecting nodes for termination. Refer to the node selector strategy documentation for more information.