--- layout: docs page_title: template Stanza - Job Specification description: |- The "template" block instantiates an instance of a template renderer. This creates a convenient way to ship configuration files that are populated from environment variables, Consul data, Vault secrets, or just general configurations within a Nomad task. --- # `template` Stanza The `template` block instantiates an instance of a template renderer. This creates a convenient way to ship configuration files that are populated from environment variables, Consul data, Vault secrets, or just general configurations within a Nomad task. ```hcl job "docs" { group "example" { task "server" { template { source = "local/redis.conf.tpl" destination = "local/redis.conf" change_mode = "signal" change_signal = "SIGINT" } } } } ``` Nomad utilizes [Go template][gt] and a tool called [Consul Template][ct], which adds a set of new functions that can be used to retrieve data from Consul and Vault. Since Nomad v0.5.3, the template can reference [Nomad's runtime environment variables][env], and since Nomad v0.5.6, the template can reference [Node attributes and metadata][nodevars]. Since Nomad v0.6.0, templates can be read as environment variables. For a full list of the API template functions, please refer to the [Consul Template documentation][ct_api]. For a an introduction to Go templates, please refer to the [Learn Go Template Syntax][gt_learn] guide. ## `template` Parameters - `change_mode` `(string: "restart")` - Specifies the behavior Nomad should take if the rendered template changes. Nomad will always write the new contents of the template to the specified destination. The possible values below describe Nomad's action after writing the template to disk. - `"noop"` - take no action (continue running the task) - `"restart"` - restart the task - `"signal"` - send a configurable signal to the task - `"script"` - run a script - `change_signal` `(string: "")` - Specifies the signal to send to the task as a string like `"SIGUSR1"` or `"SIGINT"`. This option is required if the `change_mode` is `signal`. - `change_script` ([ChangeScript][]: nil) - Configures the script triggered on template change. This option is required if the `change_mode` is `script`. - `data` `(string: "")` - Specifies the raw template to execute. One of `source` or `data` must be specified, but not both. This is useful for smaller templates, but we recommend using `source` for larger templates. - `destination` `(string: )` - Specifies the location where the resulting template should be rendered, relative to the [task working directory]. Only drivers without filesystem isolation (ex. `raw_exec`) or that build a chroot in the task working directory (ex. `exec`) can render templates outside of the `NOMAD_ALLOC_DIR`, `NOMAD_TASK_DIR`, or `NOMAD_SECRETS_DIR`. For more details on how `destination` interacts with task drivers, see the [Filesystem internals] documentation. - `env` `(bool: false)` - Specifies the template should be read back in as environment variables for the task ([see below](#environment-variables)). To update the environment on changes, you must set `change_mode` to `restart`. Setting `env` when the `change_mode` is `signal` will return a validation error. Setting `env` when the `change_mode` is `noop` is permitted but will not update the environment variables in the task. - `left_delimiter` `(string: "{{")` - Specifies the left delimiter to use in the template. The default is "{{" for some templates, it may be easier to use a different delimiter that does not conflict with the output file itself. - `perms` `(string: "644")` - Specifies the rendered template's permissions. File permissions are given as octal of the Unix file permissions `rwxrwxrwx`. - `uid` `(int: nil)` - Specifies the rendered template owner's user ID. If negative or not specified (`nil`) the ID of the Nomad agent user wil be used. ~> **Caveat:** Works only on Unix-based systems. Be careful when using containerized drivers, such as `docker` or `podman`, as groups and users inside the container may have different IDs than on the host system. This feature will also **not** work with Docker Desktop. - `gid` `(int: nil)` - Specifies the rendered template owner's group ID. If negative or not specified (`nil`) the ID of the Nomad agent group will be used. ~> **Caveat:** Works only on Unix-based systems. Be careful when using containerized drivers, such as `docker` or `podman`, as groups and users inside the container may have different IDs than on the host system. This feature will also **not** work with Docker Desktop. - `right_delimiter` `(string: "}}")` - Specifies the right delimiter to use in the template. The default is "}}" for some templates, it may be easier to use a different delimiter that does not conflict with the output file itself. - `source` `(string: "")` - Specifies the path to the template to be rendered. One of `source` or `data` must be specified, but not both. This source can optionally be fetched using an [`artifact`][artifact] resource. This template must exist on the machine prior to starting the task; it is not possible to reference a template inside a Docker container, for example. - `splay` `(string: "5s")` - Specifies a random amount of time to wait between 0 ms and the given splay value before invoking the change mode. This is specified using a label suffix like "30s" or "1h", and is often used to prevent a thundering herd problem where all task instances restart at the same time. - `wait` `(Code: nil)` - Defines the minimum and maximum amount of time to wait for the Consul cluster to reach a consistent state before rendering a template. This is useful to enable in systems where network connectivity to Consul is degraded, because it will reduce the number of times a template is rendered. This setting can be overridden by the [`client.template.wait_bounds`]. If the template configuration has a `min` lower than `client.template.wait_bounds.min` or a `max` greater than `client.template.wait_bounds.max`, the client's bounds will be enforced, and the template `wait` will be adjusted before being sent to `consul-template`. ```hcl wait { min = "5s" max = "10s" } ``` - `vault_grace` `(string: "15s")` - [Deprecated](https://github.com/hashicorp/consul-template/issues/1268) ## `template` Examples The following examples only show the `template` stanzas. Remember that the `template` stanza is only valid in the placements listed above. ### Inline Template This example uses an inline template to render a file to disk. This file watches various keys in Consul for changes: ```hcl template { data = "---\nkey: {{ key \"service/my-key\" }}" destination = "local/file.yml" } ``` It is also possible to use heredocs for multi-line templates, like: ```hcl template { data = < Nomad Services are new in Nomad 1.3. Nomad service registrations can be queried using the `nomadService` and `nomadServices` functions. The requests are tied to the same namespace as the job which contains the template stanza. ```hcl template { data = < Simple load balancing with Nomad Services is new in Nomad 1.3.2. The `nomadService` function now supports simple load balancing by selecting instances of a service via [rendezvous hashing][rhash]. To enable simple load balancing, the `nomadService` function requires 3 arguments. - The number of services to select - The hashing key (should be unique, but consistent per requester) - The service name By using `NOMAD_ALLOC_ID` as the hashing key, the selected instances will remain mostly stable for the allocation. Each time the template is run, `nomadService` will return the same set of instances for each allocation - unless N instances of the service are added or removed, in which case there is a 1/N chance of a selected instance being replaced. This helps maintain a more consistent output when rendering configuration files, triggering fewer restarts and signaling of Nomad tasks. ```hcl template { data = < **Note**: `generate_lease` must be set to `true` (non-default) on the Vault PKI role.

Failure to do so will cause the template to frequently render a new certificate, approximately every minute. This creates a significant number of certificates to be expired in Vault and could ultimately lead to Vault performance impacts and failures. #### As individual files For templates, all dependencies are mapped into a single list. This means that multiple templates watching the same path return the same data. ```hcl template { data = <