Contributor

@Mongey Mongey commented Sep 15, 2025

This adds the nomad_acl_bootstrap resource.

🤔 I need to figure out what I can do to get testing working in CI

@tgross tgross linked an issue Sep 15, 2025 that may be closed by this pull request
@tgross tgross moved this from Needs Triage to Triaging in Nomad - Community Issues Triage Sep 15, 2025
@tgross tgross self-requested a review September 15, 2025 15:11
Member

@tgross tgross left a comment


Hi @Mongey, and thanks for this PR!

I've pulled this branch locally to try it out, and it doesn't work with either a user-generated bootstrap token or a server-generated token.

Terraform configuration:
provider "nomad" {
  address = "http://localhost:4646" #https://nomad3.local:4646"
  region  = "global"
}

# randomly generated bootstrap token
resource "nomad_acl_bootstrap" "root" {
  bootstrap_token = "876037d3-5c33-4241-aad4-48a43705232c"
}

output "message" {
  sensitive = true
  value = <<EOM

  accessor: ${resource.nomad_acl_bootstrap.root.accessor_id}
  secret: ${resource.nomad_acl_bootstrap.root.bootstrap_token}

EOM

}

In this case, I get errors like:

$ terraform apply -auto-approve
...
Terraform will perform the following actions:

  # nomad_acl_bootstrap.root will be created
  + resource "nomad_acl_bootstrap" "root" {
      + accessor_id     = (known after apply)
      + bootstrap_token = (sensitive value)
      + id              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + message = (sensitive value)
nomad_acl_bootstrap.root: Creating...
╷
│ Error: error reading ACL token "92094971-0bd4-842d-010b-0cbd42201493": Unexpected response code: 403 (Permission denied)
│
│   with nomad_acl_bootstrap.root,
│   on main.tf line 7, in resource "nomad_acl_bootstrap" "root":
│    7: resource "nomad_acl_bootstrap" "root" {
│

If I take a look at the server logs, I see:

    2025-09-15T11:15:19.332-0400 [DEBUG] http: request complete: method=PUT path=/v1/acl/bootstrap?region=global duration="449.429µs"
    2025-09-15T11:15:19.333-0400 [DEBUG] http: request failed: method=GET path=/v1/acl/token/92094971-0bd4-842d-010b-0cbd42201493?region=global error="Permission denied" code=403
    2025-09-15T11:15:19.333-0400 [DEBUG] http: request complete: method=GET path=/v1/acl/token/92094971-0bd4-842d-010b-0cbd42201493?region=global duration="162.541µs"

I think the issue you've got here is that the subsequent request to read the token back is not being configured with the token you just created. But I'd also question whether we need to read the token back, as I'd expect any of the data we're going to persist to Terraform state already exists in the initial response.

I've left a handful of other minor comments. As far as CI goes, I see one of two options:

  1. Have the scripts/start-nomad.sh use Terraform to bootstrap the cluster, making the unit test moot. (I think this would be preferable.)
  2. Have a whole second test setup that doesn't bootstrap first.
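The bootstrap-then-read flow the review describes, as an added Go example (not the PR's code and not the provider's): a stand-in server built with httptest plays Nomad, the PUT /v1/acl/bootstrap and GET /v1/acl/token/<id> paths are the ones in the server log above, and the accessor id, the token struct and the X-Nomad-Token check are constructed for this example. It shows the 403 on an unauthenticated read-back, the same read succeeding once the new SecretID is sent, and that the bootstrap response already carries both values the resource stores.

```go
package main

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)
type aclToken struct{ AccessorID, SecretID string } // fields returned by PUT /v1/acl/bootstrap

// fakeNomad is a stand-in server (constructed for this example) that bootstraps once and
// then serves GET /v1/acl/token/<id> only when X-Nomad-Token carries the new SecretID.
func fakeNomad() *httptest.Server {
	var tok *aclToken
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodPut && r.URL.Path == "/v1/acl/bootstrap" && tok == nil:
			var req struct{ BootstrapSecret string }
			_ = json.NewDecoder(r.Body).Decode(&req)
			tok = &aclToken{AccessorID: "00000000-aaaa-bbbb-cccc-000000000000", SecretID: req.BootstrapSecret}
			_ = json.NewEncoder(w).Encode(tok)
		case r.Method == http.MethodGet && tok != nil && r.URL.Path == "/v1/acl/token/"+tok.AccessorID &&
			r.Header.Get("X-Nomad-Token") == tok.SecretID:
			_ = json.NewEncoder(w).Encode(tok)
		default: // a read without the new token is unauthenticated: the 403 seen in the review
			http.Error(w, "Permission denied", http.StatusForbidden)
		}
	}))
}

// bootstrap issues PUT /v1/acl/bootstrap with a user-supplied secret. AccessorID and
// SecretID, everything the resource persists to state, are already in this response.
func bootstrap(addr, secret string) (*aclToken, error) {
	body, _ := json.Marshal(map[string]string{"BootstrapSecret": secret})
	req, _ := http.NewRequest(http.MethodPut, addr+"/v1/acl/bootstrap", bytes.NewReader(body))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	tok := &aclToken{}
	return tok, json.NewDecoder(resp.Body).Decode(tok)
}

// readToken is the read-back GET /v1/acl/token/<accessor>; an empty authToken reproduces the review's request.
func readToken(addr, accessor, authToken string) (*http.Response, error) {
	req, _ := http.NewRequest(http.MethodGet, addr+"/v1/acl/token/"+accessor, nil)
	req.Header.Set("X-Nomad-Token", authToken)
	return http.DefaultClient.Do(req)
}
```

The caller is responsible for closing the response body returned by readToken; the status code alone tells you whether the read-back was authenticated.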

Comment on lines +91 to +92
// As of Nomad 0.4.1, the API client returns an error for 404
// rather than a nil result, so we must check this way.
Member

We can probably leave this comment out, or at least remove the "as of Nomad 0.4.1" bit (I realize this is probably just copy-pasted from the other ACL resources but no need to keep adding it).

token := api.BootstrapRequest{
	BootstrapSecret: d.Get("bootstrap_token").(string),
}
// create our token
Member

We can leave comments like this out, especially given the log following right behind it.

Suggested change
// create our token

token, _, err := client.ACLTokens().Info(accessor, nil)
if err != nil {
	// we have Exists, so no need to handle 404
	return fmt.Errorf("error reading ACL token %q: %s", accessor, err.Error())
Member

Suggested change
return fmt.Errorf("error reading ACL token %q: %s", accessor, err.Error())
return fmt.Errorf("error reading ACL token %q: %w", accessor, err)

return false, nil
}

return true, fmt.Errorf("error checking for ACL token %q: %#v", accessor, err)
Member

Suggested change
return true, fmt.Errorf("error checking for ACL token %q: %#v", accessor, err)
return true, fmt.Errorf("error checking for ACL token %q: %w", accessor, err)

}
}

func resourceACLBootstrapCreate(d *schema.ResourceData, meta interface{}) error {
Member

We only support recent versions of Go, so any place we have interface{} we can use any now:

Suggested change
func resourceACLBootstrapCreate(d *schema.ResourceData, meta interface{}) error {
func resourceACLBootstrapCreate(d *schema.ResourceData, meta any) error {

Co-authored-by: Tim Gross <[email protected]>
@tgross tgross self-assigned this Sep 15, 2025
@tgross tgross moved this from Triaging to In Progress in Nomad - Community Issues Triage Sep 15, 2025
Successfully merging this pull request may close these issues.

Feature Request: Add a resource for bootstrapping Nomad ACL