agent/config, config/* mapstructure tags -> hcl tags

2026-01-05 01:45:44 +03:00 · 2019-04-04 14:16:08 -04:00
parent bac0d5f0ed
commit ae7a8da18c
6 changed files with 224 additions and 180 deletions
--- a/command/agent/config.go
+++ b/command/agent/config.go
@@ -26,344 +26,362 @@ import (
 // Config is the configuration for the Nomad agent.
 type Config struct {
 	// Region is the region this agent is in. Defaults to global.
-	Region string `mapstructure:"region"`
+	Region string `hcl:"region"`

 	// Datacenter is the datacenter this agent is in. Defaults to dc1
-	Datacenter string `mapstructure:"datacenter"`
+	Datacenter string `hcl:"datacenter"`

 	// NodeName is the name we register as. Defaults to hostname.
-	NodeName string `mapstructure:"name"`
+	NodeName string `hcl:"name"`

 	// DataDir is the directory to store our state in
-	DataDir string `mapstructure:"data_dir"`
+	DataDir string `hcl:"data_dir"`

 	// PluginDir is the directory to lookup plugins.
-	PluginDir string `mapstructure:"plugin_dir"`
+	PluginDir string `hcl:"plugin_dir"`

 	// LogLevel is the level of the logs to put out
-	LogLevel string `mapstructure:"log_level"`
+	LogLevel string `hcl:"log_level"`

 	// LogJson enables log output in a JSON format
-	LogJson bool `mapstructure:"log_json"`
+	LogJson bool `hcl:"log_json"`

 	// BindAddr is the address on which all of nomad's services will
 	// be bound. If not specified, this defaults to 127.0.0.1.
-	BindAddr string `mapstructure:"bind_addr"`
+	BindAddr string `hcl:"bind_addr"`

 	// EnableDebug is used to enable debugging HTTP endpoints
-	EnableDebug bool `mapstructure:"enable_debug"`
+	EnableDebug bool `hcl:"enable_debug"`

 	// Ports is used to control the network ports we bind to.
-	Ports *Ports `mapstructure:"ports"`
+	Ports *Ports `hcl:"ports"`

 	// Addresses is used to override the network addresses we bind to.
 	//
 	// Use normalizedAddrs if you need the host+port to bind to.
-	Addresses *Addresses `mapstructure:"addresses"`
+	Addresses *Addresses `hcl:"addresses"`

 	// normalizedAddr is set to the Address+Port by normalizeAddrs()
 	normalizedAddrs *Addresses

 	// AdvertiseAddrs is used to control the addresses we advertise.
-	AdvertiseAddrs *AdvertiseAddrs `mapstructure:"advertise"`
+	AdvertiseAddrs *AdvertiseAddrs `hcl:"advertise"`

 	// Client has our client related settings
-	Client *ClientConfig `mapstructure:"client"`
+	Client *ClientConfig `hcl:"client"`

 	// Server has our server related settings
-	Server *ServerConfig `mapstructure:"server"`
+	Server *ServerConfig `hcl:"server"`

 	// ACL has our acl related settings
-	ACL *ACLConfig `mapstructure:"acl"`
+	ACL *ACLConfig `hcl:"acl"`

 	// Telemetry is used to configure sending telemetry
-	Telemetry *Telemetry `mapstructure:"telemetry"`
+	Telemetry *Telemetry `hcl:"telemetry"`

 	// LeaveOnInt is used to gracefully leave on the interrupt signal
-	LeaveOnInt bool `mapstructure:"leave_on_interrupt"`
+	LeaveOnInt bool `hcl:"leave_on_interrupt"`

 	// LeaveOnTerm is used to gracefully leave on the terminate signal
-	LeaveOnTerm bool `mapstructure:"leave_on_terminate"`
+	LeaveOnTerm bool `hcl:"leave_on_terminate"`

 	// EnableSyslog is used to enable sending logs to syslog
-	EnableSyslog bool `mapstructure:"enable_syslog"`
+	EnableSyslog bool `hcl:"enable_syslog"`

 	// SyslogFacility is used to control the syslog facility used.
-	SyslogFacility string `mapstructure:"syslog_facility"`
+	SyslogFacility string `hcl:"syslog_facility"`

 	// DisableUpdateCheck is used to disable the periodic update
 	// and security bulletin checking.
-	DisableUpdateCheck *bool `mapstructure:"disable_update_check"`
+	DisableUpdateCheck *bool `hcl:"disable_update_check"`

 	// DisableAnonymousSignature is used to disable setting the
 	// anonymous signature when doing the update check and looking
 	// for security bulletins
-	DisableAnonymousSignature bool `mapstructure:"disable_anonymous_signature"`
+	DisableAnonymousSignature bool `hcl:"disable_anonymous_signature"`

 	// Consul contains the configuration for the Consul Agent and
 	// parameters necessary to register services, their checks, and
 	// discover the current Nomad servers.
-	Consul *config.ConsulConfig `mapstructure:"consul"`
+	Consul *config.ConsulConfig `hcl:"consul"`

 	// Vault contains the configuration for the Vault Agent and
 	// parameters necessary to derive tokens.
-	Vault *config.VaultConfig `mapstructure:"vault"`
+	Vault *config.VaultConfig `hcl:"vault"`

 	// NomadConfig is used to override the default config.
 	// This is largely used for testing purposes.
-	NomadConfig *nomad.Config `mapstructure:"-" json:"-"`
+	NomadConfig *nomad.Config `hcl:"-" json:"-"`

 	// ClientConfig is used to override the default config.
 	// This is largely used for testing purposes.
-	ClientConfig *client.Config `mapstructure:"-" json:"-"`
+	ClientConfig *client.Config `hcl:"-" json:"-"`

 	// DevMode is set by the -dev CLI flag.
-	DevMode bool `mapstructure:"-"`
+	DevMode bool `hcl:"-"`

 	// Version information is set at compilation time
 	Version *version.VersionInfo

 	// List of config files that have been loaded (in order)
-	Files []string `mapstructure:"-"`
+	Files []string `hcl:"-"`

 	// TLSConfig provides TLS related configuration for the Nomad server and
 	// client
-	TLSConfig *config.TLSConfig `mapstructure:"tls"`
+	TLSConfig *config.TLSConfig `hcl:"tls"`

 	// HTTPAPIResponseHeaders allows users to configure the Nomad http agent to
 	// set arbitrary headers on API responses
-	HTTPAPIResponseHeaders map[string]string `mapstructure:"http_api_response_headers"`
+	HTTPAPIResponseHeaders map[string]string `hcl:"http_api_response_headers"`

 	// Sentinel holds sentinel related settings
-	Sentinel *config.SentinelConfig `mapstructure:"sentinel"`
+	Sentinel *config.SentinelConfig `hcl:"sentinel"`

 	// Autopilot contains the configuration for Autopilot behavior.
-	Autopilot *config.AutopilotConfig `mapstructure:"autopilot"`
+	Autopilot *config.AutopilotConfig `hcl:"autopilot"`

 	// Plugins is the set of configured plugins
-	Plugins []*config.PluginConfig `hcl:"plugin,expand"`
+	Plugins []*config.PluginConfig `hcl:"plugin"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // ClientConfig is configuration specific to the client mode
 type ClientConfig struct {
 	// Enabled controls if we are a client
-	Enabled bool `mapstructure:"enabled"`
+	Enabled bool `hcl:"enabled"`

 	// StateDir is the state directory
-	StateDir string `mapstructure:"state_dir"`
+	StateDir string `hcl:"state_dir"`

 	// AllocDir is the directory for storing allocation data
-	AllocDir string `mapstructure:"alloc_dir"`
+	AllocDir string `hcl:"alloc_dir"`

 	// Servers is a list of known server addresses. These are as "host:port"
-	Servers []string `mapstructure:"servers"`
+	Servers []string `hcl:"servers"`

 	// NodeClass is used to group the node by class
-	NodeClass string `mapstructure:"node_class"`
+	NodeClass string `hcl:"node_class"`

 	// Options is used for configuration of nomad internals,
 	// like fingerprinters and drivers. The format is:
 	//
 	//  namespace.option = value
-	Options map[string]string `mapstructure:"options"`
+	Options map[string]string `hcl:"options"`

 	// Metadata associated with the node
-	Meta map[string]string `mapstructure:"meta"`
+	Meta map[string]string `hcl:"meta"`

 	// A mapping of directories on the host OS to attempt to embed inside each
 	// task's chroot.
-	ChrootEnv map[string]string `mapstructure:"chroot_env"`
+	ChrootEnv map[string]string `hcl:"chroot_env"`

 	// Interface to use for network fingerprinting
-	NetworkInterface string `mapstructure:"network_interface"`
+	NetworkInterface string `hcl:"network_interface"`

 	// NetworkSpeed is used to override any detected or default network link
 	// speed.
-	NetworkSpeed int `mapstructure:"network_speed"`
+	NetworkSpeed int `hcl:"network_speed"`

 	// CpuCompute is used to override any detected or default total CPU compute.
-	CpuCompute int `mapstructure:"cpu_total_compute"`
+	CpuCompute int `hcl:"cpu_total_compute"`

 	// MemoryMB is used to override any detected or default total memory.
-	MemoryMB int `mapstructure:"memory_total_mb"`
+	MemoryMB int `hcl:"memory_total_mb"`

 	// MaxKillTimeout allows capping the user-specifiable KillTimeout.
-	MaxKillTimeout string `mapstructure:"max_kill_timeout"`
+	MaxKillTimeout string `hcl:"max_kill_timeout"`

 	// ClientMaxPort is the upper range of the ports that the client uses for
 	// communicating with plugin subsystems
-	ClientMaxPort int `mapstructure:"client_max_port"`
+	ClientMaxPort int `hcl:"client_max_port"`

 	// ClientMinPort is the lower range of the ports that the client uses for
 	// communicating with plugin subsystems
-	ClientMinPort int `mapstructure:"client_min_port"`
+	ClientMinPort int `hcl:"client_min_port"`

 	// Reserved is used to reserve resources from being used by Nomad. This can
 	// be used to target a certain utilization or to prevent Nomad from using a
 	// particular set of ports.
-	Reserved *Resources `mapstructure:"reserved"`
+	Reserved *Resources `hcl:"reserved"`

 	// GCInterval is the time interval at which the client triggers garbage
 	// collection
-	GCInterval time.Duration `mapstructure:"gc_interval"`
+	GCInterval    time.Duration
+	GCIntervalHCL string `hcl:"gc_interval"`

 	// GCParallelDestroys is the number of parallel destroys the garbage
 	// collector will allow.
-	GCParallelDestroys int `mapstructure:"gc_parallel_destroys"`
+	GCParallelDestroys int `hcl:"gc_parallel_destroys"`

 	// GCDiskUsageThreshold is the disk usage threshold given as a percent
 	// beyond which the Nomad client triggers GC of terminal allocations
-	GCDiskUsageThreshold float64 `mapstructure:"gc_disk_usage_threshold"`
+	GCDiskUsageThreshold float64 `hcl:"gc_disk_usage_threshold"`

 	// GCInodeUsageThreshold is the inode usage threshold beyond which the Nomad
 	// client triggers GC of the terminal allocations
-	GCInodeUsageThreshold float64 `mapstructure:"gc_inode_usage_threshold"`
+	GCInodeUsageThreshold float64 `hcl:"gc_inode_usage_threshold"`

 	// GCMaxAllocs is the maximum number of allocations a node can have
 	// before garbage collection is triggered.
-	GCMaxAllocs int `mapstructure:"gc_max_allocs"`
+	GCMaxAllocs int `hcl:"gc_max_allocs"`

 	// NoHostUUID disables using the host's UUID and will force generation of a
 	// random UUID.
-	NoHostUUID *bool `mapstructure:"no_host_uuid"`
+	NoHostUUID *bool `hcl:"no_host_uuid"`

 	// ServerJoin contains information that is used to attempt to join servers
-	ServerJoin *ServerJoin `mapstructure:"server_join"`
+	ServerJoin *ServerJoin `hcl:"server_join"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // ACLConfig is configuration specific to the ACL system
 type ACLConfig struct {
 	// Enabled controls if we are enforce and manage ACLs
-	Enabled bool `mapstructure:"enabled"`
+	Enabled bool `hcl:"enabled"`

 	// TokenTTL controls how long we cache ACL tokens. This controls
 	// how stale they can be when we are enforcing policies. Defaults
 	// to "30s". Reducing this impacts performance by forcing more
 	// frequent resolution.
-	TokenTTL time.Duration `mapstructure:"token_ttl"`
+	TokenTTL    time.Duration
+	TokenTTLHCL string `hcl:"token_ttl"`

 	// PolicyTTL controls how long we cache ACL policies. This controls
 	// how stale they can be when we are enforcing policies. Defaults
 	// to "30s". Reducing this impacts performance by forcing more
 	// frequent resolution.
-	PolicyTTL time.Duration `mapstructure:"policy_ttl"`
+	PolicyTTL    time.Duration
+	PolicyTTLHCL string `hcl:"policy_ttl"`

 	// ReplicationToken is used by servers to replicate tokens and policies
 	// from the authoritative region. This must be a valid management token
 	// within the authoritative region.
-	ReplicationToken string `mapstructure:"replication_token"`
+	ReplicationToken string `hcl:"replication_token"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // ServerConfig is configuration specific to the server mode
 type ServerConfig struct {
 	// Enabled controls if we are a server
-	Enabled bool `mapstructure:"enabled"`
+	Enabled bool `hcl:"enabled"`

 	// AuthoritativeRegion is used to control which region is treated as
 	// the source of truth for global tokens and ACL policies.
-	AuthoritativeRegion string `mapstructure:"authoritative_region"`
+	AuthoritativeRegion string `hcl:"authoritative_region"`

 	// BootstrapExpect tries to automatically bootstrap the Consul cluster,
 	// by withholding peers until enough servers join.
-	BootstrapExpect int `mapstructure:"bootstrap_expect"`
+	BootstrapExpect int `hcl:"bootstrap_expect"`

 	// DataDir is the directory to store our state in
-	DataDir string `mapstructure:"data_dir"`
+	DataDir string `hcl:"data_dir"`

 	// ProtocolVersion is the protocol version to speak. This must be between
 	// ProtocolVersionMin and ProtocolVersionMax.
-	ProtocolVersion int `mapstructure:"protocol_version"`
+	ProtocolVersion int `hcl:"protocol_version"`

 	// RaftProtocol is the Raft protocol version to speak. This must be from [1-3].
-	RaftProtocol int `mapstructure:"raft_protocol"`
+	RaftProtocol int `hcl:"raft_protocol"`

 	// NumSchedulers is the number of scheduler thread that are run.
 	// This can be as many as one per core, or zero to disable this server
 	// from doing any scheduling work.
-	NumSchedulers *int `mapstructure:"num_schedulers"`
+	NumSchedulers *int `hcl:"num_schedulers"`

 	// EnabledSchedulers controls the set of sub-schedulers that are
 	// enabled for this server to handle. This will restrict the evaluations
 	// that the workers dequeue for processing.
-	EnabledSchedulers []string `mapstructure:"enabled_schedulers"`
+	EnabledSchedulers []string `hcl:"enabled_schedulers"`

 	// NodeGCThreshold controls how "old" a node must be to be collected by GC.
 	// Age is not the only requirement for a node to be GCed but the threshold
 	// can be used to filter by age.
-	NodeGCThreshold string `mapstructure:"node_gc_threshold"`
+	NodeGCThreshold string `hcl:"node_gc_threshold"`

 	// JobGCThreshold controls how "old" a job must be to be collected by GC.
 	// Age is not the only requirement for a Job to be GCed but the threshold
 	// can be used to filter by age.
-	JobGCThreshold string `mapstructure:"job_gc_threshold"`
+	JobGCThreshold string `hcl:"job_gc_threshold"`

 	// EvalGCThreshold controls how "old" an eval must be to be collected by GC.
 	// Age is not the only requirement for a eval to be GCed but the threshold
 	// can be used to filter by age.
-	EvalGCThreshold string `mapstructure:"eval_gc_threshold"`
+	EvalGCThreshold string `hcl:"eval_gc_threshold"`

 	// DeploymentGCThreshold controls how "old" a deployment must be to be
 	// collected by GC.  Age is not the only requirement for a deployment to be
 	// GCed but the threshold can be used to filter by age.
-	DeploymentGCThreshold string `mapstructure:"deployment_gc_threshold"`
+	DeploymentGCThreshold string `hcl:"deployment_gc_threshold"`

 	// HeartbeatGrace is the grace period beyond the TTL to account for network,
 	// processing delays and clock skew before marking a node as "down".
-	HeartbeatGrace time.Duration `mapstructure:"heartbeat_grace"`
+	HeartbeatGrace    time.Duration
+	HeartbeatGraceHCL string `hcl:"heartbeat_grace"`

 	// MinHeartbeatTTL is the minimum time between heartbeats. This is used as
 	// a floor to prevent excessive updates.
-	MinHeartbeatTTL time.Duration `mapstructure:"min_heartbeat_ttl"`
+	MinHeartbeatTTL    time.Duration
+	MinHeartbeatTTLHCL string `hcl:"min_heartbeat_ttl"`

 	// MaxHeartbeatsPerSecond is the maximum target rate of heartbeats
 	// being processed per second. This allows the TTL to be increased
 	// to meet the target rate.
-	MaxHeartbeatsPerSecond float64 `mapstructure:"max_heartbeats_per_second"`
+	MaxHeartbeatsPerSecond float64 `hcl:"max_heartbeats_per_second"`

 	// StartJoin is a list of addresses to attempt to join when the
 	// agent starts. If Serf is unable to communicate with any of these
 	// addresses, then the agent will error and exit.
 	// Deprecated in Nomad 0.10
-	StartJoin []string `mapstructure:"start_join"`
+	StartJoin []string `hcl:"start_join"`

 	// RetryJoin is a list of addresses to join with retry enabled.
 	// Deprecated in Nomad 0.10
-	RetryJoin []string `mapstructure:"retry_join"`
+	RetryJoin []string `hcl:"retry_join"`

 	// RetryMaxAttempts specifies the maximum number of times to retry joining a
 	// host on startup. This is useful for cases where we know the node will be
 	// online eventually.
 	// Deprecated in Nomad 0.10
-	RetryMaxAttempts int `mapstructure:"retry_max"`
+	RetryMaxAttempts int `hcl:"retry_max"`

 	// RetryInterval specifies the amount of time to wait in between join
 	// attempts on agent start. The minimum allowed value is 1 second and
 	// the default is 30s.
 	// Deprecated in Nomad 0.10
-	RetryInterval time.Duration `mapstructure:"retry_interval"`
+	RetryInterval    time.Duration
+	RetryIntervalHCL string `hcl:"retry_interval"`

 	// RejoinAfterLeave controls our interaction with the cluster after leave.
 	// When set to false (default), a leave causes Consul to not rejoin
 	// the cluster until an explicit join is received. If this is set to
 	// true, we ignore the leave, and rejoin the cluster on start.
-	RejoinAfterLeave bool `mapstructure:"rejoin_after_leave"`
+	RejoinAfterLeave bool `hcl:"rejoin_after_leave"`

 	// (Enterprise-only) NonVotingServer is whether this server will act as a
 	// non-voting member of the cluster to help provide read scalability.
-	NonVotingServer bool `mapstructure:"non_voting_server"`
+	NonVotingServer bool `hcl:"non_voting_server"`

 	// (Enterprise-only) RedundancyZone is the redundancy zone to use for this server.
-	RedundancyZone string `mapstructure:"redundancy_zone"`
+	RedundancyZone string `hcl:"redundancy_zone"`

 	// (Enterprise-only) UpgradeVersion is the custom upgrade version to use when
 	// performing upgrade migrations.
-	UpgradeVersion string `mapstructure:"upgrade_version"`
+	UpgradeVersion string `hcl:"upgrade_version"`

 	// Encryption key to use for the Serf communication
-	EncryptKey string `mapstructure:"encrypt" json:"-"`
+	EncryptKey string `hcl:"encrypt" json:"-"`

 	// ServerJoin contains information that is used to attempt to join servers
-	ServerJoin *ServerJoin `mapstructure:"server_join"`
+	ServerJoin *ServerJoin `hcl:"server_join"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // ServerJoin is used in both clients and servers to bootstrap connections to
@@ -372,21 +390,25 @@ type ServerJoin struct {
 	// StartJoin is a list of addresses to attempt to join when the
 	// agent starts. If Serf is unable to communicate with any of these
 	// addresses, then the agent will error and exit.
-	StartJoin []string `mapstructure:"start_join"`
+	StartJoin []string `hcl:"start_join"`

 	// RetryJoin is a list of addresses to join with retry enabled, or a single
 	// value to find multiple servers using go-discover syntax.
-	RetryJoin []string `mapstructure:"retry_join"`
+	RetryJoin []string `hcl:"retry_join"`

 	// RetryMaxAttempts specifies the maximum number of times to retry joining a
 	// host on startup. This is useful for cases where we know the node will be
 	// online eventually.
-	RetryMaxAttempts int `mapstructure:"retry_max"`
+	RetryMaxAttempts int `hcl:"retry_max"`

 	// RetryInterval specifies the amount of time to wait in between join
 	// attempts on agent start. The minimum allowed value is 1 second and
 	// the default is 30s.
-	RetryInterval time.Duration `mapstructure:"retry_interval"`
+	RetryInterval    time.Duration
+	RetryIntervalHCL string `hcl:"retry_interval"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 func (s *ServerJoin) Merge(b *ServerJoin) *ServerJoin {
@@ -423,38 +445,38 @@ func (s *ServerConfig) EncryptBytes() ([]byte, error) {

 // Telemetry is the telemetry configuration for the server
 type Telemetry struct {
-	StatsiteAddr             string        `mapstructure:"statsite_address"`
-	StatsdAddr               string        `mapstructure:"statsd_address"`
-	DataDogAddr              string        `mapstructure:"datadog_address"`
-	DataDogTags              []string      `mapstructure:"datadog_tags"`
-	PrometheusMetrics        bool          `mapstructure:"prometheus_metrics"`
-	DisableHostname          bool          `mapstructure:"disable_hostname"`
-	UseNodeName              bool          `mapstructure:"use_node_name"`
-	CollectionInterval       string        `mapstructure:"collection_interval"`
-	collectionInterval       time.Duration `mapstructure:"-"`
-	PublishAllocationMetrics bool          `mapstructure:"publish_allocation_metrics"`
-	PublishNodeMetrics       bool          `mapstructure:"publish_node_metrics"`
+	StatsiteAddr             string        `hcl:"statsite_address"`
+	StatsdAddr               string        `hcl:"statsd_address"`
+	DataDogAddr              string        `hcl:"datadog_address"`
+	DataDogTags              []string      `hcl:"datadog_tags"`
+	PrometheusMetrics        bool          `hcl:"prometheus_metrics"`
+	DisableHostname          bool          `hcl:"disable_hostname"`
+	UseNodeName              bool          `hcl:"use_node_name"`
+	CollectionInterval       string        `hcl:"collection_interval"`
+	collectionInterval       time.Duration `hcl:"-"`
+	PublishAllocationMetrics bool          `hcl:"publish_allocation_metrics"`
+	PublishNodeMetrics       bool          `hcl:"publish_node_metrics"`

 	// DisableTaggedMetrics disables a new version of generating metrics which
 	// uses tags
-	DisableTaggedMetrics bool `mapstructure:"disable_tagged_metrics"`
+	DisableTaggedMetrics bool `hcl:"disable_tagged_metrics"`

 	// BackwardsCompatibleMetrics allows for generating metrics in a simple
 	// key/value structure as done in older versions of Nomad
-	BackwardsCompatibleMetrics bool `mapstructure:"backwards_compatible_metrics"`
+	BackwardsCompatibleMetrics bool `hcl:"backwards_compatible_metrics"`

 	// PrefixFilter allows for filtering out metrics from being collected
-	PrefixFilter []string `mapstructure:"prefix_filter"`
+	PrefixFilter []string `hcl:"prefix_filter"`

 	// FilterDefault controls whether to allow metrics that have not been specified
 	// by the filter
-	FilterDefault *bool `mapstructure:"filter_default"`
+	FilterDefault *bool `hcl:"filter_default"`

 	// DisableDispatchedJobSummaryMetrics allows ignoring dispatched jobs when
 	// publishing Job summary metrics. This is useful in environments that produce
 	// high numbers of single count dispatch jobs as the metrics for each take up
 	// a small memory overhead.
-	DisableDispatchedJobSummaryMetrics bool `mapstructure:"disable_dispatched_job_summary_metrics"`
+	DisableDispatchedJobSummaryMetrics bool `hcl:"disable_dispatched_job_summary_metrics"`

 	// Circonus: see https://github.com/circonus-labs/circonus-gometrics
 	// for more details on the various configuration options.
@@ -472,46 +494,46 @@ type Telemetry struct {
 	// CirconusAPIToken is a valid API Token used to create/manage check. If provided,
 	// metric management is enabled.
 	// Default: none
-	CirconusAPIToken string `mapstructure:"circonus_api_token"`
+	CirconusAPIToken string `hcl:"circonus_api_token"`
 	// CirconusAPIApp is an app name associated with API token.
 	// Default: "nomad"
-	CirconusAPIApp string `mapstructure:"circonus_api_app"`
+	CirconusAPIApp string `hcl:"circonus_api_app"`
 	// CirconusAPIURL is the base URL to use for contacting the Circonus API.
 	// Default: "https://api.circonus.com/v2"
-	CirconusAPIURL string `mapstructure:"circonus_api_url"`
+	CirconusAPIURL string `hcl:"circonus_api_url"`
 	// CirconusSubmissionInterval is the interval at which metrics are submitted to Circonus.
 	// Default: 10s
-	CirconusSubmissionInterval string `mapstructure:"circonus_submission_interval"`
+	CirconusSubmissionInterval string `hcl:"circonus_submission_interval"`
 	// CirconusCheckSubmissionURL is the check.config.submission_url field from a
 	// previously created HTTPTRAP check.
 	// Default: none
-	CirconusCheckSubmissionURL string `mapstructure:"circonus_submission_url"`
+	CirconusCheckSubmissionURL string `hcl:"circonus_submission_url"`
 	// CirconusCheckID is the check id (not check bundle id) from a previously created
 	// HTTPTRAP check. The numeric portion of the check._cid field.
 	// Default: none
-	CirconusCheckID string `mapstructure:"circonus_check_id"`
+	CirconusCheckID string `hcl:"circonus_check_id"`
 	// CirconusCheckForceMetricActivation will force enabling metrics, as they are encountered,
 	// if the metric already exists and is NOT active. If check management is enabled, the default
 	// behavior is to add new metrics as they are encountered. If the metric already exists in the
 	// check, it will *NOT* be activated. This setting overrides that behavior.
 	// Default: "false"
-	CirconusCheckForceMetricActivation string `mapstructure:"circonus_check_force_metric_activation"`
+	CirconusCheckForceMetricActivation string `hcl:"circonus_check_force_metric_activation"`
 	// CirconusCheckInstanceID serves to uniquely identify the metrics coming from this "instance".
 	// It can be used to maintain metric continuity with transient or ephemeral instances as
 	// they move around within an infrastructure.
 	// Default: hostname:app
-	CirconusCheckInstanceID string `mapstructure:"circonus_check_instance_id"`
+	CirconusCheckInstanceID string `hcl:"circonus_check_instance_id"`
 	// CirconusCheckSearchTag is a special tag which, when coupled with the instance id, helps to
 	// narrow down the search results when neither a Submission URL or Check ID is provided.
 	// Default: service:app (e.g. service:nomad)
-	CirconusCheckSearchTag string `mapstructure:"circonus_check_search_tag"`
+	CirconusCheckSearchTag string `hcl:"circonus_check_search_tag"`
 	// CirconusCheckTags is a comma separated list of tags to apply to the check. Note that
 	// the value of CirconusCheckSearchTag will always be added to the check.
 	// Default: none
-	CirconusCheckTags string `mapstructure:"circonus_check_tags"`
+	CirconusCheckTags string `hcl:"circonus_check_tags"`
 	// CirconusCheckDisplayName is the name for the check which will be displayed in the Circonus UI.
 	// Default: value of CirconusCheckInstanceID
-	CirconusCheckDisplayName string `mapstructure:"circonus_check_display_name"`
+	CirconusCheckDisplayName string `hcl:"circonus_check_display_name"`
 	// CirconusBrokerID is an explicit broker to use when creating a new check. The numeric portion
 	// of broker._cid. If metric management is enabled and neither a Submission URL nor Check ID
 	// is provided, an attempt will be made to search for an existing check using Instance ID and
@@ -519,13 +541,16 @@ type Telemetry struct {
 	// Default: use Select Tag if provided, otherwise, a random Enterprise Broker associated
 	// with the specified API token or the default Circonus Broker.
 	// Default: none
-	CirconusBrokerID string `mapstructure:"circonus_broker_id"`
+	CirconusBrokerID string `hcl:"circonus_broker_id"`
 	// CirconusBrokerSelectTag is a special tag which will be used to select a broker when
 	// a Broker ID is not provided. The best use of this is to as a hint for which broker
 	// should be used based on *where* this particular instance is running.
 	// (e.g. a specific geo location or datacenter, dc:sfo)
 	// Default: none
-	CirconusBrokerSelectTag string `mapstructure:"circonus_broker_select_tag"`
+	CirconusBrokerSelectTag string `hcl:"circonus_broker_select_tag"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // PrefixFilters parses the PrefixFilter field and returns a list of allowed and blocked filters
@@ -549,33 +574,41 @@ func (t *Telemetry) PrefixFilters() (allowed, blocked []string, err error) {
 // Ports encapsulates the various ports we bind to for network services. If any
 // are not specified then the defaults are used instead.
 type Ports struct {
-	HTTP int `mapstructure:"http"`
-	RPC  int `mapstructure:"rpc"`
-	Serf int `mapstructure:"serf"`
+	HTTP int `hcl:"http"`
+	RPC  int `hcl:"rpc"`
+	Serf int `hcl:"serf"`
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // Addresses encapsulates all of the addresses we bind to for various
 // network services. Everything is optional and defaults to BindAddr.
 type Addresses struct {
-	HTTP string `mapstructure:"http"`
-	RPC  string `mapstructure:"rpc"`
-	Serf string `mapstructure:"serf"`
+	HTTP string `hcl:"http"`
+	RPC  string `hcl:"rpc"`
+	Serf string `hcl:"serf"`
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // AdvertiseAddrs is used to control the addresses we advertise out for
 // different network services. All are optional and default to BindAddr and
 // their default Port.
 type AdvertiseAddrs struct {
-	HTTP string `mapstructure:"http"`
-	RPC  string `mapstructure:"rpc"`
-	Serf string `mapstructure:"serf"`
+	HTTP string `hcl:"http"`
+	RPC  string `hcl:"rpc"`
+	Serf string `hcl:"serf"`
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 type Resources struct {
-	CPU           int    `mapstructure:"cpu"`
-	MemoryMB      int    `mapstructure:"memory"`
-	DiskMB        int    `mapstructure:"disk"`
-	ReservedPorts string `mapstructure:"reserved_ports"`
+	CPU           int    `hcl:"cpu"`
+	MemoryMB      int    `hcl:"memory"`
+	DiskMB        int    `hcl:"disk"`
+	ReservedPorts string `hcl:"reserved_ports"`
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // CanParseReserved returns if the reserved ports specification is parsable.
--- a/nomad/structs/config/autopilot.go
+++ b/nomad/structs/config/autopilot.go
@@ -9,32 +9,37 @@ import (
 type AutopilotConfig struct {
 	// CleanupDeadServers controls whether to remove dead servers when a new
 	// server is added to the Raft peers.
-	CleanupDeadServers *bool `mapstructure:"cleanup_dead_servers"`
+	CleanupDeadServers *bool `hcl:"cleanup_dead_servers"`

 	// ServerStabilizationTime is the minimum amount of time a server must be
 	// in a stable, healthy state before it can be added to the cluster. Only
 	// applicable with Raft protocol version 3 or higher.
-	ServerStabilizationTime time.Duration `mapstructure:"server_stabilization_time"`
+	ServerStabilizationTime    time.Duration
+	ServerStabilizationTimeHCL string `hcl:"server_stabilization_time"`

 	// LastContactThreshold is the limit on the amount of time a server can go
 	// without leader contact before being considered unhealthy.
-	LastContactThreshold time.Duration `mapstructure:"last_contact_threshold"`
+	LastContactThreshold    time.Duration
+	LastContactThresholdHCL string `hcl:"last_contact_threshold"`

 	// MaxTrailingLogs is the amount of entries in the Raft Log that a server can
 	// be behind before being considered unhealthy.
-	MaxTrailingLogs int `mapstructure:"max_trailing_logs"`
+	MaxTrailingLogs int `hcl:"max_trailing_logs"`

 	// (Enterprise-only) EnableRedundancyZones specifies whether to enable redundancy zones.
-	EnableRedundancyZones *bool `mapstructure:"enable_redundancy_zones"`
+	EnableRedundancyZones *bool `hcl:"enable_redundancy_zones"`

 	// (Enterprise-only) DisableUpgradeMigration will disable Autopilot's upgrade migration
 	// strategy of waiting until enough newer-versioned servers have been added to the
 	// cluster before promoting them to voters.
-	DisableUpgradeMigration *bool `mapstructure:"disable_upgrade_migration"`
+	DisableUpgradeMigration *bool `hcl:"disable_upgrade_migration"`

 	// (Enterprise-only) EnableCustomUpgrades specifies whether to enable using custom
 	// upgrade versions when performing migrations.
-	EnableCustomUpgrades *bool `mapstructure:"enable_custom_upgrades"`
+	EnableCustomUpgrades *bool `hcl:"enable_custom_upgrades"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // DefaultAutopilotConfig() returns the canonical defaults for the Nomad
--- a/nomad/structs/config/consul.go
+++ b/nomad/structs/config/consul.go
@@ -21,73 +21,77 @@ import (
 type ConsulConfig struct {
 	// ServerServiceName is the name of the service that Nomad uses to register
 	// servers with Consul
-	ServerServiceName string `mapstructure:"server_service_name"`
+	ServerServiceName string `hcl:"server_service_name"`

 	// ServerHTTPCheckName is the name of the health check that Nomad uses
 	// to register the server HTTP health check with Consul
-	ServerHTTPCheckName string `mapstructure:"server_http_check_name"`
+	ServerHTTPCheckName string `hcl:"server_http_check_name"`

 	// ServerSerfCheckName is the name of the health check that Nomad uses
 	// to register the server Serf health check with Consul
-	ServerSerfCheckName string `mapstructure:"server_serf_check_name"`
+	ServerSerfCheckName string `hcl:"server_serf_check_name"`

 	// ServerRPCCheckName is the name of the health check that Nomad uses
 	// to register the server RPC health check with Consul
-	ServerRPCCheckName string `mapstructure:"server_rpc_check_name"`
+	ServerRPCCheckName string `hcl:"server_rpc_check_name"`

 	// ClientServiceName is the name of the service that Nomad uses to register
 	// clients with Consul
-	ClientServiceName string `mapstructure:"client_service_name"`
+	ClientServiceName string `hcl:"client_service_name"`

 	// ClientHTTPCheckName is the name of the health check that Nomad uses
 	// to register the client HTTP health check with Consul
-	ClientHTTPCheckName string `mapstructure:"client_http_check_name"`
+	ClientHTTPCheckName string `hcl:"client_http_check_name"`

 	// AutoAdvertise determines if this Nomad Agent will advertise its
 	// services via Consul.  When true, Nomad Agent will register
 	// services with Consul.
-	AutoAdvertise *bool `mapstructure:"auto_advertise"`
+	AutoAdvertise *bool `hcl:"auto_advertise"`

 	// ChecksUseAdvertise specifies that Consul checks should use advertise
 	// address instead of bind address
-	ChecksUseAdvertise *bool `mapstructure:"checks_use_advertise"`
+	ChecksUseAdvertise *bool `hcl:"checks_use_advertise"`

 	// Addr is the address of the local Consul agent
-	Addr string `mapstructure:"address"`
+	Addr string `hcl:"address"`

 	// Timeout is used by Consul HTTP Client
-	Timeout time.Duration `mapstructure:"timeout"`
+	Timeout    time.Duration
+	TimeoutHCL string `hcl:"timeout"`

 	// Token is used to provide a per-request ACL token. This options overrides
 	// the agent's default token
-	Token string `mapstructure:"token"`
+	Token string `hcl:"token"`

 	// Auth is the information to use for http access to Consul agent
-	Auth string `mapstructure:"auth"`
+	Auth string `hcl:"auth"`

 	// EnableSSL sets the transport scheme to talk to the Consul agent as https
-	EnableSSL *bool `mapstructure:"ssl"`
+	EnableSSL *bool `hcl:"ssl"`

 	// VerifySSL enables or disables SSL verification when the transport scheme
 	// for the consul api client is https
-	VerifySSL *bool `mapstructure:"verify_ssl"`
+	VerifySSL *bool `hcl:"verify_ssl"`

 	// CAFile is the path to the ca certificate used for Consul communication
-	CAFile string `mapstructure:"ca_file"`
+	CAFile string `hcl:"ca_file"`

 	// CertFile is the path to the certificate for Consul communication
-	CertFile string `mapstructure:"cert_file"`
+	CertFile string `hcl:"cert_file"`

 	// KeyFile is the path to the private key for Consul communication
-	KeyFile string `mapstructure:"key_file"`
+	KeyFile string `hcl:"key_file"`

 	// ServerAutoJoin enables Nomad servers to find peers by querying Consul and
 	// joining them
-	ServerAutoJoin *bool `mapstructure:"server_auto_join"`
+	ServerAutoJoin *bool `hcl:"server_auto_join"`

 	// ClientAutoJoin enables Nomad servers to find addresses of Nomad servers
 	// and register with them
-	ClientAutoJoin *bool `mapstructure:"client_auto_join"`
+	ClientAutoJoin *bool `hcl:"client_auto_join"`
+
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 // DefaultConsulConfig() returns the canonical defaults for the Nomad
--- a/nomad/structs/config/plugins.go
+++ b/nomad/structs/config/plugins.go
@@ -7,6 +7,8 @@ type PluginConfig struct {
 	Name   string                 `hcl:",key"`
 	Args   []string               `hcl:"args"`
 	Config map[string]interface{} `hcl:"config"`
+	// ExtraKeysHCL is used by hcl to surface unexpected keys
+	ExtraKeysHCL []string `hcl:",unusedKeys"`
 }

 func (p *PluginConfig) Merge(o *PluginConfig) *PluginConfig {
--- a/nomad/structs/config/tls.go
+++ b/nomad/structs/config/tls.go
@@ -14,10 +14,10 @@ import (
 type TLSConfig struct {

 	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
-	EnableHTTP bool `mapstructure:"http"`
+	EnableHTTP bool `hcl:"http"`

 	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
-	EnableRPC bool `mapstructure:"rpc"`
+	EnableRPC bool `hcl:"rpc"`

 	// VerifyServerHostname is used to enable hostname verification of servers. This
 	// ensures that the certificate presented is valid for server.<region>.nomad
@@ -25,15 +25,15 @@ type TLSConfig struct {
 	// intercepting request traffic as well as being added as a raft peer. This should be
 	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
 	// existing clients.
-	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
+	VerifyServerHostname bool `hcl:"verify_server_hostname"`

 	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
 	// or VerifyOutgoing to verify the TLS connection.
-	CAFile string `mapstructure:"ca_file"`
+	CAFile string `hcl:"ca_file"`

 	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
 	// Must be provided to serve TLS connections.
-	CertFile string `mapstructure:"cert_file"`
+	CertFile string `hcl:"cert_file"`

 	// KeyLoader is a helper to dynamically reload TLS configuration
 	KeyLoader *KeyLoader
@@ -42,15 +42,15 @@ type TLSConfig struct {

 	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
 	// Must be provided to serve TLS connections.
-	KeyFile string `mapstructure:"key_file"`
+	KeyFile string `hcl:"key_file"`

 	// RPCUpgradeMode should be enabled when a cluster is being upgraded
 	// to TLS. Allows servers to accept both plaintext and TLS connections and
 	// should only be a temporary state.
-	RPCUpgradeMode bool `mapstructure:"rpc_upgrade_mode"`
+	RPCUpgradeMode bool `hcl:"rpc_upgrade_mode"`

 	// Verify connections to the HTTPS API
-	VerifyHTTPSClient bool `mapstructure:"verify_https_client"`
+	VerifyHTTPSClient bool `hcl:"verify_https_client"`

 	// Checksum is a MD5 hash of the certificate CA File, Certificate file, and
 	// key file.
@@ -58,17 +58,17 @@ type TLSConfig struct {

 	// TLSCipherSuites are operator-defined ciphers to be used in Nomad TLS
 	// connections
-	TLSCipherSuites string `mapstructure:"tls_cipher_suites"`
+	TLSCipherSuites string `hcl:"tls_cipher_suites"`

 	// TLSMinVersion is used to set the minimum TLS version used for TLS
 	// connections. Should be either "tls10", "tls11", or "tls12".
-	TLSMinVersion string `mapstructure:"tls_min_version"`
+	TLSMinVersion string `hcl:"tls_min_version"`

 	// TLSPreferServerCipherSuites controls whether the server selects the
 	// client's most preferred ciphersuite, or the server's most preferred
 	// ciphersuite. If true then the server's preference, as expressed in
 	// the order of elements in CipherSuites, is used.
-	TLSPreferServerCipherSuites bool `mapstructure:"tls_prefer_server_cipher_suites"`
+	TLSPreferServerCipherSuites bool `hcl:"tls_prefer_server_cipher_suites"`
 }

 type KeyLoader struct {
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
@@ -23,19 +23,19 @@ const (
 type VaultConfig struct {

 	// Enabled enables or disables Vault support.
-	Enabled *bool `mapstructure:"enabled"`
+	Enabled *bool `hcl:"enabled"`

 	// Token is the Vault token given to Nomad such that it can
 	// derive child tokens. Nomad will renew this token at half its lease
 	// lifetime.
-	Token string `mapstructure:"token"`
+	Token string `hcl:"token"`

 	// Role sets the role in which to create tokens from. The Token given to
 	// Nomad does not have to be created from this role but must have "update"
 	// capability on "auth/token/create/<create_from_role>". If this value is
 	// unset and the token is created from a role, the value is defaulted to the
 	// role the token is from.
-	Role string `mapstructure:"create_from_role"`
+	Role string `hcl:"create_from_role"`

 	// Namespace sets the Vault namespace used for all calls against the
 	// Vault API. If this is unset, then Nomad does not use Vault namespaces.
@@ -44,16 +44,16 @@ type VaultConfig struct {
 	// AllowUnauthenticated allows users to submit jobs requiring Vault tokens
 	// without providing a Vault token proving they have access to these
 	// policies.
-	AllowUnauthenticated *bool `mapstructure:"allow_unauthenticated"`
+	AllowUnauthenticated *bool `hcl:"allow_unauthenticated"`

 	// TaskTokenTTL is the TTL of the tokens created by Nomad Servers and used
 	// by the client.  There should be a minimum time value such that the client
 	// does not have to renew with Vault at a very high frequency
-	TaskTokenTTL string `mapstructure:"task_token_ttl"`
+	TaskTokenTTL string `hcl:"task_token_ttl"`

 	// Addr is the address of the local Vault agent. This should be a complete
 	// URL such as "http://vault.example.com"
-	Addr string `mapstructure:"address"`
+	Addr string `hcl:"address"`

 	// ConnectionRetryIntv is the interval to wait before re-attempting to
 	// connect to Vault.
@@ -61,23 +61,23 @@ type VaultConfig struct {

 	// TLSCaFile is the path to a PEM-encoded CA cert file to use to verify the
 	// Vault server SSL certificate.
-	TLSCaFile string `mapstructure:"ca_file"`
+	TLSCaFile string `hcl:"ca_file"`

 	// TLSCaFile is the path to a directory of PEM-encoded CA cert files to
 	// verify the Vault server SSL certificate.
-	TLSCaPath string `mapstructure:"ca_path"`
+	TLSCaPath string `hcl:"ca_path"`

 	// TLSCertFile is the path to the certificate for Vault communication
-	TLSCertFile string `mapstructure:"cert_file"`
+	TLSCertFile string `hcl:"cert_file"`

 	// TLSKeyFile is the path to the private key for Vault communication
-	TLSKeyFile string `mapstructure:"key_file"`
+	TLSKeyFile string `hcl:"key_file"`

 	// TLSSkipVerify enables or disables SSL verification
-	TLSSkipVerify *bool `mapstructure:"tls_skip_verify"`
+	TLSSkipVerify *bool `hcl:"tls_skip_verify"`

 	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
-	TLSServerName string `mapstructure:"tls_server_name"`
+	TLSServerName string `hcl:"tls_server_name"`
 }

 // DefaultVaultConfig() returns the canonical defaults for the Nomad