diff --git a/deployment/nomad/README.md b/deployment/nomad/README.md
new file mode 100644
index 0000000..912aa7c
--- /dev/null
+++ b/deployment/nomad/README.md
@@ -0,0 +1,176 @@
+# Nomad Deployment
+
+This directory contains an example of deploying Boundary using Nomad
+
+## Deploy
+
+1. Create the nomad data directory
+
+    ```bash
+    $ sudo mkdir /opt/nomad
+    $ sudo chown $USER /opt/nomad
+    ```
+
+2. Start the nomad agent
+
+    ```bash
+    $ nomad agent -config nomad-config.hcl
+    ```
+
+3. Initialize Terraform:
+
+    ```bash
+    $ terraform init
+    ```
+
+4. Run terraform apply against the nomad terraform module:
+
+    ```bash
+    $ terraform apply -target module.nomad
+    ```
+
+    Once boundary is running and the `boundary-init` job has run. 
+    The controller service may restart a couple of times until the database initialization is finished.
+
+5. Run terraform apply against the boundary terraform module:
+    ```
+    $ terraform apply -target module.boundary \
+        -var "boundary_address=http://<public-ipv4-dns>:9200"
+        -var "target_ips=10.0.0.1"
+    ```
+   
+
+## Verify
+
+- You can launch the admin console at `http://<public-ipv4-dns>:9200`.
+You can verify what address it is by visiting the nomad admin console.
+![nomad console](img/nomad.png)
+- Select the `primary` org and then login with the user `admin` / `foofoofoo`.
+
+
+## Connect
+
+```bash
+export BOUNDARY_ADDR="http://<public-ipv4-dns>:9200"
+export BOUNDARY_AUTH_METHOD_ID="ampw_<some ID>"
+
+boundary authenticate password \
+  -login-name=admin \
+  -password foofoofoo
+
+boundary connect ssh \
+  -target-scope-name="core_infra" \
+  -target-name="backend_servers_ssh"
+```
+
+
+## Improvements
+
+### Using Vault for Secrets
+
+Since nomad has integration with vault, you can use it to store the database credentials.
+
+```hcl
+vault {
+ policies     = ["boundary"]
+}
+```
+
+```hcl
+
+task "boundary-controller" {
+   # ...
+   template {
+      data = <<EOF
+controller {
+  {{with secret "<kv-mount-point>/data/boundary/db"}}
+  database {
+      url = "postgresql://{{.Data.data.user}}:{{.Data.data.pass}}@127.0.0.1:5432/boundary?sslmode=disable"
+  }
+  {{end}}
+}
+   }
+}
+task "postgres" {
+   # ...
+   template {
+      data        = <<EOT
+{{ with secret "<kv-mount-point>/data/boundary/db" }}
+POSTGRES_DB = "boundary"
+POSTGRES_USER = "{{.Data.data.user}}"
+POSTGRES_PASSWORD = "{{.Data.data.pass}}"
+{{ end }}
+EOT
+      destination = "config.env"
+      env         = true
+   }
+}
+```
+
+### Using Vault for KMS
+
+Replace `kms "aead"` with `kms "vault"`.
+Create the transit engine at the `boundary_kms` mount point.
+
+```hcl
+kms "transit" {
+  purpose            = "root"
+  address            = "https://vault:8200"
+  disable_renewal    = "true"
+  key_name           = "boundary_root_key"
+  mount_path         = "boundary_kms/"
+}
+```
+
+Make sure the Vault role that the nomad job assumes has the following policy:
+
+```hcl
+path "boundary_kms/encrypt/*" {
+  capabilities = ["update"]
+}
+path "boundary_kms/decrypt/*" {
+  capabilities = ["update"]
+}
+```
+
+### Persistent data
+
+Use host volumes to store the database in persistent storage.
+
+In the `nomad-config.hcl` file, add:
+
+```hcl
+client {
+ host_volume "boundary_db" {
+      path      = "/opt/boundary/db"
+      read_only = false
+   }
+}
+```
+
+In the `boundary.hcl` job file, add:
+
+```hcl
+group "boundary-db" {
+   # ...
+   volume "boundary_db" {
+      type      = "host"
+      source    = "boundary_db"
+   }
+   # ...
+  task "postgres" {
+     # ...
+     volume_mount {
+        volume      = "boundary_db"
+        destination = "/var/lib/postgresql/data"
+     }
+     # ...
+  }
+}
+```
+
+### Other recommendations
+
+- Redundant controllers
+  - Increase the `count` property in the `boundary-controller` group.
+- Use Consul connect (mTLS) for communication between the database and the controller
diff --git a/deployment/nomad/boundary/auth.tf b/deployment/nomad/boundary/auth.tf
new file mode 100644
index 0000000..c731e88
--- /dev/null
+++ b/deployment/nomad/boundary/auth.tf
@@ -0,0 +1,6 @@
+resource "boundary_auth_method" "password" {
+  name        = "corp_password_auth_method"
+  description = "Password auth method for Corp org"
+  type        = "password"
+  scope_id    = boundary_scope.org.id
+}
diff --git a/deployment/nomad/boundary/boundary.tf b/deployment/nomad/boundary/boundary.tf
new file mode 100644
index 0000000..b23d2c2
--- /dev/null
+++ b/deployment/nomad/boundary/boundary.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    boundary = {
+      source  = "hashicorp/boundary"
+      version = "1.0.7"
+    }
+  }
+}
+
+provider "boundary" {
+  addr             = var.boundary_address
+  recovery_kms_hcl = <<EOT
+kms "aead" {
+  purpose = "recovery"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "global_recovery"
+}
+EOT
+}
diff --git a/deployment/nomad/boundary/roles.tf b/deployment/nomad/boundary/roles.tf
new file mode 100644
index 0000000..c4f5a43
--- /dev/null
+++ b/deployment/nomad/boundary/roles.tf
@@ -0,0 +1,47 @@
+# Allows anonymous (un-authenticated) users to list and authenticate against any
+# auth method, list the global scope, and read and change password on their account ID
+# at the global and org level scope
+resource "boundary_role" "global_anon_listing" {
+  scope_id = boundary_scope.global.id
+  grant_strings = [
+    "id=*;type=auth-method;actions=list,authenticate",
+    "type=scope;actions=list",
+    "id={{account.id}};actions=read,change-password"
+  ]
+  principal_ids = ["u_anon"]
+}
+resource "boundary_role" "org_anon_listing" {
+  scope_id = boundary_scope.org.id
+  grant_strings = [
+    "id=*;type=auth-method;actions=list,authenticate",
+    "type=scope;actions=list",
+    "id={{account.id}};actions=read,change-password"
+  ]
+  principal_ids = ["u_anon"]
+}
+
+# Creates a role in the global scope that's granting administrative access to
+# resources in the org scope for the admin user
+resource "boundary_role" "org_admin" {
+  scope_id       = boundary_scope.global.id
+  grant_scope_id = boundary_scope.org.id
+  grant_strings = [
+    "id=*;type=*;actions=*"
+  ]
+  principal_ids = [
+    boundary_user.admin_user.id
+  ]
+}
+
+resource "boundary_role" "project_admin" {
+  name           = "core_infra_admin"
+  description    = "Administrator role for core infra"
+  scope_id       = boundary_scope.org.id
+  grant_scope_id = boundary_scope.core_infra.id
+  grant_strings = [
+    "id=*;type=*;actions=*"
+  ]
+  principal_ids = [
+    boundary_user.admin_user.id
+  ]
+}
diff --git a/deployment/nomad/boundary/scope.tf b/deployment/nomad/boundary/scope.tf
new file mode 100644
index 0000000..ccf0772
--- /dev/null
+++ b/deployment/nomad/boundary/scope.tf
@@ -0,0 +1,19 @@
+resource "boundary_scope" "global" {
+  global_scope = true
+  name         = "global"
+  scope_id     = "global"
+}
+
+resource "boundary_scope" "org" {
+  scope_id    = boundary_scope.global.id
+  name        = "primary"
+  description = "Primary organization scope"
+}
+
+resource "boundary_scope" "core_infra" {
+  name                     = "core_infra"
+  description              = "Backend infrastructure project"
+  scope_id                 = boundary_scope.org.id
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
diff --git a/deployment/nomad/boundary/targets.tf b/deployment/nomad/boundary/targets.tf
new file mode 100644
index 0000000..25b107b
--- /dev/null
+++ b/deployment/nomad/boundary/targets.tf
@@ -0,0 +1,35 @@
+resource "boundary_target" "backend_servers_ssh" {
+  type                     = "tcp"
+  name                     = "backend_servers_ssh"
+  description              = "Backend SSH target"
+  scope_id                 = boundary_scope.core_infra.id
+  session_connection_limit = -1
+  default_port             = 22
+  host_source_ids = [
+    boundary_host_set.backend_servers.id
+  ]
+}
+
+resource "boundary_host_catalog" "backend_servers" {
+  name        = "backend_servers"
+  description = "Web servers for backend team"
+  type        = "static"
+  scope_id    = boundary_scope.core_infra.id
+}
+
+resource "boundary_host" "backend_servers" {
+  for_each        = var.target_ips
+  type            = "static"
+  name            = "backend_server_${each.value}"
+  description     = "Backend server #${each.value}"
+  address         = each.key
+  host_catalog_id = boundary_host_catalog.backend_servers.id
+}
+
+resource "boundary_host_set" "backend_servers" {
+  type            = "static"
+  name            = "backend_servers"
+  description     = "Host set for backend servers"
+  host_catalog_id = boundary_host_catalog.backend_servers.id
+  host_ids        = [for host in boundary_host.backend_servers : host.id]
+}
diff --git a/deployment/nomad/boundary/users.tf b/deployment/nomad/boundary/users.tf
new file mode 100644
index 0000000..e7be087
--- /dev/null
+++ b/deployment/nomad/boundary/users.tf
@@ -0,0 +1,20 @@
+resource "boundary_user" "admin_user" {
+  name        = "admin"
+  account_ids = [boundary_account_password.admin_acct.id]
+  scope_id    = boundary_scope.org.id
+}
+
+resource "boundary_account_password" "admin_acct" {
+  name           = "admin"
+  type           = "password"
+  login_name     = "admin"
+  password       = "foofoofoo"
+  auth_method_id = boundary_auth_method.password.id
+}
+
+resource "boundary_group" "backend_core_infra" {
+  name        = "backend"
+  description = "Backend team group"
+  member_ids  = [boundary_user.admin_user.id]
+  scope_id    = boundary_scope.core_infra.id
+}
diff --git a/deployment/nomad/boundary/variables.tf b/deployment/nomad/boundary/variables.tf
new file mode 100644
index 0000000..7ca923b
--- /dev/null
+++ b/deployment/nomad/boundary/variables.tf
@@ -0,0 +1,8 @@
+variable "boundary_address" {
+  default = "http://localhost:9200"
+}
+
+variable "target_ips" {
+  type    = set(string)
+  default = ["127.0.0.1"]
+}
diff --git a/deployment/nomad/img/nomad.png b/deployment/nomad/img/nomad.png
new file mode 100644
index 0000000..486abe1
Binary files /dev/null and b/deployment/nomad/img/nomad.png differ
diff --git a/deployment/nomad/main.tf b/deployment/nomad/main.tf
new file mode 100644
index 0000000..1390823
--- /dev/null
+++ b/deployment/nomad/main.tf
@@ -0,0 +1,24 @@
+variable "boundary_address" {
+  default = "http://localhost:9200"
+}
+
+variable "nomad_address" {
+  default = "http://localhost:4646"
+}
+
+variable "target_ips" {
+  type = set(string)
+  description = "SSH Targets for Boundary to proxy"
+  default = ["127.0.0.1"]
+}
+
+module "nomad" {
+  source        = "./nomad"
+  nomad_address = var.nomad_address
+}
+
+module "boundary" {
+  source           = "./boundary"
+  boundary_address = var.boundary_address
+  target_ips       = var.target_ips
+}
diff --git a/deployment/nomad/nomad-config.hcl b/deployment/nomad/nomad-config.hcl
new file mode 100644
index 0000000..91b1e16
--- /dev/null
+++ b/deployment/nomad/nomad-config.hcl
@@ -0,0 +1,34 @@
+client {
+  enabled = true
+}
+
+server {
+  enabled = true
+  bootstrap_expect = 1
+}
+
+data_dir  = "/opt/nomad"
+bind_addr = "0.0.0.0"
+
+plugin "docker" {
+  config {
+    allow_caps = [
+      # Default caps
+      "audit_write",
+      "chown",
+      "dac_override",
+      "fowner",
+      "fsetid",
+      "kill",
+      "mknod",
+      "net_bind_service",
+      "setfcap",
+      "setgid",
+      "setpcap",
+      "setuid",
+      "sys_chroot",
+      # Needed for mlock
+      "ipc_lock"
+    ]
+  }
+}
diff --git a/deployment/nomad/nomad/boundary-init.hcl b/deployment/nomad/nomad/boundary-init.hcl
new file mode 100644
index 0000000..ce9e800
--- /dev/null
+++ b/deployment/nomad/nomad/boundary-init.hcl
@@ -0,0 +1,59 @@
+job "boundary-init" {
+  datacenters = ["dc1"]
+  type        = "batch"
+
+  group "boundary-init" {
+
+    task "boundary-init" {
+      driver = "docker"
+
+      config {
+        image = "hashicorp/boundary:0.8"
+
+        volumes = [
+          "local/boundary.hcl:/boundary/config.hcl"
+        ]
+        args = [
+          "database", "init",
+          "-skip-auth-method-creation",
+          "-skip-host-resources-creation",
+          "-skip-scopes-creation",
+          "-skip-target-creation",
+          "-config", "/boundary/config.hcl"
+        ]
+        cap_add = ["ipc_lock"]
+      }
+
+      template {
+        data = <<EOF
+controller {
+  # This name attr must be unique across all controller instances if running in HA mode
+  name = "{{env "NOMAD_ALLOC_ID"}}"
+  public_cluster_addr = "{{ env "NOMAD_IP_cluster" }}"
+  {{range nomadService "boundary-database"}}
+  database {
+      url = "postgresql://boundary:boundary@{{ .Address }}:{{ .Port }}/boundary?sslmode=disable"
+  }
+  {{end}}
+}
+# Root KMS configuration block: this is the root key for Boundary
+kms "aead" {
+  purpose = "root"
+  aead_type = "aes-gcm"
+  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
+  key_id = "global_root"
+}
+# Recovery KMS block: configures the recovery key for Boundary
+kms "aead" {
+  purpose = "recovery"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "global_recovery"
+}
+  EOF
+
+        destination = "local/boundary.hcl"
+      }
+    }
+  }
+}
diff --git a/deployment/nomad/nomad/boundary.hcl b/deployment/nomad/nomad/boundary.hcl
new file mode 100644
index 0000000..c7051d4
--- /dev/null
+++ b/deployment/nomad/nomad/boundary.hcl
@@ -0,0 +1,225 @@
+job "boundary" {
+  datacenters = ["dc1"]
+  type        = "service"
+
+  reschedule {
+    delay          = "30s"
+    delay_function = "constant"
+    unlimited      = true
+  }
+
+  update {
+    max_parallel      = 1
+    health_check      = "checks"
+    min_healthy_time  = "10s"
+    healthy_deadline  = "5m"
+    progress_deadline = "10m"
+    auto_revert       = true
+    canary            = 0
+    stagger           = "30s"
+  }
+
+  group "boundary-controller" {
+    count = 1
+
+    constraint {
+      operator = "distinct_hosts"
+      value    = "true"
+    }
+
+    restart {
+      interval = "10m"
+      attempts = 2
+      delay    = "15s"
+      mode     = "fail"
+    }
+
+    network {
+      port "api" {
+        static = 9200
+        to     = 9200
+      }
+
+      port "cluster" {
+        static = 9201
+        to     = 9201
+      }
+    }
+
+    service {
+      name     = "boundary-controller"
+      provider = "nomad"
+      port     = "api"
+    }
+
+    service {
+      name     = "boundary-cluster"
+      provider = "nomad"
+      port     = "cluster"
+    }
+
+    task "boundary-controller" {
+      driver = "docker"
+
+      config {
+        image = "hashicorp/boundary:0.8"
+
+        volumes = [
+          "local/boundary.hcl:/boundary/config.hcl"
+        ]
+        ports   = ["api", "cluster"]
+        cap_add = ["ipc_lock"]  # Needed for mlock
+      }
+
+      template {
+        data = <<EOF
+controller {
+  name = "{{env "NOMAD_ALLOC_ID"}}"
+  description = "Demo controller running on Nomad"
+  public_cluster_addr = "{{ env "NOMAD_IP_cluster" }}"
+  {{range nomadService "boundary-database"}}
+  database {
+      url = "postgresql://boundary:boundary@{{ .Address }}:{{ .Port }}/boundary?sslmode=disable"
+  }
+  {{end}}
+}
+# API listener configuration block
+listener "tcp" {
+  address = "0.0.0.0:9200"
+  purpose = "api"
+  cors_allowed_origins = ["serve://boundary"]
+  tls_disable = true
+}
+# Data-plane listener configuration block (used for worker coordination)
+listener "tcp" {
+  address = "0.0.0.0:9201"
+  purpose = "cluster"
+}
+# Root KMS configuration block: this is the root key for Boundary
+kms "aead" {
+  purpose = "root"
+  aead_type = "aes-gcm"
+  key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
+  key_id = "global_root"
+}
+# Worker authorization KMS
+kms "aead" {
+  purpose = "worker-auth"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "global_worker-auth"
+}
+# Recovery KMS block: configures the recovery key for Boundary
+kms "aead" {
+  purpose = "recovery"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "global_recovery"
+}
+EOF
+
+        destination = "local/boundary.hcl"
+      }
+
+      resources {
+        cpu    = 500
+        memory = 512
+      }
+    }
+  }
+
+  group "boundary-worker" {
+    count = 1
+
+    network {
+      port "proxy" {
+        static = 9202
+        to     = 9202
+      }
+    }
+
+    task "boundary-worker" {
+      driver = "docker"
+
+      config {
+        image = "hashicorp/boundary:0.8"
+
+        volumes = [
+          "local/boundary.hcl:/boundary/config.hcl",
+        ]
+        ports   = ["proxy"]
+        cap_add = ["ipc_lock"]
+      }
+
+      template {
+        data = <<EOF
+# Proxy listener configuration block
+listener "tcp" {
+  address = "0.0.0.0"
+  purpose = "proxy"
+}
+worker {
+  name = "{{ env "NOMAD_ALLOC_ID" }}"
+  description = "Worker on {{ env "attr.unique.hostname" }}"
+  public_addr = "{{ env "NOMAD_IP_proxy" }}"
+  controllers = [
+     {{ range nomadService "boundary-cluster" }}
+        "{{ .Address }}:{{ .Port }}",
+     {{ end }}
+  ]
+}
+# Worker authorization KMS
+kms "aead" {
+  purpose = "worker-auth"
+  aead_type = "aes-gcm"
+  key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
+  key_id = "global_worker-auth"
+}
+EOF
+
+        destination = "local/boundary.hcl"
+      }
+
+      resources {
+        cpu    = 1000
+        memory = 512
+      }
+    }
+  }
+
+  group "boundary-db" {
+    count = 1
+
+    network {
+      port "psql" {
+        to = 5432
+
+      }
+    }
+
+    service {
+      name     = "boundary-database"
+      provider = "nomad"
+      port     = "psql"
+    }
+
+    task "postgres" {
+      driver = "docker"
+
+      config {
+        image = "postgres"
+        ports = ["psql"]
+      }
+
+      template {
+        data        = <<EOT
+POSTGRES_DB = "boundary"
+POSTGRES_USER = "boundary"
+POSTGRES_PASSWORD = "boundary"
+EOT
+        destination = "config.env"
+        env         = true
+      }
+    }
+  }
+}
diff --git a/deployment/nomad/nomad/jobs.tf b/deployment/nomad/nomad/jobs.tf
new file mode 100644
index 0000000..978b6ff
--- /dev/null
+++ b/deployment/nomad/nomad/jobs.tf
@@ -0,0 +1,14 @@
+resource "nomad_job" "boundary" {
+  provider = nomad
+  jobspec  = file("${path.module}/boundary.hcl")
+}
+
+resource "nomad_job" "boundary_init" {
+  provider = nomad
+  jobspec  = file("${path.module}/boundary-init.hcl")
+}
+
+#resource "nomad_job" "mssql" {
+#  provider = nomad
+#  jobspec  = file("${path.module}/mssql.hcl")
+#}
diff --git a/deployment/nomad/nomad/nomad.tf b/deployment/nomad/nomad/nomad.tf
new file mode 100644
index 0000000..434eef2
--- /dev/null
+++ b/deployment/nomad/nomad/nomad.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    nomad = {
+      source  = "hashicorp/nomad"
+      version = "1.4.17"
+    }
+  }
+}
+
+provider "nomad" {
+  address = var.nomad_address
+}
diff --git a/deployment/nomad/nomad/variables.tf b/deployment/nomad/nomad/variables.tf
new file mode 100644
index 0000000..b317ab3
--- /dev/null
+++ b/deployment/nomad/nomad/variables.tf
@@ -0,0 +1,4 @@
+variable "nomad_address" {
+  description = "Address of HTTP(s) API endpoint of the Nomad agent"
+  default     = "https://localhost:4646"
+}