No way to set attributes on default namespace

[chrisjohnson]

Currently there's no way to set attributes on an existing namespace. The pattern for setting ACL policies on the built-in tokens is to use consul_acl_token_policy_attachment which allows you to specify a token that wasn't created by terraform.

A consul_namespace_policy_attachment resource seems appropriate here. You could specify namespace=default and attach policies and roles to it that way. The UI currently lets you do this but right now I'm having to use terraform to set default token policy/role on every other namespace and then manually manage it for default.

[chrisjohnson]

FWIW it does seem like consul lets you create a namespace with the name default and it merges into the default, however this can be problematic when attempting to destroy the resource later on as terraform errors out. You end up having to manually clean up state. So there is a hacky workaround, but ideally an _attachment type resource would be introduced

[remilapeyre]

Hi @chrisjohnson, thanks for raising this issue. This should indeed be fixed, I'm not sure a new resource would be the best way to go here though, perhaps we should just make the destroy a no-op for the default namespace?

[chrisjohnson]

I was just thinking for API consistency with the policy attachment type, but honestly I'm fine with either way

[remilapeyre]

Thinking about it it makes sense to both have a consul_namespace_policy_attachment resource and make consul_namespace importable so that is possible to import the default namespace in the configuration to manage it like the rest of the other ones, this is already what we do for the anonymous token for example.

#263 adds import support to consul_namespace. I will post anoother PR for consul_namespace_policy_attachment shortly.