Find a way to bootstrap Consul ACL support #95
Comments
Is there someone aware of a valid workaround?
Hi @frederikbosch, we don't have a satisfactory way to securely bootstrap the ACL support without the master token ending up in the Terraform state in plaintext. Storing secrets in the Terraform state is a complicated issue; you can read more about it here: hashicorp/terraform#516
Did you try using a provisioner (https://www.terraform.io/docs/provisioners/local-exec.html)?
@remilapeyre Exactly, I understand. I used
Hi everyone, I finally found a way to bootstrap the ACL system without having to write the management token in the Terraform state. hashicorp/vault#10751 makes it possible to use Vault to do the ACL bootstrapping securely. Once it has been merged in Vault I will write a guide to show how to do this and generate additional Consul tokens from Vault using Terraform.
Being able to bootstrap the ACL system of Consul is something that has long been asked of its Terraform provider (hashicorp/terraform-provider-consul#95). We always refused to implement a solution that would save this token in the Terraform state, as the new ACL system in 1.4 meant that we could finally reference some tokens without having access to their secret ID. Storing the bootstrap token in the state would have made this useless and would potentially be a security issue. This change makes it possible to configure a new Consul secret engine without providing a token; in that case Vault knows that the ACL system has not yet been bootstrapped and does it itself. This means we will at last be able to have completely automatic and secure Consul cluster creation using Terraform, which has been wanted by our users for some time now.
Hello, @remilapeyre. Have you eventually written this guide? Is there anywhere we can see it?
I can see that Vault 1.11.0 has been released which contains:
What changes are needed to the Consul provider to take advantage of this feature?
Can this be done without Vault? I don't really like the idea of being required to add (and manage) Vault if I want to be able to fully automate the setup and management of a Consul cluster.
Hi, support for bootstrapping ACLs with Vault has indeed officially landed. While I haven't had time to write it in the Terraform provider, there is documentation in the Vault project: https://www.vaultproject.io/docs/secrets/consul#setup. You will be able to do the same thing using the Vault Terraform provider.
I understand that having an extra system to manage may not be ideal, but it is very important for the solution to bootstrap the cluster to be secure, as all the rest of the application's security depends on this. I will continue to look for an alternative solution but cannot promise finding one, nor a timeline. If you manage a small number of clusters I suppose doing it manually might be best, or creating a small Vault cluster if you have a large number of Consul systems (one Vault cluster can bootstrap the ACLs of all your Consul clusters). If you are okay with an insecure solution, you should be able to use an external resource to do this in the meantime.
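The Vault-based flow described in the comment above, written out as Terraform for the Vault provider. This is an added example, not code from this issue, the Consul provider, or the Vault documentation. It assumes Vault 1.11 or later, a Vault provider version whose vault_consul_secret_backend resource accepts a bootstrap argument (verify against your provider's changelog), a placeholder Consul address, and that the global-management policy exists as it does by default in Consul 1.4 and later:

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# Vault itself is addressed through VAULT_ADDR / VAULT_TOKEN in the environment,
# so no Vault credential is written into this configuration or its state.
provider "vault" {}

# Mount the Consul secrets engine WITHOUT a `token` argument. With Vault 1.11+
# and `bootstrap = true` (argument name assumed from the Vault provider docs),
# Vault calls Consul's ACL bootstrap endpoint itself and keeps the resulting
# management token in its own storage. Terraform never sees the secret ID, so
# it cannot end up in the state file. The address below is a placeholder.
resource "vault_consul_secret_backend" "consul" {
  path                      = "consul"
  description               = "Bootstraps and manages Consul ACL tokens"
  address                   = "consul.example.internal:8500" # placeholder
  scheme                    = "https"
  bootstrap                 = true
  default_lease_ttl_seconds = 3600  # tokens expire after one hour by default
  max_lease_ttl_seconds     = 86400 # hard cap on how long a lease may be renewed
}

# A role that issues short-lived Consul tokens bound to named Consul policies.
# Scope this to a narrower policy than global-management in production; it is
# used here only because it exists before any policy has been created.
resource "vault_consul_secret_backend_role" "terraform" {
  backend         = vault_consul_secret_backend.consul.path
  name            = "terraform"
  consul_policies = ["global-management"]
  ttl             = 3600
  max_ttl         = 86400
}
```

After this applies, obtain a token for the Consul provider out-of-band, for example with `vault read -field=token consul/creds/terraform`, and export it as CONSUL_HTTP_TOKEN before running the Consul provider. Reading the credential inside Terraform with a data source such as vault_generic_secret would store it in the state again, which is exactly what the thread is trying to avoid; the difference is that a leaked lease is short-lived and revocable through Vault, whereas a leaked bootstrap token is permanent until the ACL system is reset.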
We did it this way, looking forward to it being supported in the official provider (vault 1.11.0 is min version):
#60 introduces support for ACL with consul_acl_policy and consul_acl_token. Both require the ACL to have been previously bootstrapped manually to work. Bootstrapping ACLs requires keeping track of the master token given by https://www.consul.io/api/acl/acl.html#bootstrap-acls, so it would be written as clear text in the terraform state.
The change in ACLs in Consul 1.4 was made so that the secret IDs would not need to be saved in insecure situations and accessor IDs could be used instead.
Once ACLs are bootstrapped, the operator also needs to update the provider configuration and to set token or set the CONSUL_HTTP_TOKEN environment variable. It would be nice to have a secure way to automate this.
Related: hashicorp/terraform#9556