Consul provider, what are minimum ACL rules in policy? #97
Comments
Hi @vasilij-icabbi, if I understand correctly your question, this will depend on the resources and data-sources you want to use and the ACL configuration of your cluster. I would start with a token with all privileges removed and add them as you need them. If you want to know which ACL is needed for a given resource, you can look at the "ACL Required" in the corresponding Consul HTTP API documentation. Does this answer your question?
@remilapeyre Thank you for your reply. I use the Consul provider for configuration only, so it is needed only for KV storage. I created a policy with the rule:
Created a token, assigned the policy with the rule above, and provided it to the Terraform Consul provider. And here it fails with 403. Either I do something wrong, or the Consul provider does some API calls and requires more policy rules to function properly, which is why I ask if there are any minimal rules I have to set. Worth mentioning that my Consul ACL policy is deny by default.
Hello,
Hi @vasilij-icabbi, thanks for the ping. Terraform currently needs to read the configuration of the agent to know which datacenter it is connected to. Can you confirm that it works with this policy?
If so I will look into removing this restriction.
Hello @remilapeyre, thank you for your reply. That helped, and I confirm that it works as intended: I can write into KV and read from it too.
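A minimal policy matching what this thread establishes, written here as an added example rather than a policy posted in the thread or taken from the provider's documentation: the provider needs read access to the agent's own configuration (to learn which datacenter it is connected to) plus write access on the KV subtree Terraform manages. The `terraform/` prefix and the policy name used in the usage note are assumptions for illustration; the cluster is assumed to be deny-by-default, as the reporter's is.

```hcl
# Constructed example policy; not taken from the thread or the provider docs.
# With a deny-by-default cluster, anything not granted here stays denied.

# The provider reads the agent's own configuration (the agent "self" endpoint)
# to learn the datacenter it is connected to. That call needs agent read on
# the agent Terraform talks to; an empty prefix matches every agent name.
agent_prefix "" {
  policy = "read"
}

# KV access is limited to the subtree Terraform manages ("terraform/" is an
# assumed prefix). "write" implies read, so this covers both reading and
# writing keys under that prefix and nothing outside it.
key_prefix "terraform/" {
  policy = "write"
}
```

Load it with `consul acl policy create -name terraform-kv -rules @terraform-kv.hcl`, mint a token with `consul acl token create -policy-name terraform-kv`, and hand that token's SecretID to the provider. On a provider version that includes the change described in the commit message in this thread (datacenter left empty so Consul uses the queried agent's datacenter), try removing the `agent_prefix` block and re-running `terraform plan`; with a deny-by-default cluster, a 403 on plan is the signal that the agent read rule is still required for the resources in use.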
Most resources use the datacenter of the agent Terraform is connected to as the default. This causes issues when Terraform does not have the agent:read authorization. For most operations, we can use an empty string and Consul will use the datacenter of the agent being queried. Fix hashicorp#97
This issue was originally opened by @vasilij-icabbi as hashicorp/terraform#20966. It was migrated here as a result of the provider split. The original body of the issue is below.
Hello,
I am using the Consul provider with Terraform and I want it to be secured with a Consul ACL token.
The question is: what are the minimum required ACL rules for a policy for the Consul provider to work properly?
Thank you