
Consul provider, what are minimum ACL rules in policy? #97

Closed
ghost opened this issue Apr 9, 2019 · 5 comments · Fixed by #99

Comments

@ghost

ghost commented Apr 9, 2019

This issue was originally opened by @vasilij-icabbi as hashicorp/terraform#20966. It was migrated here as a result of the provider split. The original body of the issue is below.


Hello,
I am using the Consul provider with Terraform and I want it to be secured with a Consul ACL token.

Question is: what are the minimum required ACL rules in a policy for the Consul provider to work properly?

Thank you

@remilapeyre
Collaborator

Hi @vasilij-icabbi, if I understand your question correctly, this will depend on the resources and data sources you want to use and the ACL configuration of your cluster.

I would start with a token with all privileges removed and add them as you need them. If you want to know which ACL is needed for a given resource, you can look at the "ACL Required" in the corresponding Consul HTTP API documentation.

Does this answer your question?

@vasilij-icabbi

vasilij-icabbi commented Apr 10, 2019

@remilapeyre Thank you for your reply. I use the Consul provider for configuration only, so it is needed only for KV storage.

I created a policy with this rule:

{
  "Name": "terraform-token",
  "Description": "Terraform Token Policy",
  "Rules": "key_prefix \"\" { policy = \"write\" }"
}

Created a token, assigned it the policy with the rule above, and provided it to the Terraform Consul provider. And here it fails with 403.

Either I am doing something wrong, or the Consul provider makes some API calls and requires more policy rules to function properly, which is why I ask whether there are any minimal rules I have to set.

Worth mentioning that my Consul ACL policy is deny by default.

@vasilij-icabbi

Hello,
just checking if anyone can help me here?

@remilapeyre
Collaborator

remilapeyre commented Apr 17, 2019

Hi @vasilij-icabbi, thanks for the ping.

Terraform currently needs to read the configuration of the agent to know which datacenter it is connected to. Can you confirm that it works with this policy?

{
  "Name": "terraform-token",
  "Description": "Terraform Token Policy",
  "Rules": "key_prefix \"\" { policy = \"write\" } agent_prefix \"\" { policy = \"read\" }"
}

If so I will look into removing this restriction.
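The two policies quoted in this thread, checked against a small model of the requests the provider was making at the time: an added example, not code from the issue, from Consul or from the provider. It assumes a simplified version of Consul's ACL evaluation (deny by default, longest matching prefix rule wins, write implies read) and a constructed list of three provider requests (the agent self-read used to discover the datacenter, plus a KV read and write); the `PROVIDER_CALLS` table and the hypothetical key `app/config` are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Consul policy levels in increasing order; each level implies the ones below it.
LEVELS = {"deny": 0, "read": 1, "write": 2}

# Matches rules in the form used in the thread, e.g.  key_prefix "" { policy = "write" }
RULE_RE = re.compile(
    r'(key|agent|node|service|session|event|query)(_prefix)?\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}'
)


@dataclass
class Rule:
    resource: str   # e.g. "key" or "agent"
    name: str       # exact name or prefix the rule applies to
    prefix: bool    # True for *_prefix rules
    level: str      # "deny", "read" or "write"


def parse_rules(rules: str) -> list[Rule]:
    """Parse the HCL-style rule string found in a policy's "Rules" field."""
    return [Rule(res, name, bool(pfx), lvl) for res, pfx, name, lvl in RULE_RE.findall(rules)]


def allowed(policy: str, resource: str, name: str, needed: str, default: str = "deny") -> bool:
    """Simplified Consul ACL check: the longest matching rule decides, exact names
    beat prefixes of equal length, and an unmatched request gets the default policy."""
    best: Rule | None = None
    for rule in parse_rules(policy):
        if rule.resource != resource:
            continue
        matches = name.startswith(rule.name) if rule.prefix else name == rule.name
        if not matches:
            continue
        if best is None or len(rule.name) > len(best.name) or (
            len(rule.name) == len(best.name) and not rule.prefix
        ):
            best = rule
    level = best.level if best else default
    return LEVELS[level] >= LEVELS[needed]


# Constructed model of the calls the provider made before the fix referenced in
# this issue: read the agent's own configuration to learn the datacenter, then
# read and write configuration keys. Names are hypothetical sample values.
PROVIDER_CALLS = [
    ("GET /v1/agent/self", "agent", "consul-agent-1", "read"),
    ("GET /v1/kv/app/config", "key", "app/config", "read"),
    ("PUT /v1/kv/app/config", "key", "app/config", "write"),
]


def denied_calls(policy: str) -> list[str]:
    """Return the provider requests that a deny-by-default cluster would answer with 403."""
    return [call for call, res, name, lvl in PROVIDER_CALLS if not allowed(policy, res, name, lvl)]


# The policy from the first report: KV only.
POLICY_KV_ONLY = 'key_prefix "" { policy = "write" }'
# The policy from the reply: KV plus read access to the agent endpoints.
POLICY_KV_AND_AGENT = 'key_prefix "" { policy = "write" } agent_prefix "" { policy = "read" }'
# A tighter variant: scope the KV grant to the subtree Terraform actually manages.
POLICY_SCOPED = 'key_prefix "app/" { policy = "write" } agent_prefix "" { policy = "read" }'

if __name__ == "__main__":
    for label, pol in [("kv-only", POLICY_KV_ONLY), ("kv+agent", POLICY_KV_AND_AGENT), ("scoped", POLICY_SCOPED)]:
        print(f"{label:9s} denied: {denied_calls(pol)}")
```

Running the block reproduces the thread: the KV-only policy is rejected on the agent self-read alone, and adding `agent_prefix "" { policy = "read" }` clears it. The scoped variant shows the direction a least-privilege policy would take once the required endpoints are known: grant write only under the prefix Terraform manages rather than under the empty prefix.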

@vasilij-icabbi

Hello @remilapeyre, thank you for your reply. That helped, and I confirm that it works as intended: I can write into KV and read from it too.

remilapeyre pushed a commit to remilapeyre/terraform-provider-consul that referenced this issue Apr 17, 2019
Most resources use the datacenter of the agent Terraform is connected to
as the default. This causes issues when Terraform does not have the agent:read
authorization.

For most operations, we can use an empty string and Consul will use the
datacenter of the agent being queried.

Fix hashicorp#97