resource_consulacl_token.md

resource "consulacl_token"

Overview

Uses the deprecated pre-Consul 1.4 ACL API to manage Consul ACL tokens with embedded policies.

Arguments

The following arguments are supported:

  • name - (Required) String defining name for the token
  • type - (Required) String defining type of the token - either client or management
  • token - (Optional) If set, defines the token ID. If unset, a unique UUID will be generated by Consul and exported by the resource. This value is sensitive.
  • rule - (Optional) Set of rules to assign to the token. Each rule is defined as a map with the following fields:
    • scope - (Required) String defining a scope of the rule. One of: agent, event, key, node, query, service, session, keyring and operator.
    • policy - (Required) String defining a policy of the rule. One of: read, write.
    • prefix - (Optional) String defining a prefix limiting the rule's effect. Not allowed for keyring and operator scopes.
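
An added example (not part of the provider or its documentation): a Python pre-apply check that validates rule maps against the constraints listed above, renders them in Consul's legacy ACL rule syntax, and lists write rules that have no prefix restriction. The function names are hypothetical, and the mapping to legacy rule text is an assumption about what is sent to Consul; the sample rules are the three from this page's usage example.

```python
import json

PREFIXED_SCOPES = {"agent", "event", "key", "node", "query", "service", "session"}
GLOBAL_SCOPES = {"keyring", "operator"}  # documented: prefix not allowed here
POLICIES = {"read", "write"}

# Sample input: the three rules from this page's usage example.
PAGE_RULES = [
    {"scope": "key", "policy": "write", "prefix": "foo/bar/baz"},
    {"scope": "service", "policy": "read", "prefix": ""},
    {"scope": "operator", "policy": "read"},
]


def validate_rule(rule):
    """Return a list of problems for one rule map (empty list means valid)."""
    problems = []
    scope, policy = rule.get("scope"), rule.get("policy")
    if scope not in PREFIXED_SCOPES | GLOBAL_SCOPES:
        problems.append(f"unknown scope {scope!r}")
    if policy not in POLICIES:
        problems.append(f"unknown policy {policy!r}")
    # An empty prefix is treated as unset, matching the plan output on this page.
    if scope in GLOBAL_SCOPES and rule.get("prefix"):
        problems.append(f"prefix not allowed for scope {scope!r}")
    return problems


def render_legacy_acl(rules):
    """Render rules as legacy (pre-1.4) ACL rule text; raise on invalid input."""
    lines = []
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            raise ValueError("; ".join(problems))
        scope, policy = rule["scope"], rule["policy"]
        if scope in GLOBAL_SCOPES:
            lines.append(f'{scope} = "{policy}"')
        else:
            # json.dumps quotes and escapes the prefix as a string literal.
            prefix = json.dumps(rule.get("prefix", ""), ensure_ascii=False)
            lines.append(f'{scope} {prefix} {{ policy = "{policy}" }}')
    return "\n".join(lines)


def unrestricted_writes(rules):
    """Rules granting write with no prefix, i.e. across the whole scope."""
    return [r for r in rules if r.get("policy") == "write" and not r.get("prefix")]
```
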

Attributes

The following attributes are exported:

  • token - String, the ACL token's value. Sensitive.
  • id - String, SHA256 hash of token attribute.

Usage Example

Configure

resource "consulacl_token" "token" {
  name  = "A demo token"
  token = "my-custom-token"
  type  = "client"

  rule { scope="key"      policy="write"  prefix="foo/bar/baz"  }
  rule { scope="service"  policy="read"   prefix=""             }
  rule { scope="operator" policy="read"                         }
}

Apply

$ terraform apply
  
  An execution plan has been generated and is shown below.
  Resource actions are indicated with the following symbols:
    + create
  
  Terraform will perform the following actions:
  
    + consulacl_token.token
        id:                     <computed>
        name:                   "A demo token"
        rule.#:                 "3"
        rule.1495889372.policy: "write"
        rule.1495889372.prefix: "foo/bar/baz"
        rule.1495889372.scope:  "key"
        rule.2015766991.policy: "read"
        rule.2015766991.prefix: ""
        rule.2015766991.scope:  "service"
        rule.4269786272.policy: "read"
        rule.4269786272.prefix: ""
        rule.4269786272.scope:  "operator"
        token:                  <sensitive>
        type:                   "client"
  
  
  Plan: 1 to add, 0 to change, 0 to destroy.
  
  Do you want to perform these actions?
    Terraform will perform the actions described above.
    Only 'yes' will be accepted to approve.
  
    Enter a value: yes
  
  consulacl_token.token: Creating...
    name:                   "" => "A demo token"
    rule.#:                 "0" => "3"
    rule.1495889372.policy: "" => "write"
    rule.1495889372.prefix: "" => "foo/bar/baz"
    rule.1495889372.scope:  "" => "key"
    rule.2015766991.policy: "" => "read"
    rule.2015766991.prefix: "" => ""
    rule.2015766991.scope:  "" => "service"
    rule.4269786272.policy: "" => "read"
    rule.4269786272.prefix: "" => ""
    rule.4269786272.scope:  "" => "operator"
    token:                  "<sensitive>" => "<sensitive>"
    type:                   "" => "client"
  consulacl_token.token: Creation complete after 0s (ID: 929a4284c36bdaa9ba4a96dbbcfd9839160258643e4d1beb9a15fff6c6bcd027)
  
  Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Import

$ terraform import consulacl_token.token "a694f2c0-20c8-902c-7d57-be10bd3edb1b"
  consulacl_token.token: Importing from ID "a694f2c0-20c8-902c-7d57-be10bd3edb1b"...
  consulacl_token.token: Import complete!
    Imported consulacl_token (ID: 929a4284c36bdaa9ba4a96dbbcfd9839160258643e4d1beb9a15fff6c6bcd027)
  consulacl_token.token: Refreshing state... (ID: 929a4284c36bdaa9ba4a96dbbcfd9839160258643e4d1beb9a15fff6c6bcd027)
  
  Import successful!
  
  The resources that were imported are shown above. These resources are now in
  your Terraform state and will henceforth be managed by Terraform.