[BLOG] Managing HashiCorp Consul Access Control Lists with Terraform & Vault

Check out our blog on managing Consul ACLs with Terraform and Vault! Please post questions or comments here.


Hello, thanks for the blog. I am trying to replicate the steps in my environment and I am facing a strange error that I don't know how to debug.

Here are the steps that I execute:

main.tf

resource "vault_consul_secret_backend" "this" {
  path        = "consul"
  description = "Manages the Consul backend"

  token = data.aws_secretsmanager_secret_version.consul.secret_string

  address     = "consul.service.brain.consul:8500"
  scheme      = "https"
  ca_cert     = "/etc/core/runner_tls/cachain.pem"
  client_cert = "/etc/core/runner_tls/consul.pem"
  client_key  = "/etc/core/runner_tls/consul.key"
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 3600
}

resource "vault_consul_secret_backend_role" "this" {
  name    = "consul-admin-role"
  backend = vault_consul_secret_backend.this.path

  policies = [
    "consul-admin-policy",
  ]
}

list roles

curl \
    --header "X-Vault-Token: s.xxx" \
    --request LIST \
    https://vault.service.brain.consul:8200/v1/consul/roles \
        --key /opt/vault/tls/vault.key \
        --cert /opt/vault/tls/vault.pem \
        --cacert /opt/vault/tls/cachain.pem

output

{"request_id":"9c2ed5dd-c54e-a6d2-8020-4cfbe3d108d9","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["consul-admin-role"]},"wrap_info":null,"warnings":null,"auth":null}

show role

curl \
    --header "X-Vault-Token: s.xxx" \
    https://vault.service.brain.consul:8200/v1/consul/roles/consul-admin-role \
        --key /opt/vault/tls/vault.key \
        --cert /opt/vault/tls/vault.pem \
        --cacert /opt/vault/tls/cachain.pem

output

{"request_id":"76b01250-2ab3-0b61-6646-fe1dfa3eca5f","lease_id":"","renewable":false,"lease_duration":0,"data":{"lease":0,"local":false,"max_ttl":0,"policies":["consul-admin-policy"],"token_type":"client","ttl":0},"wrap_info":null,"warnings":null,"auth":null}

get role token

curl \
    --header "X-Vault-Token: s.xxx" \
    https://vault.service.brain.consul:8200/v1/consul/creds/consul-admin-role \
        --key /opt/vault/tls/vault.key \
        --cert /opt/vault/tls/vault.pem \
        --cacert /opt/vault/tls/cachain.pem

output (ERROR)

{"errors":["1 error occurred:\n\t* tls: failed to find any PEM data in certificate input\n\n"]}

The Vault token that I am using:

Key                      Value
---                      -----
token                    n/a
token_accessor           n/a
token_duration           7h47m28s
token_renewable          true
token_policies           ["consul-secrets-policy" "default" "token-auth-policy" "vault-admin-policy"]
identity_policies        []
policies                 ["consul-secrets-policy" "default" "token-auth-policy" "vault-admin-policy"]
token_meta_account_id    xxx
token_meta_auth_type     iam
token_meta_role_id       x-x-x-x-x

consul-secrets-policy:

path "/consul/config/access" {
    capabilities = ["create","update"]
}
path "/consul/roles/*" {
    capabilities = ["create","update"]
}
path "/consul/roles/*" {
    capabilities = ["read"]
}
path "/consul/creds/*" {
    capabilities = ["read"]
}
path "/consul/roles" {
    capabilities = ["list"]
}
path "/consul/roles/*" {
    capabilities = ["delete"]
}

consul-admin-policy:

# https://www.consul.io/api-docs/agent#retrieve-host-information
operator = "write"
acl = "write"

# https://www.consul.io/api-docs/catalog#list-nodes-for-service

agent "" {
  policy = "write"
}

agent_prefix "" {
  policy = "write"
}

service "" {
  policy = "write"
}

service_prefix "" {
  policy = "write"
}

node "" {
  policy = "write"
}

node_prefix "" {
  policy = "write"
}

key_prefix "" {
  policy = "write"
}

Any ideas how to solve this one?
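As an added example, not part of the thread: a preflight check of the three TLS arguments to `vault_consul_secret_backend`. Vault's Consul backend expects the PEM bodies themselves in `ca_cert`, `client_cert` and `client_key`, so a filesystem path such as `/etc/core/runner_tls/cachain.pem` is what produces the `failed to find any PEM data in certificate input` error shown above (in Terraform the usual fix is `file("/etc/core/runner_tls/cachain.pem")`). The sample PEM and the helper names are constructed for this example.

```python
import os
import re

# Arguments of vault_consul_secret_backend (backed by Vault's consul/config/access
# endpoint) that must carry PEM content, not a path to a PEM file.
PEM_FIELDS = ("ca_cert", "client_cert", "client_key")

# Constructed sample: a syntactically valid PEM envelope around placeholder
# base64. It is not a real certificate and will not parse as x509.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUQ0NPTlNUUlVDVEVEIFNBTVBMRQ==\n"
    "-----END CERTIFICATE-----\n"
)

# A PEM block: BEGIN line, base64 body, END line (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN [A-Z0-9 ]+-----\r?\n[A-Za-z0-9+/=\r\n]+-----END [A-Z0-9 ]+-----"
)


def classify_tls_value(value):
    """Return 'pem', 'path' or 'invalid' for one ca_cert/client_cert/client_key value."""
    if PEM_BLOCK.search(value):
        return "pem"
    # No PEM block: an absolute path or a cert/key extension means a file name was
    # passed where Vault expects the file's contents.
    if os.path.isabs(value) or value.endswith((".pem", ".crt", ".cer", ".key")):
        return "path"
    return "invalid"


def check_consul_backend_config(cfg):
    """Preflight the TLS arguments; returns {field: hint} for each value Vault would reject."""
    problems = {}
    for field in PEM_FIELDS:
        value = cfg.get(field)
        if value is None:
            continue  # optional argument, not set
        kind = classify_tls_value(value)
        if kind == "path":
            problems[field] = f'file path given; use file("{value}") so the PEM body is sent'
        elif kind == "invalid":
            problems[field] = "no PEM block found in value"
    return problems


if __name__ == "__main__":
    # The values from the posted main.tf: all three are paths, so all three fail.
    posted = {field: f"/etc/core/runner_tls/{name}" for field, name in
              zip(PEM_FIELDS, ("cachain.pem", "consul.pem", "consul.key"))}
    for field, hint in check_consul_backend_config(posted).items():
        print(f"{field}: {hint}")
```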