Consul backend for Terraform - Minimum ACL policies

Hello,

I would like to know the minimum ACL rules to use consul as terraform backend.
For the moment I am using this one:

key_prefix "" {                                                                                                                                                                                                           
  policy = "read"                                                                                                                                                                                                         
}                                                                                                                                                                                                                         
                                                                                                                                                                                                                          
key_prefix "terraform/" {                                                                                                                                                                                                 
  policy = "write"                                                                                                                                                                                                        
}                                                                                                                                                                                                                         
                                                                                
session_prefix "" {                                                             
  policy = "write"                                                              
}

Can I reduce the session permission ?
Thanks.

Hi,

It looks like it is possible to reduce the permissions by making the policy more explicit.

For example, I created the following configuration to instruct Terraform to store my state using the consul backend.

# terraform-state-backend.tf
terraform {
  backend "consul" {
    path = "terraform/state"
  }
}

At a minimum, Terraform needs write access to the terraform/state key.

By default, the consul backend implements State Locking. Assuming this has not been disabled in the backend configuration by setting lock = false, Terraform will also need write access to two additional keys:

  • terraform/state/.lock - The lock created by Terraform, acquired by a session.
  • terraform/state/.lockinfo - Information about Terraform operation & client holding the lock.

If you’re curious, here’s an example of what is stored in .lockinfo during a terraform plan operation.

{
    "ID": "aad69961-747f-68bf-204a-6c70c13e3221",
    "Operation": "OperationTypePlan",
    "Info": "consul session: 6d218264-8c0f-ae67-45db-2e7dbb6a40d7",
    "Who": "blake@TheB.local",
    "Version": "0.12.18",
    "Created": "2019-12-23T03:46:47.66194Z",
    "Path": "terraform/state"
}

Anyway, I created the following Consul policy specifying the exact privleges required by Terraform to store its state.

# terraform-state-store-policy.hcl

// Allow writing the Terraform state file
key "terraform/state" {
  policy = "write"
}

// Allow writing the lock file
key "terraform/state/.lock" {
  policy = "write"
}

// Allow writing information about who currently holds the lock
key "terraform/state/.lockinfo" {
  policy = "write"
}

// Allow creating sessions on the Consul node 'consul-consul-server-1'
session "consul-consul-server-1" {
  policy = "write"
}

Session permissions are required to establish locks. However, because sessions are associated with nodes, the policy’s session permissions can be reduced to only allow session creation on specific nodes or node prefixes.

In my example, I am only allowing the session to be created through the node “consul-consul-server-1” – which means Terraform must use this node’s HTTP API endpoint when communicating with Consul. You could grant permission to create sessions on additional nodes, or node prefixes (i.e., session_prefix) as needed.

Hope this helps.