Consul HCP, automate ACL token configuration for clients


I am just getting started with Consul via HCP. I’m trying to get a consul client to connect to the Consul cluster running on HCP. My issue at the moment is how to handle the ACL tokens. (As additional context, I’m using Terraform’s nomad_cluster module with install-consul and install-nomad).

I am curious about best practises for configuring the Consul client automatically.

The Consul HCP cluster is provisioned via Terraform. I am storing the consul_client_config and consul_ca_file in AWS Secrets Manager.

When the Consul client starts up, it pulls this consul_ca_file and consul_client_config from AWS Secrets Manager. This part works well. The part I am struggling with is how to automate the configuration of the agent ACL token.

I’ve taken a look at auto_config but I am struggling with seeing how to set that up with Consul HCP. I’ve also considered just creating the ACL token manually, then putting this in another AWS secret, which the client can also pull on boot.

Any guidance is much appreciated.

Hi @jbye, just some initial thoughts which come to mind after reading your scenario.

If you are using Terraform to create your HCP Consul cluster and generate the initial ACL root token, would it help in your use case/workflow to then take that initial token, use it with the Consul Terraform Provider to generate the necessary ACL tokens needed for your Consul clients using this resource, and then pass the output to the resource which creates the client?

Utilizing the Consul Secrets Engine as part of the workflow could help too; the clients could request the token at startup time from Vault.
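The first suggestion in the reply, written out as an added Terraform example (this is not code from the thread or from HashiCorp's modules): the HCP root token is used only inside Terraform to mint a least-privilege agent token through the Consul provider, and that token is written to AWS Secrets Manager next to the CA file and client config the nodes already pull at boot. It assumes an `hcp_consul_cluster.main` resource is defined elsewhere, that the HCP, Consul and AWS providers are configured, that client nodes are named with the prefix `nomad-client-`, and that the instance role name is supplied as `var.consul_client_instance_role_name`; the policy name, secret name and descriptions are made up for the example.

```hcl
# Added example, not from the original thread. Assumes hcp_consul_cluster.main
# exists and the hcp, consul and aws providers are already configured.

# Configure the Consul provider with the root token HCP generated when the
# cluster was created. It is used only at plan/apply time to mint narrower
# tokens and never leaves Terraform state.
provider "consul" {
  address = hcp_consul_cluster.main.consul_public_endpoint_url
  scheme  = "https"
  token   = hcp_consul_cluster.main.consul_root_token_secret_id
  ca_pem  = base64decode(hcp_consul_cluster.main.consul_ca_file)
}

# Least-privilege agent policy: a client agent may only register/update nodes
# under its own name prefix and read the catalog. Prefix assumed for the example.
resource "consul_acl_policy" "client_agent" {
  name        = "nomad-client-agent"
  description = "Agent token policy for Nomad/Consul client nodes"
  rules       = <<-RULES
    node_prefix "nomad-client-" {
      policy = "write"
    }
    agent_prefix "nomad-client-" {
      policy = "read"
    }
    service_prefix "" {
      policy = "read"
    }
  RULES
}

# The token the clients will use as acl.tokens.agent.
resource "consul_acl_token" "client_agent" {
  description = "Shared agent token for Nomad/Consul client nodes"
  policies    = [consul_acl_policy.client_agent.name]
}

# The resource exposes the accessor ID; the secret ID is read separately.
data "consul_acl_token_secret_id" "client_agent" {
  accessor_id = consul_acl_token.client_agent.id
}

# Store the secret ID where the nodes already fetch their CA and config.
resource "aws_secretsmanager_secret" "consul_agent_token" {
  name        = "consul/client/agent-token"
  description = "Consul agent ACL token pulled by client nodes at boot"
}

resource "aws_secretsmanager_secret_version" "consul_agent_token" {
  secret_id     = aws_secretsmanager_secret.consul_agent_token.id
  secret_string = data.consul_acl_token_secret_id.client_agent.secret_id
}

# Scope the instance role to this one secret rather than to secretsmanager:*.
# var.consul_client_instance_role_name is an assumed input variable.
resource "aws_iam_role_policy" "client_read_agent_token" {
  name = "consul-client-read-agent-token"
  role = var.consul_client_instance_role_name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = [aws_secretsmanager_secret.consul_agent_token.arn]
    }]
  })
}
```

On the node, the boot script that already pulls the CA file and client config fetches this secret as well and either writes it into the agent config as `acl { tokens { agent = "..." } }` or applies it after start-up with `consul acl set-agent-token agent "<token>"` (with `enable_token_persistence = true` so it survives restarts). The secret ID ends up in Terraform state, so that state needs the same protection as the root token. The Vault route from the second suggestion replaces the Secrets Manager resources with a Consul secrets engine role bound to the same `nomad-client-agent` policy, which gives each client a short-lived token instead of one shared long-lived secret.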