Skip to content
This repository has been archived by the owner on Jan 25, 2023. It is now read-only.

Enhancement to support ACL bootstrapping #221

Open
wants to merge 27 commits into
base: master
Choose a base branch
from

Conversation

yardbirdsax
Copy link
Contributor

@yardbirdsax yardbirdsax commented Apr 28, 2021

Fixes #119

Functional Changes

  • The consul-iam-policies module now includes permissions for reading / writing SSM parameters when a new variable named acl_store_type is set to "ssm".
  • The consul-cluster module now includes an input variable named acl_store_type, which is used to indicate where created ACL tokens should be stored. Currently this only supports the value "ssm", but could support other methods in the future. This value is only used to pass on to the consul-iam-policies module.
  • The example Packer file now includes a step to install the bash-commons library, which is used in cases where ACLs are enabled.
  • Several new common bash functions were created to enable creation of ACL tokens and reading / writing of SSM parameters in support of enabling ACLs in created Consul clusters.
  • The run-consul script now accepts a switch parameter --enable-acl, which if set will cause the script to generate a root ACL token upon cluster provision, and store it as a specially named SSM parameter. The bootstrap command is executed on only one of the server instances; other server instances and client instances will wait for the SSM parameter to become available, then use it to create their own agent tokens with minimal rights. (Note: while this currently only supports SSM, it was written internally in a way that future expansion to other stores would be possible.)
  • The run-consul script now accepts an argument --acl-storage-type, which is required when the --enable-acl flag is set. This allows the user to select how the bootstrap process stores generated ACL tokens. Currently the only supported value is 'ssm'.

Testing / Refactoring related changes

  • Multiple Terratest related functions have been refactored to support the testing of ACL enabled clusters.
  • Several bash functions have been moved to the new consul-commons.sh file so as to make testing them independent of running the run-consul script easier.

Known Issues

  • The enterprise tests are failing. I'm not sure how to test that since I don't have access to the enterprise binaries. Open to suggestions!
  • I was not able to test in versions older than 1.9.2 because of configuration mismatches (i.e. the conf file included options that weren't compatible with those versions).

Test results: https://gist.github.com/yardbirdsax/e08efec4799c7e286ce093b5dfee89c3

… dependencies with the new modular structure, as well as instructions on how to run tests without building an AMI each time.
… passing in an ACL token. This will allow the methods to be used for testing an ACL enabled cluster as well as the default setup.
…r SSM parameter read / write access if that option is selected at deployment time.
…if the cluster should be aset up to allow reading/writing ACL tokens to permitted stores (currently only SSM).
…er with ACL enabled, and an example added with appropriate options set. Tests still fail since this functionality is not implemented.
…to run Consul, as well as a function to calculate the name of the SSM parameter to store the bootstrap token in.
…h the run-consul file now sources. This makes testing functions easier and also follows the pattern of other repositories, such as the terraform-aws-couchbase one.
…er nodes to read / write appropriate SSM parameters.
…pe' parameter when writing the token to SSM by way of the 'aws ssm put-parameter' call.
…n-consul script with the '--enable-acl' flag set.
…nsul-commons.sh' file when installing Consul.
…ation, since agents currently pass through their token uand so will fail the test for empty members.
@yardbirdsax yardbirdsax requested a review from robmorgan as a code owner April 28, 2021 15:44
The steps to download and install the 'bash-commons' library have been moved to the 'install-consul' script so that it is not dependent upon the Packer configuration to include this required step.
The method used by the run-consul script to generate the agent token has been enhanced to use a newer method when the version of Consul is compatible with it.
- The run-consul script will now source a specific script file based on the value given by the new '--acl-storage-type' command line argument. This allows for easier addition of new methods of storing ACL tokens based on a set of common interface functions (write_acl_token, read_acl_token).

- An additional check to ensure that the token generated for the agent is not empty has been added, so that the script will properly throw an error and exit if the token cannot be generated.

- The install-consul script has been updated to include copying all '*.sh' files in the 'modules/run-consul' directory, so as to include any new common script files added from here on out.

- The example deployment with ACLs has been updated with the newly added command line arguments for the user data scripts.

- The test for ACL enabled clusters has been corrected so that it expects an empty response to 'consul members' when not passing in an ACL token.
- The function that generates the agent ACL token policy has been updated to remove un-necessary read permissions. It now matches the example given in the official Hashicorp tutorial (https://learn.hashicorp.com/tutorials/consul/access-control-setup-production\#create-the-agent-policy).
@yardbirdsax
Copy link
Contributor Author

yardbirdsax commented May 10, 2021

I think I've incorporated everything requested, please let me know if there's anything else required here? Thanks!

@yardbirdsax
Copy link
Contributor Author

Howdy, just wanted to ping here since I still have this PR outstanding. Was there anything else I need to do to get it closed out?

@hashicorp-cla
Copy link

hashicorp-cla commented Mar 12, 2022

CLA assistant check
All committers have signed the CLA.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add ACL system config on run_consul on consul >= 1.4.0
3 participants