Consul provider, what are minimum ACL rules in policy? about terraform-provider-consul HOT 5 CLOSED

Hello @remilapeyre , Thank you for your reply, that helped and I confirm that it works as intended, I can write into KV and read from it too.

from terraform-provider-consul.

Hi @vasilij-icabbi, if I understand correctly your question, this will depend on the resources and data-sources you want to use and the ACL configuration of your cluster.

I would start with a token with all privileges removed and add them as you need them. If you want to know which ACL is needed for a given resource, you can look at the "ACL Required" in the corresponding Consul HTTP API documentation.

Does this answer your question?

from terraform-provider-consul.

@remilapeyre Thank you for your reply. I use Consul provider for configuration only, so it needed only for KV storage.

I created policy with rule:

{
  "Name": "terraform-token",
  "Description": "Terraform Token Policy",
  "Rules": "key_prefix \"\" { policy = \"write\" }"
}

Created token, assigned policy with role above and provided it to terraform consul provider. And here it fails with 403.

Either I do something wrong or either consul provider does some API calls and requires more policy rules to function proper, this is why I ask if there are any minimal rules I have to set?

Worth to mention that my Consul ACL policy is deny by default.

from terraform-provider-consul.

Hello,
just checking if anyone can help me here?

from terraform-provider-consul.

Hi @vasilij-icabbi, thanks for the ping.

Terraform currently needs to read the configuration of the agent to know which datacenter it is connected to. Can you confirm that it works with this policy?

{
  "Name": "terraform-token",
  "Description": "Terraform Token Policy",
  "Rules": "key_prefix \"\" { policy = \"write\" } agent_prefix \"\" { policy = \"read\" }"
}

If so I will look into removing this restriction.

from terraform-provider-consul.