Description of the Feature
Idempotently change the ACLs of a cluster to match a local set of .hcl (and .json) files.
i.e.
config.json
{ ... "acl_directory" : "/etc/consul/acl" ...}
where /etc/consul/acl contains usertoken.hcl, MasterToken.hcl and Anonymous.hcl, which define what the ACL setup should be.
Description of our use case
On a project using Consul as a service registry/KV store, we were spinning up different kinds of Consul clusters which required different sets of Consul ACLs to be applied to each one. Because we were making frequent changes to the rules as new use cases were added, we needed a better way to adjust our ACLs.
We made a tool using a remote Consul client which interfaced with our Consul cluster and managed its ACLs based on files we provisioned with the Consul client itself.
Notes
The interaction style would ideally be similar to what terraform apply does when changing infrastructure: it would adjust changed ACLs, add missing ones and remove ones not found in the local configuration directory.
I found this feature useful for my use case, but I thought I'd try my hand at implementing it myself in Consul's source as an optional configuration flag for where to find a directory of ACL files (i.e. ./acl.d/userToken.hcl).
Before going ahead I wanted to make sure that a feature like this isn't against the development plan for Consul and make sure this would be useful for others.
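An added example, not code from Consul or from the author's tool, of the reconciliation the Notes section describes: read the directory of ACL files, then plan creates, updates and deletes against the cluster's current ACLs, with a protected set so the management and anonymous tokens can be changed but never removed. The loader, the name-to-rules maps standing in for cluster state, and the protected set are assumptions; the Consul API calls that would apply the plan are left out.

```go
package main

import "os"
import "path/filepath"
import "strings"

// Plan is the terraform-apply style change set for the cluster's ACLs.
type Plan struct{ Create, Update, Delete []string }

// loadLocalACLs maps each .hcl/.json file in dir to its rule text, keyed by base name.
// A missing dir is an error, not an empty set: an empty desired set would delete every ACL.
func loadLocalACLs(dir string) (map[string]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	desired := map[string]string{}
	for _, e := range entries {
		ext := filepath.Ext(e.Name())
		if e.IsDir() || (ext != ".hcl" && ext != ".json") {
			continue
		}
		body, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		desired[strings.TrimSuffix(e.Name(), ext)] = string(body)
	}
	return desired, nil
}

// planACLs diffs desired (local files) against current (cluster state, same keys).
// Names in protected are updated but never deleted: removing the management token
// the tool authenticates with, or the anonymous token, would lock the tool out.
func planACLs(desired, current map[string]string, protected map[string]bool) Plan {
	var p Plan
	for name, rules := range desired {
		if cur, ok := current[name]; !ok {
			p.Create = append(p.Create, name)
		} else if strings.TrimSpace(cur) != strings.TrimSpace(rules) {
			p.Update = append(p.Update, name)
		}
	}
	for name := range current {
		if _, ok := desired[name]; !ok && !protected[name] {
			p.Delete = append(p.Delete, name)
		}
	}
	return p
}
```

Applying the plan means one create, update or delete call per name; a dry-run mode that only prints the plan is the safest default for a flag like this.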