Consul Azure Module

This is a Terraform module for provisioning Consul Enterprise on Azure. This module defaults to setting up a cluster with 5 Consul server nodes (as recommended by the Consul Reference Architecture).

About This Module

This module implements the Consul Reference Architecture on Azure using the Enterprise version of Consul 1.10+.

How to Use This Module

• Ensure Azure credentials are in place (e.g. az login and az account set --subscription="SUBSCRIPTION_ID" on your workstation)

  • Owner role or equivalent is required (to create the Azure roles for servers)

• Ensure pre-requisite resources are created:

  • Resource Group
    • See this Resource Group module for an example implementation
  • Virtual Network Subnet and associated Network Security Groups/Application Security Groups
    • See this Virtual Network module for an example implementation
  • Key Vault with a TLS Certificate bundle, gossip encryption key, and server acl token stored as individual Key Vault Secrets.
    • See this Key Vault module for an example implementation

• Create a Terraform configuration that pulls in this module and specifies values for the required variables:

provider "azurerm" {
  features {}
}

module "consul-ent" {
  source  = "hashicorp/consul-ent-starter/azure"
  version = "0.1.0"

  # ID of Key Vault Secret containing the server ACL token(s)
  acl_tokens_secret_id  = "https://mykeyvaultname.vault.azure.net/secrets/mykeyvaulttokenssecretname/12ab12ab12ab12ab12ab12ab12ab12ab"

  # List of application security groups to which the VMs' network interfaces will be associated
  application_security_group_ids = ["/subscriptions/.../resourceGroups/myresourcegroupname/providers/Microsoft.Network/applicationSecurityGroups/dev-consul-ingress", ...]

  # Certificate Authority public cert associated with TLS keypair in `tls_secret_id`
  ca_cert = file("./cacert.pem")

  # Path to the Consul Enterprise license file
  consul_license_filepath = "./consul.hclic"

  # ID of Key Vault Secret containing the gossip encryption key
  gossip_secret_id  = "https://mykeyvaultname.vault.azure.net/secrets/mykeyvaulttokenssecretname/12ab12ab12ab12ab12ab12ab12ab12ab"

  # Key Vault containing the secrets
  key_vault_id = "/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/..."

  # Resource group object in which resources will be deployed
  resource_group = {
    id       = "/subscriptions/.../resourceGroups/myresourcegroupname"
    location = "eastus"
    name     = "myresourcegroupname"
  }

  # Prefix for resource names
  resource_name_prefix = "dev"

  # SSH public key (for authentication to Consul servers)
  ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADA..."

  # Virtual Network subnet for Consul VMs
  subnet_id = "/subscriptions/.../resourceGroups/myresourcegroupname/providers/Microsoft.Network/virtualNetworks/myvnetname/subnets/myconsulsubnetname"

  # ID of Key Vault Secret containing the server TLS bundle
  tls_secret_id  = "https://mykeyvaultname.vault.azure.net/secrets/mykeyvaulttlssecretname/12ab12ab12ab12ab12ab12ab12ab12ab"
}

• Run terraform init and terraform apply

• You must bootstrap your Consul cluster's ACL system after you create it. Begin by SSHing into your Consul cluster.

  • The example Virtual Network module deploys (optionally but enabled by default) the Azure Bastion Service to allow this via the Azure Portal.

• To bootstrap the Consul cluster, run the following commands:

consul acl bootstrap

• Please securely store the bootstrap token (shown as the SecretID) the Consul returns to you.
• Use the bootstrap token to create an appropriate policy for your Consul servers and associate their token with it. E.g., assuming dev as the module's resource_name_prefix:

export CONSUL_HTTP_TOKEN="<your bootstrap token>"
cat << EOF > consul-servers-policy.hcl
node_prefix "dev-consul-server" {
  policy = "write"
}

operator = "write"
EOF
consul acl policy create -name consul-servers -rules @consul-servers-policy.hcl
consul acl token create -policy-name consul-servers -secret "<your server token in acl_tokens_secret_id>"
unset CONSUL_HTTP_TOKEN

• To check the status of your Consul cluster, run the list-peers command:

consul operator raft list-peers

• Now clients can be configured to connect to the cluster. For an example, see the following code in the examples directory.

License

This code is released under the Mozilla Public License 2.0. Please see LICENSE for more details.