Support Consul ACL resources #2331

Closed
sheldonh opened this issue Jun 13, 2015 · 4 comments

@sheldonh

I'd love support for Consul ACL resources.

I've taken a quick look, and there's a bit of a decision to be made. Either I have to

  • use Consul's /v1/acl/list endpoint to scroll through all tokens, looking for the one that matches the policy I have in tfstate, or
  • save tokens to tfstate so I can use /v1/acl/info/<id>.

I'm keen to hear what people think of this trade-off. My instinct is that relying on /v1/acl/list will turn into a mess. In fact, it might not even be possible when there are multiple tokens with the same policy.

So we might be stuck with the less secure idea of saving tokens to tfstate?
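
The ambiguity raised in the comment above, as an added example that is not part of the original thread or of Terraform's code: a lookup that identifies a token only by the rules recorded in state cannot choose between two tokens with identical rules. The entry fields (`ID`, `Name`, `Type`, `Rules`), the name `findByPolicy` and the sample list are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// aclEntry holds the fields assumed for one element of a /v1/acl/list response.
type aclEntry struct{ ID, Name, Type, Rules string }

var (
	ErrNotFound  = errors.New("no token with this policy")
	ErrAmbiguous = errors.New("multiple tokens share this policy")
)

// constructedList is sample data built for this example, not real output.
const constructedList = `[
 {"ID":"00000000-0000-0000-0000-00000000000a","Name":"web","Type":"client","Rules":"key \"web/\" { policy = \"read\" }"},
 {"ID":"00000000-0000-0000-0000-00000000000b","Name":"web-canary","Type":"client","Rules":"key \"web/\" { policy = \"read\" }"},
 {"ID":"00000000-0000-0000-0000-00000000000c","Name":"db","Type":"client","Rules":"key \"db/\" { policy = \"write\" }"}
]`

// findByPolicy (hypothetical) resolves a token ID from its rules alone.
func findByPolicy(listJSON, rules string) (string, error) {
	var entries []aclEntry
	if err := json.Unmarshal([]byte(listJSON), &entries); err != nil {
		return "", err
	}
	var matches []string
	for _, e := range entries {
		if strings.TrimSpace(e.Rules) == strings.TrimSpace(rules) {
			matches = append(matches, e.ID)
		}
	}
	switch len(matches) {
	case 0:
		return "", ErrNotFound
	case 1:
		return matches[0], nil
	}
	// Two or more tokens carry the same rules: state cannot say which is ours.
	return "", fmt.Errorf("%w: %d candidates", ErrAmbiguous, len(matches))
}

func main() {
	id, err := findByPolicy(constructedList, `key "web/" { policy = "read" }`)
	fmt.Printf("id=%q err=%v\n", id, err)
}
```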

@jamtur01
Contributor

When/If we can encrypt state (c.f. #516) then this feels a lot more palatable.

@apparentlymart
Member

Perhaps at some point Consul will get the idea of "token accessors" like Vault has, so that it's possible to talk about a token without holding a token. This was mentioned in passing in hashicorp/consul#2334 but I wasn't able to find a top-level issue about it.

I feel kinda inclined to just make sure that the Vault provider has reasonable support for Vault's Consul Backend and for now suggest that folks should be issuing Consul ACLs through that, but it does feel a little harsh to say "if you want to manage Consul ACLs with Terraform then you need to deploy Vault first".

@daveadams
Contributor

The Consul issue you're looking for, @apparentlymart, is hashicorp/consul#2027.

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020