feat: implement consul ACL management with provider aliases

This commit implements Consul ACL management with proper provider aliasing, along with the supporting
configuration files and policy definitions for the various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-08 15:55:30 +11:00
parent f8f1185b42
commit 5536869a38
30 changed files with 318 additions and 24 deletions
+18
@@ -13,6 +13,11 @@ include "policies" {
expose = true
}
include "resources" {
path = "${get_repo_root()}/resources/resources.hcl"
expose = true
}
locals {
# Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir()))
@@ -24,6 +29,16 @@ locals {
# Include policies from policies.hcl
policies = include.policies.locals
# Include resources from resources.hcl
resources = include.resources.locals
# Create sanitized backend name mapping for Consul providers
# Provider aliases can't contain slashes, so replace them with underscores
consul_backend_aliases = {
for backend_name, _ in local.config.consul_secret_backend :
backend_name => replace(backend_name, "/", "_")
}
}
terraform {
@@ -57,4 +72,7 @@ inputs = {
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map
# Pass sanitized consul backend aliases for provider configuration
consul_backend_aliases = local.consul_backend_aliases
}
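Review bot: The `consul_backend_aliases` local in the second hunk sanitizes with `replace(backend_name, "/", "_")`, which is not injective — two backend names that differ only in `/` versus `_` (say `a/b` and `a_b`, constructed example) map to the same alias, and because the for expression builds an object, evaluation should fail with a generic duplicate-key error that does not name the colliding backends. The replacement also handles only `/`; if any key of `local.config.consul_secret_backend` can contain other characters that are not valid in a provider alias (worth confirming against that config), the alias is still rejected downstream rather than here. A comment stating the invariant would help whoever next adds a backend: `# One-way sanitization: names differing only in "/" vs "_" collide and fail with a duplicate-key error.`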
+4 -13
@@ -3,27 +3,14 @@ generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
#-------------------------------------------
# locals
#-------------------------------------------
locals {
vault_addr = "https://vault.service.consul:8200"
}
#-----------------------------------------------------------------------------
# Configure this provider through the environment variables:
# - VAULT_ADDR
# - VAULT_TOKEN
#-----------------------------------------------------------------------------
provider "vault" {
address = local.vault_addr
}
#------------------------------------------------------------------------------
# Use remote state file and encrypt it since your state files may contains
# sensitive data.
# export CONSUL_HTTP_TOKEN=<your-token>
#------------------------------------------------------------------------------
terraform {
backend "consul" {
address = "https://consul.service.consul"
@@ -38,6 +25,10 @@ terraform {
source = "hashicorp/vault"
version = "5.6.0"
}
consul = {
source = "hashicorp/consul"
version = "2.23.0"
}
}
}
EOF
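Review bot: The `consul` entry added to `required_providers` in the last hunk brings in a provider that, like the `backend "consul"` block above it, falls back to `CONSUL_HTTP_TOKEN` when no explicit `token` is configured, so the token the first hunk's comment tells the operator to export for state storage is presumably also the one used for ACL management unless the provider configuration in root.hcl overrides it. That coupling is worth stating in the generated file, because the two uses need different privileges (KV access for the state path versus ACL write permission for policies and roles) and this heredoc no longer carries any provider-configuration comment. Suggested comment above the entry: `# Needed by the ACL-management resources; this provider also honors CONSUL_HTTP_TOKEN,` / `# so give the state backend its own narrower token unless both uses share one trust level.` The `generate "backend"` block that owns this heredoc opens and closes outside the hunk.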