
Help needed on integrating consul_acl #49

Closed
jardleex opened this issue Sep 7, 2017 · 2 comments

Comments

Contributor

jardleex commented Sep 7, 2017

Hello @mrlesmithjr

Trivia

I'm currently working on Consul's ACL functions. While evaluating it I stumbled upon this problem:

We currently have 6 datacenters running with Consul while one is the acl_datacenter. I wanted to find out what happens to ACLs when the acl_datacenter gets crushed. So in the acl_datacenter I added a dummy ACL, stopped Consul, deleted the data folder on each server and started it again. As expected the ACL was gone there and in all other datacenters too. Activating ACL replication did not change anything here.

So I evaluated consul snapshot but was not happy with it as it can contain old data (kv, service, acl, ...) which was deleted at some point after taking the snapshot.

Then I found [consul_acl](https://docs.ansible.com/ansible/latest/consul_acl_module.html), an Ansible module to maintain Consul ACLs. It would allow the user to define all ACLs he needs in YAML as source of truth. This would ease the need of handling/storing json files and omit curl commands on update/change, and no non-reproducible ACL adjustments made via consul-ui.

Problem

I'm stuck at creating the ACLs in Consul with consul_acl. Each time it runs only the last rule defined wins. I guess I'm handling the `with_` item wrong. With the example below, one ACL is created with name "Foo access" and the key "private/foo" + its policy is attached. The "foo" key gets overwritten.
Do you have an idea on that?

Code

```yaml
# vars
---
consul_acl:
  - mgmt_token: 'secret_token'
    name: 'Foo access'
    token: 'a_token_i_want_to_have'
    rules:
      - key: "foo"
        policy: read
      - key: "private/foo"
        policy: deny
```

```yaml
# playbook
- name: acl | deploy Consul ACL's
  consul_acl:
    host: "{{ item.0.host | default(ansible_hostname) }}"
    port: "{{ item.0.port | default(omit) }}"
    scheme: "{{ item.0.scheme | default(omit) }}"
    state: "{{ item.0.state | default(omit) }}"
    mgmt_token: "{{ item.0.mgmt_token }}"
    name: "{{ item.0.name }}"
    token: "{{ item.0.token | default(omit) }}"
    token_type: "{{ item.0.token_type | default(omit) }}"
    validate_certs: "{{ item.0.validate_certs | default(omit) }}"
    rules:
      - "{{ item.1 }}"   # one module call per rule (item.1 is a single rule)
  with_subelements:
    - "{{ consul_acl }}"
    - rules
```

Additional tasks

  • Install required modules on target system.
  • Basically it would be sufficient to set the ACLs on only one server in acl_datacenter but the role currently does not allow that. All servers in a DC need to be in play in order to build the retry_join array.

Thank you for your help and

Best regards

Jard
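As an added illustration (not code from the issue, the module or the role), the following Python renders the issue's rules list into Consul's legacy key-rule syntax and applies it through a stand-in ACL store; it assumes, as the behaviour reported above indicates, that each consul_acl call replaces the token's whole rule set, so a per-rule with_subelements loop leaves only the last rule, and a deny listed earlier would silently disappear.

```python
# Added example: why one module call per rule collapses the policy to the
# last rule, versus one call carrying the complete rule list.
from typing import Dict, List

# Constructed sample mirroring the issue's vars
CONSUL_ACL_VARS = [
    {
        "name": "Foo access",
        "token": "a_token_i_want_to_have",
        "rules": [
            {"key": "foo", "policy": "read"},
            {"key": "private/foo", "policy": "deny"},
        ],
    }
]


def render_rules(rules: List[Dict[str, str]]) -> str:
    """Render a rules list as Consul legacy ACL key blocks."""
    blocks = []
    for r in rules:
        if r["policy"] not in ("read", "write", "deny"):
            raise ValueError(f"unknown policy {r['policy']!r} for key {r['key']!r}")
        blocks.append('key "%s" {\n  policy = "%s"\n}' % (r["key"], r["policy"]))
    return "\n".join(blocks)


class FakeAclStore:
    """Stand-in for the ACL endpoint (assumption): an update replaces the
    token's rules wholesale; nothing is merged with what was stored before."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}

    def put(self, token: str, rules_text: str) -> None:
        self.tokens[token] = rules_text


def apply_per_rule(store: FakeAclStore, acl: Dict) -> str:
    """What the with_subelements loop does: one call per rule, last one wins."""
    for rule in acl["rules"]:
        store.put(acl["token"], render_rules([rule]))
    return store.tokens[acl["token"]]


def apply_whole(store: FakeAclStore, acl: Dict) -> str:
    """One call carrying every rule of the ACL."""
    store.put(acl["token"], render_rules(acl["rules"]))
    return store.tokens[acl["token"]]


def keys_in_policy(policy_text: str) -> List[str]:
    """List the key paths present in a rendered policy, for comparison."""
    return [ln.split('"')[1] for ln in policy_text.splitlines() if ln.startswith("key ")]
```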

Contributor Author

jardleex commented Sep 11, 2017

I just found out that consul-cli does not support newer ACL features. This includes the node ACLs, which makes the tool currently useless for full range ACL config.

Means this attempt here becomes more valuable as it uses native API calls.

Contributor Author

I was able to make it work. See the linked PR for details.
