Starting with Consul 1.5.0, the consul_acl_auth_method resource can be used to manage Consul ACL auth methods.

Define a kubernetes auth method:

```hcl
resource "consul_acl_auth_method" "minikube" {
  name        = "minikube"
  type        = "kubernetes"
  description = "dev minikube cluster"
  config_json = jsonencode({
    Host              = "https://192.0.2.42:8443"
    CACert            = "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n"
    ServiceAccountJWT = "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
  })
}
```
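The example above inlines the CA certificate and the service account JWT as string literals. As an added example (not part of the provider documentation), the same auth method can read the certificate from a file and take the JWT from a variable marked `sensitive`, so the secret does not sit in the `.tf` file or appear in plan output. The variable name, the file path under `files/` and the API server address are assumptions.

```hcl
# Kubernetes service account JWT used by Consul for TokenReview calls.
# Marked sensitive so Terraform redacts it from plan/apply output.
variable "k8s_sa_jwt" {
  description = "JWT of the Consul auth-method service account (assumed name)"
  type        = string
  sensitive   = true
}

resource "consul_acl_auth_method" "minikube" {
  name        = "minikube"
  type        = "kubernetes"
  description = "dev minikube cluster"

  # Bound the lifetime of every token minted through this method.
  max_token_ttl = "1h"

  # Tokens are usable only in the local datacenter.
  token_locality = "local"

  config_json = jsonencode({
    Host = "https://192.0.2.42:8443"
    # CA cert kept as a file in the module (assumed path) rather than a literal.
    CACert            = file("${path.module}/files/minikube-ca.pem")
    ServiceAccountJWT = var.k8s_sa_jwt
  })
}
```

Note that `config_json` is still written to Terraform state, so the state backend needs the same access controls as the JWT itself; `sensitive` only affects what Terraform prints.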
Define an OIDC auth method:

```hcl
resource "consul_acl_auth_method" "oidc" {
  name          = "auth0"
  type          = "oidc"
  max_token_ttl = "5m"
  config_json = jsonencode({
    AllowedRedirectURIs = [
      "http://localhost:8550/oidc/callback",
      "http://localhost:8500/ui/oidc/callback"
    ]
    BoundAudiences = [
      "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    ]
    ClaimMappings = {
      "http://example.com/first_name" = "first_name"
      "http://example.com/last_name"  = "last_name"
    }
    ListClaimMappings = {
      "http://consul.com/groups" = "groups"
    }
    OIDCClientID     = "V1RPi2MYptMV1RPi2MYptMV1RPi2MYpt"
    OIDCClientSecret = "...(omitted)..."
    OIDCDiscoveryURL = "https://my-corp-app-name.auth0.com/"
  })
}
```
Attributes:

- name (String) The name of the ACL auth method.
- type (String) The type of the ACL auth method.
- config (Map of String, Deprecated) The raw configuration for this ACL auth method.
- config_json (String) The raw configuration for this ACL auth method.
- description (String) A free form human readable description of the auth method.
- display_name (String) An optional name to use instead of the name attribute when displaying information about this auth method.
- max_token_ttl (String) The maximum life of any token created by this auth method. This attribute is required and must be set to a nonzero value for the OIDC auth method.
- namespace (String) The namespace in which to create the auth method.
- namespace_rule (Block List) A set of rules that control which namespace tokens created via this auth method will be created within. (see below for nested schema)
- partition (String) The partition the ACL auth method is associated with.
- token_locality (String) The kind of token that this auth method produces. This can be either 'local' or 'global'.
- id (String) The ID of this resource.

Nested schema for namespace_rule

Required:

- bind_namespace (String) If the namespace rule's selector matches, then this is used to control the namespace where the token is created.

Optional:

- selector (String) Specifies the expression used to match this namespace rule against valid identities returned from an auth method validation.
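The schema describes `namespace_rule` but neither example uses it. As an added example (not from the provider documentation), the block below maps Kubernetes namespaces to Consul namespaces so that tokens minted for one team's service accounts cannot land in another team's namespace. Consul namespaces are an Enterprise feature. The `var.k8s_*` inputs are assumed variables, and the selector syntax (`serviceaccount.namespace==...`) and the `${serviceaccount.namespace}` interpolation are the ones Consul documents for the kubernetes auth method.

```hcl
resource "consul_acl_auth_method" "k8s_prod" {
  name           = "k8s-prod"
  type           = "kubernetes"
  max_token_ttl  = "30m"
  token_locality = "local"

  config_json = jsonencode({
    Host              = var.k8s_host     # assumed variable
    CACert            = var.k8s_ca_cert  # assumed variable
    ServiceAccountJWT = var.k8s_sa_jwt   # assumed, declared sensitive
  })

  # Consul evaluates namespace rules in order and applies the first one
  # whose selector matches the validated identity.
  # Service accounts in the Kubernetes "payments" namespace get tokens
  # scoped to the Consul "payments" namespace.
  namespace_rule {
    selector       = "serviceaccount.namespace==payments"
    bind_namespace = "payments"
  }

  # Catch-all: an empty selector matches every other identity and maps the
  # Kubernetes namespace 1:1 onto a Consul namespace. "$$" escapes the
  # interpolation so Terraform passes "${serviceaccount.namespace}" to
  # Consul literally instead of trying to evaluate it.
  namespace_rule {
    selector       = ""
    bind_namespace = "$${serviceaccount.namespace}"
  }
}
```

Without any `namespace_rule`, every token produced by the method is created in the auth method's own `namespace`, so the rules are what enforce per-team isolation at token-issue time rather than relying on policies alone.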