The consul_namespace_policy_attachment resource links a Consul Namespace and an ACL policy. The link is implemented through an update to the Consul Namespace.
resource "consul_acl_policy" "agent" {
  name  = "agent"
  rules = <<-RULE
    node_prefix "" {
      policy = "read"
    }
    RULE
}

resource "consul_namespace_policy_attachment" "attachment" {
  namespace = "default"
  policy    = consul_acl_policy.agent.name
}
first_configuration/main.tf
resource "consul_namespace" "qa" {
  name = "qa"

  lifecycle {
    ignore_changes = [policy_defaults]
  }
}
second_configuration/main.tf
resource "consul_acl_policy" "agent" {
  name  = "agent"
  rules = <<-RULE
    node_prefix "" {
      policy = "read"
    }
    RULE
}

resource "consul_namespace_policy_attachment" "attachment" {
  namespace = "qa"
  policy    = consul_acl_policy.agent.name
}
NOTE: consul_acl_namespace would attempt to enforce an empty set of default policies, because its policy_defaults attribute is empty. For this reason it is necessary to add the lifecycle clause to prevent Terraform from attempting to empty the set of policies associated with the namespace.
The following arguments are supported:

namespace - (Required) The namespace to attach the policy to.
policy - (Required) The name of the policy attached to the namespace.

The following attributes are exported:

id - The attachment ID.
namespace - The name of the namespace.
policy - The name of the policy attached to the namespace.

consul_namespace_policy_attachment can be imported. This is especially useful to manage the policies attached to the default namespace:
$ terraform import consul_namespace_policy_attachment.default default:policy_name
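
Because ignore_changes = [policy_defaults] stops the namespace's own configuration from reporting changes to its policy list, the attached set is worth checking outside Terraform. The following is an added example, not part of the provider documentation: it compares a namespace document with the policy names that attachment resources manage and emits import IDs in the namespace:policy_name form shown above. The JSON is a constructed sample, and the ACLs.PolicyDefaults layout is an assumption based on Consul's namespace API.

```python
import json

# Constructed sample of a namespace read response (not captured from a cluster).
# Assumption: default policies are listed under ACLs.PolicyDefaults as
# {"ID", "Name"} links, as in Consul's namespace API.
SAMPLE_NAMESPACE = json.loads("""
{
  "Name": "qa",
  "ACLs": {
    "PolicyDefaults": [
      {"ID": "00000000-0000-0000-0000-0000000000aa", "Name": "agent"},
      {"ID": "00000000-0000-0000-0000-0000000000bb", "Name": "break-glass"}
    ],
    "RoleDefaults": []
  }
}
""")


def policy_defaults(namespace_doc):
    """Return the names of the default policies attached to a namespace."""
    acls = namespace_doc.get("ACLs") or {}        # key may be absent or null
    links = acls.get("PolicyDefaults") or []      # list may be absent or null
    return {link["Name"] for link in links}


def audit_namespace(namespace_doc, managed):
    """Compare attached policies with those managed by attachment resources.

    managed: policy names that consul_namespace_policy_attachment resources
    are expected to attach to this namespace.
    """
    name = namespace_doc["Name"]
    attached = policy_defaults(namespace_doc)
    unmanaged = sorted(attached - set(managed))
    return {
        "namespace": name,
        # Expected by Terraform but not attached: the attachment was undone.
        "missing": sorted(set(managed) - attached),
        # Attached but unknown to Terraform: added out of band.
        "unmanaged": unmanaged,
        # IDs usable with terraform import, or a list to review and remove.
        "import_ids": [f"{name}:{policy}" for policy in unmanaged],
    }


if __name__ == "__main__":
    report = audit_namespace(SAMPLE_NAMESPACE, managed={"agent"})
    print(json.dumps(report, indent=2))
```

Run against the sample, the report lists break-glass as unmanaged: a default policy that no attachment resource accounts for.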