The consul_service_intentions_config_entry resource configures service intentions, which are configuration entries that control access between services in the service mesh. A single service intentions configuration entry specifies one destination service and one or more traffic sources: L4 sources, L7 sources, or a combination of the two.
# JWT provider the "web" intentions refer to: the token issuer and the
# remote JSON Web Key Set used to validate token signatures.
resource "consul_config_entry" "jwt_provider" {
  name = "okta"
  kind = "jwt-provider"
  config_json = jsonencode({
    ClockSkewSeconds = 30
    Issuer           = "test-issuer"
    JSONWebKeySet = {
      Remote = {
        URI                 = "https://127.0.0.1:9091"
        FetchAsynchronously = true
      }
    }
  })
}

# Intentions for the destination service "web": callers must present a
# JWT from the provider above whose "perms.role" claim equals "admin";
# frontend-webapp is then allowed and nightly-cronjob is denied at L4.
resource "consul_config_entry_service_intentions" "web" {
  name = "web"

  jwt {
    providers {
      name = consul_config_entry.jwt_provider.name
      verify_claims {
        path  = ["perms", "role"]
        value = "admin"
      }
    }
  }

  sources {
    name   = "frontend-webapp"
    type   = "consul"
    action = "allow"
  }

  sources {
    name   = "nightly-cronjob"
    type   = "consul"
    action = "deny"
  }
}
name
(String) Specifies a name of the destination service for all intentions defined in the configuration entry.
jwt
(Block Set) Specifies a JSON Web Token provider configured in a JWT provider configuration entry, as well as additional configurations for verifying a service's JWT before authorizing communication between services. (see below for nested schema)
meta
(Map of String) Specifies key-value pairs to add to the KV store.
namespace
(String) Specifies the namespace to apply the configuration entry.
partition
(String) Specifies the admin partition to apply the configuration entry.
sources
(Block List) List of configurations that define intention sources and the authorization granted to the sources. (see below for nested schema)
id
(String) The ID of this resource.

Nested schema for jwt
Optional:
providers
(Block List) Specifies the names of one or more previously configured JWT provider configuration entries, which include the information necessary to validate a JSON web token. (see below for nested schema)

Nested schema for jwt.providers
Optional:
name
(String) Specifies the name of a JWT provider defined in the Name field of the jwt-provider configuration entry.
verify_claims
(Block List) Specifies additional token information to verify beyond what is configured in the JWT provider configuration entry. (see below for nested schema)

Nested schema for jwt.providers.verify_claims
Optional:
path
(List of String) Specifies the path to the claim in the JSON web token.
value
(String) Specifies the value to match on when verifying the claim designated in path.

Nested schema for sources
Optional:
action
(String) Specifies the action to take when the source sends traffic to the destination service.
description
(String) Specifies a description of the intention.
name
(String) Specifies the name of the source that the intention allows or denies traffic from.
namespace
(String) Specifies the traffic source namespace that the intention allows or denies traffic from.
partition
(String) Specifies the name of an admin partition that the intention allows or denies traffic from.
peer
(String) Specifies the name of a peered Consul cluster that the intention allows or denies traffic from.
permissions
(Block List) Specifies a list of permissions for L7 traffic sources. The list contains one or more actions and a set of match criteria for each action. (see below for nested schema)
precedence
(Number) The Precedence field contains a read-only integer. Consul generates the value based on name configurations for the source and destination services.
sameness_group
(String) Specifies the name of a sameness group that the intention allows or denies traffic from.
type
(String) Specifies the type of destination service that the configuration entry applies to.

Nested schema for sources.permissions
Required:
action
(String) Specifies the action to take when the source sends traffic to the destination service. The value is either allow or deny.
http
(Block Set, Min: 1) Specifies a set of HTTP-specific match criteria. (see below for nested schema)

Nested schema for sources.permissions.http
Optional:
headers
(Block List) Specifies a header name and matching criteria for HTTP request headers. (see below for nested schema)
methods
(List of String) Specifies a list of HTTP methods.
path_exact
(String) Specifies an exact path to match on the HTTP request path.
path_prefix
(String) Specifies a path prefix to match on the HTTP request path.
path_regex
(String) Defines a regular expression to match on the HTTP request path.

Nested schema for sources.permissions.http.headers
Required:
name
(String) Specifies the name of the header to match.
Optional:
exact
(String) Specifies a value for the header key set in the Name field. If the request header value matches the Exact value, Consul applies the permission.
invert
(Boolean) Inverts the matching logic configured in the Header.
prefix
(String) Specifies a prefix value for the header key set in the Name field.
present
(Boolean) Enables a match if the header configured in the Name field appears in the request. Consul matches on any value as long as the header key appears in the request.
regex
(String) Specifies a regular expression pattern as the value for the header key set in the Name field.
suffix
(String) Specifies a suffix value for the header key set in the Name field.
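The example on this page only uses L4 sources with a blanket action. The following is an added example (not part of the provider's documentation) that exercises the sources.permissions, sources.permissions.http and sources.permissions.http.headers schema above to restrict one source at L7. The service names "api" and "frontend-webapp" and the header name "x-admin" are placeholders chosen for illustration. L7 permissions require the destination to be served over an HTTP-based protocol, so the example first sets that with a service-defaults entry.

```hcl
# Added example: L7 intentions for the HTTP service "api".
# Service and header names below are placeholders, not values from this page.

# Permissions are only evaluated for HTTP-aware destinations, so declare
# the destination's protocol before writing L7 intentions for it.
resource "consul_config_entry" "api_defaults" {
  name = "api"
  kind = "service-defaults"
  config_json = jsonencode({
    Protocol = "http"
  })
}

resource "consul_config_entry_service_intentions" "api" {
  name = "api"

  # L7 source: an intention with permissions instead of a blanket action.
  # Permissions are evaluated in order; the first matching one applies.
  sources {
    name = "frontend-webapp"
    type = "consul"

    # Allow read-only calls under /v1/ that do not carry an "x-admin"
    # header. "present = true" combined with "invert = true" matches
    # requests where the header is absent.
    permissions {
      action = "allow"
      http {
        path_prefix = "/v1/"
        methods     = ["GET", "HEAD"]
        headers {
          name    = "x-admin"
          present = true
          invert  = true
        }
      }
    }

    # Explicit catch-all for this source: every other request path is
    # denied, so the fallthrough behaviour is visible in the config.
    permissions {
      action = "deny"
      http {
        path_prefix = "/"
      }
    }
  }

  # L4 source: plain deny, no permissions block. A source carries either
  # an action or a permissions list, not both.
  sources {
    name   = "nightly-cronjob"
    type   = "consul"
    action = "deny"
  }
}
```

The trailing deny permission with path_prefix = "/" is deliberate: it states the default for the L7 source in the entry itself rather than relying on whatever the cluster's default intention policy happens to be, which keeps the rendered intention reviewable on its own.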