backend/consul: allow specifying various Consul client security options

These new options are equivalent to the consul CLI arguments -ca-file, -client-cert and -client-key.
2017-08-23 18:47:21 +02:00 · 2017-08-23 18:47:21 +02:00 · 21b287e919
parent 7b3f32f3de
commit 21b287e919
2 changed files with 42 additions and 0 deletions
--- a/backend/remote-state/consul/backend.go
+++ b/backend/remote-state/consul/backend.go
@ -2,6 +2,7 @@ package consul

 import (
 	"context"
+	"net/http"
 	"strings"

 	consulapi "github.com/hashicorp/consul/api"
@ -67,6 +68,27 @@ func New() backend.Backend {
 				Description: "Lock state access",
 				Default:     true,
 			},
+
+			"ca_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CACERT", ""),
+			},
+
+			"cert_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded certificate provided to the remote agent; requires use of key_file.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CLIENT_CERT", ""),
+			},
+
+			"key_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded private key, required if cert_file is specified.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CLIENT_KEY", ""),
+			},
 		},
 	}

@ -112,6 +134,23 @@ func (b *Backend) clientRaw() (*consulapi.Client, error) {
 	if v, ok := data.GetOk("datacenter"); ok && v.(string) != "" {
 		config.Datacenter = v.(string)
 	}
+
+	tlsConfig := &consulapi.TLSConfig{}
+	if v, ok := data.GetOk("ca_file"); ok && v.(string) != "" {
+		tlsConfig.CAFile = v.(string)
+	}
+	if v, ok := data.GetOk("cert_file"); ok && v.(string) != "" {
+		tlsConfig.CertFile = v.(string)
+	}
+	if v, ok := data.GetOk("key_file"); ok && v.(string) != "" {
+		tlsConfig.KeyFile = v.(string)
+	}
+	cc, err := consulapi.SetupTLSConfig(tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	config.HttpClient.Transport.(*http.Transport).TLSClientConfig = cc
+
 	if v, ok := data.GetOk("http_auth"); ok && v.(string) != "" {
 		auth := v.(string)

--- a/website/docs/backends/types/consul.html.md
+++ b/website/docs/backends/types/consul.html.md
@ -55,3 +55,6 @@ The following configuration options / environment variables are supported:
   communicating with Consul, in the format of either `user` or `user:pass`.
 * `gzip` - (Optional) `true` to compress the state data using gzip, or `false` (the default) to leave it uncompressed.
 * `lock` - (Optional) `false` to disable locking. This defaults to true, but will require session permissions with Consul to perform locking.
+ * `ca_file` / `CONSUL_CAFILE` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.
+ * `cert_file` / `CONSUL_CLIENT_CERT` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`.
+ * `key_file` / `CONSUL_CLIENT_KEY` - (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified.