mkeeler
commented
5 years ago @rnsc The API itself is overwrite only. The CLI when doing policy merging will first download the existing policy and use current values for defaults where none are specified to the CLI.
So unless I am not understanding your needs, I think the API already does what you want. You still have to check if it exists because Consul will not allow you to create two policies with the same name. But once you know that, you can use either the v1/acl/policy endpoint to create a new one or v1/acl/policy/:id to update an existing one (this is overwriting).
A couple improvements I could see us making are:
- Adding a
v1/acl/policy/name/:nameto lookup a policy by name. That way if you are not tracking the policy IDs you wouldn't have to list the policies and search for the matching name yourself. - Potentially adding a
overwritequery parameter to thev1/acl/policyendpoint to allow overwriting an existing policy if it exists.
rnsc
Feature Description
The Consul Agent CLI supports the no-merge feature when executing an UPDATE command on an existing ACL policy. (https://www.consul.io/docs/commands/acl/policy/update.html#no-merge) I'd like to have that feature also available on the API of Consul.
Use Case(s)
We're provisioning policies through the API and wanted to update policies in place but overwriting the old rules. Currently, we have to:
We'd just like to avoid having to delete an existing policy when we only want to overwrite rules.