hashicorp / terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
Apache License 2.0
401 stars 484 forks

Add support for enabling auto_encrypt on both server and client instances #151

Open jinnko opened 5 years ago

jinnko commented 5 years ago

We get support for enabling auto_encryption at set up time, allowing client instances to get their TLS key/cert pairs from the consul servers.

In order to allow browsers to access the UI we also need TLS on the HTTPS endpoint, while keeping mTLS enabled for RPC connections.

There are a couple of special cases to be considered (see individual commits for details):

  1. Workaround for v1.6.0 (hashicorp/consul#6391)
  2. Workaround lack of support for HTTPS (hashicorp/consul#6403)
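
As an added illustration (not code from this pull request or from the module), the following Python script audits a server and a client agent configuration for the split described in the comment above: auto_encrypt on both sides, client certificates required on RPC but not on HTTPS. The sample configs and file paths are constructed; the key names are Consul's agent TLS options from before 1.12, and the set of checks is an assumption about what the setup needs.

```python
import json

# Constructed agent configs (not from the PR); paths are placeholders.
SERVER = json.loads("""{
  "server": true,
  "auto_encrypt": {"allow_tls": true},
  "verify_incoming_rpc": true,
  "verify_incoming_https": false,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "/opt/consul/tls/ca.pem",
  "cert_file": "/opt/consul/tls/server.pem",
  "key_file": "/opt/consul/tls/server-key.pem"
}""")
CLIENT = json.loads("""{
  "server": false,
  "auto_encrypt": {"tls": true},
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ca_file": "/opt/consul/tls/ca.pem"
}""")

def audit(cfg):
    """Return a list of findings for one agent config (empty list = OK)."""
    out = []
    ae = cfg.get("auto_encrypt", {})
    if cfg.get("server"):
        if not ae.get("allow_tls"):
            out.append("server: auto_encrypt.allow_tls is off, clients cannot request certs")
        # verify_incoming applies to RPC and HTTPS alike, so it satisfies the
        # RPC requirement but also locks browsers out of the UI.
        if not (cfg.get("verify_incoming") or cfg.get("verify_incoming_rpc")):
            out.append("server: RPC does not require client certificates")
        if cfg.get("verify_incoming") or cfg.get("verify_incoming_https"):
            out.append("server: HTTPS demands a client certificate, browsers cannot open the UI")
    else:
        if not ae.get("tls"):
            out.append("client: auto_encrypt.tls is off, no certificate will be requested")
        if not (cfg.get("ca_file") or cfg.get("ca_path")):
            out.append("client: no CA configured to authenticate the servers")
    for key in ("verify_outgoing", "verify_server_hostname"):
        if not cfg.get(key):
            out.append(f"{key} is off")
    return out

if __name__ == "__main__":
    for name, cfg in (("server", SERVER), ("client", CLIENT)):
        print(name, audit(cfg) or "ok")
```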

brikis98 commented 5 years ago

@Etiene Could you review this one?

Etiene commented 5 years ago

Thanks for the PR! How did you test this? I wonder if we should have an automated test to check this behavior

bigeasy commented 5 years ago

I created a Pull Request for this Pull request.

https://github.com/ixydo/terraform-aws-consul/pull/1

Enable auto encryption without requiring server key and certificate. My understanding of auto-encryption is that the server will provide a PKI certificate to clients, you don't have to distribute them yourself. Adjusted to create a configuration similar to one in the Learning Consul documentation.

hashicorp-cla commented 2 years ago

CLA assistant check
All committers have signed the CLA.