hashicorp / terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
Apache License 2.0
401 stars 484 forks

Enable Consul Connect on terraform-aws-consul #173

Closed 7hacker closed 3 years ago

7hacker commented 4 years ago

This PR addresses issue #165

Design

We add a flag, '--enable-connect', to the run-consul module that turns on Consul Connect while bootstrapping a new cluster. This flag creates the basic key-value pair in the server's configuration (default.json).

To use in production, we suggest overriding the default configuration as specified in the Readme. This enables the production deployments to:

  1. Adopt the best practices in ensuring secure communications, ACL as specified here: https://learn.hashicorp.com/consul/developer-mesh/connect-production

  2. Use an alternative CA provider like Vault or apply specific private_key and root_cert values to the default CA provider by Consul, as specified here: https://learn.hashicorp.com/consul/developer-mesh/connect-production

  3. Use Envoy as a proxy as specified here: https://www.consul.io/docs/connect/proxies/envoy

Examples

We also provide examples showing:

  1. How to set up a cluster with Consul Connect
  2. Deploying 3 Services with sidecar proxies
  3. Creating intentions between these 3 services and disabling communications from one of them to another

Test

Tests include running through the example and verifying:

  1. A cluster comes up and the default Consul CA issues a root certificate
  2. Communication occurs via sidecar proxies (disabling a sidecar should disable communication)
  3. Intentions are respected. Services that are not allowed to communicate with other services cannot.
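The flag and the intention test plan described in this PR, as an added example that is not the PR's code or the module's run-consul script: a small Python model of the default.json stanza the flag would write (plus the ACL default-deny the linked production guide calls for) and of how intentions between three constructed services resolve. The precedence rule is a simplification and an assumption, not Consul's full matching logic.

```python
"""Added example, not code from this PR or the module: model the
default.json stanza a --enable-connect flag would write and check how
intentions between three constructed services resolve."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Intention:
    source: str       # service name or "*"
    destination: str  # service name or "*"
    action: str       # "allow" or "deny"


def server_config(enable_connect: bool, production: bool = False) -> dict:
    """Connect stanza for default.json (Consul agent config field names).
    production=True adds the ACL default-deny the production guide calls
    for, so a connection with no allow intention is refused."""
    cfg = {"connect": {"enabled": enable_connect}}
    if production:
        cfg["acl"] = {"enabled": True, "default_policy": "deny"}
    return cfg


def connection_allowed(src: str, dst: str, intentions: list, default_policy: str) -> bool:
    """Resolve src -> dst. Simplified precedence (assumption): an exact
    source outranks a wildcard source, then an exact destination outranks a
    wildcard one; with no matching intention the ACL default policy decides."""
    def specificity(i: Intention) -> int:
        return (2 if i.source != "*" else 0) + (1 if i.destination != "*" else 0)

    matches = [i for i in intentions
               if i.source in (src, "*") and i.destination in (dst, "*")]
    if not matches:
        return default_policy == "allow"
    return max(matches, key=specificity).action == "allow"


# Constructed scenario mirroring the PR's example: web -> api -> db allowed,
# web explicitly cut off from db, everything else left to the default policy.
INTENTIONS = [
    Intention("web", "api", "allow"),
    Intention("api", "db", "allow"),
    Intention("web", "db", "deny"),
]

if __name__ == "__main__":
    print(server_config(True, production=True))
    for s, d in [("web", "api"), ("api", "db"), ("web", "db"), ("db", "web")]:
        verdict = "allow" if connection_allowed(s, d, INTENTIONS, "deny") else "deny"
        print(f"{s} -> {d}: {verdict}")
```

With the ACL default policy set to deny, the db -> web path (which has no intention at all) is refused, which is the behaviour the test plan's third item checks for.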
hashicorp-cla commented 4 years ago

CLA assistant check
All committers have signed the CLA.

7hacker commented 4 years ago

This is ready for review for the Trial project day. There are some concrete next steps here, namely:

  1. Set up intentions in the consul clients
  2. Test that the proxies do route communications and the intentions are respected
  3. A better way to register services and sidecar proxies for clients. Right now this is done crudely in user-data-client script as shown in the example, however this is a challenge if there is more than 1 client and you want to control the placement of services and sidecar proxies
  4. Integration with Envoy & Vault is an obvious next request from folks who end up using this in production
  5. Better documentation on setting things up
MatthiasScholz commented 3 years ago

@7hacker - I would like to jump in and help get the PR merged. Any support needed?

brikis98 commented 3 years ago

Closing this PR due to inactivity.