This PR adds a new resource consul_acl_token_role_attachment that operates in the same fashion as the existing consul_acl_token_policy_attachment. This allows for the attachment of service identity policies supported through the consul_acl_role resource to existing tokens.
The biggest use-case for me personally is to attach policy to terminating gateway tokens that have been provisioned externally to the code provisioning the service which wants to make use of the terminating gateway. This can already be achieved using the consul_acl_policy and consul_acl_token_policy_attachment resources. However, the consul_acl_role offers a nice shortcut to creating the service identity policy. This pattern is also recommended in
https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways?in=consul/developer-mesh:
We suggest you implement this configuration by updating the service identities for the role attached to the
terminating gateway token. Role updates can be done centrally, and you will not need to distribute a new
token.
This PR adds a new resource
consul_acl_token_role_attachmentthat operates in the same fashion as the existingconsul_acl_token_policy_attachment. This allows for the attachment of service identity policies supported through theconsul_acl_roleresource to existing tokens.The biggest use-case for me personally is to attach policy to terminating gateway tokens that have been provisioned externally to the code provisioning the service which wants to make use of the terminating gateway. This can already be achieved using the
consul_acl_policyandconsul_acl_token_policy_attachmentresources. However, theconsul_acl_roleoffers a nice shortcut to creating the service identity policy. This pattern is also recommended in https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways?in=consul/developer-mesh: