hashicorp / terraform-provider-consul

Terraform Consul provider
https://www.terraform.io/docs/providers/consul/
Mozilla Public License 2.0
126 stars, 112 forks

[Feature Request] Native support for TFE/TFC workload identity #334

Closed (krarey closed 1 year ago)

krarey commented 1 year ago

Terraform Enterprise and Terraform Cloud now support native workload identity by injecting a JWT into workspace runs/stages. This opens the door to JIT credentials when managing Consul with Terraform.

In testing, I have successfully been able to exchange a Terraform Cloud JWT for a time-limited Consul access token; however, it currently requires retrieving the token through an intermediary data source from the EppO/environment provider, then using the hashicorp/http provider to POST to a Consul auth method.

Ideally, the Consul provider should support natively retrieving the TFC_WORKLOAD_IDENTITY_TOKEN environment variable and calling a named auth method to exchange the JWT for an ACL token.

Current workaround:

terraform {
  required_providers {
    consul = {
      source  = "hashicorp/consul"
      version = "2.17.0"
    }
    environment = {
      source  = "EppO/environment"
      version = "1.3.3"
    }
    http = {
      source  = "hashicorp/http"
      version = "3.2.1"
    }
  }
}

# The Consul provider is configured with the SecretID returned by the
# /v1/acl/login exchange below, so every run gets its own short-lived token.
provider "consul" {
  address = <...>
  token   = jsondecode(data.http.consul_token.response_body).SecretID
}

provider "environment" {}
provider "http" {}

# Note: this doesn't work if we set the data source to sensitive, so its results
# (including the workload identity JWT) will not be redacted.
data "environment_variables" "all" {}

# Exchange the TFC workload identity JWT for a Consul ACL token by calling the
# "terraformcloud" auth method on the Consul login endpoint.
data "http" "consul_token" {
  url    = "https://<...>/v1/acl/login"
  method = "POST"
  request_body = jsonencode({
    AuthMethod  = "terraformcloud"
    BearerToken = data.environment_variables.all.items["TFC_WORKLOAD_IDENTITY_TOKEN"]
  })
}

Preferred workflow:

terraform {
  required_providers {
    consul = {
      source  = "hashicorp/consul"
      version = "2.17.0"
    }
  }
}

provider "consul" {
  address            = <...>
  jwt_auth_method    = "terraformcloud"
  jwt_auth_namespace = <optional>
}
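The exchange the workaround performs (read TFC_WORKLOAD_IDENTITY_TOKEN, POST it as BearerToken to /v1/acl/login with the auth method name, keep the returned SecretID) written out in Go as an added example. This is not code from the provider or from the issue author; it uses only the standard library, so the Consul agent is replaced by a constructed fake handler (FakeConsulLogin) that mints a fixed token, and the CONSUL_AUTH_METHOD and CONSUL_NAMESPACE environment variables used by main are assumed names, not Consul conventions. The shape of the request body and of the SecretID/AccessorID/ExpirationTime response fields is what the issue's workaround relies on.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// loginRequest is the JSON body sent to Consul's /v1/acl/login endpoint.
type loginRequest struct {
	AuthMethod  string `json:"AuthMethod"`
	BearerToken string `json:"BearerToken"`
}

// ACLToken is the subset of the login response that the caller needs.
type ACLToken struct {
	AccessorID     string     `json:"AccessorID"`
	SecretID       string     `json:"SecretID"`
	ExpirationTime *time.Time `json:"ExpirationTime,omitempty"`
}

// WorkloadIdentityToken reads the JWT that TFC/TFE injects into a run. A lookup
// function is taken instead of os.LookupEnv directly so the check is testable.
// The check is shape-only (three dot-separated segments); Consul verifies the signature.
func WorkloadIdentityToken(lookup func(string) (string, bool)) (string, error) {
	jwt, ok := lookup("TFC_WORKLOAD_IDENTITY_TOKEN")
	if !ok || strings.Count(jwt, ".") != 2 {
		return "", errors.New("TFC_WORKLOAD_IDENTITY_TOKEN is unset or not a compact JWS")
	}
	return jwt, nil
}

// LoginWithJWT exchanges a JWT for a Consul ACL token via POST /v1/acl/login.
// namespace, if non-empty, is sent as the ns query parameter (Consul Enterprise).
func LoginWithJWT(client *http.Client, consulAddr, authMethod, namespace, jwt string) (*ACLToken, error) {
	body, err := json.Marshal(loginRequest{AuthMethod: authMethod, BearerToken: jwt})
	if err != nil {
		return nil, err
	}
	endpoint := strings.TrimRight(consulAddr, "/") + "/v1/acl/login"
	if namespace != "" {
		endpoint += "?ns=" + url.QueryEscape(namespace)
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Report status and server message only; never echo the JWT into an error.
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return nil, fmt.Errorf("consul login failed: %s: %s", resp.Status, strings.TrimSpace(string(msg)))
	}
	var tok ACLToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	if tok.SecretID == "" {
		return nil, errors.New("consul login response carries no SecretID")
	}
	return &tok, nil
}

// FakeConsulLogin is a constructed stand-in for a Consul agent's login endpoint so the
// example runs offline; it is not Consul's code. It accepts one auth method name,
// rejects anything that is not JWT-shaped, and mints a fixed token with the given TTL.
func FakeConsulLogin(authMethod string, ttl time.Duration) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if (r.Method != http.MethodPost && r.Method != http.MethodPut) || r.URL.Path != "/v1/acl/login" {
			http.NotFound(w, r)
			return
		}
		var req loginRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "Bad request", http.StatusBadRequest)
			return
		}
		if req.AuthMethod != authMethod || strings.Count(req.BearerToken, ".") != 2 {
			http.Error(w, "Permission denied", http.StatusForbidden)
			return
		}
		exp := time.Now().Add(ttl)
		_ = json.NewEncoder(w).Encode(ACLToken{AccessorID: "00000000-constructed-accessor", SecretID: "constructed-secret-id", ExpirationTime: &exp})
	}
}

func main() {
	// Stand-alone use against a real agent; CONSUL_AUTH_METHOD and CONSUL_NAMESPACE are assumed names.
	jwt, err := WorkloadIdentityToken(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	addr := os.Getenv("CONSUL_HTTP_ADDR")
	if addr == "" {
		addr = "http://127.0.0.1:8500"
	}
	tok, err := LoginWithJWT(&http.Client{Timeout: 10 * time.Second}, addr, os.Getenv("CONSUL_AUTH_METHOD"), os.Getenv("CONSUL_NAMESPACE"), jwt)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Print only the accessor and expiry; the SecretID is the credential and stays out of logs.
	fmt.Printf("accessor=%s expires=%v\n", tok.AccessorID, tok.ExpirationTime)
}
```

The terraformcloud auth method and its binding rules must already exist on the Consul side; this example only performs the exchange. Note that, unlike the HCL workaround, the JWT and SecretID never reach plan output here, which is the redaction problem the workaround's comment points out.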

remilapeyre commented 1 year ago

Hi @krarey, this is a clever workaround; official support in the provider should land in a couple of days :) Thanks for opening this feature request.