Terraform Enterprise and Terraform Cloud now support native workload identity by injecting a JWT into workspace runs/stages. This opens the door to JIT credentials when managing Consul with Terraform.
In testing, I have successfully been able to exchange the Terraform Cloud JWT for a time-limited Consul access token; however, it currently requires retrieving the token through an intermediary data source from the EppO/environment provider, then using the hashicorp/http provider to POST to a Consul auth method.
Ideally, the Consul provider should support natively retrieving the TFC_WORKLOAD_IDENTITY_TOKEN environment variable, and calling a named auth method to exchange the JWT for an ACL token.
Current workaround:
terraform {
  required_providers {
    consul = {
      source  = "hashicorp/consul"
      version = "2.17.0"
    }
    environment = {
      source  = "EppO/environment"
      version = "1.3.3"
    }
    http = {
      source  = "hashicorp/http"
      version = "3.2.1"
    }
  }
}

provider "consul" {
  address = <...>
  token   = jsondecode(data.http.consul_token.response_body).SecretID
}

provider "environment" {}
provider "http" {}

# Note: this doesn't work if we set the data source to sensitive, so its results will not be redacted
data "environment_variables" "all" {}

data "http" "consul_token" {
  url    = "https://<...>/v1/acl/login"
  method = "POST"
  request_body = jsonencode({
    AuthMethod  = "terraformcloud"
    BearerToken = data.environment_variables.all.items["TFC_WORKLOAD_IDENTITY_TOKEN"]
  })
}
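As an added illustration of the native flow requested above (this is example code, not code from this issue or from the Consul provider): a Go function that takes the JWT from TFC_WORKLOAD_IDENTITY_TOKEN and exchanges it through a named auth method at /v1/acl/login, keeping both the JWT and the returned SecretID out of logs. The auth method name "terraformcloud" and the CONSUL_HTTP_ADDR lookup in main are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

const workloadIdentityEnv = "TFC_WORKLOAD_IDENTITY_TOKEN" // injected by TFC/TFE into each run

// loginRequest is the body of POST /v1/acl/login; aclToken is the part of the reply we keep.
type loginRequest struct {
	AuthMethod  string `json:"AuthMethod"`
	BearerToken string `json:"BearerToken"`
}
type aclToken struct {
	AccessorID string `json:"AccessorID"`
	SecretID   string `json:"SecretID"`
}

// exchangeWorkloadIdentity trades the run's JWT for a Consul ACL token via the
// named auth method. Neither the JWT nor the returned SecretID is logged.
func exchangeWorkloadIdentity(c *http.Client, consulAddr, authMethod, jwt string) (*aclToken, error) {
	if strings.Count(jwt, ".") != 2 { // cheap shape check before sending anything
		return nil, fmt.Errorf("%s is unset or not a JWT", workloadIdentityEnv)
	}
	body, _ := json.Marshal(loginRequest{AuthMethod: authMethod, BearerToken: jwt})
	resp, err := c.Post(strings.TrimRight(consulAddr, "/")+"/v1/acl/login", "application/json", strings.NewReader(string(body)))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("consul login via auth method %q failed: %s", authMethod, resp.Status)
	}
	var tok aclToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.SecretID == "" {
		return nil, fmt.Errorf("malformed login response from consul")
	}
	return &tok, nil
}

func main() {
	tok, err := exchangeWorkloadIdentity(http.DefaultClient, os.Getenv("CONSUL_HTTP_ADDR"), "terraformcloud", os.Getenv(workloadIdentityEnv))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("logged in, accessor:", tok.AccessorID) // the SecretID stays out of the logs
}
```

The token Consul returns is bound to the auth method's TTL, so the provider would also need to log it out (POST /v1/acl/logout) when the run finishes rather than leave it to expire.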
Preferred workflow: