backend/consul: allow specifying various Consul client security options

These new options are equivalent to the consul CLI arguments -ca-file, -client-cert and -client-key.
hashicorp · Aug 23, 2017 · 21b287e · 21b287e
1 parent 7b3f32f
commit 21b287e
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/backend/remote-state/consul/backend.go b/backend/remote-state/consul/backend.go
@@ -2,6 +2,7 @@ package consul
 
 import (
 	"context"
+	"net/http"
 	"strings"
 
 	consulapi "github.com/hashicorp/consul/api"
@@ -67,6 +68,27 @@ func New() backend.Backend {
 				Description: "Lock state access",
 				Default:     true,
 			},
+
+			"ca_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CACERT", ""),
+			},
+
+			"cert_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded certificate provided to the remote agent; requires use of key_file.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CLIENT_CERT", ""),
+			},
+
+			"key_file": &schema.Schema{
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "A path to a PEM-encoded private key, required if cert_file is specified.",
+				DefaultFunc: schema.EnvDefaultFunc("CONSUL_CLIENT_KEY", ""),
+			},
 		},
 	}
 
@@ -112,6 +134,23 @@ func (b *Backend) clientRaw() (*consulapi.Client, error) {
 	if v, ok := data.GetOk("datacenter"); ok && v.(string) != "" {
 		config.Datacenter = v.(string)
 	}
+
+	tlsConfig := &consulapi.TLSConfig{}
+	if v, ok := data.GetOk("ca_file"); ok && v.(string) != "" {
+		tlsConfig.CAFile = v.(string)
+	}
+	if v, ok := data.GetOk("cert_file"); ok && v.(string) != "" {
+		tlsConfig.CertFile = v.(string)
+	}
+	if v, ok := data.GetOk("key_file"); ok && v.(string) != "" {
+		tlsConfig.KeyFile = v.(string)
+	}
+	cc, err := consulapi.SetupTLSConfig(tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	config.HttpClient.Transport.(*http.Transport).TLSClientConfig = cc
+
 	if v, ok := data.GetOk("http_auth"); ok && v.(string) != "" {
 		auth := v.(string)
 

diff --git a/website/docs/backends/types/consul.html.md b/website/docs/backends/types/consul.html.md
@@ -55,3 +55,6 @@ The following configuration options / environment variables are supported:
    communicating with Consul, in the format of either `user` or `user:pass`.
  * `gzip` - (Optional) `true` to compress the state data using gzip, or `false` (the default) to leave it uncompressed.
  * `lock` - (Optional) `false` to disable locking. This defaults to true, but will require session permissions with Consul to perform locking.
+ * `ca_file` / `CONSUL_CAFILE` - (Optional) A path to a PEM-encoded certificate authority used to verify the remote agent's certificate.
+ * `cert_file` / `CONSUL_CLIENT_CERT` - (Optional) A path to a PEM-encoded certificate provided to the remote agent; requires use of `key_file`.
+ * `key_file` / `CONSUL_CLIENT_KEY` - (Optional) A path to a PEM-encoded private key, required if `cert_file` is specified.