WIP: Begin config to bootstrap ACLs

Following guide here: https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets?in=consul/vault-secure

Unsure of how this will actually authenticate though.

acls/consul_vault.tf

@@ -0,0 +1,23 @@
+resource "vault_consul_secret_backend" "config" {
+  path        = "consul"
+  description = "Manages the Consul backend"
+
+  address = "http://127.0.0.1:8500"
+  token   = var.consul_token
+}
+
+resource "consul_acl_policy" "server_policy" {
+  name  = "consul-servers"
+  rules = <<EOH
+node_prefix "server-" {
+  policy = "write"
+}
+node_prefix "" {
+  policy = "read"
+}
+service_prefix "" {
+  policy = "read"
+}
+
+  EOH
+}

acls/vars.tf

@@ -3,15 +3,19 @@ variable "consul_address" {
   default = "http://n1.thefij:8500"
 }
 
+variable "consul_token" {
+  type        = string
+  description = "Token for setting up consul"
+  sensitive   = true
+}
+
 variable "nomad_secret_id" {
   type        = string
   description = "Secret ID for ACL bootstrapped Nomad"
   sensitive   = true
-  default     = ""
 }
 
 variable "vault_token" {
   type      = string
   sensitive = true
-  default   = ""
 }

setup-cluster.yml

@@ -3,9 +3,6 @@
   hosts: consul_instances
   any_errors_fatal: true
 
-  vars_files:
-    - consul_values.yml
-
   roles:
     - role: ansible-consul
       vars:
@@ -32,6 +29,9 @@
         consul_ports_grpc: 8502
         consul_client_address: "0.0.0.0"
 
+        consul_acl_enabled: true
+        consul_acl_default_policy: "deny"
+
         # Enable metrics
         consul_config_custom:
           telemetry:
@@ -52,6 +52,7 @@
       become: true
 
   tasks:
+    # Bootstrap ACLs
     - name: Start Consul
       systemd:
         state: started
@@ -61,35 +62,28 @@
     # If DNS is broken after dnsmasq, then need to set /etc/resolv.conf to something
     # pointing to 127.0.0.1 and possibly restart Docker and Nomad
 
-    - name: Add values
+    - name: Boostrap ACLs
+      command:
+        argv:
+          - "consul"
+          - "acl"
+          - "bootstrap"
+          - "-format=json"
+      run_once: true
+      ignore_errors: true
+      register: bootstrap_result
+
+    - name: Save bootstrap result
+      copy:
+        content: "{{ bootstrap_result.stdout }}"
+        dest: "./consul_bootstrap.json"
+      when: bootstrap_result is succeeded
       delegate_to: localhost
       run_once: true
-      block:
-        - name: Install python-consul
-          pip:
-            name: python-consul
-            extra_args: --index-url https://pypi.org/simple
-
-        - name: Set hostname
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: global/base_hostname
-            # TODO: propogate this through via Consul and Nomad templates rather than Terraform
-            value: dev.homelab
-
-        - name: Write values
-          consul_kv:
-            host: "{{ inventory_hostname }}"
-            key: "{{ item.key }}"
-            value: "{{ item.value }}"
-          loop: "{{ consul_values | default({}) | dict2items }}"
 
 - name: Setup Vault cluster
   hosts: vault_instances
 
-  vars_files:
-    - ./vault_hashi_vault_values.yml
-
   roles:
     - name: ansible-vault
       vars: