controller Stanza

The controller stanza configures Boundary controller-specific parameters.

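  controller {
    # Unique within the controller cluster; used to tell instances apart in HA mode.
    name        = "example-controller"
    description = "An example controller"

    database {
      # A direct URL like this embeds the database credentials in the config
      # file itself; the env:// and file:// forms documented for this stanza
      # keep them out of the file.
      url = "postgresql://<username>:<password>@10.0.0.1:5432/<database_name>"

      # Optional: a separate URL used only for migrations, which usually
      # require higher database privileges than the controller's runtime user.
      # migration_url = "env://<MIGRATION_URL_ENV_VAR>"   # placeholder env var name
    }
  }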
  • name - Specifies a unique name of this controller within the Boundary controller cluster.

  • description - Specifies a friendly description of this controller.

  • database - Configuration block with two valid parameters for connecting to Postgres:

    • url - Configures the URL for connecting to Postgres

    • migration_url - Optionally specifies a different URL to use for migrations, which usually require higher database privileges.

      Either parameter can refer to a file on disk (file://) from which the URL is read, an environment variable (env://) from which the URL is read, or a direct database URL (postgres://).

Complete Configuration Example

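  # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
  disable_mlock = true

  # Controller configuration block
  controller {
    # This name attr must be unique across all controller instances if running in HA mode
    name        = "demo-controller-1"
    description = "A controller for a demo!"

    # Database URL for postgres. This can be a direct "postgres://"
    # URL, or it can be "file://" to read the contents of a file to
    # supply the url, or "env://" to name an environment variable
    # that contains the URL.
    # The ${...} reference below is presumably filled in by a surrounding
    # Terraform template before Boundary reads this file. A direct URL
    # also places the database credentials in the config file; the
    # env:// and file:// forms avoid that.
    database {
      url = "postgresql://boundary:boundarydemo@${aws_db_instance.boundary.endpoint}/boundary"
    }
  }

  # API listener configuration block
  listener "tcp" {
    # Should be the address of the NIC that the controller server will be reached on
    address = "10.0.0.1"
    # The purpose of this listener block
    purpose     = "api"
    tls_disable = false
    # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
    # to appropriate values.
    #cors_enabled = true
    #cors_allowed_origins = ["yourcorp.yourdomain.com"]
  }

  # Data-plane listener configuration block (used for worker coordination)
  listener "tcp" {
    # Should be the IP of the NIC that the worker will connect on
    address = "10.0.0.1"
    # The purpose of this listener
    purpose     = "cluster"
    tls_disable = false
  }

  # Root KMS configuration block: this is the root key for Boundary
  # Use a production KMS such as AWS KMS in production installs
  kms "aead" {
    purpose   = "root"
    aead_type = "aes-gcm"
    key       = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
    key_id    = "global_root"
  }

  # Worker authorization KMS
  # Use a production KMS such as AWS KMS for production installs
  # This key is the same key used in the worker configuration
  kms "aead" {
    purpose   = "worker-auth"
    aead_type = "aes-gcm"
    key       = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id    = "global_worker-auth"
  }

  # Recovery KMS block: configures the recovery key for Boundary
  # Use a production KMS such as AWS KMS for production installs
  # The recovery key must be distinct from every other purpose. The
  # worker-auth key above is shared with each worker's configuration, so
  # reusing it here would give every worker the recovery key as well.
  kms "aead" {
    purpose   = "recovery"
    aead_type = "aes-gcm"
    key       = "<distinct-base64-aes-gcm-key>" # placeholder: generate a separate key
    key_id    = "global_recovery"
  }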