Secure Configuration for Consul on AWS Elastic Container Service (ECS) with Terraform

This topic describes how to enable Consul security features for your production workloads.

Overview

To enable security in your production workloads, you must deploy the ACL controller, which provisions tokens for other service mesh tasks. Refer to Architecture to learn more about the ACL controller.

The controller cannot provision tokens for itself, so you must create the token for the ACL controller. The following steps describe the overall process of enabling security features for your production workloads:

  1. Enable the security features on your Consul server cluster per the Prerequisites.
  2. Create the ACL token for the ACL controller in the datacenter.
  3. Create a Secrets Manager secret containing the ACL controller’s token.
  4. Create a Secrets Manager secret containing the Consul CA certificate.
  5. Deploy the ACL controller
  6. Deploy the other services on the mesh.

Prerequisites

Implement the following security features for your Consul server clusters before applying them to your workloads:

  1. TLS encryption for RPC communication between Consul clients and servers.
  2. Gossip encryption for encrypting gossip traffic.
  3. Access control lists (ACLs) for authentication and authorization for Consul clients and services on the mesh.

Auth Method

Consul on ECS uses the AWS IAM Auth Method to enable tasks to automatically obtain Consul ACL tokens during startup.

With the Terraform modules for Consul on ECS, the auth method is supported by default when ACLs are enabled. The ACL controller sets up the auth method on the Consul servers. The mesh-task module configures the ECS task definition to be compatible with the auth method.

A unique task IAM role is required for each ECS task family. Task IAM roles must not be shared by different task families. This is because the task family represents only one Consul service and the task IAM role must encode the Consul service name.

By default, the mesh-task module will create and configure the task IAM role for you.

Note: When passing an existing IAM role to the mesh-task module using the task_role input variable, you must configure the IAM role as described in ECS Task Role Configuration to be compatible with the AWS IAM auth method.

ACL controller

  1. Create a policy that grants acl:write and operator:write access for the controller. Refer to the ACL policies documentation for instructions.
  2. Create a token and link it to the ACL controller policy. Refer to the ACL tokens documentation for instructions.
  3. Create a Secrets Manager secret containing the ACL controller’s token and a Secrets Manager secret containing the Consul CA cert.
  1. resource "aws_secretsmanager_secret" "bootstrap_token" {
  2. name = "bootstrap-token"
  3. }
  4. resource "aws_secretsmanager_secret_version" "bootstrap_token" {
  5. secret_id = aws_secretsmanager_secret.bootstrap_token.id
  6. secret_string = "<bootstrap token>"
  7. }
  8. resource "aws_secretsmanager_secret" "ca_cert" {
  9. name = "server-ca-cert"
  10. }
  11. resource "aws_secretsmanager_secret_version" "ca_cert" {
  12. secret_id = aws_secretsmanager_secret.ca_cert.id
  13. secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"
  14. }
  1. Use the acl-controller terraform module to deploy the controller. You must provide the ARN’s for the token and CA cert in the consul_bootstrap_token_secret_arn and consul_server_ca_cert_arn fields, respectively.

    1. module "acl_controller" {
    2. source = "hashicorp/consul-ecs/aws//modules/acl-controller"
    3. version = "<version>"
    4. consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
    5. consul_server_http_addr = "https://consul-server.example.com:8501"
    6. consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
    7. ecs_cluster_arn = "arn:aws:ecs:us-east-1:111111111111:cluster/consul-ecs"
    8. region = "us-east-1"
    9. subnets = ["subnet-abcdef123456789"]
    10. name_prefix = "consul-ecs"
    11. }

The following table describes the required input variables for the acl-controller module.

Input VariableTypeDescription
sourcestringThe location of the acl-controller module source.
versionstringThe version of the acl-controller module.
consul_bootstrap_token_secret_arnstringThe Secrets Manager secret containing an ACL token for the ACL controller. The ACL token must have acl:write and operator:write permissions.
consul_server_http_addrstringThe HTTP(S) address of the Consul servers.
consul_server_ca_cert_arnstring(Optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server’s certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP.
ecs_cluster_arnstringThe ECS cluster where the ACL controller will be deployed.
regionstringThe AWS region where the AWS resources will be created.
subnetslistThe AWS VPC subnet ids where the ACL controller will be deployed.
name_prefixstringAWS resources created by the acl-controller module will include this prefix in the resource name.

EnterpriseSecure Configuration - 图1Enterprise

If you are using Consul Enterprise, see the Admin Partitions and Namespaces requirements documentation for additional configuration required to support Consul Enterprise on ECS.

Deploy your services

Follow the instructions described in Create a task definition to create the basic configuration for the task module. Add the following additional configurations to make the configuration production-ready.

Create an AWS Secrets Manager secret

The secret stores the gossip encryption key that the Consul clients use.

  1. resource "aws_secretsmanager_secret" "gossip_key" {
  2. name = "gossip-encryption-key"
  3. }
  4. resource "aws_secretsmanager_secret_version" "gossip_key" {
  5. secret_id = aws_secretsmanager_secret.gossip_key.id
  6. secret_string = "<Gossip encryption key>"
  7. }

Enable secure deployment

To enable secure deployment, add the following configuration to the task module.

  1. module "my_task" {
  2. source = "hashicorp/consul-ecs/aws//modules/mesh-task"
  3. version = "<version>"
  4. ...
  5. tls = true
  6. consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
  7. gossip_key_secret_arn = aws_secretsmanager_secret.gossip_key.arn
  8. acls = true
  9. consul_http_addr = "https://consul-server.example.com:8501"
  10. consul_https_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
  11. audit_logging = true
  12. }

The following table explains the mesh-task input variables relevant to a secure configuration:

Input VariableTypeDescription
tlsbooleanIf true, TLS is enabled for RPC communication with the Consul servers.
consul_server_ca_cert_arnstringThe Secrets Manager secret containing the CA certificate for RPC communication with the Consul servers when TLS is enabled.
gossip_key_secret_arnstringThe Secrets Manager secret containing Consul’s gossip encryption key.
aclsbooleanIf true, ACLs are enabled.
consul_http_addrstringThe Consul server address. Required when acls = true in order to log in to Consul’s AWS IAM auth method to obtain ACL tokens.
consul_https_ca_cert_arnstring(optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server’s certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP.
audit_loggingbooleanEnterprise (optional) If true, ACL audit logging is enabled. Consul client is configured to print audit logs to stdout.

Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:

  1. Run Terraform
  2. Configure routes
  3. Configure the bind address