Variables updates

- Correct variable names
- Add token display variables
- Update documentation
- Remove deprecated variables

CHANGELOG.md

@@ -200,3 +200,10 @@
 - Streamline main tasks
 - Update documentation
 - Update variables
+
+## v1.3.1
+
+- Correct variable names
+- Add token display variables
+- Update documentation
+- Remove deprecated variables

README.md

@@ -25,7 +25,7 @@ software and versions:
 
 ## Role Variables
 
-The role specifies variables in `defaults/main.yml` and `vars/*.yml`.
+The role defines variables in `defaults/main.yml`:
 
 | Name           | Default Value | Description                        |
 | -------------- | ------------- | -----------------------------------|
@@ -58,6 +58,7 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`.
 | `consul_acl_default_policy` | *allow* | Default ACL policy |
 | `consul_acl_down_policy` | *allow* | Default ACL down policy |
 | `consul_acl_master_token` | UUID | ACL master token |
+| `consul_acl_master_token_display` | *false* | Display generated ACL Master Token |
 | `consul_acl_replication_token` | UUID | ACL replication token |
 | `consul_atlas_enable` | *false* | Enable Atlas support |
 | `consul_atlas_infrastructure` | Environment variable | Atlas infrastructure name |
@@ -67,9 +68,7 @@ The role specifies variables in `defaults/main.yml` and `vars/*.yml`.
 
 The `consul` binary works on most Linux platforms and is not distribution
 specific. However, some distributions require installation of specific OS
-packages with different naming, so this role was built with support for
-popular Linux distributions and defines these variables to deal with the
-differences acros distros:
+packages with different package names.
 
 | Name           | Default Value | Description                        |
 | -------------- | ------------- | -----------------------------------|
@@ -93,7 +92,11 @@ differences acros distros:
 ## Dependencies
 
 Ansible requires GNU tar and this role performs some local use of the
-unarchive module, so ensure that your system has `gtar` installed.
+unarchive module, so ensure that your system has `gtar` installed and
+in the PATH.
+
+If you're on system with a different (i.e. BSD) `tar`, like macOS and you
+see odd errors during unarchive tasks, you could be missing `gtar`.
 
 ## Example Playbook
 
@@ -116,7 +119,42 @@ Be aware that for clustering, the included `site.yml` does the following:
 2. Reconfigures bootstrap node to run without bootstrap-expect setting
 3. Restarts bootstrap node
 
-### DNSMasq Forwarding Support
+### ACL Support
+
+Basic support for ACLs is included in the role. You can set the environment
+variables `CONSUL_ACL_ENABLE` to *true*, and also set the
+`CONSUL_ACL_DATACENTER` environment variable to its correct value for your
+environment prior to executing your playbook; for example:
+
+```
+CONSUL_ACL_ENABLE="true" CONSUL_ACL_DATACENTER="maui" \
+CONSUL_ACL_MASTER_TOKEN_DISPLAY="true" ansible-playbook -i uat_hosts aloha.yml
+```
+
+If you want the automatically generated ACL Master Token value emitted to
+standard out during the play, set the environment variable
+`CONSUL_ACL_MASTER_TOKEN_DISPLAY` to "true" as in the above example.
+
+There are a number of Ansible ACL variables you can override to further refine
+your initial ACL setup. They are not all currently picked up from environment
+variables, but do have some sensible defaults. Check `defaults/main.yml` to
+see how some of he defaults (i.e. tokens) are automatically generated.
+
+### Atlas Support
+
+Basic support for Atlas is included in the role. You can set the environment
+variables `CONSUL_ATLAS_ENABLE` to *true*, and also set the
+`CONSUL_ATLAS_INFRASTRUCTURE` and `CONSUL_ATLAS_TOKEN` environment variables
+to their correct values for your environment prior to executing your
+playbook; for example:
+
+```
+CONSUL_ATLAS_ENABLE="true" CONSUL_ATLAS_INFRASTRUCTURE="brianshumate/example" \
+CONSUL_ATLAS_TOKEN="00000000-000000000-000000000000-0000" \
+ansible-playbook -i uat_hosts site.yml
+```
+
+### Dnsmasq Forwarding Support
 
 The role now includes support for [DNS forwarding](https://www.consul.io/docs/guides/forwarding.html) with [Dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html).
 

defaults/main.yml

@@ -26,17 +26,21 @@ consul_bootstrap_address: "{{ hostvars[groups[consul_group_name][0]]['ansible_'+
 consul_node_name: "{{ inventory_hostname_short }}"
 
 ## ACL
-consul_acl_enable: "false"
-consul_acl_datacenter: "{{ consul_datacenter }}"
+consul_acl_enable: "{{ lookup('env','CONSUL_ACL_ENABLE') | default('false', true) }}"
+consul_acl_datacenter: "{{ lookup('env','CONSUL_ACL_DATACENTER') | default(consul_datacenter, true) }}"
 consul_acl_default_policy: "allow"
 consul_acl_down_policy: "allow"
-consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
-consul_acl_replication_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
+consul_acl_master_token_display: "{{ lookup('env','CONSUL_ACL_MASTER_TOKEN_DISPLAY') | default('false', true) }}"
+consul_acl_replication_token_display: "{{ lookup('env','CONSUL_ACL_REPLICATION_TOKEN_DISPLAY') | default('false', true) }}"
+
+# TODO: deprecate?
+# consul_acl_master_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
+# consul_acl_replication_token: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
 
 # Options
-consul_dnsmasq_enable: "false"
-consul_atlas_enable: "false"
-consul_atlas_infrastructure: "{{ lookup('env','ATLAS_INFRA') }}"
+consul_dnsmasq_enable: "{{ lookup('env','CONSUL_DNSQMASQ_ENABLE') | default('false', true) }}"
+consul_atlas_enable: "{{ lookup('env','CONSUL_ATLAS_ENABLE') | default('false', true) }}"
+consul_atlas_infrastructure: "{{ lookup('env','ATLAS_INFRASTRUCTURE') }}"
 consul_atlas_token: "{{ lookup('env','ATLAS_TOKEN') }}"
 
 ## Distribution
@@ -78,8 +82,3 @@ consul_ubuntu_sha256: "{{ consul_zip_sha256 }}"
 consul_ubuntu_os_packages:
   - git
   - unzip
-
-## Deprecated
-consul_ui_url: "https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_web_ui.zip"
-consul_ui_pkg: "{{ consul_version }}_web_ui.zip"
-consul_ui_sha256: "5f8841b51e0e3e2eb1f1dc66a47310ae42b0448e77df14c83bb49e0e0d5fa4b7"

examples/README_VAGRANT.md

@@ -115,7 +115,7 @@ The role includes support for DNS forwarding with Dnsmasq.
 Install like this:
 
 ```
-CONSUL_DNSMASQ="true" vagrant up
+CONSUL_DNSMASQ_ENABLE="true" vagrant up
 ```
 
 Then you can query any of the agents via DNS directly via port 53:

examples/Vagrantfile

@@ -8,8 +8,10 @@ ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "site.yml"
 BOX_MEM = ENV['BOX_MEM'] || "1536"
 BOX_NAME =  ENV['BOX_NAME'] || "debian/jessie64"
 CLUSTER_HOSTS = ENV['CLUSTER_HOSTS'] || "vagrant_hosts"
-DNSMASQ = ENV['CONSUL_DNSMASQ'] || "false"
-LOGLEVEL = ENV['CONSUL_LOGLEVEL'] || "INFO"
+CONSUL_ACL_ENABLE = ENV['CONSUL_ACL_ENABLE'] || "false"
+CONSUL_ATLAS_ENABLE = ENV['CONSUL_ATLAS_ENABLE'] || "false"
+CONSUL_DNSMASQ_ENABLE = ENV['CONSUL_DNSMASQ_ENABLE'] || "false"
+CONSUL_LOGLEVEL = ENV['CONSUL_LOGLEVEL'] || "INFO"
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.require_version ">= 1.5.0"
@@ -77,8 +79,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       ansible.inventory_path = CLUSTER_HOSTS
       # Extra Ansible variables can be defined here
       ansible.extra_vars = {
-        consul_dnsmasq_enable: DNSMASQ,
-        consul_log_level: LOGLEVEL
+        consul_acl_enable: CONSUL_ACL_ENABLE,
+        consul_atlas_enable: CONSUL_ATLAS_ENABLE,
+        consul_dnsmasq_enable: CONSUL_DNSMASQ_ENABLE,
+        consul_log_level: CONSUL_LOGLEVEL
       }
       ansible.playbook = ANSIBLE_PLAYBOOK
       ansible.limit = "all"

tasks/main.yml

@@ -61,6 +61,32 @@
 - name: Server configuration
   template: src=server_config.json.j2 dest={{ consul_config_path }}/server/config.json
 
+- name: ACL Master Token
+  command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}"
+  connection: local
+  become: no
+  run_once: True
+  register: consul_acl_master_token
+  when: consul_acl_enable == "true"
+
+- name: Display ACL Master Token
+  debug: msg="{{ consul_acl_master_token['stdout'] }}"
+  run_once: True
+  when: consul_acl_enable == "true" and consul_acl_master_token_display == "true"
+
+- name: ACL Replication Token
+  command: "echo {{ ansible_date_time.iso8601_micro | to_uuid }}"
+  connection: local
+  become: no
+  run_once: True
+  register: consul_acl_replication_token
+  when: consul_acl_enable == "true"
+
+- name: Display ACL Replication Token
+  debug: msg="{{ consul_acl_replication_token['stdout'] }}"
+  run_once: True
+  when: consul_acl_enable == "true" and consul_acl_replication_token_display == "true"
+
 - name: ACL bootstrap configuration
   template: src=config_acl.json.j2 dest={{ consul_config_path }}/{{ item }}/config_acl.json
   with_items:
@@ -69,6 +95,14 @@
     - server
   when: consul_acl_enable == "true"
 
+- name: ACL policy configuration
+  template: src=config_acl_policy.hcl.j2 dest={{ consul_config_path }}/{{ item }}/config_acl_policy.hcl
+  with_items:
+    - bootstrap
+    - client
+    - server
+  when: consul_acl_enable == "true"
+
 - name: Atlas configuration
   template: src=config_atlas.json.j2 dest={{ consul_config_path }}/{{ item }}/config_atlas.json
   with_items:

templates/config_acl.json.j2

@@ -2,6 +2,5 @@
   "acl_datacenter": "{{ consul_acl_datacenter }}",
   "acl_default_policy": "{{ consul_acl_default_policy }}",
   "acl_down_policy": "{{ consul_acl_down_policy }}",
-  "acl_master_token": "{{ consul_acl_master_token }}",
-  "acl_replication_token": "{{ consul_acl_replication_token }}"
+  "acl_master_token": "{{ consul_acl_master_token['stdout'] }}"
 }

templates/config_acl_policy.hcl.j2

@@ -0,0 +1,44 @@
+# Default all keys to read-only
+key "" {
+  policy = "read"
+}
+key "foo/" {
+  policy = "write"
+}
+key "foo/private/" {
+  # Deny access to the dir "foo/private"
+  policy = "deny"
+}
+
+# Default all services to allow registration. Also permits all
+# services to be discovered.
+service "" {
+    policy = "write"
+}
+
+# Deny registration access to services prefixed "secure-".
+# Discovery of the service is still allowed in read mode.
+service "secure-" {
+    policy = "read"
+}
+
+# Allow firing any user event by default.
+event "" {
+    policy = "write"
+}
+
+# Deny firing events prefixed with "destroy-".
+event "destroy-" {
+    policy = "deny"
+}
+
+# Default prepared queries to read-only.
+query "" {
+    policy = "read"
+}
+
+# Read-only mode for the encryption keyring by default (list only)
+keyring = "read"
+
+# Read-only mode for Consul operator interfaces (list only)
+operator = "read"

version.txt

@@ -1 +1 @@
-v1.3.0
+v1.3.1