remote state in consul fails with acl / kv 403 error


ja...@fpcomplete.com

Sep 12, 2015, 7:51:33 PM
to Terraform
I would like to use consul as a remote backend state store for various environments managed with Terraform, but I am running into errors, and I'm unsure where to go from here.

The consul cluster has the default ACL policy set to deny, so I have added an ACL for a specific environment:

{
  "Name": "Terraform Remote State (dev)",
  "Type": "client",
  "Rules": "{ \"key\": { \"tf-states/dev\": { \"policy\": \"write\" } } }"
}


Loaded into consul:

curl -X PUT -H "Content-Type: application/json" --data @tf-state-acl.json localhost:8500/v1/acl/create?token=$MASTER_TOKEN

Confirmed it looks good via the consul UI:
"key" "tf-states/dev" {
  "policy" = "write"
}

Use the UI to create a node in k/v for "tf-states/dev/" - I tried both a path and a node for the "dev", but neither seemed to matter with the problem here.

Then I use the following to config terraform:

tf remote config -backend=Consul -backend-config="path=/tfstates/dev" -backend-config="address=localhost:8600" -backend-config="access-token=$TOKEN"
Remote configuration updated
Error while performing the initial pull. The error message is shown
below. Note that remote state was properly configured, so you don't
need to reconfigure. You can now use `push` and `pull` directly.

Error reloading remote state: Unexpected response code: 403


I have tested with different tokens, paths, and every other which way to sensibly slice the pie (hcl vs json for rules/etc), but I still get the 403.

On the leader side, this looks like:

    2015/09/12 23:36:54 [ERR] http: Request /v1/kv/tfstates/dev, error: rpc error: ACL not found


Any guidance / help is appreciated, thank you!

ja...@fpcomplete.com

Sep 12, 2015, 8:03:48 PM
to Terraform
When I try to push the state to consul via curl.. it succeeds:

curl -X PUT -d @terraform.tfstate "localhost:8600/v1/kv/tf-states/dev?token=0dae7e78-c969-641e-7b23-435711511d73"
true

Do I have the Terraform remote config specified incorrectly?

Ryan Gahl

Sep 13, 2015, 9:54:12 AM
to terrafo...@googlegroups.com
I am new to Consul so can't answer your question definitively, but in reading your post I just noticed you are using a hyphen in the Consul key "tf-states/dev", but have omitted the hyphen in your terraform config "tfstates/dev".

Like I said, I don't know if the problem will go away if you correct that or not (or if that was just a typo in your post to the group), but just thought I'd point it out.


ja...@fpcomplete.com

Sep 13, 2015, 1:00:44 PM
to Terraform


On Sunday, September 13, 2015 at 9:54:12 AM UTC-4, Ryan Gahl wrote:
> I am new to Consul so can't answer your question definitively, but in reading your post I just noticed you are using a hyphen in the Consul key "tf-states/dev", but have omitted the hyphen in your terraform config "tfstates/dev".
>
> Like I said, I don't know if the problem will go away if you correct that or not (or if that was just a typo in your post to the group), but just thought I'd point it out.

Yes, thanks for the careful review. In this case I have tested a bunch of different paths, tokens, and any other buttons to flip.. I am able to confirm the ACL as good when I use curl to push the statefile JSON to consul, but terraform fails when using the same details.

ja...@fpcomplete.com

Sep 14, 2015, 7:13:43 PM
to Terraform
I'm a bit stumped! If there was a bat phone at HashiCorp, I'd be calling it. I am especially confused by the fact that my tests with curl succeed while (what I think is) the same with terraform fails.

Angelo San Ramon

Aug 31, 2017, 6:27:31 PM
to Terraform
Is there a solution to this? I am having the same issue. I'm stuck.

Here is my ACL:
"ID": "b95977a7-5197-db2f-669f-96f2742b0541",
"Name": "Terraform Token",
"Type": "client",
"Rules": "key \"terraform/states\" {policy = \"write\"} key \"terraform/states/*\" {policy = \"write\"}"

Here is my backend configuration:
terraform {
  backend "consul" {
    address      = "http://96.119.8.39:8080"
    path         = "terraform/states"
    access_token = "b95977a7-5197-db2f-669f-96f2742b0541"
    datacenter   = "zis-vault-ci"
  }
}

I created the key "terraform/states" but keep getting "Error loading state: failed to lock state in Consul: Unexpected response code: 403 (Permission denied)"

If I change the ACL type to management and remove the rules, it works fine.

Can anyone provide a working ACL sample I can model with?

Any help is appreciated.

Thanks

Rui Moreira

Sep 12, 2017, 10:37:19 AM
to Terraform
I just had the same problem and had to add session "" {policy = "write"} to the ACL for that token.
It works now, I hope it helps, just thought sharing this would probably be a good idea
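
An added sketch (not code from the thread, Terraform or Consul) of why the key-only rules from the 2017 post are denied when the backend locks state, and why the session rule fixes it. It models legacy Consul ACL rules as prefix matches with a default-deny policy, and assumes the backend holds its lock through a Consul session and keeps its lock keys under the state path (`/.lock`, `/.lockinfo`); the node name `agent-1` and all function names are hypothetical.

```python
# Model of legacy Consul ACL evaluation (added example, not Consul's code).
# Assumptions: rules match by prefix, the longest matching prefix wins,
# and the cluster default policy is "deny" as described in the thread.
DEFAULT_POLICY = "deny"


def effective_policy(rules, resource, name):
    """Return the policy of the longest rule prefix that matches `name`."""
    matches = [(len(prefix), policy)
               for (res, prefix), policy in rules.items()
               if res == resource and name.startswith(prefix)]
    return max(matches)[1] if matches else DEFAULT_POLICY


def allowed(rules, resource, name, need):
    """"write" grants read and write; "read" grants read only."""
    policy = effective_policy(rules, resource, name)
    return policy == "write" or (need == "read" and policy == "read")


def backend_requests(path, node):
    """Requests a locking state backend makes (assumed layout, see lead-in)."""
    return [
        ("key", path, "read"),                  # pull state
        ("key", path, "write"),                 # push state
        ("key", path + "/.lock", "write"),      # lock key
        ("key", path + "/.lockinfo", "write"),  # lock metadata
        ("session", node, "write"),             # session that holds the lock
    ]


def denied(rules, path, node="agent-1"):
    """List the (resource, name) pairs the token's rules do not permit."""
    return [(res, name) for res, name, need in backend_requests(path, node)
            if not allowed(rules, res, name, need)]


# Rules from the 2017 post: key rules only.
KEY_ONLY = {("key", "terraform/states"): "write",
            ("key", "terraform/states/*"): "write"}
# The same rules plus the session rule from the last reply.
WITH_SESSION = {**KEY_ONLY, ("session", ""): "write"}

if __name__ == "__main__":
    print("key rules only:", denied(KEY_ONLY, "terraform/states"))
    print("with session  :", denied(WITH_SESSION, "terraform/states"))
```

Under these assumptions the key rules already cover the lock keys by prefix, so the only denied request is the session, which matches the "failed to lock state" 403 reported above.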