open-consul/website/content/docs/ecs/terraform/secure-configuration.mdx

---
layout: docs
page_title: Secure Configuration - AWS ECS
description: >-
  Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform.
---

# Secure Configuration

This topic describes how to enable Consul security features for your production workloads.

## Overview

To enable security in your production workloads, you must deploy the [ACL controller](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller), which provisions tokens for other service mesh tasks. Refer to [Architecture](/docs/ecs/architecture#acl-controller) to learn more about the ACL controller.

The controller cannot provision tokens for itself, so you must create the token for the ACL controller. The following steps describe the overall process of enabling security features for your production workloads:

1. Enable the security features on your Consul server cluster per the [Prerequisites](#prerequisites).
1. Create the ACL token for the ACL controller in the datacenter.
1. Create a Secrets Manager secret containing the ACL controller's token.
1. Create a Secrets Manager secret containing the Consul CA certificate.
1. Deploy the ACL controller
1. Deploy the other services on the mesh.

## Prerequisites

Implement the following security features for your Consul server clusters before applying them to your workloads:

1. [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
1. [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
1. [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.

## Auth Method

Consul on ECS uses the [AWS IAM Auth Method](/docs/ecs/architecture#aws-iam-auth-method) to enable
tasks to automatically obtain Consul ACL tokens during startup.

With the Terraform modules for Consul on ECS, the auth method is supported by default when ACLs are
enabled. The ACL controller sets up the auth method on the Consul servers. The `mesh-task` module
configures the ECS task definition to be compatible with the auth method.

A unique task IAM role is required for each ECS task family. Task IAM roles must not be shared by
different task families. This is because the task family represents only one Consul service and the
task IAM role must encode the Consul service name.

By default, the `mesh-task` module will create and configure the task IAM role for you.

-> **NOTE**: When passing an existing IAM role to the `mesh-task` module using the `task_role` input
variable, you must configure the IAM role as described in [ECS Task Role
Configuration](/docs/ecs/manual/secure-configuration#ecs-task-role-configuration) to be compatible with
the AWS IAM auth method.

## ACL controller

1. Create a policy that grants `acl:write` and `operator:write` access for the controller. Refer to the [ACL policies documentation](/docs/security/acl/acl-policies) for instructions.
1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/docs/security/acl/acl-tokens) for instructions.
1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert.

  ```hcl
  resource "aws_secretsmanager_secret" "bootstrap_token" {
    name  = "bootstrap-token"
  }

  resource "aws_secretsmanager_secret_version" "bootstrap_token" {
    secret_id     = aws_secretsmanager_secret.bootstrap_token.id
    secret_string = "<bootstrap token>"
  }

  resource "aws_secretsmanager_secret" "ca_cert" {
    name  = "server-ca-cert"
  }

  resource "aws_secretsmanager_secret_version" "ca_cert" {
    secret_id     = aws_secretsmanager_secret.ca_cert.id
    secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"
  }
  ```

1. Use the [`acl-controller` terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller?tab=inputs) to deploy the controller. You must provide the ARN's for the token and CA cert in the `consul_bootstrap_token_secret_arn` and `consul_server_ca_cert_arn` fields, respectively.

    ```hcl
    module "acl_controller" {
      source                            = "hashicorp/consul-ecs/aws//modules/acl-controller"
      version                           = "<version>"

      consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
      consul_server_http_addr           = "https://consul-server.example.com:8501"
      consul_server_ca_cert_arn         = aws_secretsmanager_secret.ca_cert.arn
      ecs_cluster_arn                   = "arn:aws:ecs:us-east-1:111111111111:cluster/consul-ecs"
      region                            = "us-east-1"
      subnets                           = ["subnet-abcdef123456789"]
      name_prefix                       = "consul-ecs"
    }
    ```

The following table describes the required input variables for the `acl-controller` module.

| Input Variable                      | Type     | Description                                                                                                                                                                                                                                |
| ----------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `source`                            | string   | The location of the `acl-controller` module source.                                                                                                                                                                                        |
| `version`                           | string   | The version of the `acl-controller` module.                                                                                                                                                                                                |
| `consul_bootstrap_token_secret_arn` | string   | The Secrets Manager secret containing an ACL token for the ACL controller. The ACL token must have `acl:write` and `operator:write` permissions.                                                                                           |
| `consul_server_http_addr`           | string   | The HTTP(S) address of the Consul servers.                                                                                                                                                                                                 |
| `consul_server_ca_cert_arn`         | string   | (Optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server's certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP. |
| `ecs_cluster_arn`                   | string   | The ECS cluster where the ACL controller will be deployed.                                                                                                                                                                                 |
| `region`                            | string   | The AWS region where the AWS resources will be created.                                                                                                                                                                                    |
| `subnets`                           | list     | The AWS VPC subnet ids where the ACL controller will be deployed.                                                                                                                                                                          |
| `name_prefix`                       | string   | AWS resources created by the `acl-controller` module will include this prefix in the resource name.                                                                                                                                        |

<EnterpriseAlert>
If you are using Consul Enterprise, see <a href="/docs/ecs/enterprise#admin-partitions-and-namespaces">Admin Partitions and Namespaces</a> for
additional configuration required to support Consul Enterprise on ECS.
</EnterpriseAlert>

## Deploy your services

Follow the instructions described in [Create a task definition](/docs/ecs/terraform/install#create-the-task-definition) to create the basic configuration for the task module. Add the following additional configurations to make the configuration production-ready.

### Create an AWS Secrets Manager secret

The secret stores the gossip encryption key that the Consul clients use.

<CodeBlock>

```hcl
resource "aws_secretsmanager_secret" "gossip_key" {
  name  = "gossip-encryption-key"
}

resource "aws_secretsmanager_secret_version" "gossip_key" {
  secret_id     = aws_secretsmanager_secret.gossip_key.id
  secret_string = "<Gossip encryption key>"
}
```
</CodeBlock>

### Enable secure deployment

Add the following configurations to enable secure deployment. The `acl_secret_name_prefix`
should be the same as the `name_prefix` you provide to the ACL controller module.

```hcl
module "my_task" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "<version>"

  ...

  tls                       = true
  consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
  gossip_key_secret_arn     = aws_secretsmanager_secret.gossip_key.arn

  acls                      = true
  consul_http_addr          = "https://consul-server.example.com:8501"
  consul_https_ca_cert_arn  = aws_secretsmanager_secret.ca_cert.arn
}
```

The following table explains the `mesh-task` input variables relevant to a secure configuration:

| Input Variable              | Type     | Description                                                                                                                                                                                                                                |
| -----------------------     | -------- | -------------------------------------------------------------------------------------------------------------------                                                                                                                        |
| `tls`                       | boolean  | If true, TLS is enabled for RPC communication with the Consul servers.                                                                                                                                                                     |
| `consul_server_ca_cert_arn` | string   | The Secrets Manager secret containing the CA certificate for RPC communication with the Consul servers when TLS is enabled.                                                                                                                |
| `gossip_key_secret_arn`     | string   | The Secrets Manager secret containing Consul's gossip encryption key.                                                                                                                                                                      |
| `acls`                      | boolean  | If true, ACLs are enabled.                                                                                                                                                                                                                 |
| `consul_http_addr`          | string   | The Consul server address. Required when `acls = true` in order to log in to Consul's AWS IAM auth method to obtain ACL tokens.                                                                                                            |
| `consul_https_ca_cert_arn`  | string   | (optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server's certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP. |

Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:

1. [Run Terraform](/docs/ecs/terraform/install#run-terraform)
1. [Configure routes](/docs/ecs/terraform/install#configure-routes)
1. [Configure the bind address](/docs/ecs/terraform/install#configure-the-bind-address)
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00			`---`
			`layout: docs`
docs: Manual secure configuration for ECS 2022-01-24 23:43:20 +00:00			`page_title: Secure Configuration - AWS ECS`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00			`description: >-`
docs: Manual secure configuration for ECS 2022-01-24 23:43:20 +00:00			`Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform.`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00			`---`

docs: Manual secure configuration for ECS 2022-01-24 23:43:20 +00:00			`# Secure Configuration`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`This topic describes how to enable Consul security features for your production workloads.`
applied suggestions from review, udpates to TF secure configuration 2022-06-21 20:20:14 +00:00
			`## Overview`

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`To enable security in your production workloads, you must deploy the [ACL controller](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller), which provisions tokens for other service mesh tasks. Refer to [Architecture](/docs/ecs/architecture#acl-controller) to learn more about the ACL controller.`
applied suggestions from review, udpates to TF secure configuration 2022-06-21 20:20:14 +00:00
			`The controller cannot provision tokens for itself, so you must create the token for the ACL controller. The following steps describe the overall process of enabling security features for your production workloads:`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`1. Enable the security features on your Consul server cluster per the [Prerequisites](#prerequisites).`
applied suggestions from review, udpates to TF secure configuration 2022-06-21 20:20:14 +00:00			`1. Create the ACL token for the ACL controller in the datacenter.`
			`1. Create a Secrets Manager secret containing the ACL controller's token.`
			`1. Create a Secrets Manager secret containing the Consul CA certificate.`
			`1. Deploy the ACL controller`
			`1. Deploy the other services on the mesh.`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`## Prerequisites`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`Implement the following security features for your Consul server clusters before applying them to your workloads:`
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00
			`1. [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.`
			`1. [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.`
			`1. [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.`

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`## Auth Method`

			`Consul on ECS uses the [AWS IAM Auth Method](/docs/ecs/architecture#aws-iam-auth-method) to enable`
			`tasks to automatically obtain Consul ACL tokens during startup.`

			`With the Terraform modules for Consul on ECS, the auth method is supported by default when ACLs are`
			enabled. The ACL controller sets up the auth method on the Consul servers. The `mesh-task` module
			`configures the ECS task definition to be compatible with the auth method.`

			`A unique task IAM role is required for each ECS task family. Task IAM roles must not be shared by`
			`different task families. This is because the task family represents only one Consul service and the`
			`task IAM role must encode the Consul service name.`

			By default, the `mesh-task` module will create and configure the task IAM role for you.

			-> NOTE: When passing an existing IAM role to the `mesh-task` module using the `task_role` input
			`variable, you must configure the IAM role as described in [ECS Task Role`
			`Configuration](/docs/ecs/manual/secure-configuration#ecs-task-role-configuration) to be compatible with`
			`the AWS IAM auth method.`

applied suggestions from review, udpates to TF secure configuration 2022-06-21 20:20:14 +00:00			`## ACL controller`

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			1. Create a policy that grants `acl:write` and `operator:write` access for the controller. Refer to the [ACL policies documentation](/docs/security/acl/acl-policies) for instructions.
			`1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/docs/security/acl/acl-tokens) for instructions.`
applied suggestions from review, udpates to TF secure configuration 2022-06-21 20:20:14 +00:00			`1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert.`

			```hcl
			`resource "aws_secretsmanager_secret" "bootstrap_token" {`
			`name = "bootstrap-token"`
			`}`

			`resource "aws_secretsmanager_secret_version" "bootstrap_token" {`
			`secret_id = aws_secretsmanager_secret.bootstrap_token.id`
			`secret_string = "<bootstrap token>"`
			`}`

			`resource "aws_secretsmanager_secret" "ca_cert" {`
			`name = "server-ca-cert"`
			`}`

			`resource "aws_secretsmanager_secret_version" "ca_cert" {`
			`secret_id = aws_secretsmanager_secret.ca_cert.id`
			`secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"`
			`}`
			```

			1. Use the [`acl-controller` terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller?tab=inputs) to deploy the controller. You must provide the ARN's for the token and CA cert in the `consul_bootstrap_token_secret_arn` and `consul_server_ca_cert_arn` fields, respectively.

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			```hcl
			`module "acl_controller" {`
Docs: Fix path to consul-ecs Terraform modules (#13689) 2022-07-07 20:30:19 +00:00			`source = "hashicorp/consul-ecs/aws//modules/acl-controller"`
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`version = "<version>"`

			`consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn`
			`consul_server_http_addr = "https://consul-server.example.com:8501"`
			`consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn`
			`ecs_cluster_arn = "arn:aws:ecs:us-east-1:111111111111:cluster/consul-ecs"`
			`region = "us-east-1"`
			`subnets = ["subnet-abcdef123456789"]`
			`name_prefix = "consul-ecs"`
			`}`
			```

			The following table describes the required input variables for the `acl-controller` module.

			`\| Input Variable \| Type \| Description \|`
			`\| ----------------------------------- \| -------- \| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ \|`
			\| `source` \| string \| The location of the `acl-controller` module source. \|
			\| `version` \| string \| The version of the `acl-controller` module. \|
			\| `consul_bootstrap_token_secret_arn` \| string \| The Secrets Manager secret containing an ACL token for the ACL controller. The ACL token must have `acl:write` and `operator:write` permissions. \|
			\| `consul_server_http_addr` \| string \| The HTTP(S) address of the Consul servers. \|
			\| `consul_server_ca_cert_arn` \| string \| (Optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server's certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP. \|
			\| `ecs_cluster_arn` \| string \| The ECS cluster where the ACL controller will be deployed. \|
			\| `region` \| string \| The AWS region where the AWS resources will be created. \|
			\| `subnets` \| list \| The AWS VPC subnet ids where the ACL controller will be deployed. \|
			\| `name_prefix` \| string \| AWS resources created by the `acl-controller` module will include this prefix in the resource name. \|

			`<EnterpriseAlert>`
			`If you are using Consul Enterprise, see <a href="/docs/ecs/enterprise#admin-partitions-and-namespaces">Admin Partitions and Namespaces</a> for`
			`additional configuration required to support Consul Enterprise on ECS.`
			`</EnterpriseAlert>`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`## Deploy your services`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`Follow the instructions described in [Create a task definition](/docs/ecs/terraform/install#create-the-task-definition) to create the basic configuration for the task module. Add the following additional configurations to make the configuration production-ready.`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`### Create an AWS Secrets Manager secret`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> 2022-06-20 20:53:48 +00:00			`The secret stores the gossip encryption key that the Consul clients use.`
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00
			`<CodeBlock>`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
			```hcl
			`resource "aws_secretsmanager_secret" "gossip_key" {`
			`name = "gossip-encryption-key"`
			`}`

			`resource "aws_secretsmanager_secret_version" "gossip_key" {`
			`secret_id = aws_secretsmanager_secret.gossip_key.id`
			`secret_string = "<Gossip encryption key>"`
			`}`
			```
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`</CodeBlock>`

			`### Enable secure deployment`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			Add the following configurations to enable secure deployment. The `acl_secret_name_prefix`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00			should be the same as the `name_prefix` you provide to the ACL controller module.

			```hcl
			`module "my_task" {`
Docs: Fix path to consul-ecs Terraform modules (#13689) 2022-07-07 20:30:19 +00:00			`source = "hashicorp/consul-ecs/aws//modules/mesh-task"`
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`version = "<version>"`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
			`...`

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`tls = true`
			`consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn`
			`gossip_key_secret_arn = aws_secretsmanager_secret.gossip_key.arn`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00
docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			`acls = true`
			`consul_http_addr = "https://consul-server.example.com:8501"`
			`consul_https_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn`
docs: Add production installation ECS docs (#11049) Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> 2021-09-16 16:28:05 +00:00			`}`
			```

docs: Update ECS docs for IAM auth method support (#13222) 2022-06-23 21:42:40 +00:00			The following table explains the `mesh-task` input variables relevant to a secure configuration:

			`\| Input Variable \| Type \| Description \|`
			`\| ----------------------- \| -------- \| ------------------------------------------------------------------------------------------------------------------- \|`
			\| `tls` \| boolean \| If true, TLS is enabled for RPC communication with the Consul servers. \|
			\| `consul_server_ca_cert_arn` \| string \| The Secrets Manager secret containing the CA certificate for RPC communication with the Consul servers when TLS is enabled. \|
			\| `gossip_key_secret_arn` \| string \| The Secrets Manager secret containing Consul's gossip encryption key. \|
			\| `acls` \| boolean \| If true, ACLs are enabled. \|
			\| `consul_http_addr` \| string \| The Consul server address. Required when `acls = true` in order to log in to Consul's AWS IAM auth method to obtain ACL tokens. \|
			\| `consul_https_ca_cert_arn` \| string \| (optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server's certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP. \|

tweaks to the secure TF install section 2022-06-17 21:42:51 +00:00			`Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:`

			`1. [Run Terraform](/docs/ecs/terraform/install#run-terraform)`
			`1. [Configure routes](/docs/ecs/terraform/install#configure-routes)`
			`1. [Configure the bind address](/docs/ecs/terraform/install#configure-the-bind-address)`