Add ECS audit logging docs (#13729)

A.J. Sanon 2022-07-22 13:30:25 -04:00 committed by GitHub
parent b8131704ea
commit 9f9ac78243
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 69 additions and 3 deletions


@ -56,7 +56,7 @@ If client support is required for any of the features, then you must use a Consu
| Network Segments | No | Currently there is no capability to configure the network segment Consul clients on ECS run in. |
| Namespaces | Yes | This feature requires Consul Enterprise servers. OSS clients can register into the `default` namespace. Registration into a non-default namespace requires a Consul Enterprise client. |
| Admin Partitions | Yes | This feature requires Consul Enterprise servers. OSS clients can register into the `default` admin partition. Registration into a non-default partition requires a Consul Enterprise client. |
| Audit Logging | No* | Audit logging can be enabled on Consul servers that run outside of ECS but is not currently supported on the Consul clients that run inside ECS. |
| Audit Logging | Yes | This feature requires Consul Enterprise clients. |
### Admin Partitions and Namespaces
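Review bot: the new `Audit Logging | Yes` row states only "requires Consul Enterprise clients", but the section added in the same commit also lists "ACLs must be enabled" as a requirement; the compatibility table should carry the same condition so a reader scanning only the table does not expect audit logging to work on an ACL-disabled cluster. Suggest `| Audit Logging | Yes | This feature requires Consul Enterprise clients and ACLs enabled. |`. The removed `No*` row also had a footnote marker; confirm the matching footnote text is removed elsewhere on the page so no orphan `*` remains.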
@ -121,3 +121,29 @@ module "my_task" {
```
</CodeBlockConfig>
### Audit Logging
Consul on ECS supports [audit logging](/docs/enterprise/audit-logging) when using Consul Enterprise clients.
This feature has the following requirements:
- ACLs must be enabled.
- `mesh-task` must use a Consul Enterprise image.
- `gateway-task` must use a Consul Enterprise image.
To enable audit logging, set `audit_logging = true` when configuring the client.
<CodeBlockConfig highlight="7-8">
```hcl
module "my_task" {
source = "hashicorp/consul-ecs/aws//modules/mesh-task"
family = "my_task"
...
consul_image = "hashicorp/consul-enterprise:<version>-ent"
audit_logging = true
}
```
</CodeBlockConfig>
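Review bot: `<CodeBlockConfig highlight="7-8">` points past the lines it is meant to emphasise; counting the fenced block, `consul_image` is line 5 and `audit_logging = true` is line 6, and line 7 is the closing `}`, so this should be `highlight="5-6"`. Two smaller points in the same hunk: the requirements list says ACLs must be enabled, yet the example omits `acls = true` (the secure-deployment example later in this commit shows the two together, so mirroring that here avoids a non-working snippet), and the list names `gateway-task` as also needing an Enterprise image while only `mesh-task` is shown; a one-line note that the same `consul_image` and `audit_logging` inputs apply to the `gateway-task` module would close that gap.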


@ -472,6 +472,45 @@ The following table describes the additional fields that must be included in the
| [`acl.tokens.agent`](/docs/agent/config/config-files#acl_tokens_agent) | string | Consul client token which authorizes this agent with Consul servers. |
| [`partition`](/docs/agent/config/config-files#partition-1) | string | <EnterpriseAlert inline /> The Consul Enterprise admin partition this agent belongs to. |
### Configure Audit Logging <EnterpriseAlert inline />
[Audit logging](/docs/enterprise/audit-logging) is supported on clients running Consul Enterprise with ACLs enabled.
To enable audit logging, update the startup script to add an `audit` stanza to the Consul client configuration file.
The following example modifies the `consul-client` startup script to configure audit logs to be written to the `stdout` of the `consul-client` container.
<CodeBlockConfig highlight="9-17">
```shell
...
# Write the Consul agent configuration file.
cat << EOF > /consul/agent-defaults.hcl
...
partition = "<partition>"
audit {
enabled = true
sink "stdout" {
type = "file"
format = "json"
path = "/dev/stdout"
delivery_guarantee = "best-effort"
}
}
EOF
```
</CodeBlockConfig>
The following table describes the fields that must be included to configure audit logging.
| Field name | Type | Description |
| ------------------------------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------ |
| [`audit.enabled`](/docs/agent/config/config-files#enabled) | boolean | Enable audit logging for this agent. |
| [`audit.sink`](/docs/agent/config/config-files#sink) | object | The audit logging sink for this agent. |
## Configure `consul-ecs-mesh-init` and `consul-ecs-health-sync`
The following *additional* options should be set in the [`CONSUL_ECS_CONFIG_JSON`](/docs/ecs/manual/install#consul_ecs_config_json) environment variable. When these options are specified, the `consul-ecs mesh-init` command will run the `consul login` command to obtain a service token from the Consul AWS IAM Auth method. The `consul-ecs health-sync` command is responsible for running a `consul logout` command for both the service and client tokens when the task shuts down.
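Review bot: the field table under "The following table describes the fields that must be included" documents only `audit.enabled` and `audit.sink`, while the example relies on four sink sub-fields (`type`, `format`, `path`, `delivery_guarantee`) that a reader copying from this page has no description for; either add rows for them or link the `audit.sink` row to the sink reference. Worth adding as a caveat next to `delivery_guarantee = "best-effort"`: best-effort means the agent may drop audit events rather than block the request, so with a `/dev/stdout` sink the container log driver becomes the only retention path and readers should not treat this as a complete record. Also, `<CodeBlockConfig highlight="9-17">` does not line up with the block: the `audit { ... }` stanza spans lines 6 to 14 of the fenced code, so `highlight="6-14"` is what was intended.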


@ -136,8 +136,7 @@ resource "aws_secretsmanager_secret_version" "gossip_key" {
### Enable secure deployment
Add the following configurations to enable secure deployment. The `acl_secret_name_prefix`
should be the same as the `name_prefix` you provide to the ACL controller module.
To enable secure deployment, add the following configuration to the task module.
```hcl
module "my_task" {
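Review bot: the replaced sentence dropped the guidance that `acl_secret_name_prefix` "should be the same as the `name_prefix` you provide to the ACL controller module". If that input still exists on the task module, this is a real configuration pitfall (mismatched prefixes mean the task cannot find the secrets the controller created) and the sentence should stay; if the input has been removed, the corresponding row should also disappear from the variables table a few lines down, otherwise the table and the prose disagree.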
@ -153,6 +152,7 @@ module "my_task" {
acls = true
consul_http_addr = "https://consul-server.example.com:8501"
consul_https_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
audit_logging = true
}
```
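Review bot: adding `audit_logging = true` to the generic "Enable secure deployment" example enables an Enterprise-only feature in a snippet that otherwise applies to OSS images; a reader on `hashicorp/consul` rather than `hashicorp/consul-enterprise` will copy a configuration that cannot work. Suggest either an inline HCL comment on that line (`# Consul Enterprise only`) or showing the matching `consul_image = "hashicorp/consul-enterprise:<version>-ent"` input alongside it, as the Audit Logging section in this same commit does.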
@ -166,6 +166,7 @@ The following table explains the `mesh-task` input variables relevant to a secur
| `acls` | boolean | If true, ACLs are enabled. |
| `consul_http_addr` | string | The Consul server address. Required when `acls = true` in order to log in to Consul's AWS IAM auth method to obtain ACL tokens. |
| `consul_https_ca_cert_arn` | string | (optional) The Secrets Manager secret containing the CA cert for HTTPS communication with Consul servers. Required if the server's certificate is self-signed or signed by an internal CA. This is not required for Consul servers in HCP. |
| `audit_logging` | boolean | <EnterpriseAlert inline /> (optional) If true, ACL audit logging is enabled. Consul client is configured to print audit logs to `stdout`. |
Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:
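Review bot: the new `audit_logging` row says "ACL audit logging is enabled", but Consul Enterprise audit logging records HTTP API requests generally, not only ACL operations, so "ACL audit logging" is misleading; suggest "If true, audit logging is enabled and the Consul client is configured to write audit logs to `stdout`." The row should also state its preconditions the way the `consul_http_addr` row does for `acls`: requires `acls = true` and a Consul Enterprise `consul_image`.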