126 lines
5.6 KiB
Plaintext
126 lines
5.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Secure Configuration - AWS ECS
|
|
description: >-
|
|
Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform.
|
|
---
|
|
|
|
# Secure Configuration
|
|
|
|
This topic describes how to enable Consul security features for your production workloads.
|
|
|
|
## Overview
|
|
|
|
To enable security in your production workloads, you must deploy the [ACL controller](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller), which provisions tokens for other service mesh tasks. Refer to [Automatic ACL Token Provisioning](/docs/ecs/architecture#automatic-acl-token-provisioning) to learn more about the ACL controller.
|
|
|
|
The controller cannot provision tokens for itself, so you must create the token for the ACL controller. The following steps describe the overall process of enabling security features for your production workloads:
|
|
|
|
1. Enable the security features on your Consul server cluster per the [Prerequisites](#prerequisites).
|
|
1. Create the ACL token for the ACL controller in the datacenter.
|
|
1. Create a Secrets Manager secret containing the ACL controller's token.
|
|
1. Create a Secrets Manager secret containing the Consul CA certificate.
|
|
1. Deploy the ACL controller
|
|
1. Deploy the other services on the mesh.
|
|
|
|
## Prerequisites
|
|
|
|
Implement the following security features for your Consul server clusters before applying them to your workloads:
|
|
|
|
1. [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
|
|
1. [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
|
|
1. [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
|
|
|
|
## ACL controller
|
|
|
|
1. Create a policy that grants `acl:write` and `operator:write` access for the controller. Refer to the [ACL policies documentation](/docs/security/acl/policies) for instructions.
|
|
1. Create a token and link it to the ACL controller policy. Refer to the [ACL tokens documentation](/docs/security/acl/tokens) for instructions.
|
|
1. Create a Secrets Manager secret containing the ACL controller's token and a Secrets Manager secret containing the Consul CA cert.
|
|
|
|
```hcl
|
|
resource "aws_secretsmanager_secret" "bootstrap_token" {
|
|
name = "bootstrap-token"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "bootstrap_token" {
|
|
secret_id = aws_secretsmanager_secret.bootstrap_token.id
|
|
secret_string = "<bootstrap token>"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret" "ca_cert" {
|
|
name = "server-ca-cert"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "ca_cert" {
|
|
secret_id = aws_secretsmanager_secret.ca_cert.id
|
|
secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"
|
|
}
|
|
```
|
|
|
|
1. Use the [`acl-controller` terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller?tab=inputs) to deploy the controller. You must provide the ARN's for the token and CA cert in the `consul_bootstrap_token_secret_arn` and `consul_server_ca_cert_arn` fields, respectively.
|
|
|
|
```hcl
|
|
module "acl_controller" {
|
|
source = "hashicorp/consul/aws-ecs//modules/acl-controller"
|
|
consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
|
|
consul_server_http_addr = "https://consul-server.example.com:8501"
|
|
consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
|
|
ecs_cluster_arn = "arn:aws:ecs:my-region:111111111111:cluster/consul-ecs"
|
|
region = "my-region"
|
|
subnets = ["subnet-abcdef123456789"]
|
|
name_prefix = "consul-ecs"
|
|
}
|
|
```
|
|
|
|
The `name_prefix` parameter is used to prefix any secrets that the ACL controller will
|
|
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you deploy this controller.
|
|
|
|
## Deploy your services
|
|
|
|
Follow the instructions described in [Create a task definition](/docs/ecs/terraform/install#create-the-task-definition) to create the basic configuration for the task module. Add the following additional configurations to make the configuration production-ready.
|
|
|
|
### Create an AWS Secrets Manager secret
|
|
|
|
The secret stores the gossip encryption key that the Consul clients use.
|
|
|
|
<CodeBlock>
|
|
|
|
```hcl
|
|
resource "aws_secretsmanager_secret" "gossip_key" {
|
|
name = "gossip-encryption-key"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "gossip_key" {
|
|
secret_id = aws_secretsmanager_secret.gossip_key.id
|
|
secret_string = "<Gossip encryption key>"
|
|
}
|
|
```
|
|
</CodeBlock>
|
|
|
|
### Enable secure deployment
|
|
|
|
Add the following configurations to enable secure deployment. The `acl_secret_name_prefix`
|
|
should be the same as the `name_prefix` you provide to the ACL controller module.
|
|
|
|
```hcl
|
|
module "my_task" {
|
|
source = "hashicorp/consul/aws-ecs//modules/mesh-task"
|
|
family = "my_task"
|
|
|
|
...
|
|
|
|
tls = true
|
|
consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
|
|
gossip_key_secret_arn = aws_secretsmanager_secret.gossip_key.arn
|
|
|
|
acls = true
|
|
consul_client_token_secret_arn = module.acl_controller.client_token_secret_arn
|
|
acl_secret_name_prefix = "consul-ecs"
|
|
}
|
|
```
|
|
|
|
Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:
|
|
|
|
1. [Run Terraform](/docs/ecs/terraform/install#run-terraform)
|
|
1. [Configure routes](/docs/ecs/terraform/install#configure-routes)
|
|
1. [Configure the bind address](/docs/ecs/terraform/install#configure-the-bind-address)
|