Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Consul Enterprise on Google Cloud Platform (GCP) using Compute Engine instances.
This module requires the following resources to already exist in the target GCP project:
- A VPC with a subnet in a region with 3+ zones
- GCP Secret Manager secrets with the following contents:
  - Consul server agent certificate, PEM formatted and base64-encoded
  - Consul server agent private key, PEM formatted and base64-encoded
  - Root certificate of the agent's signing authority (the CA certificate), PEM formatted and base64-encoded
  - Consul gossip encryption key
  - Consul Enterprise license (stored as-is; see below)
- (Optional) A GCS bucket for backup snapshot storage
The examples/ubuntu-nlb-consul-primary directory contains a reference implementation of a root-level module sourcing this repository.
Suitable TLS certificates may be generated using the Consul CLI (`consul tls ca create` and `consul tls cert create -server`). See the Consul TLS page in the HashiCorp Developer Portal for more information.
The TLS certificate and private key must be provided via GCP Secret Manager secrets whose payloads are PEM-format X.509 material (the whole file, including the BEGIN/END lines), further base64-encoded so that each payload is a single line with no newlines or special characters.
The Consul Enterprise license is already in a format suitable for storage in GCP Secret Manager and should be added without modification.
The ACL system is bootstrapped automatically and configured with sane default policies for anonymous users, agent registration, and the snapshot agent.
ACL tokens are generated for those policies, along with the initial management token, and all are written to GCP Secret Manager for retrieval by the operator. The management token grants full control of the cluster's ACL system, so restrict IAM access to those secrets to the operators who need them.
A Consul gossip encryption key may be generated with `consul keygen`. The command outputs the key already base64-encoded, so it may be added to Secret Manager without modification.
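The secret-preparation steps above (server certificate, private key, CA certificate, gossip key and license), as an added shell example that is not part of this module's code. It assumes the `consul`, `gcloud`, `openssl` and `base64` CLIs are installed, takes the GCP project from a `PROJECT_ID` variable and the license path from `CONSUL_LICENSE_FILE` (both names chosen for this example), and uses placeholder secret names (consul-tls-ca-cert, consul-tls-cert, consul-tls-privkey, consul-gossip-key, consul-license) that must match whatever you pass to the module's `*_sm_secret_name` inputs.

```shell
#!/usr/bin/env bash
# Added example, not part of the module: create the TLS material and gossip key
# the module expects and load them into GCP Secret Manager in the documented
# form (PEM, base64-encoded on one line; gossip key and license unchanged).
# Assumes consul, gcloud, openssl and base64 are on PATH. PROJECT_ID,
# CONSUL_LICENSE_FILE and the secret names are placeholders for this example.
set -eu

CONSUL_DC="${CONSUL_DC:-dc1}"

# Encode a PEM file as single-line base64, the form the module reads.
encode_pem() {
  base64 < "$1" | tr -d '\n'
}

# Pre-upload check on an encoded payload: exactly one line, valid base64, and
# the decoded bytes are PEM. Returns 0 when all three hold, 1 otherwise.
check_encoded_pem() {
  local payload nl
  payload="$1"
  nl="$(printf '\nx')"; nl="${nl%x}"
  case "$payload" in *"$nl"*) return 1 ;; esac
  printf '%s' "$payload" | base64 -d 2>/dev/null | grep -q -e '-----BEGIN '
}

# Confirm the server certificate chains to the CA and matches its private key,
# so a mismatch is caught here instead of by a failing agent at first boot.
verify_tls_material() {
  local ca cert key
  ca="$1"; cert="$2"; key="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]
}

# Store stdin as a Secret Manager secret: create it, or add a version if it exists.
put_secret() {
  if gcloud secrets describe "$1" --project "$PROJECT_ID" >/dev/null 2>&1; then
    gcloud secrets versions add "$1" --project "$PROJECT_ID" --data-file=-
  else
    gcloud secrets create "$1" --project "$PROJECT_ID" \
      --replication-policy=automatic --data-file=-
  fi
}

prepare_consul_secrets() {
  : "${PROJECT_ID:?set PROJECT_ID to the project that will hold the secrets}"
  local workdir ca cert key pair name file enc
  workdir="$(mktemp -d)"
  # consul tls writes consul-agent-ca.pem / consul-agent-ca-key.pem and
  # <dc>-server-consul-0.pem / <dc>-server-consul-0-key.pem into the cwd.
  ( cd "$workdir" && consul tls ca create && consul tls cert create -server -dc "$CONSUL_DC" )
  ca="$workdir/consul-agent-ca.pem"
  cert="$workdir/${CONSUL_DC}-server-consul-0.pem"
  key="$workdir/${CONSUL_DC}-server-consul-0-key.pem"
  verify_tls_material "$ca" "$cert" "$key"

  for pair in "consul-tls-ca-cert:$ca" "consul-tls-cert:$cert" "consul-tls-privkey:$key"; do
    name="${pair%%:*}"; file="${pair#*:}"
    enc="$(encode_pem "$file")"
    check_encoded_pem "$enc"
    printf '%s' "$enc" | put_secret "$name"
  done

  # consul keygen already emits base64; only the trailing newline is dropped.
  consul keygen | tr -d '\n' | put_secret "consul-gossip-key"
  # The enterprise license file is stored exactly as issued.
  put_secret "consul-license" < "${CONSUL_LICENSE_FILE:?path to the .hclic license file}"

  # The CA private key is not needed by the module; do not leave it on disk.
  rm -rf "$workdir"
}

if [ "${1:-}" = "run" ]; then
  prepare_consul_secrets
fi
```

Run it as `PROJECT_ID=my-project CONSUL_LICENSE_FILE=./consul.hclic ./prepare-secrets.sh run`. The two checks guard the mistakes that most often surface only as an agent failing to start: a base64 payload that still contains line wraps (the default output of `base64` wraps at 76 columns, which is why `tr -d '\n'` is applied), and a certificate uploaded with the wrong key.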
Additional documentation for customization and usage can be found in the docs folder.
This open source software is maintained by the HashiCorp Technical Field Organization, independently of our enterprise products. While our Support Engineering team provides dedicated support for our enterprise offerings, this open source software is not included.
- For help using this open source software, please engage your account team.
- To report bugs/issues with this open source software, please open them directly against this code repository using the GitHub issues feature.
Please note that there is no official Service Level Agreement (SLA) for support of this software as a HashiCorp customer. This software falls under the definition of Community Software/Versions in your Agreement. We appreciate your understanding and collaboration in improving our open source projects.
| Name | Version |
|---|---|
| | ~> 5.33 |

| Name | Version |
|---|---|
| | ~> 5.33 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| consul_gossip_key_sm_secret_name | Name of the Secret Manager secret containing the Consul gossip encryption key. | string | n/a | yes |
| consul_license_sm_secret_name | Name of the Secret Manager secret containing the Consul Enterprise license. | string | n/a | yes |
| consul_tls_ca_cert_sm_secret_name | Name of the Secret Manager secret containing the Consul TLS CA certificate. | string | n/a | yes |
| consul_tls_cert_sm_secret_name | Name of the Secret Manager secret containing the Consul TLS server certificate. | string | n/a | yes |
| consul_tls_privkey_sm_secret_name | Name of the Secret Manager secret containing the Consul TLS private key. | string | n/a | yes |
| project_id | The project ID to host the cluster in. | string | n/a | yes |
| region | The region to host the cluster in. | string | n/a | yes |
| application_prefix | (optional) The prefix to give to cloud entities. | string | "consul" | no |
| assign_public_ip | Whether instances should be assigned a public address. If false, they must be provisioned in a subnet with Cloud NAT deployed. | bool | false | no |
| auto_join_tag | (optional) A list of network tags used by Consul cloud auto-join to discover the other nodes in the cluster. If left blank, the module uses the first entry in tags. | list(string) | null | no |
| cidr_ingress_agent_allow | CIDR ranges to allow agent traffic (gossip, Consul RPC) inbound to Consul instance(s). Automatically includes the local subnet. | list(string) | [] | no |
| cidr_ingress_dns_allow | CIDR ranges to allow DNS traffic inbound to Consul instance(s). Automatically includes the local subnet. | list(string) | [] | no |
| cidr_ingress_grpctls_allow | CIDR ranges to allow gRPC-TLS (peering, dataplane) traffic inbound to Consul instance(s). Automatically includes the local subnet. | list(string) | [] | no |
| cidr_ingress_https_allow | CIDR ranges to allow HTTPS traffic inbound to Consul instance(s). | list(string) | [ | no |
| cidr_ingress_ssh_allow | CIDR ranges to allow SSH traffic inbound to Consul instance(s). | list(string) | [ | no |
| common_labels | (optional) Common labels to apply to GCP resources. | map(string) | {} | no |
| compute_image_family | (optional) The image family name (see https://cloud.google.com/compute/docs/images/os-details); defaults to Ubuntu. | string | "ubuntu-2204-lts" | no |
| compute_image_project | (optional) The project that owns the image (see https://cloud.google.com/compute/docs/images/os-details); defaults to Ubuntu. | string | "ubuntu-os-cloud" | no |
| consul_datacenter | (optional) Consul datacenter name to configure. | string | "dc1" | no |
| consul_dir_bin | Path to install the Consul Enterprise binary. | string | "/usr/local/bin" | no |
| consul_dir_config | Path to install the Consul Enterprise configuration. | string | "/etc/consul.d" | no |
| consul_dir_home | Path to hold the data, plugins and license directories. | string | "/opt/consul" | no |
| consul_dir_logs | Path to hold Consul file audit device logs. | string | "/var/log/consul" | no |
| consul_fqdn | (optional) TLS server name to use when connecting to the cluster over HTTPS. | string | null | no |
| consul_group_name | Name of the group to own Consul files and processes. | string | "consul" | no |
| consul_install_version | (optional) The version of Consul to install. | string | "1.19.1+ent" | no |
| consul_metadata_template | (optional) Alternative template file for the instance template metadata (startup) script. Place the file in your local ./templates folder; no path is required. | string | "google_consul_metadata.sh.tpl" | no |
| consul_nodes | (optional) The number of nodes to create in the pool. | number | 6 | no |
| consul_snapshot_dir_config | Path to install the Consul snapshot agent configuration. | string | "/etc/consul-snapshot.d" | no |
| consul_user_name | Name of the system user to own Consul files and processes. | string | "consul" | no |
| disk_size | (optional) The size (GB) of the disk to create. | number | 100 | no |
| disk_type | (optional) The disk type to use for the disk. | string | "pd-ssd" | no |
| enable_auto_healing | (optional) Enable auto-healing on the instance group. | bool | false | no |
| enable_iap | (optional) Enable IAP TCP forwarding (https://cloud.google.com/iap/docs/using-tcp-forwarding#console); defaults to true. | bool | true | no |
| google_service_account_iam_roles | (optional) List of project-level IAM roles to grant to the Consul service account. | list(string) | [ | no |
| health_check_interval | (optional) How often, in seconds, to send a health check. | number | 30 | no |
| health_timeout | (optional) How long, in seconds, to wait before claiming failure. | number | 15 | no |
| initial_auto_healing_delay | (optional) The time, in seconds, that the managed instance group waits before it applies auto-healing policies. | number | 1200 | no |
| load_balancing_scheme | (optional) Type of load balancer to use (INTERNAL, EXTERNAL, or NONE). | string | "INTERNAL" | no |
| machine_type | (optional) The machine type to use for the Consul nodes. | string | "e2-standard-2" | no |
| metadata | (optional) Metadata to add to the Compute Instance template. | map(string) | null | no |
| network | (optional) The VPC network to host the cluster in. | string | "default" | no |
| network_project_id | (optional) The project that the VPC network lives in. Can be left blank if the network is in the same project as the provider. | string | null | no |
| network_region | (optional) The region that the VPC network lives in. Can be left blank if the network is in the same region as the provider. | string | null | no |
| packer_image | (optional) The Packer-built image to use. | string | null | no |
| snapshot_agent | Manage configuration of the Consul snapshot agent. | object({ | { | no |
| subnetwork | (optional) The subnet in the VPC network to host the cluster in. | string | "default" | no |
| systemd_dir | Path to the systemd directory for unit files. | string | "/etc/systemd/system" | no |
| tags | (optional) A list of network tags to assign to all resources. | list(string) | [ | no |
| Name | Description |
|---|---|
| consul_service_account | Member-format ID of the Consul server service account. |
| loadbalancer_ip | The IP address of the load balancer forwarding rule (internal or external, depending on load_balancing_scheme). |