How to use Variables in Consul-template config file?

Question

How to use Variables in consul-template config file?

I have consul templates which I want to run and below is my consul-template configuration:

vault {

  address      = "http://$VAULT_ADDR:8200"
  token        = "sometoken"
  unwrap_token = false
  renew_token  = false
}


template {
  source      = "somepath/agent.crt.tpl"
  destination = "somepath/agent.key"
  command     = "sh -c 'date && systemctl restart consul'"
}

I've tried the whole day to put the vault address in dynamic way or pass it as variable or take it from env variable or by consul-template API without success.

In the end I ended up writing this sorcery in my service file:

ExecStart=/bin/sh -c "/usr/local/sbin/consul-template -config /opt/consul/templates/tls-consul.hcl \
-vault-addr http://$(curl -s -XGET $(hostname -I | awk '{ print $1 }'):8500/v1/health/service/vault | jq .[0].Node.Address -r):8200"

is there any convenient way to do this? Can I use environment variable for token part somehow or am I forced to hardcode it?

Answer 1

In addition to statically defining the Vault token in Consul template's configuration file, Consul template can also retrieve the Vault token from the VAULT_TOKEN environment variable, or from a file path defined by the -vault-agent-token-file command line flag or vault_agent_token_file configuration file option.

Example config token file config

vault {
  address      = "http://$VAULT_ADDR:8200"
  vault_agent_token_file = "/path/to/token_file"
  unwrap_token = false
  renew_token  = false
}

Either of these options would eliminate the need to hard code the value into the configuration file, while also giving you some additional flexibility in being able to populate the value of that file using a separate provisioning process.