»Tasks

A task is the translation of dynamic service information from the Consul Catalog into network infrastructure changes downstream. Consul-Terraform-Sync carries out automation for executing tasks using network drivers. For a Terraform driver, the scope of a task is a Terraform module.

Below is an example task configuration:

task {
  name = "frontend-firewall-policies"
  description = "Add firewall policy rules for frontend services"
  providers = ["fake-firewall", "null"]
  services = ["web", "image"]
  source = "example/firewall-policy/module"
  version = "1.0.0"
}
task {  name = "frontend-firewall-policies"  description = "Add firewall policy rules for frontend services"  providers = ["fake-firewall", "null"]  services = ["web", "image"]  source = "example/firewall-policy/module"  version = "1.0.0"}

In the example task above, the "fake-firewall" and "null" providers, listed in the providers field, are used. These providers themselves should be configured in their own separate terraform_provider blocks. These providers are used in the Terraform module "example/firewall-policy/module", configured in the source field, to create, update, and destroy resources. This module may do something like use the providers to create and destroy firewall policy objects based on IP addresses. The IP addresses come from the "web" and "image" service instances configured in the services field. This service-level information is retrieved by Consul-Terraform-Sync which watches Consul catalog for changes.

See task configuration for more details on how to configure a task.

A task can be either enabled or disabled using the task cli. When enabled, tasks are executed and automated as described in sections below. However, disabled tasks do not execute when changes are detected from Consul catalog. Since disabled tasks do not execute, they also do not store events until re-enabled.

»Task Execution

An enabled task can be configured to monitor and execute on different types of conditions. For example, on changes to services (services condition) or on service registration and deregistration (catalog-services condition).

A task can also monitor but not execute on other variables that are simply included to provide additional information to the task's module. For example, a task with a catalog-services condition may execute on registration changes but additionally monitor service instances for IP information. The details of what values are monitored and what values can execute the task are determined by the module.

Below are details on the types of execution conditions that Consul-Terraform-Sync supports.

»Services Condition

The services condition is the default condition to execute a task. Tasks with the services condition monitor and execute on changes to a list of configured services.

In order to configure a task with the services condition, the list of services to trigger the task must be configured in the task's services. The task's condition block can be left unconfigured since it is the default. See the Services Condition configuration section for more details.

The services condition operates by monitoring the Health List Nodes For Service API and executing the task on any change of information for services configured. These changes include one or more changes to service values, like IP address, added or removed service instance, or tags. A complete list of values that would cause a task to run are expanded below:

AttributeDescription
idA unique Consul ID for this service. This is unique per Consul agent.
nameThe logical name of the service. Many service instances may share the same logical service name.
addressIP address of the service host -- if empty, node address should be used.
portPort number of the service
metaList of user-defined metadata key/value pairs for the service
tagsList of tags for the service
namespaceConsul Enterprise namespace of the service instance
statusRepresentative status for the service instance based on an aggregate of the list of health checks
nodeName of the Consul node on which the service is registered
node_idID of the node on which the service is registered.
node_addressThe IP address of the Consul node on which the service is registered.
node_datacenterData center of the Consul node on which the service is registered.
node_tagged_addressesList of explicit LAN and WAN IP addresses for the agent
node_metaList of user-defined metadata key/value pairs for the node

»Catalog-Services Condition

Tasks with a catalog-services condition monitor and execute on service registration changes for services that satisfy the condition configuration. 'Service registration changes' specifically refers to service registration and deregistration where service registration occurs on the first service instance registration, and service deregistration occurs on the last service instance registration. Tasks with a catalog-services condition may, depending on the module, additionally monitor but not execute on service instance information.

The catalog-services condition operates by monitoring the Catalog List Services API and executing the task when services are added or removed in the list of registered services. Note, the task does not execute on changes to the tags of the list of services. This is similar to how changes to service instance information, mentioned above, also does not execute a task.

Below is an example configuration for a task that will execute when a service with a name that matches the "web.*" regular expression in datacenter "dc1" has a registration change. It additionally monitors but does not execute on service instance changes to "web-api" in datacenter "dc2".

task {
  name = "catalog_service_condition_task"
  source = "path/to/catalog-services-module"
  providers = ["my-provider"]
  services = ["web-api"]

  condition "catalog-services" {
    datacenter          = "dc1"
    regexp              = "web.*"
    source_includes_var = false
  }
}

service {
  name = "web-api"
  datacenter = "dc2"
}
task {  name = "catalog_service_condition_task"  source = "path/to/catalog-services-module"  providers = ["my-provider"]  services = ["web-api"]
  condition "catalog-services" {    datacenter          = "dc1"    regexp              = "web.*"    source_includes_var = false  }}
service {  name = "web-api"  datacenter = "dc2"}

The module selected for a task will likely determine whether the task should be configured with a catalog-services condition. Module authors have the option to include and use the catalog_services input variable in addition to the required services variable. When this variable is included in the module, the user of this module will need to configure the task condition's source_includes_var value to be true. Catalog-Services condition modules should have the condition type and source_includes_var configuration value documented for users to reference when configuring a task.

In addition to source_includes_var, a task's catalog-services condition has other configuration fields that can be used to specify which services' registration changes should execute the task. For example, registration changes can be filtered for services in a specific datacenter or namespace. See the Catalog-Services Condition configuration section for more details.

One particular condition configuration, regexp, filters service registration changes by services that have a name which matches the configured regular expression. When unconfigured, the regexp value will default to match on any service that has a name which matches the services listed in task.services. As such, either regexp or task.services must be configured. When both are configured, see example above, the task will monitor and execute on registration changes to services matching the regexp, and the task will additionally monitor but not execute on service instances listed in task.services to optionally provide additional service information to the module.

»Task Automation

Consul-Terraform-Sync will attempt to execute each enabled task once upon startup to synchronize infrastructure with the current state of Consul. The daemon will stop and exit if any error occurs while preparing the automation environment or executing a task for the first time. This helps ensure tasks have proper configuration and are executable before the daemon transitions into running tasks in full automation as service changes are discovered over time. As a result, it is not recommended to configure a task as disabled from the start. After all tasks have successfully executed once, task failures during automation will be logged and retried or attempted again after a subsequent change.

Tasks are executed near-real time when service changes are detected. For services or environments that are prone to flapping, it may be useful to configure a buffer period for a task to accumulate changes before it is executed. The buffer period would reduce the number of consecutive network calls to infrastructure by batching changes for a task over a short duration of time.

»Status Information

Status-related information is collected and offered via status API to provide visibility into what and how the tasks are running. Information is offered in three-levels (lowest to highest):

  • Event data
  • Task status
  • Overall status

These three levels form a hierarchy where each level of data informs the one higher. The lowest-level, event data, is collected each time a task runs to update network infrastructure. This event data is then aggregated to inform individual task statuses. The count distribution of all the task statuses inform the overall status's task summary.

»Event

Each time a task's services has an update, Consul-Terraform-Sync takes a series of steps in order to update network infrastructure. This process starts with updating the task's templates to fetch new service data from Consul and ends with any post-actions after modifying network infrastructure. An event is a data structure that captures information on this process of updating network infrastructure. It stores information to help understand if the update to network infrastructure was successful or not, and it stores any errors that occurred. Because disabled tasks do not update network infrastructures, they therefore do not have store events until re-enabled.

Sample event:

{
  "id": "ef202675-502f-431f-b133-ed64d15b0e0e",
  "success": false,
  "start_time": "2020-11-24T12:05:18.651231-05:00",
  "end_time": "2020-11-24T12:05:20.900115-05:00",
  "task_name": "task_b",
  "error": {
    "message": "example error: error while doing terraform-apply"
  },
  ...
}
{  "id": "ef202675-502f-431f-b133-ed64d15b0e0e",  "success": false,  "start_time": "2020-11-24T12:05:18.651231-05:00",  "end_time": "2020-11-24T12:05:20.900115-05:00",  "task_name": "task_b",  "error": {    "message": "example error: error while doing terraform-apply"  },  ...}

For complete information on the event structure, see events in our API documentation. Event information can be retrieved by using the include=events parameter with the task status API.

»Task Status

Each time a task runs to update network infrastructure, event data is stored for that run. 5 most recent events are stored for each task, and these stored events are used to determine task status. For example, if the most recent stored event is not successful but the others are, then the task's health status is "errored".

Sample task status:

{
    "task_name": "task_b",
    "status": "errored",
    "providers": [
      "null"
    ],
    "services": [
      "web",
    ],
    "events_url": "/v1/status/tasks/task_b?include=events",
}
{    "task_name": "task_b",    "status": "errored",    "providers": [      "null"    ],    "services": [      "web",    ],    "events_url": "/v1/status/tasks/task_b?include=events",}

Task status information can be retrieved with task status API. The API documentation includes details on what health statuses are available and how it is calculated based on events' success/failure information.

»Overall Status

Overall status returns a summary of the health statuses across all tasks. The summary is the count of tasks in each health status category.

Sample overall status:

{
  "task_summary": {
    "successful": 28,
    "errored": 5,
    "critical": 1
  }
}
{  "task_summary": {    "successful": 28,    "errored": 5,    "critical": 1  }}

Overall status information can be retrieved with overall status API. The API documentation includes details on what health statuses are available and how it is calculated based on task statuses' health status information.