Update to 2023-07-26 19:00

roles/consul/defaults/main.yml

@@ -10,9 +10,11 @@ consul_root_dir: /opt/consul
 # Used for example to grant access to cli cert with ACL
 consul_admin_groups: "{{ system_admin_groups | default([]) }}"
 
-# If ACL are enabled, you need to set a management token for ansible
-# to be able to manage Consul (eg snapshot before upgrades)
-# consul_mgm_token: XXXXXXXXX
+# An optional CONSUL_HTTP_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# consul_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# # consul_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id consul/creds/admin ttl=1m)
 
 # List of consul servers name or IP
 consul_servers: []

roles/consul/tasks/install.yml

@@ -7,7 +7,7 @@
   tags: consul
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/consul mode=700
   loop:
     - pre
     - post

roles/consul/templates/pre-backup.j2

@@ -1,4 +1,15 @@
 #!/bin/sh
 
 set -eo pipefail
+{% if consul_conf.server %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/consul.sh ]; then
+  source /etc/profile.d/consul.sh
+fi
+{% if consul_conf.acl.enabled and consul_backup_token is defined %}
+export CONSUL_HTTP_TOKEN={{ consul_backup_token }}
+{% endif %}
+{% endif %}
 consul snapshot save {{ consul_root_dir }}/backup/consul.snap