steampipe plugin install consul

Table: consul_intention - Query Consul Intentions using SQL

Consul Intentions are a resource within HashiCorp Consul that allows you to define access controls, which dictate what services may communicate. They are used to control which services may establish connections, providing a way to manage service-to-service communication in a microservices architecture. Intentions are a crucial component of Consul's service mesh capabilities.

Table Usage Guide

The consul_intention table provides insights into Consul Intentions within HashiCorp Consul. As a network engineer or a security administrator, explore intention-specific details through this table, including source and destination services, action, and associated metadata. Utilize it to uncover information about intentions, such as those allowing or denying certain communication paths, and the verification of service-to-service access controls.

Examples

Basic info

Gain insights into the communication intentions between different services in your network. This query helps identify potential areas of improvement or points of failure, by analyzing the source and destination of each interaction.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention;
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention;

List intentions with default source namespace

Explore which intentions have been set with the default source namespace. This can be useful for understanding the default configurations and identifying areas for potential adjustment or optimization.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
source_ns = 'default';
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
source_ns = 'default';

List intentions in order of highest precedence

Explore the priorities of different intentions in your system by arranging them in descending order of importance. This can help you understand the hierarchy and manage your resources more effectively.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
order by
precedence desc;
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
order by
precedence desc;

List intentions with destination applied to all namespaces

Discover the intentions that have a destination applied to all namespaces. This is useful for understanding the broad application of policies and permissions across your system.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
destination_ns = '*';
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
destination_ns = '*';

List allowlist intentions

Discover the segments that have been given access permissions. This query is useful in identifying and analyzing the areas where access has been explicitly granted for better security management.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
action = 'allow';
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns
from
consul_intention
where
action = 'allow';

List intentions with deny permission

Discover the segments that have been denied access within your network infrastructure. This can be useful for security audits, identifying potential weak points, or understanding the overall security structure.

select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns,
jsonb_pretty(p) as permission
from
consul_intention,
jsonb_array_elements(permissions) as p
where
p ->> 'Action' = 'deny';
select
id,
created_at,
source_name,
source_ns,
destination_name,
destination_ns,
p.value as permission
from
consul_intention,
json_each(permissions) as p
where
json_extract(p.value, '$.Action') = 'deny';

Schema for consul_intention

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
actiontextAction is whether this is an allowlist or denylist intention.
address_urltextThe address URL.
create_indexbigintCreateIndex holds the index corresponding the creation of this intention.
created_attimestamp with time zoneThe create timestamp of the intention.
descriptiontextDescription is a human-friendly description of this intention.
destination_nametextThe name of the destination service.
destination_nstextThe destination namespace of the intention.
destination_partitiontextThe destination partition of the intention.
hashtextHash of the contents of the intention.
idtextID is the UUID-based ID for the intention, always generated by Consul.
metatextMeta is arbitrary metadata associated with the intention.
modify_indexbigintModifyIndex is the latest Raft index at which the intention was modified.
permissionsjsonbPermissions is the list of additional L7 attributes that extend the intention definition.
precedencebigintPrecedence is the order that the intention will be applied, with larger numbers being applied first. This is a read-only field, on any intention update it is updated.
source_nametext=The name of the source service.
source_nstextThe source namespace of the intention.
source_partitiontextThe source partition of the intention.
source_peertextThe source peer of the intention.
source_typetextThe source type of the intention.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextThe title of the intention.
updated_attimestamp with time zoneThe update timestamp of the intention.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- consul

You can pass the configuration to the command with the --config argument:

steampipe_export_consul --config '<your_config>' consul_intention