Table: consul_intention - Query Consul Intentions using SQL
Consul Intentions are a resource within HashiCorp Consul that allows you to define access controls, which dictate what services may communicate. They are used to control which services may establish connections, providing a way to manage service-to-service communication in a microservices architecture. Intentions are a crucial component of Consul's service mesh capabilities.
Table Usage Guide
The consul_intention table provides insights into Consul Intentions within HashiCorp Consul. As a network engineer or a security administrator, explore intention-specific details through this table, including source and destination services, action, and associated metadata. Utilize it to uncover information about intentions, such as those allowing or denying certain communication paths, and the verification of service-to-service access controls.
Examples
Basic info
Gain insights into the communication intentions between different services in your network. This query helps identify potential areas of improvement or points of failure, by analyzing the source and destination of each interaction.
select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intention;select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intention;List intentions with default source namespace
Explore which intentions have been set with the default source namespace. This can be useful for understanding the default configurations and identifying areas for potential adjustment or optimization.
select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere source_ns = 'default';select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere source_ns = 'default';List intentions in order of highest precedence
Explore the priorities of different intentions in your system by arranging them in descending order of importance. This can help you understand the hierarchy and manage your resources more effectively.
select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionorder by precedence desc;select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionorder by precedence desc;List intentions with destination applied to all namespaces
Discover the intentions that have a destination applied to all namespaces. This is useful for understanding the broad application of policies and permissions across your system.
select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere destination_ns = '*';select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere destination_ns = '*';List allowlist intentions
Discover the segments that have been given access permissions. This query is useful in identifying and analyzing the areas where access has been explicitly granted for better security management.
select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere action = 'allow';select id, created_at, source_name, source_ns, destination_name, destination_nsfrom consul_intentionwhere action = 'allow';List intentions with deny permission
Discover the segments that have been denied access within your network infrastructure. This can be useful for security audits, identifying potential weak points, or understanding the overall security structure.
select id, created_at, source_name, source_ns, destination_name, destination_ns, jsonb_pretty(p) as permissionfrom consul_intention, jsonb_array_elements(permissions) as pwhere p ->> 'Action' = 'deny';select id, created_at, source_name, source_ns, destination_name, destination_ns, p.value as permissionfrom consul_intention, json_each(permissions) as pwhere json_extract(p.value, '$.Action') = 'deny';Schema for consul_intention
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| action | text | Action is whether this is an allowlist or denylist intention. | |
| create_index | bigint | CreateIndex holds the index corresponding the creation of this intention. | |
| created_at | timestamp with time zone | The create timestamp of the intention. | |
| description | text | Description is a human-friendly description of this intention. | |
| destination_name | text | The name of the destination service. | |
| destination_ns | text | The destination namespace of the intention. | |
| destination_partition | text | The destination partition of the intention. | |
| hash | text | Hash of the contents of the intention. | |
| id | text | ID is the UUID-based ID for the intention, always generated by Consul. | |
| meta | text | Meta is arbitrary metadata associated with the intention. | |
| modify_index | bigint | ModifyIndex is the latest Raft index at which the intention was modified. | |
| permissions | jsonb | Permissions is the list of additional L7 attributes that extend the intention definition. | |
| precedence | bigint | Precedence is the order that the intention will be applied, with larger numbers being applied first. This is a read-only field, on any intention update it is updated. | |
| source_name | text | = | The name of the source service. |
| source_ns | text | The source namespace of the intention. | |
| source_partition | text | The source partition of the intention. | |
| source_peer | text | The source peer of the intention. | |
| source_type | text | The source type of the intention. | |
| title | text | The title of the intention. | |
| updated_at | timestamp with time zone | The update timestamp of the intention. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- consulYou can pass the configuration to the command with the --config argument:
steampipe_export_consul --config '<your_config>' consul_intention