controller Stanza

The controller stanza configures Boundary controller-specific parameters.

  1. controller {
  2.   name = "example-controller"
  3.   description = "An example controller"
  4.   database {
  5.     url = "postgresql://<username>:<password>@10.0.0.1:5432/<database_name>"
  6.   }
  7. }

  • name - Specifies a unique name of this controller within the Boundary controller cluster.

  • description - Specifies a friendly description of this controller.

  • database - Configuration block with two valid parameters for connecting to Postgres:

    • url - Configures the URL for connecting to Postgres

    • migration_url - Can be used to specify a different URL for migrations, as that usually requires higher privileges.

      Either can refer to a file on disk (file://) from which a URL will be read; an env var (env://) from which the URL will be read; or a direct database URL (postgres://).

Complete Configuration Example

  1. # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
  2. disable_mlock = true
  4. # Controller configuration block
  5. controller {
  6.   # This name attr must be unique across all controller instances if running in HA mode
  7.   name = "demo-controller-1"
  8.   description = "A controller for a demo!"
  10.   # Database URL for postgres. This can be a direct "postgres://"
  11.   # URL, or it can be "file://" to read the contents of a file to
  12.   # supply the url, or "env://" to name an environment variable
  13.   # that contains the URL.
  14.   database {
  15.       url = "postgresql://boundary:boundarydemo@${aws_db_instance.boundary.endpoint}/boundary"
  16.   }
  17. }
  19. # API listener configuration block
  20. listener "tcp" {
  21.   # Should be the address of the NIC that the controller server will be reached on
  22.   address = "10.0.0.1"
  23.   # The purpose of this listener block
  24.   purpose = "api"
  26.   tls_disable = false
  28.   # Uncomment to enable CORS for the Admin UI. Be sure to set the allowed origin(s)
  29.   # to appropriate values.
  30.   #cors_enabled = true
  31.   #cors_allowed_origins = ["yourcorp.yourdomain.com"]
  32. }
  34. # Data-plane listener configuration block (used for worker coordination)
  35. listener "tcp" {
  36.   # Should be the IP of the NIC that the worker will connect on
  37.   address = "10.0.0.1"
  38.   # The purpose of this listener
  39.   purpose = "cluster"
  41.   tls_disable = false
  42. }
  44. # Root KMS configuration block: this is the root key for Boundary
  45. # Use a production KMS such as AWS KMS in production installs
  46. kms "aead" {
  47.   purpose = "root"
  48.   aead_type = "aes-gcm"
  49.   key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
  50.   key_id = "global_root"
  51. }
  53. # Worker authorization KMS
  54. # Use a production KMS such as AWS KMS for production installs
  55. # This key is the same key used in the worker configuration
  56. kms "aead" {
  57.   purpose = "worker-auth"
  58.   aead_type = "aes-gcm"
  59.   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  60.   key_id = "global_worker-auth"
  61. }
  63. # Recovery KMS block: configures the recovery key for Boundary
  64. # Use a production KMS such as AWS KMS for production installs
  65. kms "aead" {
  66.   purpose = "recovery"
  67.   aead_type = "aes-gcm"
  68.   key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
  69.   key_id = "global_recovery"
  70. }