config: Deprecate EnableACLReplication

replaced by ACL.TokenReplication

agent/config/builder.go

@@ -865,7 +865,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 		ACLEnableKeyListPolicy: boolValWithDefault(c.ACL.EnableKeyListPolicy, boolVal(c.ACLEnableKeyListPolicy)),
 		ACLMasterToken:         stringVal(c.ACL.Tokens.Master),
 
-		ACLTokenReplication: boolValWithDefault(c.ACL.TokenReplication, boolVal(c.EnableACLReplication)),
+		ACLTokenReplication: boolVal(c.ACL.TokenReplication),
 
 		ACLTokens: token.Config{
 			DataDir:             dataDir,

agent/config/config.go

@@ -180,7 +180,6 @@ type Config struct {
 	DisableUpdateCheck               *bool               `mapstructure:"disable_update_check"`
 	DiscardCheckOutput               *bool               `mapstructure:"discard_check_output"`
 	DiscoveryMaxStale                *string             `mapstructure:"discovery_max_stale"`
-	EnableACLReplication             *bool               `mapstructure:"enable_acl_replication"`
 	EnableAgentTLSForChecks          *bool               `mapstructure:"enable_agent_tls_for_checks"`
 	EnableCentralServiceConfig       *bool               `mapstructure:"enable_central_service_config"`
 	EnableDebug                      *bool               `mapstructure:"enable_debug"`

agent/config/deprecated.go

@@ -14,6 +14,8 @@ type DeprecatedConfig struct {
 	ACLMasterToken *string `mapstructure:"acl_master_token"`
 	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
 	ACLReplicationToken *string `mapstructure:"acl_replication_token"`
+	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.enable_token_replication"
+	EnableACLReplication *bool `mapstructure:"enable_acl_replication"`
 
 	// DEPRECATED (ACL-Legacy-Compat) - moved to "primary_datacenter"
 	ACLDatacenter *string `mapstructure:"acl_datacenter"`
@@ -59,6 +61,13 @@ func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
 		warns = append(warns, deprecationWarning("acl_replication_token", "acl.tokens.replication"))
 	}
 
+	if dep.EnableACLReplication != nil {
+		if d.Config.ACL.TokenReplication == nil {
+			d.Config.ACL.TokenReplication = dep.EnableACLReplication
+		}
+		warns = append(warns, deprecationWarning("enable_acl_replication", "acl.enable_token_replication"))
+	}
+
 	if dep.ACLDatacenter != nil {
 		if d.Config.PrimaryDatacenter == nil {
 			d.Config.PrimaryDatacenter = dep.ACLDatacenter

agent/config/deprecated_test.go

@@ -50,3 +50,29 @@ acl_replication_token = "token5"
 	require.Equal(t, "token4", rt.ACLMasterToken)
 	require.Equal(t, "token5", rt.ACLTokens.ACLReplicationToken)
 }
+
+func TestLoad_DeprecatedConfig_ACLReplication(t *testing.T) {
+	opts := LoadOpts{
+		HCL: []string{`
+data_dir = "/foo"
+
+enable_acl_replication = true
+
+`},
+	}
+	patchLoadOptsShims(&opts)
+	result, err := Load(opts)
+	require.NoError(t, err)
+
+	expectWarns := []string{
+		deprecationWarning("enable_acl_replication", "acl.enable_token_replication"),
+	}
+	sort.Strings(result.Warnings)
+	require.Equal(t, expectWarns, result.Warnings)
+	// Ideally this would compare against the entire result.RuntimeConfig, but
+	// we have so many non-zero defaults in that response that the noise of those
+	// defaults makes this test difficult to read. So as a workaround, compare
+	// specific values.
+	rt := result.RuntimeConfig
+	require.Equal(t, true, rt.ACLTokenReplication)
+}

agent/config/runtime_test.go

@@ -5920,6 +5920,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		deprecationWarning("acl_token", "acl.tokens.default"),
 		deprecationWarning("acl_master_token", "acl.tokens.master"),
 		deprecationWarning("acl_replication_token", "acl.tokens.replication"),
+		deprecationWarning("enable_acl_replication", "acl.enable_token_replication"),
 		`bootstrap_expect > 0: expecting 53 servers`,
 	}
 	expectedWarns = append(expectedWarns, enterpriseConfigKeyWarnings...)

website/content/docs/agent/options.mdx

@@ -752,10 +752,10 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
   running Consul 0.7 or later. When provided, this will enable [ACL replication](https://learn.hashicorp.com/tutorials/consul/access-control-replication-multiple-datacenters)
   using this ACL replication using this token to retrieve and replicate the ACLs
   to the non-authoritative local datacenter. In Consul 0.9.1 and later you can enable
-  ACL replication using [`enable_acl_replication`](#enable_acl_replication) and then
+  ACL replication using [`acl.enable_token_replication`](#acl_enable_token_replication) and then
   set the token later using the [agent token API](/api/agent#update-acl-tokens)
   on each server. If the `acl_replication_token` is set in the config, it will automatically
-  set [`enable_acl_replication`](#enable_acl_replication) to true for backward compatibility.
+  set [`acl.enable_token_replication`](#acl_enable_token_replication) to true for backward compatibility.
 
   If there's a partition or other outage affecting the authoritative datacenter, and the
   [`acl_down_policy`](/docs/agent/options#acl_down_policy) is set to "extend-cache", tokens not
@@ -1439,7 +1439,8 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
 
 - `domain` Equivalent to the [`-domain` command-line flag](#_domain).
 
-- `enable_acl_replication` When set on a Consul server, enables ACL replication without having to set
+- `enable_acl_replication` **Deprecated in Consul 1.11. Use the [`acl.enable_token_replication`](#acl_enable_token_replication) field instead.**
+  When set on a Consul server, enables ACL replication without having to set
   the replication token via [`acl_replication_token`](#acl_replication_token). Instead, enable ACL replication
   and then introduce the token using the [agent token API](/api/agent#update-acl-tokens) on each server.
   See [`acl_replication_token`](#acl_replication_token) for more details.