Fixup acl.EnterpriseMeta

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
2022-04-05 14:10:06 -07:00 · 2022-04-05 14:10:06 -07:00 · 98a2e282be
parent b667c5fed8
commit 98a2e282be
165 changed files with 717 additions and 586 deletions
--- a/agent/acl_test.go
+++ b/agent/acl_test.go
@ -92,7 +92,7 @@ func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
 	return authz, err
 }
-func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
+func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
 	authz, err := a.ResolveToken(secretID)
 	if err != nil {
 		return consul.ACLResolveResult{}, err
@ -133,10 +133,10 @@ func (a *TestACLAgent) LANMembers(f consul.LANMemberFilter) ([]serf.Member, erro
 func (a *TestACLAgent) AgentLocalMember() serf.Member {
 	return serf.Member{}
 }
-func (a *TestACLAgent) JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (n int, err error) {
+func (a *TestACLAgent) JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (n int, err error) {
 	return 0, fmt.Errorf("Unimplemented")
 }
-func (a *TestACLAgent) RemoveFailedNode(node string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (a *TestACLAgent) RemoveFailedNode(node string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	return fmt.Errorf("Unimplemented")
 }
 func (a *TestACLAgent) RPC(method string, args interface{}, reply interface{}) error {
--- a/agent/agent.go
+++ b/agent/agent.go
@ -164,16 +164,16 @@ type delegate interface {
 	// JoinLAN is used to have Consul join the inner-DC pool The target address
 	// should be another node inside the DC listening on the Serf LAN address
-	JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (n int, err error)
+	JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (n int, err error)
 	// RemoveFailedNode is used to remove a failed node from the cluster.
-	RemoveFailedNode(node string, prune bool, entMeta *structs.EnterpriseMeta) error
+	RemoveFailedNode(node string, prune bool, entMeta *acl.EnterpriseMeta) error
 	// ResolveTokenAndDefaultMeta returns an acl.Authorizer which authorizes
 	// actions based on the permissions granted to the token.
 	// If either entMeta or authzContext are non-nil they will be populated with the
 	// default partition and namespace from the token.
-	ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error)
+	ResolveTokenAndDefaultMeta(token string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error)
 	RPC(method string, args interface{}, reply interface{}) error
 	SnapshotRPC(args *structs.SnapshotRequest, in io.Reader, out io.Writer, replyFn structs.SnapshotReplyFn) error
@ -1536,7 +1536,7 @@ func (a *Agent) ShutdownCh() <-chan struct{} {
 }
 // JoinLAN is used to have the agent join a LAN cluster
-func (a *Agent) JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (n int, err error) {
+func (a *Agent) JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (n int, err error) {
 	a.logger.Info("(LAN) joining", "lan_addresses", addrs)
 	n, err = a.delegate.JoinLAN(addrs, entMeta)
 	if err == nil {
@ -1603,7 +1603,7 @@ func (a *Agent) RefreshPrimaryGatewayFallbackAddresses(addrs []string) error {
 }
 // ForceLeave is used to remove a failed node from the cluster
-func (a *Agent) ForceLeave(node string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (a *Agent) ForceLeave(node string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	a.logger.Info("Force leaving node", "node", node)
 	err := a.delegate.RemoveFailedNode(node, prune, entMeta)
@ -1617,7 +1617,7 @@ func (a *Agent) ForceLeave(node string, prune bool, entMeta *structs.EnterpriseM
 }
 // ForceLeaveWAN is used to remove a failed node from the WAN cluster
-func (a *Agent) ForceLeaveWAN(node string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (a *Agent) ForceLeaveWAN(node string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	a.logger.Info("(WAN) Force leaving node", "node", node)
 	srv, ok := a.delegate.(*consul.Server)
@ -1923,7 +1923,7 @@ func (a *Agent) purgeCheck(checkID structs.CheckID) error {
 type persistedServiceConfig struct {
 	ServiceID string
 	Defaults  *structs.ServiceConfigResponse
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (a *Agent) makeServiceConfigFilePath(serviceID structs.ServiceID) string {
@ -2017,7 +2017,7 @@ func (a *Agent) readPersistedServiceConfigs() (map[structs.ServiceID]*structs.Se
 			}
 		}
-		if !structs.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.PartitionOrDefault()) {
+		if !acl.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.PartitionOrDefault()) {
 			a.logger.Info("Purging service config file in wrong partition",
 				"file", file,
 				"partition", p.PartitionOrDefault(),
@ -3390,7 +3390,7 @@ func (a *Agent) loadServices(conf *config.RuntimeConfig, snap map[structs.CheckI
 			}
 		}
-		if !structs.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.Service.PartitionOrDefault()) {
+		if !acl.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.Service.PartitionOrDefault()) {
 			a.logger.Info("Purging service file in wrong partition",
 				"file", file,
 				"partition", p.Service.EnterpriseMeta.PartitionOrDefault(),
@ -3546,7 +3546,7 @@ func (a *Agent) loadChecks(conf *config.RuntimeConfig, snap map[structs.CheckID]
 			}
 		}
-		if !structs.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.Check.PartitionOrDefault()) {
+		if !acl.EqualPartitions(a.AgentEnterpriseMeta().PartitionOrDefault(), p.Check.PartitionOrDefault()) {
 			a.logger.Info("Purging check file in wrong partition",
 				"file", file,
 				"partition", p.Check.PartitionOrDefault(),
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@ -308,7 +308,7 @@ func (s *HTTPHandlers) AgentServices(resp http.ResponseWriter, req *http.Request
 	var token string
 	s.parseToken(req, &token)
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
 		return nil, err
 	}
@ -397,7 +397,7 @@ func (s *HTTPHandlers) AgentService(resp http.ResponseWriter, req *http.Request)
 	var token string
 	s.parseToken(req, &token)
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
 		return nil, err
 	}
@ -471,7 +471,7 @@ func (s *HTTPHandlers) AgentChecks(resp http.ResponseWriter, req *http.Request)
 	var token string
 	s.parseToken(req, &token)
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
 		return nil, err
 	}
@ -576,7 +576,7 @@ func (s *HTTPHandlers) AgentMembers(resp http.ResponseWriter, req *http.Request)
 			// Older 'consul members' calls will default to adding segment=_all
 			// so we only choose to use that request argument in the case where
 			// the partition is also the default and ignore it the rest of the time.
-			if structs.IsDefaultPartition(filter.Partition) {
+			if acl.IsDefaultPartition(filter.Partition) {
 				filter.AllSegments = true
 			}
 		} else {
@ -984,7 +984,7 @@ func (s *HTTPHandlers) AgentHealthServiceByID(resp http.ResponseWriter, req *htt
 		return nil, &BadRequestError{Reason: "Missing serviceID"}
 	}
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
 		return nil, err
 	}
@ -1046,7 +1046,7 @@ func (s *HTTPHandlers) AgentHealthServiceByName(resp http.ResponseWriter, req *h
 		return nil, &BadRequestError{Reason: "Missing service Name"}
 	}
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
 		return nil, err
 	}
--- a/agent/agent_endpoint_oss.go
+++ b/agent/agent_endpoint_oss.go
@ -6,9 +6,9 @@ package agent
 import (
 	"net/http"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
-func (s *HTTPHandlers) validateRequestPartition(_ http.ResponseWriter, _ *structs.EnterpriseMeta) bool {
+func (s *HTTPHandlers) validateRequestPartition(_ http.ResponseWriter, _ *acl.EnterpriseMeta) bool {
 	return true
 }
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@ -1640,7 +1640,7 @@ type fakeResolveTokenDelegate struct {
 	authorizer acl.Authorizer
 }
-func (f fakeResolveTokenDelegate) ResolveTokenAndDefaultMeta(_ string, _ *structs.EnterpriseMeta, _ *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
+func (f fakeResolveTokenDelegate) ResolveTokenAndDefaultMeta(_ string, _ *acl.EnterpriseMeta, _ *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
 	return consul.ACLResolveResult{Authorizer: f.authorizer}, nil
 }
--- a/agent/agent_oss.go
+++ b/agent/agent_oss.go
@ -6,6 +6,7 @@ package agent
 import (
 	"context"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/config"
 	"github.com/hashicorp/consul/agent/consul"
 	"github.com/hashicorp/consul/agent/structs"
@ -16,10 +17,10 @@ import (
 type enterpriseAgent struct{}
 // fillAgentServiceEnterpriseMeta is a noop stub for the func defined agent_ent.go
-func fillAgentServiceEnterpriseMeta(_ *api.AgentService, _ *structs.EnterpriseMeta) {}
+func fillAgentServiceEnterpriseMeta(_ *api.AgentService, _ *acl.EnterpriseMeta) {}
 // fillHealthCheckEnterpriseMeta is a noop stub for the func defined agent_ent.go
-func fillHealthCheckEnterpriseMeta(_ *api.HealthCheck, _ *structs.EnterpriseMeta) {}
+func fillHealthCheckEnterpriseMeta(_ *api.HealthCheck, _ *acl.EnterpriseMeta) {}
 // initEnterprise is a noop stub for the func defined agent_ent.go
 func (a *Agent) initEnterprise(consulCfg *consul.Config) error {
@ -52,7 +53,7 @@ func (a *Agent) enterpriseStats() map[string]map[string]string {
 	return nil
 }
-func (a *Agent) AgentEnterpriseMeta() *structs.EnterpriseMeta {
+func (a *Agent) AgentEnterpriseMeta() *acl.EnterpriseMeta {
 	return structs.NodeEnterpriseMetaInDefaultPartition()
 }
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@ -11,6 +11,7 @@ import (
 	"github.com/mitchellh/hashstructure"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/lib"
 	"github.com/hashicorp/consul/agent/cache"
@ -672,7 +673,7 @@ type ConnectCALeafRequest struct {
 	MaxQueryTime   time.Duration
 	MustRevalidate bool
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (r *ConnectCALeafRequest) Key() string {
--- a/agent/cache-types/service_checks.go
+++ b/agent/cache-types/service_checks.go
@ -5,11 +5,13 @@ import (
 	"strconv"
 	"time"
 	"github.com/hashicorp/go-memdb"
 	"github.com/mitchellh/hashstructure"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/cache"
 	"github.com/hashicorp/consul/agent/local"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/go-memdb"
 	"github.com/mitchellh/hashstructure"
 )
 // Recommended name for registration.
@ -103,7 +105,7 @@ type ServiceHTTPChecksRequest struct {
 	ServiceID     string
 	MinQueryIndex uint64
 	MaxQueryTime  time.Duration
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (s *ServiceHTTPChecksRequest) CacheInfo() cache.RequestInfo {
--- a/agent/check.go
+++ b/agent/check.go
@ -1,6 +1,7 @@
 package agent
 import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/types"
 )
@ -23,5 +24,5 @@ type persistedCheckState struct {
 	Output  string
 	Status  string
 	Expires int64
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
--- a/agent/checks/alias.go
+++ b/agent/checks/alias.go
@ -6,6 +6,7 @@ import (
 	"sync"
 	"time"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 )
@ -35,7 +36,7 @@ type CheckAlias struct {
 	stopLock sync.Mutex
 	stopWg   sync.WaitGroup
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // AliasNotifier is a CheckNotifier specifically for the Alias check.
@ -46,7 +47,7 @@ type AliasNotifier interface {
 	AddAliasCheck(structs.CheckID, structs.ServiceID, chan<- struct{}) error
 	RemoveAliasCheck(structs.CheckID, structs.ServiceID)
-	Checks(*structs.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck
+	Checks(*acl.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck
 }
 // Start is used to start the check, runs until Stop() func (c *CheckAlias) Start() {
--- a/agent/checks/alias_test.go
+++ b/agent/checks/alias_test.go
@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/mock"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
@ -523,7 +524,7 @@ func (m *mockAliasNotify) AddAliasCheck(chkID structs.CheckID, serviceID structs
 func (m *mockAliasNotify) RemoveAliasCheck(chkID structs.CheckID, serviceID structs.ServiceID) {
 }
-func (m *mockAliasNotify) Checks(*structs.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck {
+func (m *mockAliasNotify) Checks(*acl.EnterpriseMeta) map[structs.CheckID]*structs.HealthCheck {
 	return nil
 }
--- a/agent/config/config_oss.go
+++ b/agent/config/config_oss.go
@ -3,11 +3,14 @@
 package config
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 // EnterpriseMeta stub
 type EnterpriseMeta struct{}
-func (_ *EnterpriseMeta) ToStructs() structs.EnterpriseMeta {
+func (_ *EnterpriseMeta) ToStructs() acl.EnterpriseMeta {
 	return *structs.DefaultEnterpriseMetaInDefaultPartition()
 }
--- a/agent/config_endpoint.go
+++ b/agent/config_endpoint.go
@ -6,6 +6,7 @@ import (
 	"strconv"
 	"strings"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -148,7 +149,7 @@ func (s *HTTPHandlers) ConfigApply(resp http.ResponseWriter, req *http.Request)
 	}
 	// Parse enterprise meta.
-	var meta structs.EnterpriseMeta
+	var meta acl.EnterpriseMeta
 	if err := s.parseEntMetaForConfigEntryKind(args.Entry.GetKind(), req, &meta); err != nil {
 		return nil, err
 	}
@ -172,7 +173,7 @@ func (s *HTTPHandlers) ConfigApply(resp http.ResponseWriter, req *http.Request)
 	return reply, nil
 }
-func (s *HTTPHandlers) parseEntMetaForConfigEntryKind(kind string, req *http.Request, entMeta *structs.EnterpriseMeta) error {
+func (s *HTTPHandlers) parseEntMetaForConfigEntryKind(kind string, req *http.Request, entMeta *acl.EnterpriseMeta) error {
 	if kind == structs.ServiceIntentions {
 		return s.parseEntMeta(req, entMeta)
 	}
--- a/agent/config_endpoint_test.go
+++ b/agent/config_endpoint_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/testrpc"
 )
@ -119,7 +120,7 @@ func TestConfig_Get(t *testing.T) {
 		// Set indexes and EnterpriseMeta to expected values for assertions
 		ce.CreateIndex = 12
 		ce.ModifyIndex = 13
-		ce.EnterpriseMeta = structs.EnterpriseMeta{}
+		ce.EnterpriseMeta = acl.EnterpriseMeta{}
 		out, err := a.srv.marshalJSON(req, obj)
 		require.NoError(t, err)
--- a/agent/configentry/config_entry.go
+++ b/agent/configentry/config_entry.go
@ -1,6 +1,7 @@
 package configentry
 import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -11,7 +12,7 @@ import (
 type KindName struct {
 	Kind string
 	Name string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NewKindName returns a new KindName. The EnterpriseMeta values will be
@ -19,7 +20,7 @@ type KindName struct {
 //
 // Any caller which modifies the EnterpriseMeta field must call Normalize
 // before persisting or using the value as a map key.
-func NewKindName(kind, name string, entMeta *structs.EnterpriseMeta) KindName {
+func NewKindName(kind, name string, entMeta *acl.EnterpriseMeta) KindName {
 	ret := KindName{
 		Kind: kind,
 		Name: name,
--- a/agent/connect/authz.go
+++ b/agent/connect/authz.go
@ -1,6 +1,7 @@
 package connect
 import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -18,7 +19,7 @@ func AuthorizeIntentionTarget(
 	switch matchType {
 	case structs.IntentionMatchDestination:
-		if structs.PartitionOrDefault(ixn.DestinationPartition) != structs.PartitionOrDefault(targetAP) {
+		if acl.PartitionOrDefault(ixn.DestinationPartition) != acl.PartitionOrDefault(targetAP) {
 			return false, false
 		}
@ -33,7 +34,7 @@ func AuthorizeIntentionTarget(
 		}
 	case structs.IntentionMatchSource:
-		if structs.PartitionOrDefault(ixn.SourcePartition) != structs.PartitionOrDefault(targetAP) {
+		if acl.PartitionOrDefault(ixn.SourcePartition) != acl.PartitionOrDefault(targetAP) {
 			return false, false
 		}
--- a/agent/connect/uri_agent.go
+++ b/agent/connect/uri_agent.go
@ -3,7 +3,7 @@ package connect
 import (
 	"net/url"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 // SpiffeIDService is the structure to represent the SPIFFE ID for an agent.
@ -15,7 +15,7 @@ type SpiffeIDAgent struct {
 }
 func (id SpiffeIDAgent) PartitionOrDefault() string {
-	return structs.PartitionOrDefault(id.Partition)
+	return acl.PartitionOrDefault(id.Partition)
 }
 // URI returns the *url.URL for this SPIFFE ID.
--- a/agent/connect/uri_agent_oss.go
+++ b/agent/connect/uri_agent_oss.go
@ -6,13 +6,13 @@ package connect
 import (
 	"fmt"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 // GetEnterpriseMeta will synthesize an EnterpriseMeta struct from the SpiffeIDAgent.
 // in OSS this just returns an empty (but never nil) struct pointer
-func (id SpiffeIDAgent) GetEnterpriseMeta() *structs.EnterpriseMeta {
+func (id SpiffeIDAgent) GetEnterpriseMeta() *acl.EnterpriseMeta {
-	return &structs.EnterpriseMeta{}
+	return &acl.EnterpriseMeta{}
 }
 func (id SpiffeIDAgent) uriPath() string {
--- a/agent/connect/uri_service.go
+++ b/agent/connect/uri_service.go
@ -3,7 +3,7 @@ package connect
 import (
 	"net/url"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 // SpiffeIDService is the structure to represent the SPIFFE ID for a service.
@ -16,15 +16,15 @@ type SpiffeIDService struct {
 }
 func (id SpiffeIDService) NamespaceOrDefault() string {
-	return structs.NamespaceOrDefault(id.Namespace)
+	return acl.NamespaceOrDefault(id.Namespace)
 }
 func (id SpiffeIDService) MatchesPartition(partition string) bool {
-	return id.PartitionOrDefault() == structs.PartitionOrDefault(partition)
+	return id.PartitionOrDefault() == acl.PartitionOrDefault(partition)
 }
 func (id SpiffeIDService) PartitionOrDefault() string {
-	return structs.PartitionOrDefault(id.Partition)
+	return acl.PartitionOrDefault(id.Partition)
 }
 // URI returns the *url.URL for this SPIFFE ID.
--- a/agent/connect/uri_service_oss.go
+++ b/agent/connect/uri_service_oss.go
@ -6,13 +6,13 @@ package connect
 import (
 	"fmt"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 // GetEnterpriseMeta will synthesize an EnterpriseMeta struct from the SpiffeIDService.
 // in OSS this just returns an empty (but never nil) struct pointer
-func (id SpiffeIDService) GetEnterpriseMeta() *structs.EnterpriseMeta {
+func (id SpiffeIDService) GetEnterpriseMeta() *acl.EnterpriseMeta {
-	return &structs.EnterpriseMeta{}
+	return &acl.EnterpriseMeta{}
 }
 func (id SpiffeIDService) uriPath() string {
--- a/agent/connect_auth.go
+++ b/agent/connect_auth.go
@ -72,7 +72,7 @@ func (a *Agent) ConnectAuthorize(token string,
 	if !uriService.MatchesPartition(req.TargetPartition()) {
 		reason = fmt.Sprintf("Mismatched partitions: %q != %q",
 			uriService.PartitionOrDefault(),
-			structs.PartitionOrDefault(req.TargetPartition()))
+			acl.PartitionOrDefault(req.TargetPartition()))
 		return false, reason, nil, nil
 	}
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@ -108,7 +108,7 @@ func (id *missingIdentity) IsLocal() bool {
 	return false
 }
-func (id *missingIdentity) EnterpriseMetadata() *structs.EnterpriseMeta {
+func (id *missingIdentity) EnterpriseMetadata() *acl.EnterpriseMeta {
 	return structs.DefaultEnterpriseMetaInDefaultPartition()
 }
@ -182,7 +182,7 @@ type ACLResolverSettings struct {
 	ACLsEnabled    bool
 	Datacenter     string
 	NodeName       string
-	EnterpriseMeta structs.EnterpriseMeta
+	EnterpriseMeta acl.EnterpriseMeta
 	// ACLPolicyTTL is used to control the time-to-live of cached ACL policies. This has
 	// a major impact on performance. By default, it is set to 30 seconds.
@ -264,7 +264,7 @@ type ACLResolver struct {
 	agentRecoveryAuthz acl.Authorizer
 }
-func agentRecoveryAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
+func agentRecoveryAuthorizer(nodeName string, entMeta *acl.EnterpriseMeta, aclConf *acl.Config) (acl.Authorizer, error) {
 	var conf acl.Config
 	if aclConf != nil {
 		conf = *aclConf
@ -638,7 +638,7 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (
 	return filtered, nil
 }
-func (r *ACLResolver) synthesizePoliciesForServiceIdentities(serviceIdentities []*structs.ACLServiceIdentity, entMeta *structs.EnterpriseMeta) []*structs.ACLPolicy {
+func (r *ACLResolver) synthesizePoliciesForServiceIdentities(serviceIdentities []*structs.ACLServiceIdentity, entMeta *acl.EnterpriseMeta) []*structs.ACLPolicy {
 	if len(serviceIdentities) == 0 {
 		return nil
 	}
@ -651,7 +651,7 @@ func (r *ACLResolver) synthesizePoliciesForServiceIdentities(serviceIdentities [
 	return syntheticPolicies
 }
-func (r *ACLResolver) synthesizePoliciesForNodeIdentities(nodeIdentities []*structs.ACLNodeIdentity, entMeta *structs.EnterpriseMeta) []*structs.ACLPolicy {
+func (r *ACLResolver) synthesizePoliciesForNodeIdentities(nodeIdentities []*structs.ACLNodeIdentity, entMeta *acl.EnterpriseMeta) []*structs.ACLPolicy {
 	if len(nodeIdentities) == 0 {
 		return nil
 	}
@ -676,7 +676,7 @@ type plainACLResolver struct {
 func (r plainACLResolver) ResolveTokenAndDefaultMeta(
 	token string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	authzContext *acl.AuthorizerContext,
 ) (acl.Authorizer, error) {
 	// ACLResolver.ResolveTokenAndDefaultMeta returns a ACLResolveResult which
@ -1174,14 +1174,14 @@ func (r *ACLResolver) ACLsEnabled() bool {
 	return true
 }
-func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (ACLResolveResult, error) {
+func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (ACLResolveResult, error) {
 	result, err := r.ResolveToken(token)
 	if err != nil {
 		return ACLResolveResult{}, err
 	}
 	if entMeta == nil {
-		entMeta = &structs.EnterpriseMeta{}
+		entMeta = &acl.EnterpriseMeta{}
 	}
 	// Default the EnterpriseMeta based on the Tokens meta or actual defaults
@ -1279,7 +1279,7 @@ func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) bool {
 // filterServices is used to filter a set of services based on ACLs. Returns
 // true if any elements were removed.
-func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.EnterpriseMeta) bool {
+func (f *aclFilter) filterServices(services structs.Services, entMeta *acl.EnterpriseMeta) bool {
 	var authzContext acl.AuthorizerContext
 	entMeta.FillAuthzContext(&authzContext)
--- a/agent/consul/acl_authmethod.go
+++ b/agent/consul/acl_authmethod.go
@ -3,9 +3,11 @@ package consul
 import (
 	"fmt"
 	"github.com/hashicorp/go-bexpr"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/authmethod"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/go-bexpr"
 	// register these as a builtin auth method
 	_ "github.com/hashicorp/consul/agent/consul/authmethod/awsauth"
@ -51,8 +53,8 @@ type aclBindings struct {
 func (s *Server) evaluateRoleBindings(
 	validator authmethod.Validator,
 	verifiedIdentity *authmethod.Identity,
-	methodMeta *structs.EnterpriseMeta,
+	methodMeta *acl.EnterpriseMeta,
-	targetMeta *structs.EnterpriseMeta,
+	targetMeta *acl.EnterpriseMeta,
 ) (*aclBindings, error) {
 	// Only fetch rules that are relevant for this method.
 	_, rules, err := s.fsm.State().ACLBindingRuleList(nil, validator.Name(), methodMeta)
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@ -1000,7 +1000,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 	}
 	var authzContext acl.AuthorizerContext
-	var requestMeta structs.EnterpriseMeta
+	var requestMeta acl.EnterpriseMeta
 	authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &requestMeta, &authzContext)
 	if err != nil {
 		return err
@ -1012,7 +1012,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 		return err
 	}
-	var methodMeta *structs.EnterpriseMeta
+	var methodMeta *acl.EnterpriseMeta
 	if args.AuthMethod != "" {
 		methodMeta = args.ACLAuthMethodEnterpriseMeta.ToEnterpriseMeta()
 		// attempt to merge in the overall meta, wildcards will not be merged
@ -2449,7 +2449,7 @@ func (a *ACL) Login(args *structs.ACLLoginRequest, reply *structs.ACLToken) erro
 func (a *ACL) tokenSetFromAuthMethod(
 	method *structs.ACLAuthMethod,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	tokenDescriptionPrefix string,
 	tokenMetadata map[string]string,
 	validator authmethod.Validator,
--- a/agent/consul/acl_endpoint_oss.go
+++ b/agent/consul/acl_endpoint_oss.go
@ -4,10 +4,12 @@
 package consul
 import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/authmethod"
 	"github.com/hashicorp/consul/agent/consul/state"
 	"github.com/hashicorp/consul/agent/structs"
 	memdb "github.com/hashicorp/go-memdb"
 )
 func (a *ACL) tokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error {
@ -36,10 +38,10 @@ func enterpriseAuthMethodValidation(method *structs.ACLAuthMethod, validator aut
 func computeTargetEnterpriseMeta(
 	method *structs.ACLAuthMethod,
 	verifiedIdentity *authmethod.Identity,
-) (*structs.EnterpriseMeta, error) {
+) (*acl.EnterpriseMeta, error) {
-	return &structs.EnterpriseMeta{}, nil
+	return &acl.EnterpriseMeta{}, nil
 }
-func getTokenNamespaceDefaults(ws memdb.WatchSet, state *state.Store, entMeta *structs.EnterpriseMeta) ([]string, []string, error) {
+func getTokenNamespaceDefaults(ws memdb.WatchSet, state *state.Store, entMeta *acl.EnterpriseMeta) ([]string, []string, error) {
 	return nil, nil, nil
 }
--- a/agent/consul/acl_endpoint_test.go
+++ b/agent/consul/acl_endpoint_test.go
@ -9,12 +9,13 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/square/go-jose.v2/jwt"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/authmethod/kubeauth"
 	"github.com/hashicorp/consul/agent/consul/authmethod/testauth"
@ -5415,7 +5416,7 @@ func TestValidateBindingRuleBindName(t *testing.T) {
 // upsertTestToken creates a token for testing purposes
 func upsertTestTokenInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string,
-	tokenModificationFn func(token *structs.ACLToken), entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) {
+	tokenModificationFn func(token *structs.ACLToken), entMeta *acl.EnterpriseMeta) (*structs.ACLToken, error) {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
 	}
@ -5455,7 +5456,7 @@ func upsertTestToken(codec rpc.ClientCodec, initialManagementToken string, datac
 		tokenModificationFn, structs.DefaultEnterpriseMetaInDefaultPartition())
 }
-func upsertTestTokenWithPolicyRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) {
+func upsertTestTokenWithPolicyRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *acl.EnterpriseMeta) (*structs.ACLToken, error) {
 	policy, err := upsertTestPolicyWithRulesInEntMeta(codec, initialManagementToken, datacenter, rules, entMeta)
 	if err != nil {
 		return nil, err
@ -5585,7 +5586,7 @@ func upsertTestPolicyWithRules(codec rpc.ClientCodec, initialManagementToken str
 	return upsertTestPolicyWithRulesInEntMeta(codec, initialManagementToken, datacenter, rules, structs.DefaultEnterpriseMetaInDefaultPartition())
 }
-func upsertTestPolicyWithRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *structs.EnterpriseMeta) (*structs.ACLPolicy, error) {
+func upsertTestPolicyWithRulesInEntMeta(codec rpc.ClientCodec, initialManagementToken string, datacenter string, rules string, entMeta *acl.EnterpriseMeta) (*structs.ACLPolicy, error) {
 	return upsertTestCustomizedPolicy(codec, initialManagementToken, datacenter, func(policy *structs.ACLPolicy) {
 		if entMeta == nil {
 			entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
@ -13,7 +13,7 @@ import (
 // EnterpriseACLResolverDelegate stub
 type EnterpriseACLResolverDelegate interface{}
-func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
+func (s *Server) replicationEnterpriseMeta() *acl.EnterpriseMeta {
 	return structs.ReplicationEnterpriseMeta()
 }
@ -48,4 +48,4 @@ func (_ *ACLResolver) resolveLocallyManagedEnterpriseToken(_ string) (structs.AC
 	return nil, nil, false
 }
-func setEnterpriseConf(entMeta *structs.EnterpriseMeta, conf *acl.Config) {}
+func setEnterpriseConf(entMeta *acl.EnterpriseMeta, conf *acl.Config) {}
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
@ -9,12 +9,13 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/agent/token"
--- a/agent/consul/authmethod/authmethods.go
+++ b/agent/consul/authmethod/authmethods.go
@ -6,9 +6,11 @@ import (
 	"sort"
 	"sync"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/go-hclog"
 	"github.com/mitchellh/mapstructure"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 type Cache interface {
@ -62,7 +64,7 @@ type Identity struct {
 	// in a bind name within a binding rule.
 	ProjectedVars map[string]string
-	*structs.EnterpriseMeta
+	*acl.EnterpriseMeta
 }
 // ProjectedVarNames returns just the keyspace of the ProjectedVars map.
--- a/agent/consul/authmethod/kubeauth/k8s_oss.go
+++ b/agent/consul/authmethod/kubeauth/k8s_oss.go
@ -3,7 +3,10 @@
 package kubeauth
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 type enterpriseConfig struct{}
@ -11,6 +14,6 @@ func enterpriseValidation(method *structs.ACLAuthMethod, config *Config) error {
 	return nil
 }
-func (v *Validator) k8sEntMetaFromFields(fields map[string]string) *structs.EnterpriseMeta {
+func (v *Validator) k8sEntMetaFromFields(fields map[string]string) *acl.EnterpriseMeta {
 	return nil
 }
--- a/agent/consul/authmethod/ssoauth/sso_oss.go
+++ b/agent/consul/authmethod/ssoauth/sso_oss.go
@ -6,7 +6,7 @@ package ssoauth
 import (
 	"fmt"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/internal/go-sso/oidcauth"
 )
@ -17,7 +17,7 @@ func validateType(typ string) error {
 	return nil
 }
-func (v *Validator) ssoEntMetaFromClaims(_ *oidcauth.Claims) *structs.EnterpriseMeta {
+func (v *Validator) ssoEntMetaFromClaims(_ *oidcauth.Claims) *acl.EnterpriseMeta {
 	return nil
 }
--- a/agent/consul/authmethod/testauth/testing.go
+++ b/agent/consul/authmethod/testauth/testing.go
@ -5,11 +5,12 @@ import (
 	"fmt"
 	"sync"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/authmethod"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-uuid"
 )
 func init() {
--- a/agent/consul/authmethod/testauth/testing_oss.go
+++ b/agent/consul/authmethod/testauth/testing_oss.go
@ -3,12 +3,10 @@
 package testauth
-import (
+import "github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 type enterpriseConfig struct{}
-func (v *Validator) testAuthEntMetaFromFields(fields map[string]string) *structs.EnterpriseMeta {
+func (v *Validator) testAuthEntMetaFromFields(fields map[string]string) *acl.EnterpriseMeta {
 	return nil
 }
--- a/agent/consul/auto_config_backend.go
+++ b/agent/consul/auto_config_backend.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"time"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/metadata"
 	"github.com/hashicorp/consul/agent/structs"
@ -40,7 +41,7 @@ func (b autoConfigBackend) DatacenterJoinAddresses(partition, segment string) ([
 		if segment != "" {
 			return nil, fmt.Errorf("Failed to retrieve members for segment %s: %w", segment, err)
 		}
-		return nil, fmt.Errorf("Failed to retrieve members for partition %s: %w", structs.PartitionOrDefault(partition), err)
+		return nil, fmt.Errorf("Failed to retrieve members for partition %s: %w", acl.PartitionOrDefault(partition), err)
 	}
 	var joinAddrs []string
--- a/agent/consul/auto_config_endpoint.go
+++ b/agent/consul/auto_config_endpoint.go
@ -30,7 +30,7 @@ type AutoConfigOptions struct {
 }
 func (opts AutoConfigOptions) PartitionOrDefault() string {
-	return structs.PartitionOrDefault(opts.Partition)
+	return acl.PartitionOrDefault(opts.Partition)
 }
 type AutoConfigAuthorizer interface {
@ -99,7 +99,7 @@ func (a *jwtAuthorizer) Authorize(req *pbautoconf.AutoConfigRequest) (AutoConfig
 			return AutoConfigOptions{}, err
 		}
-		if id.Agent != req.Node || !structs.EqualPartitions(id.Partition, req.Partition) {
+		if id.Agent != req.Node || !acl.EqualPartitions(id.Partition, req.Partition) {
 			return AutoConfigOptions{},
 				fmt.Errorf("Spiffe ID agent name (%s) of the certificate signing request is not for the correct node (%s)",
 					printNodeName(id.Agent, id.Partition),
@ -392,7 +392,7 @@ func parseAutoConfigCSR(csr string) (*x509.CertificateRequest, *connect.SpiffeID
 }
 func printNodeName(nodeName, partition string) string {
-	if structs.IsDefaultPartition(partition) {
+	if acl.IsDefaultPartition(partition) {
 		return nodeName
 	}
 	return partition + "/" + nodeName
--- a/agent/consul/catalog_endpoint_test.go
+++ b/agent/consul/catalog_endpoint_test.go
@ -9,11 +9,12 @@ import (
 	"github.com/hashicorp/go-uuid"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
--- a/agent/consul/client.go
+++ b/agent/consul/client.go
@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/serf/serf"
 	"golang.org/x/time/rate"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/pool"
 	"github.com/hashicorp/consul/agent/router"
 	"github.com/hashicorp/consul/agent/structs"
@ -192,7 +193,7 @@ func (c *Client) Leave() error {
 // JoinLAN is used to have Consul join the inner-DC pool The target address
 // should be another node inside the DC listening on the Serf LAN address
-func (c *Client) JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (int, error) {
+func (c *Client) JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (int, error) {
 	// Partitions definitely have to match.
 	if c.config.AgentEnterpriseMeta().PartitionOrDefault() != entMeta.PartitionOrDefault() {
 		return 0, fmt.Errorf("target partition %q must match client agent partition %q",
@ -240,7 +241,7 @@ func (c *Client) LANMembers(filter LANMemberFilter) ([]serf.Member, error) {
 }
 // RemoveFailedNode is used to remove a failed node from the cluster.
-func (c *Client) RemoveFailedNode(node string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (c *Client) RemoveFailedNode(node string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	// Partitions definitely have to match.
 	if c.config.AgentEnterpriseMeta().PartitionOrDefault() != entMeta.PartitionOrDefault() {
 		return fmt.Errorf("client agent in partition %q cannot remove node in different partition %q",
@ -418,7 +419,7 @@ func (c *Client) ReloadConfig(config ReloadableConfig) error {
 	return nil
 }
-func (c *Client) AgentEnterpriseMeta() *structs.EnterpriseMeta {
+func (c *Client) AgentEnterpriseMeta() *acl.EnterpriseMeta {
 	return c.config.AgentEnterpriseMeta()
 }
--- a/agent/consul/config_endpoint_test.go
+++ b/agent/consul/config_endpoint_test.go
@ -7,10 +7,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	hashstructure_v2 "github.com/mitchellh/hashstructure/v2"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/structs"
--- a/agent/consul/config_oss.go
+++ b/agent/consul/config_oss.go
@ -3,8 +3,11 @@
 package consul
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
-func (c *Config) AgentEnterpriseMeta() *structs.EnterpriseMeta {
+func (c *Config) AgentEnterpriseMeta() *acl.EnterpriseMeta {
 	return structs.NodeEnterpriseMetaInDefaultPartition()
 }
--- a/agent/consul/connect_ca_endpoint_test.go
+++ b/agent/consul/connect_ca_endpoint_test.go
@ -9,10 +9,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	ca "github.com/hashicorp/consul/agent/connect/ca"
--- a/agent/consul/coordinate_endpoint_test.go
+++ b/agent/consul/coordinate_endpoint_test.go
@ -9,11 +9,12 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/serf/coordinate"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib"
--- a/agent/consul/discovery_chain_endpoint_test.go
+++ b/agent/consul/discovery_chain_endpoint_test.go
@ -6,9 +6,10 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/structs"
--- a/agent/consul/discoverychain/compile_oss.go
+++ b/agent/consul/discoverychain/compile_oss.go
@ -3,8 +3,11 @@
 package discoverychain
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
-func (c *compiler) GetEnterpriseMeta() *structs.EnterpriseMeta {
+func (c *compiler) GetEnterpriseMeta() *acl.EnterpriseMeta {
 	return structs.DefaultEnterpriseMetaInDefaultPartition()
 }
--- a/agent/consul/enterprise_server_oss.go
+++ b/agent/consul/enterprise_server_oss.go
@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/go-version"
 	"github.com/hashicorp/serf/serf"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/pool"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -56,7 +57,7 @@ func (s *Server) revokeEnterpriseLeadership() error {
 	return nil
 }
-func (s *Server) validateEnterpriseRequest(entMeta *structs.EnterpriseMeta, write bool) error {
+func (s *Server) validateEnterpriseRequest(entMeta *acl.EnterpriseMeta, write bool) error {
 	return nil
 }
@ -109,6 +110,6 @@ func (s *Server) shutdownSerfLAN() {
 	}
 }
-func addEnterpriseSerfTags(_ map[string]string, _ *structs.EnterpriseMeta) {
+func addEnterpriseSerfTags(_ map[string]string, _ *acl.EnterpriseMeta) {
 	// do nothing
 }
--- a/agent/consul/federation_state_endpoint_test.go
+++ b/agent/consul/federation_state_endpoint_test.go
@ -5,11 +5,12 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
--- a/agent/consul/fsm/snapshot_oss_test.go
+++ b/agent/consul/fsm/snapshot_oss_test.go
@ -6,10 +6,11 @@ import (
 	"testing"
 	"time"
 	"github.com/hashicorp/consul-net-rpc/go-msgpack/codec"
 	"github.com/hashicorp/go-raftchunking"
 	"github.com/stretchr/testify/require"
 	"github.com/hashicorp/consul-net-rpc/go-msgpack/codec"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/state"
--- a/agent/consul/health_endpoint_test.go
+++ b/agent/consul/health_endpoint_test.go
@ -5,10 +5,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/lib"
--- a/agent/consul/helper_test.go
+++ b/agent/consul/helper_test.go
@ -6,12 +6,14 @@ import (
 	"net"
 	"testing"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/raft"
 	"github.com/hashicorp/serf/serf"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
@ -116,9 +118,9 @@ func joinAddrWAN(s *Server) string {
 }
 type clientOrServer interface {
-	JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (int, error)
+	JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (int, error)
 	LANMembersInAgentPartition() []serf.Member
-	AgentEnterpriseMeta() *structs.EnterpriseMeta
+	AgentEnterpriseMeta() *acl.EnterpriseMeta
 	agentSegmentName() string
 }
--- a/agent/consul/intention_endpoint.go
+++ b/agent/consul/intention_endpoint.go
@ -101,7 +101,7 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
 	}
 	// Get the ACL token for the request for the checks below.
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	authz, err := s.srv.ACLResolver.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil)
 	if err != nil {
 		return err
@ -162,7 +162,7 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
 func (s *Intention) computeApplyChangesLegacyCreate(
 	accessorID string,
 	authz acl.Authorizer,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	args *structs.IntentionRequest,
 ) (*structs.IntentionMutation, error) {
 	// This variant is just for legacy UUID-based intentions.
@ -232,7 +232,7 @@ func (s *Intention) computeApplyChangesLegacyCreate(
 func (s *Intention) computeApplyChangesLegacyUpdate(
 	accessorID string,
 	authz acl.Authorizer,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	args *structs.IntentionRequest,
 ) (*structs.IntentionMutation, error) {
 	// This variant is just for legacy UUID-based intentions.
@ -292,7 +292,7 @@ func (s *Intention) computeApplyChangesLegacyUpdate(
 func (s *Intention) computeApplyChangesUpsert(
 	accessorID string,
 	authz acl.Authorizer,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	args *structs.IntentionRequest,
 ) (*structs.IntentionMutation, error) {
 	// This variant is just for config-entry based intentions.
@ -355,7 +355,7 @@ func (s *Intention) computeApplyChangesUpsert(
 func (s *Intention) computeApplyChangesLegacyDelete(
 	accessorID string,
 	authz acl.Authorizer,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	args *structs.IntentionRequest,
 ) (*structs.IntentionMutation, error) {
 	_, _, ixn, err := s.srv.fsm.State().IntentionGet(nil, args.Intention.ID)
@ -380,7 +380,7 @@ func (s *Intention) computeApplyChangesLegacyDelete(
 func (s *Intention) computeApplyChangesDelete(
 	accessorID string,
 	authz acl.Authorizer,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	args *structs.IntentionRequest,
 ) (*structs.IntentionMutation, error) {
 	args.Intention.FillPartitionAndNamespace(entMeta, true)
@ -425,7 +425,7 @@ func (s *Intention) Get(args *structs.IntentionQueryRequest, reply *structs.Inde
 	}
 	// Get the ACL token for the request for the checks below.
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil)
 	if err != nil {
 		return err
@ -574,7 +574,7 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In
 	}
 	// Get the ACL token for the request for the checks below.
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil)
 	if err != nil {
 		return err
@ -695,7 +695,7 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In
 	}
 	// Get the ACL token for the request for the checks below.
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil)
 	if err != nil {
 		return err
--- a/agent/consul/intention_endpoint_test.go
+++ b/agent/consul/intention_endpoint_test.go
@ -6,9 +6,10 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/testutil"
--- a/agent/consul/internal_endpoint.go
+++ b/agent/consul/internal_endpoint.go
@ -362,7 +362,7 @@ func (m *Internal) GatewayIntentions(args *structs.IntentionQueryRequest, reply
 	}
 	// Get the ACL token for the request for the checks below.
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	var authzContext acl.AuthorizerContext
 	authz, err := m.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, &authzContext)
--- a/agent/consul/internal_endpoint_test.go
+++ b/agent/consul/internal_endpoint_test.go
@ -8,10 +8,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
--- a/agent/consul/kvs_endpoint_test.go
+++ b/agent/consul/kvs_endpoint_test.go
@ -5,9 +5,10 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -883,7 +883,7 @@ func (s *Server) bootstrapConfigEntries(entries []structs.ConfigEntry) error {
 // reconcileReaped is used to reconcile nodes that have failed and been reaped
 // from Serf but remain in the catalog. This is done by looking for unknown nodes with serfHealth checks registered.
 // We generate a "reap" event to cause the node to be cleaned up.
-func (s *Server) reconcileReaped(known map[string]struct{}, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) reconcileReaped(known map[string]struct{}, nodeEntMeta *acl.EnterpriseMeta) error {
 	if nodeEntMeta == nil {
 		nodeEntMeta = structs.NodeEnterpriseMetaInDefaultPartition()
 	}
@ -1016,7 +1016,7 @@ func (s *Server) shouldHandleMember(member serf.Member) bool {
 // handleAliveMember is used to ensure the node
 // is registered, with a passing health check.
-func (s *Server) handleAliveMember(member serf.Member, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) handleAliveMember(member serf.Member, nodeEntMeta *acl.EnterpriseMeta) error {
 	if nodeEntMeta == nil {
 		nodeEntMeta = structs.NodeEnterpriseMetaInDefaultPartition()
 	}
@ -1122,7 +1122,7 @@ AFTER_CHECK:
 // handleFailedMember is used to mark the node's status
 // as being critical, along with all checks as unknown.
-func (s *Server) handleFailedMember(member serf.Member, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) handleFailedMember(member serf.Member, nodeEntMeta *acl.EnterpriseMeta) error {
 	if nodeEntMeta == nil {
 		nodeEntMeta = structs.NodeEnterpriseMetaInDefaultPartition()
 	}
@ -1184,18 +1184,18 @@ func (s *Server) handleFailedMember(member serf.Member, nodeEntMeta *structs.Ent
 // handleLeftMember is used to handle members that gracefully
 // left. They are deregistered if necessary.
-func (s *Server) handleLeftMember(member serf.Member, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) handleLeftMember(member serf.Member, nodeEntMeta *acl.EnterpriseMeta) error {
 	return s.handleDeregisterMember("left", member, nodeEntMeta)
 }
 // handleReapMember is used to handle members that have been
 // reaped after a prolonged failure. They are deregistered.
-func (s *Server) handleReapMember(member serf.Member, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) handleReapMember(member serf.Member, nodeEntMeta *acl.EnterpriseMeta) error {
 	return s.handleDeregisterMember("reaped", member, nodeEntMeta)
 }
 // handleDeregisterMember is used to deregister a member of a given reason
-func (s *Server) handleDeregisterMember(reason string, member serf.Member, nodeEntMeta *structs.EnterpriseMeta) error {
+func (s *Server) handleDeregisterMember(reason string, member serf.Member, nodeEntMeta *acl.EnterpriseMeta) error {
 	if nodeEntMeta == nil {
 		nodeEntMeta = structs.NodeEnterpriseMetaInDefaultPartition()
 	}
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@ -1439,7 +1439,7 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
 		return nil, fmt.Errorf("SPIFFE ID in CSR must be a service or agent ID")
 	}
-	var entMeta structs.EnterpriseMeta
+	var entMeta acl.EnterpriseMeta
 	if isService {
 		if !signingID.CanSign(spiffeID) {
 			return nil, fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
--- a/agent/consul/operator_autopilot_endpoint_test.go
+++ b/agent/consul/operator_autopilot_endpoint_test.go
@ -5,11 +5,12 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/raft"
 	autopilot "github.com/hashicorp/raft-autopilot"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
--- a/agent/consul/operator_raft_endpoint_test.go
+++ b/agent/consul/operator_raft_endpoint_test.go
@ -7,10 +7,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/raft"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/freeport"
--- a/agent/consul/prepared_query_endpoint_test.go
+++ b/agent/consul/prepared_query_endpoint_test.go
@ -10,13 +10,14 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/serf/coordinate"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul-net-rpc/net/rpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	tokenStore "github.com/hashicorp/consul/agent/token"
--- a/agent/consul/rpc_test.go
+++ b/agent/consul/rpc_test.go
@ -995,7 +995,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) {
 	// Wait for it to replicate
 	retry.Run(t, func(r *retry.R) {
-		_, p, err := s2.fsm.State().ACLPolicyGetByID(nil, kvPolicy.ID, &structs.EnterpriseMeta{})
+		_, p, err := s2.fsm.State().ACLPolicyGetByID(nil, kvPolicy.ID, &acl.EnterpriseMeta{})
 		require.Nil(r, err)
 		require.NotNil(r, p)
 	})
@ -1128,7 +1128,7 @@ func TestRPC_LocalTokenStrippedOnForward_GRPC(t *testing.T) {
 	// Wait for it to replicate
 	retry.Run(t, func(r *retry.R) {
-		_, p, err := s2.fsm.State().ACLPolicyGetByID(nil, policy.ID, &structs.EnterpriseMeta{})
+		_, p, err := s2.fsm.State().ACLPolicyGetByID(nil, policy.ID, &acl.EnterpriseMeta{})
 		require.Nil(r, err)
 		require.NotNil(r, p)
 	})
--- a/agent/consul/serf_filter.go
+++ b/agent/consul/serf_filter.go
@ -3,7 +3,7 @@ package consul
 import (
 	"fmt"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 type LANMemberFilter struct {
@ -16,12 +16,12 @@ func (f LANMemberFilter) Validate() error {
 	if f.AllSegments && f.Segment != "" {
 		return fmt.Errorf("cannot specify both allSegments and segment filters")
 	}
-	if (f.AllSegments || f.Segment != "") && !structs.IsDefaultPartition(f.Partition) {
+	if (f.AllSegments || f.Segment != "") && !acl.IsDefaultPartition(f.Partition) {
 		return fmt.Errorf("segments do not exist outside of the default partition")
 	}
 	return nil
 }
 func (f LANMemberFilter) PartitionOrDefault() string {
-	return structs.PartitionOrDefault(f.Partition)
+	return acl.PartitionOrDefault(f.Partition)
 }
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@ -1230,7 +1230,7 @@ func (s *Server) WANMembers() []serf.Member {
 }
 // RemoveFailedNode is used to remove a failed node from the cluster.
-func (s *Server) RemoveFailedNode(node string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (s *Server) RemoveFailedNode(node string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	var removeFn func(*serf.Serf, string) error
 	if prune {
 		removeFn = (*serf.Serf).RemoveFailedNodePrune
@ -1250,7 +1250,7 @@ func (s *Server) RemoveFailedNode(node string, prune bool, entMeta *structs.Ente
 }
 // RemoveFailedNodeWAN is used to remove a failed node from the WAN cluster.
-func (s *Server) RemoveFailedNodeWAN(wanNode string, prune bool, entMeta *structs.EnterpriseMeta) error {
+func (s *Server) RemoveFailedNodeWAN(wanNode string, prune bool, entMeta *acl.EnterpriseMeta) error {
 	var removeFn func(*serf.Serf, string) error
 	if prune {
 		removeFn = (*serf.Serf).RemoveFailedNodePrune
@ -1283,7 +1283,7 @@ func (s *Server) KeyManagerWAN() *serf.KeyManager {
 	return s.serfWAN.KeyManager()
 }
-func (s *Server) AgentEnterpriseMeta() *structs.EnterpriseMeta {
+func (s *Server) AgentEnterpriseMeta() *acl.EnterpriseMeta {
 	return s.config.AgentEnterpriseMeta()
 }
--- a/agent/consul/server_oss.go
+++ b/agent/consul/server_oss.go
@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/serf/serf"
 	"google.golang.org/grpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib"
 )
@ -26,7 +27,7 @@ func (s *Server) enterpriseValidateJoinWAN() error {
 // JoinLAN is used to have Consul join the inner-DC pool The target address
 // should be another node inside the DC listening on the Serf LAN address
-func (s *Server) JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (int, error) {
+func (s *Server) JoinLAN(addrs []string, entMeta *acl.EnterpriseMeta) (int, error) {
 	return s.serfLAN.Join(addrs, true)
 }
@ -36,7 +37,7 @@ func (s *Server) JoinLAN(addrs []string, entMeta *structs.EnterpriseMeta) (int,
 func (s *Server) removeFailedNode(
 	removeFn func(*serf.Serf, string) error,
 	node, wanNode string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) error {
 	maybeRemove := func(s *serf.Serf, node string) (bool, error) {
 		if !isSerfMember(s, node) {
@ -155,6 +156,6 @@ func (s *Server) addEnterpriseStats(stats map[string]map[string]string) {
 	// no-op
 }
-func getSerfMemberEnterpriseMeta(member serf.Member) *structs.EnterpriseMeta {
+func getSerfMemberEnterpriseMeta(member serf.Member) *acl.EnterpriseMeta {
 	return structs.NodeEnterpriseMetaInDefaultPartition()
 }
--- a/agent/consul/server_overview.go
+++ b/agent/consul/server_overview.go
@ -7,10 +7,12 @@ import (
 	"sync"
 	"time"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/usagemetrics"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-hclog"
 )
 type OverviewManager struct {
@ -69,7 +71,7 @@ func getCatalogOverview(catalog *structs.CatalogContents) *structs.CatalogSummar
 	serviceInstanceChecks := make(map[string][]*structs.HealthCheck)
 	checkSummaries := make(map[string]structs.HealthSummary)
-	entMetaIDString := func(id string, entMeta structs.EnterpriseMeta) string {
+	entMetaIDString := func(id string, entMeta acl.EnterpriseMeta) string {
 		return fmt.Sprintf("%s/%s/%s", id, entMeta.PartitionOrEmpty(), entMeta.NamespaceOrEmpty())
 	}
--- a/agent/consul/session_endpoint_test.go
+++ b/agent/consul/session_endpoint_test.go
@ -5,9 +5,10 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib/stringslice"
--- a/agent/consul/session_ttl.go
+++ b/agent/consul/session_ttl.go
@ -7,6 +7,7 @@ import (
 	"github.com/armon/go-metrics"
 	"github.com/armon/go-metrics/prometheus"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -82,7 +83,7 @@ func (s *Server) resetSessionTimer(session *structs.Session) error {
 	return nil
 }
-func (s *Server) createSessionTimer(id string, ttl time.Duration, entMeta *structs.EnterpriseMeta) {
+func (s *Server) createSessionTimer(id string, ttl time.Duration, entMeta *acl.EnterpriseMeta) {
 	// Reset the session timer
 	// Adjust the given TTL by the TTL multiplier. This is done
 	// to give a client a grace period and to compensate for network
@ -95,7 +96,7 @@ func (s *Server) createSessionTimer(id string, ttl time.Duration, entMeta *struc
 // invalidateSession is invoked when a session TTL is reached and we
 // need to invalidate the session.
-func (s *Server) invalidateSession(id string, entMeta *structs.EnterpriseMeta) {
+func (s *Server) invalidateSession(id string, entMeta *acl.EnterpriseMeta) {
 	defer metrics.MeasureSince([]string{"session_ttl", "invalidate"}, time.Now())
 	// Clear the session timer
--- a/agent/consul/snapshot_endpoint_test.go
+++ b/agent/consul/snapshot_endpoint_test.go
@ -7,10 +7,11 @@ import (
 	"testing"
 	"time"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	autopilot "github.com/hashicorp/raft-autopilot"
 	"github.com/stretchr/testify/require"
 	msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@ -6,6 +6,7 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	pbacl "github.com/hashicorp/consul/proto/pbacl"
 )
@ -571,17 +572,17 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo
 }
 // ACLTokenGetBySecret is used to look up an existing ACL token by its SecretID.
-func (s *Store) ACLTokenGetBySecret(ws memdb.WatchSet, secret string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
+func (s *Store) ACLTokenGetBySecret(ws memdb.WatchSet, secret string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
 	return s.aclTokenGet(ws, secret, "id", entMeta)
 }
 // ACLTokenGetByAccessor is used to look up an existing ACL token by its AccessorID.
-func (s *Store) ACLTokenGetByAccessor(ws memdb.WatchSet, accessor string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
+func (s *Store) ACLTokenGetByAccessor(ws memdb.WatchSet, accessor string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
 	return s.aclTokenGet(ws, accessor, indexAccessor, entMeta)
 }
 // aclTokenGet looks up a token using one of the indexes provided
-func (s *Store) aclTokenGet(ws memdb.WatchSet, value, index string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
+func (s *Store) aclTokenGet(ws memdb.WatchSet, value, index string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -616,7 +617,7 @@ func (s *Store) ACLTokenBatchGet(ws memdb.WatchSet, accessors []string) (uint64,
 	return idx, tokens, nil
 }
-func aclTokenGetTxn(tx ReadTxn, ws memdb.WatchSet, value, index string, entMeta *structs.EnterpriseMeta) (*structs.ACLToken, error) {
+func aclTokenGetTxn(tx ReadTxn, ws memdb.WatchSet, value, index string, entMeta *acl.EnterpriseMeta) (*structs.ACLToken, error) {
 	watchCh, rawToken, err := aclTokenGetFromIndex(tx, value, index, entMeta)
 	if err != nil {
 		return nil, fmt.Errorf("failed acl token lookup: %v", err)
@ -640,7 +641,7 @@ func aclTokenGetTxn(tx ReadTxn, ws memdb.WatchSet, value, index string, entMeta
 }
 // ACLTokenList return a list of ACL Tokens that match the policy, role, and method.
-func (s *Store) ACLTokenList(ws memdb.WatchSet, local, global bool, policy, role, methodName string, methodMeta, entMeta *structs.EnterpriseMeta) (uint64, structs.ACLTokens, error) {
+func (s *Store) ACLTokenList(ws memdb.WatchSet, local, global bool, policy, role, methodName string, methodMeta, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLTokens, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -799,7 +800,7 @@ func (s *Store) expiresIndexName(local bool) string {
 // ACLTokenDeleteByAccessor is used to remove an existing ACL from the state store. If
 // the ACL does not exist this is a no-op and no error is returned.
-func (s *Store) ACLTokenDeleteByAccessor(idx uint64, accessor string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLTokenDeleteByAccessor(idx uint64, accessor string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclTokenDelete(idx, accessor, indexAccessor, entMeta)
 }
@ -816,7 +817,7 @@ func (s *Store) ACLTokenBatchDelete(idx uint64, tokenIDs []string) error {
 	return tx.Commit()
 }
-func (s *Store) aclTokenDelete(idx uint64, value, index string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) aclTokenDelete(idx uint64, value, index string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -827,7 +828,7 @@ func (s *Store) aclTokenDelete(idx uint64, value, index string, entMeta *structs
 	return tx.Commit()
 }
-func aclTokenDeleteTxn(tx WriteTxn, idx uint64, value, index string, entMeta *structs.EnterpriseMeta) error {
+func aclTokenDeleteTxn(tx WriteTxn, idx uint64, value, index string, entMeta *acl.EnterpriseMeta) error {
 	// Look up the existing token
 	_, token, err := aclTokenGetFromIndex(tx, value, index, entMeta)
 	if err != nil {
@ -845,7 +846,7 @@ func aclTokenDeleteTxn(tx WriteTxn, idx uint64, value, index string, entMeta *st
 	return aclTokenDeleteWithToken(tx, token.(*structs.ACLToken), idx)
 }
-func aclTokenDeleteAllForAuthMethodTxn(tx WriteTxn, idx uint64, methodName string, methodGlobalLocality bool, methodMeta *structs.EnterpriseMeta) error {
+func aclTokenDeleteAllForAuthMethodTxn(tx WriteTxn, idx uint64, methodName string, methodGlobalLocality bool, methodMeta *acl.EnterpriseMeta) error {
 	// collect all the tokens linked with the given auth method.
 	iter, err := aclTokenListByAuthMethod(tx, methodName, methodMeta, methodMeta.WithWildcardNamespace())
 	if err != nil {
@ -966,15 +967,15 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 	return aclPolicyInsert(tx, policy)
 }
-func (s *Store) ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
+func (s *Store) ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
 	return s.aclPolicyGet(ws, id, aclPolicyGetByID, entMeta)
 }
-func (s *Store) ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
+func (s *Store) ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
 	return s.aclPolicyGet(ws, name, aclPolicyGetByName, entMeta)
 }
-func aclPolicyGetByName(tx ReadTxn, name string, entMeta *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclPolicyGetByName(tx ReadTxn, name string, entMeta *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	// todo: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -1006,9 +1007,9 @@ func (s *Store) ACLPolicyBatchGet(ws memdb.WatchSet, ids []string) (uint64, stru
 	return idx, policies, nil
 }
-type aclPolicyGetFn func(ReadTxn, string, *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error)
+type aclPolicyGetFn func(ReadTxn, string, *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error)
-func getPolicyWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclPolicyGetFn, entMeta *structs.EnterpriseMeta) (*structs.ACLPolicy, error) {
+func getPolicyWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclPolicyGetFn, entMeta *acl.EnterpriseMeta) (*structs.ACLPolicy, error) {
 	watchCh, policy, err := fn(tx, value, entMeta)
 	if err != nil {
 		return nil, fmt.Errorf("failed acl policy lookup: %v", err)
@ -1022,7 +1023,7 @@ func getPolicyWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclPolicyG
 	return policy.(*structs.ACLPolicy), nil
 }
-func (s *Store) aclPolicyGet(ws memdb.WatchSet, value string, fn aclPolicyGetFn, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
+func (s *Store) aclPolicyGet(ws memdb.WatchSet, value string, fn aclPolicyGetFn, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1036,7 +1037,7 @@ func (s *Store) aclPolicyGet(ws memdb.WatchSet, value string, fn aclPolicyGetFn,
 	return idx, policy, nil
 }
-func (s *Store) ACLPolicyList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.ACLPolicies, error) {
+func (s *Store) ACLPolicyList(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLPolicies, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1057,11 +1058,11 @@ func (s *Store) ACLPolicyList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta
 	return idx, result, nil
 }
-func (s *Store) ACLPolicyDeleteByID(idx uint64, id string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLPolicyDeleteByID(idx uint64, id string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclPolicyDelete(idx, id, aclPolicyGetByID, entMeta)
 }
-func (s *Store) ACLPolicyDeleteByName(idx uint64, name string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLPolicyDeleteByName(idx uint64, name string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclPolicyDelete(idx, name, aclPolicyGetByName, entMeta)
 }
@ -1077,7 +1078,7 @@ func (s *Store) ACLPolicyBatchDelete(idx uint64, policyIDs []string) error {
 	return tx.Commit()
 }
-func (s *Store) aclPolicyDelete(idx uint64, value string, fn aclPolicyGetFn, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) aclPolicyDelete(idx uint64, value string, fn aclPolicyGetFn, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1088,7 +1089,7 @@ func (s *Store) aclPolicyDelete(idx uint64, value string, fn aclPolicyGetFn, ent
 	return tx.Commit()
 }
-func aclPolicyDeleteTxn(tx WriteTxn, idx uint64, value string, fn aclPolicyGetFn, entMeta *structs.EnterpriseMeta) error {
+func aclPolicyDeleteTxn(tx WriteTxn, idx uint64, value string, fn aclPolicyGetFn, entMeta *acl.EnterpriseMeta) error {
 	// Look up the existing token
 	_, rawPolicy, err := fn(tx, value, entMeta)
 	if err != nil {
@ -1197,17 +1198,17 @@ func aclRoleSetTxn(tx WriteTxn, idx uint64, role *structs.ACLRole, allowMissing
 	return aclRoleInsert(tx, role)
 }
-type aclRoleGetFn func(ReadTxn, string, *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error)
+type aclRoleGetFn func(ReadTxn, string, *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error)
-func (s *Store) ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
+func (s *Store) ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
 	return s.aclRoleGet(ws, id, aclRoleGetByID, entMeta)
 }
-func (s *Store) ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
+func (s *Store) ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
 	return s.aclRoleGet(ws, name, aclRoleGetByName, entMeta)
 }
-func aclRoleGetByName(tx ReadTxn, name string, entMeta *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclRoleGetByName(tx ReadTxn, name string, entMeta *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	// TODO: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -1237,7 +1238,7 @@ func (s *Store) ACLRoleBatchGet(ws memdb.WatchSet, ids []string) (uint64, struct
 	return idx, roles, nil
 }
-func getRoleWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclRoleGetFn, entMeta *structs.EnterpriseMeta) (*structs.ACLRole, error) {
+func getRoleWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclRoleGetFn, entMeta *acl.EnterpriseMeta) (*structs.ACLRole, error) {
 	watchCh, rawRole, err := fn(tx, value, entMeta)
 	if err != nil {
 		return nil, fmt.Errorf("failed acl role lookup: %v", err)
@ -1256,7 +1257,7 @@ func getRoleWithTxn(tx ReadTxn, ws memdb.WatchSet, value string, fn aclRoleGetFn
 	return nil, nil
 }
-func (s *Store) aclRoleGet(ws memdb.WatchSet, value string, fn aclRoleGetFn, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
+func (s *Store) aclRoleGet(ws memdb.WatchSet, value string, fn aclRoleGetFn, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1270,7 +1271,7 @@ func (s *Store) aclRoleGet(ws memdb.WatchSet, value string, fn aclRoleGetFn, ent
 	return idx, role, nil
 }
-func (s *Store) ACLRoleList(ws memdb.WatchSet, policy string, entMeta *structs.EnterpriseMeta) (uint64, structs.ACLRoles, error) {
+func (s *Store) ACLRoleList(ws memdb.WatchSet, policy string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLRoles, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1310,11 +1311,11 @@ func (s *Store) ACLRoleList(ws memdb.WatchSet, policy string, entMeta *structs.E
 	return idx, result, nil
 }
-func (s *Store) ACLRoleDeleteByID(idx uint64, id string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLRoleDeleteByID(idx uint64, id string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclRoleDelete(idx, id, aclRoleGetByID, entMeta)
 }
-func (s *Store) ACLRoleDeleteByName(idx uint64, name string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLRoleDeleteByName(idx uint64, name string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclRoleDelete(idx, name, aclRoleGetByName, entMeta)
 }
@ -1330,7 +1331,7 @@ func (s *Store) ACLRoleBatchDelete(idx uint64, roleIDs []string) error {
 	return tx.Commit()
 }
-func (s *Store) aclRoleDelete(idx uint64, value string, fn aclRoleGetFn, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) aclRoleDelete(idx uint64, value string, fn aclRoleGetFn, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1341,7 +1342,7 @@ func (s *Store) aclRoleDelete(idx uint64, value string, fn aclRoleGetFn, entMeta
 	return tx.Commit()
 }
-func aclRoleDeleteTxn(tx WriteTxn, idx uint64, value string, fn aclRoleGetFn, entMeta *structs.EnterpriseMeta) error {
+func aclRoleDeleteTxn(tx WriteTxn, idx uint64, value string, fn aclRoleGetFn, entMeta *acl.EnterpriseMeta) error {
 	// Look up the existing role
 	_, rawRole, err := fn(tx, value, entMeta)
 	if err != nil {
@ -1417,11 +1418,11 @@ func aclBindingRuleSetTxn(tx WriteTxn, idx uint64, rule *structs.ACLBindingRule)
 	return aclBindingRuleInsert(tx, rule)
 }
-func (s *Store) ACLBindingRuleGetByID(ws memdb.WatchSet, id string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLBindingRule, error) {
+func (s *Store) ACLBindingRuleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLBindingRule, error) {
 	return s.aclBindingRuleGet(ws, id, entMeta)
 }
-func (s *Store) aclBindingRuleGet(ws memdb.WatchSet, value string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLBindingRule, error) {
+func (s *Store) aclBindingRuleGet(ws memdb.WatchSet, value string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLBindingRule, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1441,7 +1442,7 @@ func (s *Store) aclBindingRuleGet(ws memdb.WatchSet, value string, entMeta *stru
 	return idx, rule, nil
 }
-func (s *Store) ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *structs.EnterpriseMeta) (uint64, structs.ACLBindingRules, error) {
+func (s *Store) ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLBindingRules, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1471,7 +1472,7 @@ func (s *Store) ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta
 	return idx, result, nil
 }
-func (s *Store) ACLBindingRuleDeleteByID(idx uint64, id string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLBindingRuleDeleteByID(idx uint64, id string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclBindingRuleDelete(idx, id, entMeta)
 }
@ -1485,7 +1486,7 @@ func (s *Store) ACLBindingRuleBatchDelete(idx uint64, bindingRuleIDs []string) e
 	return tx.Commit()
 }
-func (s *Store) aclBindingRuleDelete(idx uint64, id string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) aclBindingRuleDelete(idx uint64, id string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1496,7 +1497,7 @@ func (s *Store) aclBindingRuleDelete(idx uint64, id string, entMeta *structs.Ent
 	return tx.Commit()
 }
-func aclBindingRuleDeleteTxn(tx WriteTxn, idx uint64, id string, entMeta *structs.EnterpriseMeta) error {
+func aclBindingRuleDeleteTxn(tx WriteTxn, idx uint64, id string, entMeta *acl.EnterpriseMeta) error {
 	// Look up the existing binding rule
 	_, rawRule, err := aclBindingRuleGetByID(tx, id, entMeta)
 	if err != nil {
@ -1515,7 +1516,7 @@ func aclBindingRuleDeleteTxn(tx WriteTxn, idx uint64, id string, entMeta *struct
 	return nil
 }
-func aclBindingRuleDeleteAllForAuthMethodTxn(tx WriteTxn, idx uint64, methodName string, entMeta *structs.EnterpriseMeta) error {
+func aclBindingRuleDeleteAllForAuthMethodTxn(tx WriteTxn, idx uint64, methodName string, entMeta *acl.EnterpriseMeta) error {
 	// collect them all
 	iter, err := aclBindingRuleListByAuthMethod(tx, methodName, entMeta)
 	if err != nil {
@ -1596,11 +1597,11 @@ func aclAuthMethodSetTxn(tx WriteTxn, idx uint64, method *structs.ACLAuthMethod)
 	return aclAuthMethodInsert(tx, method)
 }
-func (s *Store) ACLAuthMethodGetByName(ws memdb.WatchSet, name string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLAuthMethod, error) {
+func (s *Store) ACLAuthMethodGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLAuthMethod, error) {
 	return s.aclAuthMethodGet(ws, name, entMeta)
 }
-func (s *Store) aclAuthMethodGet(ws memdb.WatchSet, name string, entMeta *structs.EnterpriseMeta) (uint64, *structs.ACLAuthMethod, error) {
+func (s *Store) aclAuthMethodGet(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLAuthMethod, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1614,7 +1615,7 @@ func (s *Store) aclAuthMethodGet(ws memdb.WatchSet, name string, entMeta *struct
 	return idx, method, nil
 }
-func getAuthMethodWithTxn(tx ReadTxn, ws memdb.WatchSet, name string, entMeta *structs.EnterpriseMeta) (*structs.ACLAuthMethod, error) {
+func getAuthMethodWithTxn(tx ReadTxn, ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (*structs.ACLAuthMethod, error) {
 	watchCh, rawMethod, err := aclAuthMethodGetByName(tx, name, entMeta)
 	if err != nil {
 		return nil, fmt.Errorf("failed acl auth method lookup: %v", err)
@ -1628,7 +1629,7 @@ func getAuthMethodWithTxn(tx ReadTxn, ws memdb.WatchSet, name string, entMeta *s
 	return nil, nil
 }
-func (s *Store) ACLAuthMethodList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.ACLAuthMethods, error) {
+func (s *Store) ACLAuthMethodList(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLAuthMethods, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1650,11 +1651,11 @@ func (s *Store) ACLAuthMethodList(ws memdb.WatchSet, entMeta *structs.Enterprise
 	return idx, result, nil
 }
-func (s *Store) ACLAuthMethodDeleteByName(idx uint64, name string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLAuthMethodDeleteByName(idx uint64, name string, entMeta *acl.EnterpriseMeta) error {
 	return s.aclAuthMethodDelete(idx, name, entMeta)
 }
-func (s *Store) ACLAuthMethodBatchDelete(idx uint64, names []string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) ACLAuthMethodBatchDelete(idx uint64, names []string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1669,7 +1670,7 @@ func (s *Store) ACLAuthMethodBatchDelete(idx uint64, names []string, entMeta *st
 	return tx.Commit()
 }
-func (s *Store) aclAuthMethodDelete(idx uint64, name string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) aclAuthMethodDelete(idx uint64, name string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1680,7 +1681,7 @@ func (s *Store) aclAuthMethodDelete(idx uint64, name string, entMeta *structs.En
 	return tx.Commit()
 }
-func aclAuthMethodDeleteTxn(tx WriteTxn, idx uint64, name string, entMeta *structs.EnterpriseMeta) error {
+func aclAuthMethodDeleteTxn(tx WriteTxn, idx uint64, name string, entMeta *acl.EnterpriseMeta) error {
 	// Look up the existing method
 	_, rawMethod, err := aclAuthMethodGetByName(tx, name, entMeta)
 	if err != nil {
@ -1704,7 +1705,7 @@ func aclAuthMethodDeleteTxn(tx WriteTxn, idx uint64, name string, entMeta *struc
 	return aclAuthMethodDeleteWithMethod(tx, method, idx)
 }
-func aclTokenList(tx ReadTxn, entMeta *structs.EnterpriseMeta, locality bool) (memdb.ResultIterator, error) {
+func aclTokenList(tx ReadTxn, entMeta *acl.EnterpriseMeta, locality bool) (memdb.ResultIterator, error) {
 	// TODO: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
--- a/agent/consul/state/acl_oss.go
+++ b/agent/consul/state/acl_oss.go
@ -9,17 +9,18 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
-func updateTableIndexEntries(tx WriteTxn, tableName string, modifyIndex uint64, _ *structs.EnterpriseMeta) error {
+func updateTableIndexEntries(tx WriteTxn, tableName string, modifyIndex uint64, _ *acl.EnterpriseMeta) error {
 	if err := indexUpdateMaxTxn(tx, modifyIndex, tableName); err != nil {
 		return fmt.Errorf("failed updating %s index: %v", tableName, err)
 	}
 	return nil
 }
-func aclPolicyGetByID(tx ReadTxn, id string, _ *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclPolicyGetByID(tx ReadTxn, id string, _ *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableACLPolicies, indexID, id)
 }
@ -36,7 +37,7 @@ func aclPolicyDeleteWithPolicy(tx WriteTxn, policy *structs.ACLPolicy, idx uint6
 	return nil
 }
-func aclPolicyMaxIndex(tx ReadTxn, _ *structs.ACLPolicy, _ *structs.EnterpriseMeta) uint64 {
+func aclPolicyMaxIndex(tx ReadTxn, _ *structs.ACLPolicy, _ *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableACLPolicies)
 }
@ -52,23 +53,23 @@ func (s *Store) ACLPolicyUpsertValidateEnterprise(*structs.ACLPolicy, *structs.A
 /////                        ACL Token Functions                          /////
 ///////////////////////////////////////////////////////////////////////////////
-func aclTokenGetFromIndex(tx ReadTxn, id string, index string, entMeta *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclTokenGetFromIndex(tx ReadTxn, id string, index string, entMeta *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableACLTokens, index, id)
 }
-func aclTokenListAll(tx ReadTxn, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclTokenListAll(tx ReadTxn, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLTokens, indexID)
 }
-func aclTokenListByPolicy(tx ReadTxn, policy string, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclTokenListByPolicy(tx ReadTxn, policy string, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLTokens, indexPolicies, Query{Value: policy})
 }
-func aclTokenListByRole(tx ReadTxn, role string, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclTokenListByRole(tx ReadTxn, role string, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLTokens, indexRoles, Query{Value: role})
 }
-func aclTokenListByAuthMethod(tx ReadTxn, authMethod string, _, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclTokenListByAuthMethod(tx ReadTxn, authMethod string, _, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLTokens, indexAuthMethod, AuthMethodQuery{Value: authMethod})
 }
@ -85,7 +86,7 @@ func aclTokenDeleteWithToken(tx WriteTxn, token *structs.ACLToken, idx uint64) e
 	return nil
 }
-func aclTokenMaxIndex(tx ReadTxn, _ *structs.ACLToken, entMeta *structs.EnterpriseMeta) uint64 {
+func aclTokenMaxIndex(tx ReadTxn, _ *structs.ACLToken, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableACLTokens)
 }
@ -101,7 +102,7 @@ func (s *Store) ACLTokenUpsertValidateEnterprise(token *structs.ACLToken, existi
 /////                         ACL Role Functions                          /////
 ///////////////////////////////////////////////////////////////////////////////
-func aclRoleGetByID(tx ReadTxn, id string, _ *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclRoleGetByID(tx ReadTxn, id string, _ *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableACLRoles, indexID, id)
 }
@ -118,7 +119,7 @@ func aclRoleDeleteWithRole(tx WriteTxn, role *structs.ACLRole, idx uint64) error
 	return nil
 }
-func aclRoleMaxIndex(tx ReadTxn, _ *structs.ACLRole, _ *structs.EnterpriseMeta) uint64 {
+func aclRoleMaxIndex(tx ReadTxn, _ *structs.ACLRole, _ *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableACLRoles)
 }
@ -134,15 +135,15 @@ func (s *Store) ACLRoleUpsertValidateEnterprise(role *structs.ACLRole, existing
 /////                     ACL Binding Rule Functions                      /////
 ///////////////////////////////////////////////////////////////////////////////
-func aclBindingRuleGetByID(tx ReadTxn, id string, _ *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclBindingRuleGetByID(tx ReadTxn, id string, _ *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableACLBindingRules, indexID, id)
 }
-func aclBindingRuleList(tx ReadTxn, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclBindingRuleList(tx ReadTxn, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLBindingRules, indexID)
 }
-func aclBindingRuleListByAuthMethod(tx ReadTxn, method string, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclBindingRuleListByAuthMethod(tx ReadTxn, method string, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLBindingRules, indexAuthMethod, Query{Value: method})
 }
@ -159,7 +160,7 @@ func aclBindingRuleDeleteWithRule(tx WriteTxn, rule *structs.ACLBindingRule, idx
 	return nil
 }
-func aclBindingRuleMaxIndex(tx ReadTxn, _ *structs.ACLBindingRule, entMeta *structs.EnterpriseMeta) uint64 {
+func aclBindingRuleMaxIndex(tx ReadTxn, _ *structs.ACLBindingRule, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableACLBindingRules)
 }
@ -175,11 +176,11 @@ func (s *Store) ACLBindingRuleUpsertValidateEnterprise(rule *structs.ACLBindingR
 /////                     ACL Auth Method Functions                       /////
 ///////////////////////////////////////////////////////////////////////////////
-func aclAuthMethodGetByName(tx ReadTxn, method string, _ *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func aclAuthMethodGetByName(tx ReadTxn, method string, _ *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableACLAuthMethods, indexID, Query{Value: method})
 }
-func aclAuthMethodList(tx ReadTxn, entMeta *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func aclAuthMethodList(tx ReadTxn, entMeta *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableACLAuthMethods, indexID)
 }
@ -196,7 +197,7 @@ func aclAuthMethodDeleteWithMethod(tx WriteTxn, method *structs.ACLAuthMethod, i
 	return nil
 }
-func aclAuthMethodMaxIndex(tx ReadTxn, _ *structs.ACLAuthMethod, entMeta *structs.EnterpriseMeta) uint64 {
+func aclAuthMethodMaxIndex(tx ReadTxn, _ *structs.ACLAuthMethod, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableACLAuthMethods)
 }
--- a/agent/consul/state/acl_oss_test.go
+++ b/agent/consul/state/acl_oss_test.go
@ -3,7 +3,10 @@
 package state
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 func testIndexerTableACLPolicies() map[string]indexerTestCase {
 	obj := &structs.ACLPolicy{
@ -177,7 +180,7 @@ func testIndexerTableACLBindingRules() map[string]indexerTestCase {
 func testIndexerTableACLAuthMethods() map[string]indexerTestCase {
 	obj := &structs.ACLAuthMethod{
 		Name:           "ThEAuthMethod",
-		EnterpriseMeta: structs.EnterpriseMeta{},
+		EnterpriseMeta: acl.EnterpriseMeta{},
 	}
 	encodedName := []byte{0x74, 0x68, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x0}
 	return map[string]indexerTestCase{
--- a/agent/consul/state/acl_schema.go
+++ b/agent/consul/state/acl_schema.go
@ -6,6 +6,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -227,9 +228,9 @@ func indexFromUUIDQuery(raw interface{}) ([]byte, error) {
 func prefixIndexFromUUIDQuery(arg interface{}) ([]byte, error) {
 	switch v := arg.(type) {
-	case *structs.EnterpriseMeta:
+	case *acl.EnterpriseMeta:
 		return nil, nil
-	case structs.EnterpriseMeta:
+	case acl.EnterpriseMeta:
 		return nil, nil
 	case Query:
 		return variableLengthUUIDStringToBytes(v.Value)
--- a/agent/consul/state/catalog.go
+++ b/agent/consul/state/catalog.go
@ -57,7 +57,7 @@ func (s *Snapshot) Nodes() (memdb.ResultIterator, error) {
 // Services is used to pull the full list of services for a given node for use
 // during snapshots.
-func (s *Snapshot) Services(node string, entMeta *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func (s *Snapshot) Services(node string, entMeta *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	// TODO: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.NodeEnterpriseMetaInDefaultPartition()
@ -70,7 +70,7 @@ func (s *Snapshot) Services(node string, entMeta *structs.EnterpriseMeta) (memdb
 // Checks is used to pull the full list of checks for a given node for use
 // during snapshots.
-func (s *Snapshot) Checks(node string, entMeta *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func (s *Snapshot) Checks(node string, entMeta *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	// TODO: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.NodeEnterpriseMetaInDefaultPartition()
@ -136,7 +136,7 @@ func (s *Store) ensureCheckIfNodeMatches(
 	nodePartition string,
 	check *structs.HealthCheck,
 ) error {
-	if !strings.EqualFold(check.Node, node) || !structs.EqualPartitions(nodePartition, check.PartitionOrDefault()) {
+	if !strings.EqualFold(check.Node, node) || !acl.EqualPartitions(nodePartition, check.PartitionOrDefault()) {
 		return fmt.Errorf("check node %q does not match node %q",
 			printNodeName(check.Node, check.PartitionOrDefault()),
 			printNodeName(node, nodePartition),
@ -149,7 +149,7 @@ func (s *Store) ensureCheckIfNodeMatches(
 }
 func printNodeName(nodeName, partition string) string {
-	if structs.IsDefaultPartition(partition) {
+	if acl.IsDefaultPartition(partition) {
 		return nodeName
 	}
 	return partition + "/" + nodeName
@ -396,7 +396,7 @@ func (s *Store) ensureNodeTxn(tx WriteTxn, idx uint64, preserveIndexes bool, nod
 }
 // GetNode is used to retrieve a node registration by node name ID.
-func (s *Store) GetNode(nodeNameOrID string, entMeta *structs.EnterpriseMeta) (uint64, *structs.Node, error) {
+func (s *Store) GetNode(nodeNameOrID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.Node, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -416,7 +416,7 @@ func (s *Store) GetNode(nodeNameOrID string, entMeta *structs.EnterpriseMeta) (u
 	return idx, node, nil
 }
-func getNodeTxn(tx ReadTxn, nodeNameOrID string, entMeta *structs.EnterpriseMeta) (*structs.Node, error) {
+func getNodeTxn(tx ReadTxn, nodeNameOrID string, entMeta *acl.EnterpriseMeta) (*structs.Node, error) {
 	node, err := tx.First(tableNodes, indexID, Query{
 		Value:          nodeNameOrID,
 		EnterpriseMeta: *entMeta,
@ -430,7 +430,7 @@ func getNodeTxn(tx ReadTxn, nodeNameOrID string, entMeta *structs.EnterpriseMeta
 	return nil, nil
 }
-func getNodeIDTxn(tx ReadTxn, id types.NodeID, entMeta *structs.EnterpriseMeta) (*structs.Node, error) {
+func getNodeIDTxn(tx ReadTxn, id types.NodeID, entMeta *acl.EnterpriseMeta) (*structs.Node, error) {
 	node, err := tx.First(tableNodes, indexUUID+"_prefix", Query{
 		Value:          string(id),
 		EnterpriseMeta: *entMeta,
@ -445,7 +445,7 @@ func getNodeIDTxn(tx ReadTxn, id types.NodeID, entMeta *structs.EnterpriseMeta)
 }
 // GetNodeID is used to retrieve a node registration by node ID.
-func (s *Store) GetNodeID(id types.NodeID, entMeta *structs.EnterpriseMeta) (uint64, *structs.Node, error) {
+func (s *Store) GetNodeID(id types.NodeID, entMeta *acl.EnterpriseMeta) (uint64, *structs.Node, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -463,7 +463,7 @@ func (s *Store) GetNodeID(id types.NodeID, entMeta *structs.EnterpriseMeta) (uin
 }
 // Nodes is used to return all of the known nodes.
-func (s *Store) Nodes(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Nodes, error) {
+func (s *Store) Nodes(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Nodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -491,7 +491,7 @@ func (s *Store) Nodes(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint6
 }
 // NodesByMeta is used to return all nodes with the given metadata key/value pairs.
-func (s *Store) NodesByMeta(ws memdb.WatchSet, filters map[string]string, entMeta *structs.EnterpriseMeta) (uint64, structs.Nodes, error) {
+func (s *Store) NodesByMeta(ws memdb.WatchSet, filters map[string]string, entMeta *acl.EnterpriseMeta) (uint64, structs.Nodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -537,7 +537,7 @@ func (s *Store) NodesByMeta(ws memdb.WatchSet, filters map[string]string, entMet
 }
 // DeleteNode is used to delete a given node by its ID.
-func (s *Store) DeleteNode(idx uint64, nodeName string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) DeleteNode(idx uint64, nodeName string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -557,7 +557,7 @@ func (s *Store) DeleteNode(idx uint64, nodeName string, entMeta *structs.Enterpr
 // deleteNodeCASTxn is used to try doing a node delete operation with a given
 // raft index. If the CAS index specified is not equal to the last observed index for
 // the given check, then the call is a noop, otherwise a normal check delete is invoked.
-func (s *Store) deleteNodeCASTxn(tx WriteTxn, idx, cidx uint64, nodeName string, entMeta *structs.EnterpriseMeta) (bool, error) {
+func (s *Store) deleteNodeCASTxn(tx WriteTxn, idx, cidx uint64, nodeName string, entMeta *acl.EnterpriseMeta) (bool, error) {
 	// Look up the node.
 	node, err := getNodeTxn(tx, nodeName, entMeta)
 	if err != nil {
@ -584,7 +584,7 @@ func (s *Store) deleteNodeCASTxn(tx WriteTxn, idx, cidx uint64, nodeName string,
 // deleteNodeTxn is the inner method used for removing a node from
 // the store within a given transaction.
-func (s *Store) deleteNodeTxn(tx WriteTxn, idx uint64, nodeName string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) deleteNodeTxn(tx WriteTxn, idx uint64, nodeName string, entMeta *acl.EnterpriseMeta) error {
 	// TODO: accept non-pointer value
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -978,7 +978,7 @@ func terminatingGatewayVirtualIPsSupported(tx ReadTxn, ws memdb.WatchSet) (bool,
 }
 // Services returns all services along with a list of associated tags.
-func (s *Store) Services(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Services, error) {
+func (s *Store) Services(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Services, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1018,14 +1018,14 @@ func (s *Store) Services(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (ui
 	return idx, results, nil
 }
-func (s *Store) ServiceList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceList, error) {
+func (s *Store) ServiceList(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceList, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
 	return serviceListTxn(tx, ws, entMeta)
 }
-func serviceListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceList, error) {
+func serviceListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceList, error) {
 	idx := catalogServicesMaxIndex(tx, entMeta)
 	services, err := tx.Get(tableServices, indexID+"_prefix", entMeta)
@ -1049,7 +1049,7 @@ func serviceListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.EnterpriseMe
 }
 // ServicesByNodeMeta returns all services, filtered by the given node metadata.
-func (s *Store) ServicesByNodeMeta(ws memdb.WatchSet, filters map[string]string, entMeta *structs.EnterpriseMeta) (uint64, structs.Services, error) {
+func (s *Store) ServicesByNodeMeta(ws memdb.WatchSet, filters map[string]string, entMeta *acl.EnterpriseMeta) (uint64, structs.Services, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1144,7 +1144,7 @@ func (s *Store) ServicesByNodeMeta(ws memdb.WatchSet, filters map[string]string,
 //   * return when the last instance of a service is removed
 //   * block until an instance for this service is available, or another
 //     service is unregistered.
-func maxIndexForService(tx ReadTxn, serviceName string, serviceExists, checks bool, entMeta *structs.EnterpriseMeta) uint64 {
+func maxIndexForService(tx ReadTxn, serviceName string, serviceExists, checks bool, entMeta *acl.EnterpriseMeta) uint64 {
 	idx, _ := maxIndexAndWatchChForService(tx, serviceName, serviceExists, checks, entMeta)
 	return idx
 }
@ -1163,7 +1163,7 @@ func maxIndexForService(tx ReadTxn, serviceName string, serviceExists, checks bo
 // returned for the chan. This allows for blocking watchers to _only_ watch this
 // one chan in the common case, falling back to watching all touched MemDB
 // indexes in more complicated cases.
-func maxIndexAndWatchChForService(tx ReadTxn, serviceName string, serviceExists, checks bool, entMeta *structs.EnterpriseMeta) (uint64, <-chan struct{}) {
+func maxIndexAndWatchChForService(tx ReadTxn, serviceName string, serviceExists, checks bool, entMeta *acl.EnterpriseMeta) (uint64, <-chan struct{}) {
 	if !serviceExists {
 		res, err := catalogServiceLastExtinctionIndex(tx, entMeta)
 		if missingIdx, ok := res.(*IndexEntry); ok && err == nil {
@ -1207,7 +1207,7 @@ func maxIndexAndWatchChsForServiceNodes(tx ReadTxn,
 // ConnectServiceNodes returns the nodes associated with a Connect
 // compatible destination for the given service name. This will include
 // both proxies and native integrations.
-func (s *Store) ConnectServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
+func (s *Store) ConnectServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
 	tx := s.db.ReadTxn()
 	defer tx.Abort()
@ -1220,7 +1220,7 @@ func (s *Store) ConnectServiceNodes(ws memdb.WatchSet, serviceName string, entMe
 }
 // ServiceNodes returns the nodes associated with a given service name.
-func (s *Store) ServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
+func (s *Store) ServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
 	tx := s.db.ReadTxn()
 	defer tx.Abort()
@ -1294,7 +1294,7 @@ func serviceNodesTxn(tx ReadTxn, ws memdb.WatchSet, index string, q Query) (uint
 // ServiceTagNodes returns the nodes associated with a given service, filtering
 // out services that don't contain the given tags.
-func (s *Store) ServiceTagNodes(ws memdb.WatchSet, service string, tags []string, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
+func (s *Store) ServiceTagNodes(ws memdb.WatchSet, service string, tags []string, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1364,7 +1364,7 @@ func serviceTagsFilter(sn *structs.ServiceNode, tags []string) bool {
 // ServiceAddressNodes returns the nodes associated with a given service, filtering
 // out services that don't match the given serviceAddress
-func (s *Store) ServiceAddressNodes(ws memdb.WatchSet, address string, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
+func (s *Store) ServiceAddressNodes(ws memdb.WatchSet, address string, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1401,7 +1401,7 @@ func (s *Store) ServiceAddressNodes(ws memdb.WatchSet, address string, entMeta *
 // parseServiceNodes iterates over a services query and fills in the node details,
 // returning a ServiceNodes slice.
-func parseServiceNodes(tx ReadTxn, ws memdb.WatchSet, services structs.ServiceNodes, entMeta *structs.EnterpriseMeta) (structs.ServiceNodes, error) {
+func parseServiceNodes(tx ReadTxn, ws memdb.WatchSet, services structs.ServiceNodes, entMeta *acl.EnterpriseMeta) (structs.ServiceNodes, error) {
 	// We don't want to track an unlimited number of nodes, so we pull a
 	// top-level watch to use as a fallback.
 	allNodes, err := tx.Get(tableNodes, indexID+"_prefix", entMeta)
@ -1446,7 +1446,7 @@ func parseServiceNodes(tx ReadTxn, ws memdb.WatchSet, services structs.ServiceNo
 // NodeService is used to retrieve a specific service associated with the given
 // node.
-func (s *Store) NodeService(nodeName string, serviceID string, entMeta *structs.EnterpriseMeta) (uint64, *structs.NodeService, error) {
+func (s *Store) NodeService(nodeName string, serviceID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.NodeService, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1462,7 +1462,7 @@ func (s *Store) NodeService(nodeName string, serviceID string, entMeta *structs.
 	return idx, service, nil
 }
-func getNodeServiceTxn(tx ReadTxn, nodeName, serviceID string, entMeta *structs.EnterpriseMeta) (*structs.NodeService, error) {
+func getNodeServiceTxn(tx ReadTxn, nodeName, serviceID string, entMeta *acl.EnterpriseMeta) (*structs.NodeService, error) {
 	// TODO: pass non-pointer type for ent meta
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -1485,7 +1485,7 @@ func getNodeServiceTxn(tx ReadTxn, nodeName, serviceID string, entMeta *structs.
 	return nil, nil
 }
-func (s *Store) nodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *structs.EnterpriseMeta, allowWildcard bool) (bool, uint64, *structs.Node, memdb.ResultIterator, error) {
+func (s *Store) nodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *acl.EnterpriseMeta, allowWildcard bool) (bool, uint64, *structs.Node, memdb.ResultIterator, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1555,7 +1555,7 @@ func (s *Store) nodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *st
 }
 // NodeServices is used to query service registrations by node name or UUID.
-func (s *Store) NodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *structs.EnterpriseMeta) (uint64, *structs.NodeServices, error) {
+func (s *Store) NodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.NodeServices, error) {
 	done, idx, node, services, err := s.nodeServices(ws, nodeNameOrID, entMeta, false)
 	if done || err != nil {
 		return idx, nil, err
@ -1579,7 +1579,7 @@ func (s *Store) NodeServices(ws memdb.WatchSet, nodeNameOrID string, entMeta *st
 }
 // NodeServices is used to query service registrations by node name or UUID.
-func (s *Store) NodeServiceList(ws memdb.WatchSet, nodeNameOrID string, entMeta *structs.EnterpriseMeta) (uint64, *structs.NodeServiceList, error) {
+func (s *Store) NodeServiceList(ws memdb.WatchSet, nodeNameOrID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.NodeServiceList, error) {
 	done, idx, node, services, err := s.nodeServices(ws, nodeNameOrID, entMeta, true)
 	if done || err != nil {
 		return idx, nil, err
@ -1606,7 +1606,7 @@ func (s *Store) NodeServiceList(ws memdb.WatchSet, nodeNameOrID string, entMeta
 }
 // DeleteService is used to delete a given service associated with a node.
-func (s *Store) DeleteService(idx uint64, nodeName, serviceID string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) DeleteService(idx uint64, nodeName, serviceID string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -1621,7 +1621,7 @@ func (s *Store) DeleteService(idx uint64, nodeName, serviceID string, entMeta *s
 // deleteServiceCASTxn is used to try doing a service delete operation with a given
 // raft index. If the CAS index specified is not equal to the last observed index for
 // the given service, then the call is a noop, otherwise a normal delete is invoked.
-func (s *Store) deleteServiceCASTxn(tx WriteTxn, idx, cidx uint64, nodeName, serviceID string, entMeta *structs.EnterpriseMeta) (bool, error) {
+func (s *Store) deleteServiceCASTxn(tx WriteTxn, idx, cidx uint64, nodeName, serviceID string, entMeta *acl.EnterpriseMeta) (bool, error) {
 	// Look up the service.
 	service, err := getNodeServiceTxn(tx, nodeName, serviceID, entMeta)
 	if err != nil {
@ -1648,7 +1648,7 @@ func (s *Store) deleteServiceCASTxn(tx WriteTxn, idx, cidx uint64, nodeName, ser
 // deleteServiceTxn is the inner method called to remove a service
 // registration within an existing transaction.
-func (s *Store) deleteServiceTxn(tx WriteTxn, idx uint64, nodeName, serviceID string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) deleteServiceTxn(tx WriteTxn, idx uint64, nodeName, serviceID string, entMeta *acl.EnterpriseMeta) error {
 	// TODO: pass non-pointer type for ent meta
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -1751,7 +1751,7 @@ func (s *Store) deleteServiceTxn(tx WriteTxn, idx uint64, nodeName, serviceID st
 // freeServiceVirtualIP is used to free a virtual IP for a service after the last instance
 // is removed.
-func freeServiceVirtualIP(tx WriteTxn, svc string, excludeGateway *structs.ServiceName, entMeta *structs.EnterpriseMeta) error {
+func freeServiceVirtualIP(tx WriteTxn, svc string, excludeGateway *structs.ServiceName, entMeta *acl.EnterpriseMeta) error {
 	supported, err := virtualIPsSupported(tx, nil)
 	if err != nil {
 		return err
@ -1818,7 +1818,7 @@ func (s *Store) EnsureCheck(idx uint64, hc *structs.HealthCheck) error {
 }
 // updateAllServiceIndexesOfNode updates the Raft index of all the services associated with this node
-func updateAllServiceIndexesOfNode(tx WriteTxn, idx uint64, nodeID string, entMeta *structs.EnterpriseMeta) error {
+func updateAllServiceIndexesOfNode(tx WriteTxn, idx uint64, nodeID string, entMeta *acl.EnterpriseMeta) error {
 	services, err := tx.Get(tableServices, indexNode, Query{
 		Value:          nodeID,
 		EnterpriseMeta: *entMeta.WithWildcardNamespace(),
@ -1977,7 +1977,7 @@ func (s *Store) ensureCheckTxn(tx WriteTxn, idx uint64, preserveIndexes bool, hc
 // NodeCheck is used to retrieve a specific check associated with the given
 // node.
-func (s *Store) NodeCheck(nodeName string, checkID types.CheckID, entMeta *structs.EnterpriseMeta) (uint64, *structs.HealthCheck, error) {
+func (s *Store) NodeCheck(nodeName string, checkID types.CheckID, entMeta *acl.EnterpriseMeta) (uint64, *structs.HealthCheck, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -1986,7 +1986,7 @@ func (s *Store) NodeCheck(nodeName string, checkID types.CheckID, entMeta *struc
 // nodeCheckTxn is used as the inner method to handle reading a health check
 // from the state store.
-func getNodeCheckTxn(tx ReadTxn, nodeName string, checkID types.CheckID, entMeta *structs.EnterpriseMeta) (uint64, *structs.HealthCheck, error) {
+func getNodeCheckTxn(tx ReadTxn, nodeName string, checkID types.CheckID, entMeta *acl.EnterpriseMeta) (uint64, *structs.HealthCheck, error) {
 	// Get the table index.
 	idx := catalogChecksMaxIndex(tx, entMeta)
@ -2009,7 +2009,7 @@ func getNodeCheckTxn(tx ReadTxn, nodeName string, checkID types.CheckID, entMeta
 // NodeChecks is used to retrieve checks associated with the
 // given node from the state store.
-func (s *Store) NodeChecks(ws memdb.WatchSet, nodeName string, entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+func (s *Store) NodeChecks(ws memdb.WatchSet, nodeName string, entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2037,7 +2037,7 @@ func (s *Store) NodeChecks(ws memdb.WatchSet, nodeName string, entMeta *structs.
 // ServiceChecks is used to get all checks associated with a
 // given service ID. The query is performed against a service
 // _name_ instead of a service ID.
-func (s *Store) ServiceChecks(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+func (s *Store) ServiceChecks(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2065,7 +2065,7 @@ func (s *Store) ServiceChecks(ws memdb.WatchSet, serviceName string, entMeta *st
 // given service ID, filtered by the given node metadata values. The query
 // is performed against a service _name_ instead of a service ID.
 func (s *Store) ServiceChecksByNodeMeta(ws memdb.WatchSet, serviceName string,
-	filters map[string]string, entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+	filters map[string]string, entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2088,7 +2088,7 @@ func (s *Store) ServiceChecksByNodeMeta(ws memdb.WatchSet, serviceName string,
 // ChecksInState is used to query the state store for all checks
 // which are in the provided state.
-func (s *Store) ChecksInState(ws memdb.WatchSet, state string, entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+func (s *Store) ChecksInState(ws memdb.WatchSet, state string, entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2106,7 +2106,7 @@ func (s *Store) ChecksInState(ws memdb.WatchSet, state string, entMeta *structs.
 // ChecksInStateByNodeMeta is used to query the state store for all checks
 // which are in the provided state, filtered by the given node metadata values.
-func (s *Store) ChecksInStateByNodeMeta(ws memdb.WatchSet, state string, filters map[string]string, entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+func (s *Store) ChecksInStateByNodeMeta(ws memdb.WatchSet, state string, filters map[string]string, entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2118,7 +2118,7 @@ func (s *Store) ChecksInStateByNodeMeta(ws memdb.WatchSet, state string, filters
 	return parseChecksByNodeMeta(tx, ws, idx, iter, filters, entMeta)
 }
-func checksInStateTxn(tx ReadTxn, ws memdb.WatchSet, state string, entMeta *structs.EnterpriseMeta) (uint64, memdb.ResultIterator, error) {
+func checksInStateTxn(tx ReadTxn, ws memdb.WatchSet, state string, entMeta *acl.EnterpriseMeta) (uint64, memdb.ResultIterator, error) {
 	// Get the table index.
 	idx := catalogChecksMaxIndex(tx, entMeta)
@ -2147,7 +2147,7 @@ func checksInStateTxn(tx ReadTxn, ws memdb.WatchSet, state string, entMeta *stru
 // repetitive code for returning health checks filtered by node metadata fields.
 func parseChecksByNodeMeta(tx ReadTxn, ws memdb.WatchSet,
 	idx uint64, iter memdb.ResultIterator, filters map[string]string,
-	entMeta *structs.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
+	entMeta *acl.EnterpriseMeta) (uint64, structs.HealthChecks, error) {
 	// We don't want to track an unlimited number of nodes, so we pull a
 	// top-level watch to use as a fallback.
@ -2183,7 +2183,7 @@ func parseChecksByNodeMeta(tx ReadTxn, ws memdb.WatchSet,
 }
 // DeleteCheck is used to delete a health check registration.
-func (s *Store) DeleteCheck(idx uint64, node string, checkID types.CheckID, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) DeleteCheck(idx uint64, node string, checkID types.CheckID, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -2198,7 +2198,7 @@ func (s *Store) DeleteCheck(idx uint64, node string, checkID types.CheckID, entM
 // deleteCheckCASTxn is used to try doing a check delete operation with a given
 // raft index. If the CAS index specified is not equal to the last observed index for
 // the given check, then the call is a noop, otherwise a normal check delete is invoked.
-func (s *Store) deleteCheckCASTxn(tx WriteTxn, idx, cidx uint64, node string, checkID types.CheckID, entMeta *structs.EnterpriseMeta) (bool, error) {
+func (s *Store) deleteCheckCASTxn(tx WriteTxn, idx, cidx uint64, node string, checkID types.CheckID, entMeta *acl.EnterpriseMeta) (bool, error) {
 	// Try to retrieve the existing health check.
 	_, hc, err := getNodeCheckTxn(tx, node, checkID, entMeta)
 	if err != nil {
@ -2227,7 +2227,7 @@ func (s *Store) deleteCheckCASTxn(tx WriteTxn, idx, cidx uint64, node string, ch
 type NodeServiceQuery struct {
 	Node    string
 	Service string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
@ -2244,7 +2244,7 @@ func (q NodeServiceQuery) PartitionOrDefault() string {
 // deleteCheckTxn is the inner method used to call a health
 // check deletion within an existing transaction.
-func (s *Store) deleteCheckTxn(tx WriteTxn, idx uint64, node string, checkID types.CheckID, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) deleteCheckTxn(tx WriteTxn, idx uint64, node string, checkID types.CheckID, entMeta *acl.EnterpriseMeta) error {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
 	}
@ -2337,19 +2337,19 @@ func (s *Store) CombinedCheckServiceNodes(ws memdb.WatchSet, service structs.Ser
 }
 // CheckServiceNodes is used to query all nodes and checks for a given service.
-func (s *Store) CheckServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) CheckServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	return s.checkServiceNodes(ws, serviceName, false, entMeta)
 }
 // CheckConnectServiceNodes is used to query all nodes and checks for Connect
 // compatible endpoints for a given service.
-func (s *Store) CheckConnectServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) CheckConnectServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	return s.checkServiceNodes(ws, serviceName, true, entMeta)
 }
 // CheckIngressServiceNodes is used to query all nodes and checks for ingress
 // endpoints for a given service.
-func (s *Store) CheckIngressServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) CheckIngressServiceNodes(ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2385,14 +2385,14 @@ func (s *Store) CheckIngressServiceNodes(ws memdb.WatchSet, serviceName string,
 	return maxIdx, results, nil
 }
-func (s *Store) checkServiceNodes(ws memdb.WatchSet, serviceName string, connect bool, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) checkServiceNodes(ws memdb.WatchSet, serviceName string, connect bool, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
 	return checkServiceNodesTxn(tx, ws, serviceName, connect, entMeta)
 }
-func checkServiceNodesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, connect bool, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func checkServiceNodesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, connect bool, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	index := indexService
 	if connect {
 		index = indexConnect
@ -2526,7 +2526,7 @@ func checkServiceNodesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, con
 // CheckServiceTagNodes is used to query all nodes and checks for a given
 // service, filtering out services that don't contain the given tag.
-func (s *Store) CheckServiceTagNodes(ws memdb.WatchSet, serviceName string, tags []string, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) CheckServiceTagNodes(ws memdb.WatchSet, serviceName string, tags []string, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2559,7 +2559,7 @@ func (s *Store) CheckServiceTagNodes(ws memdb.WatchSet, serviceName string, tags
 }
 // GatewayServices is used to query all services associated with a gateway
-func (s *Store) GatewayServices(ws memdb.WatchSet, gateway string, entMeta *structs.EnterpriseMeta) (uint64, structs.GatewayServices, error) {
+func (s *Store) GatewayServices(ws memdb.WatchSet, gateway string, entMeta *acl.EnterpriseMeta) (uint64, structs.GatewayServices, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2631,7 +2631,7 @@ func serviceNamesOfKindTxn(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKi
 func parseCheckServiceNodes(
 	tx ReadTxn, ws memdb.WatchSet, idx uint64,
 	services structs.ServiceNodes,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	err error) (uint64, structs.CheckServiceNodes, error) {
 	if err != nil {
 		return 0, nil, err
@ -2722,7 +2722,7 @@ func parseCheckServiceNodes(
 // NodeInfo is used to generate a dump of a single node. The dump includes
 // all services and checks which are registered against the node.
-func (s *Store) NodeInfo(ws memdb.WatchSet, node string, entMeta *structs.EnterpriseMeta) (uint64, structs.NodeDump, error) {
+func (s *Store) NodeInfo(ws memdb.WatchSet, node string, entMeta *acl.EnterpriseMeta) (uint64, structs.NodeDump, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2748,7 +2748,7 @@ func (s *Store) NodeInfo(ws memdb.WatchSet, node string, entMeta *structs.Enterp
 // NodeDump is used to generate a dump of all nodes. This call is expensive
 // as it has to query every node, service, and check. The response can also
 // be quite large since there is currently no filtering applied.
-func (s *Store) NodeDump(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.NodeDump, error) {
+func (s *Store) NodeDump(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.NodeDump, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2764,7 +2764,7 @@ func (s *Store) NodeDump(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (ui
 	return parseNodes(tx, ws, idx, nodes, entMeta)
 }
-func (s *Store) ServiceDump(ws memdb.WatchSet, kind structs.ServiceKind, useKind bool, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func (s *Store) ServiceDump(ws memdb.WatchSet, kind structs.ServiceKind, useKind bool, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -2775,7 +2775,7 @@ func (s *Store) ServiceDump(ws memdb.WatchSet, kind structs.ServiceKind, useKind
 	}
 }
-func serviceDumpAllTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func serviceDumpAllTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	// Get the table index
 	idx := catalogMaxIndexWatch(tx, ws, entMeta, true)
@ -2793,7 +2793,7 @@ func serviceDumpAllTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.Enterpris
 	return parseCheckServiceNodes(tx, nil, idx, results, entMeta, err)
 }
-func serviceDumpKindTxn(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKind, entMeta *structs.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
+func serviceDumpKindTxn(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKind, entMeta *acl.EnterpriseMeta) (uint64, structs.CheckServiceNodes, error) {
 	// unlike when we are dumping all services here we only need to watch the kind specific index entry for changing (or nodes, checks)
 	// updating any services, nodes or checks will bump the appropriate service kind index so there is no need to watch any of the individual
 	// entries
@ -2821,7 +2821,7 @@ func serviceDumpKindTxn(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKind,
 // containing the nodes along with all of their associated services
 // and/or health checks.
 func parseNodes(tx ReadTxn, ws memdb.WatchSet, idx uint64,
-	iter memdb.ResultIterator, entMeta *structs.EnterpriseMeta) (uint64, structs.NodeDump, error) {
+	iter memdb.ResultIterator, entMeta *acl.EnterpriseMeta) (uint64, structs.NodeDump, error) {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -2900,7 +2900,7 @@ func checkSessionsTxn(tx ReadTxn, hc *structs.HealthCheck) ([]*sessionCheck, err
 }
 // updateGatewayServices associates services with gateways as specified in a gateway config entry
-func updateGatewayServices(tx WriteTxn, idx uint64, conf structs.ConfigEntry, entMeta *structs.EnterpriseMeta) error {
+func updateGatewayServices(tx WriteTxn, idx uint64, conf structs.ConfigEntry, entMeta *acl.EnterpriseMeta) error {
 	var (
 		noChange        bool
 		gatewayServices structs.GatewayServices
@ -2970,7 +2970,7 @@ func updateGatewayServices(tx WriteTxn, idx uint64, conf structs.ConfigEntry, en
 	return nil
 }
-func getTermGatewayVirtualIPs(tx WriteTxn, services []structs.LinkedService, entMeta *structs.EnterpriseMeta) (map[string]structs.ServiceAddress, error) {
+func getTermGatewayVirtualIPs(tx WriteTxn, services []structs.LinkedService, entMeta *acl.EnterpriseMeta) (map[string]structs.ServiceAddress, error) {
 	addrs := make(map[string]structs.ServiceAddress, len(services))
 	for _, s := range services {
 		sn := structs.ServiceName{Name: s.Name, EnterpriseMeta: *entMeta}
@ -2985,7 +2985,7 @@ func getTermGatewayVirtualIPs(tx WriteTxn, services []structs.LinkedService, ent
 	return addrs, nil
 }
-func updateTerminatingGatewayVirtualIPs(tx WriteTxn, idx uint64, conf *structs.TerminatingGatewayConfigEntry, entMeta *structs.EnterpriseMeta) error {
+func updateTerminatingGatewayVirtualIPs(tx WriteTxn, idx uint64, conf *structs.TerminatingGatewayConfigEntry, entMeta *acl.EnterpriseMeta) error {
 	// Build the current map of services with virtual IPs for this gateway
 	services := conf.Services
 	addrs, err := getTermGatewayVirtualIPs(tx, services, entMeta)
@ -3067,7 +3067,7 @@ func ingressConfigGatewayServices(
 	tx ReadTxn,
 	gateway structs.ServiceName,
 	conf structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (bool, structs.GatewayServices, error) {
 	entry, ok := conf.(*structs.IngressGatewayConfigEntry)
 	if !ok {
@ -3112,7 +3112,7 @@ func terminatingConfigGatewayServices(
 	tx ReadTxn,
 	gateway structs.ServiceName,
 	conf structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (bool, structs.GatewayServices, error) {
 	entry, ok := conf.(*structs.TerminatingGatewayConfigEntry)
 	if !ok {
@ -3149,7 +3149,7 @@ func terminatingConfigGatewayServices(
 }
 // updateGatewayNamespace is used to target all services within a namespace
-func updateGatewayNamespace(tx WriteTxn, idx uint64, service *structs.GatewayService, entMeta *structs.EnterpriseMeta) error {
+func updateGatewayNamespace(tx WriteTxn, idx uint64, service *structs.GatewayService, entMeta *acl.EnterpriseMeta) error {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
 	}
@ -3343,7 +3343,7 @@ func (s *Store) collectGatewayServices(tx ReadTxn, ws memdb.WatchSet, iter memdb
 // TODO(ingress): How to handle index rolling back when a config entry is
 // deleted that references a service?
 // We might need something like the service_last_extinction index?
-func serviceGatewayNodes(tx ReadTxn, ws memdb.WatchSet, service string, kind structs.ServiceKind, entMeta *structs.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
+func serviceGatewayNodes(tx ReadTxn, ws memdb.WatchSet, service string, kind structs.ServiceKind, entMeta *acl.EnterpriseMeta) (uint64, structs.ServiceNodes, error) {
 	// Look up gateway name associated with the service
 	gws, err := tx.Get(tableGatewayServices, indexService, structs.NewServiceName(service, entMeta))
 	if err != nil {
@ -3448,7 +3448,7 @@ func (s *Store) ServiceTopology(
 	dc, service string,
 	kind structs.ServiceKind,
 	defaultAllow acl.EnforcementDecision,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceTopology, error) {
 	tx := s.db.ReadTxn()
 	defer tx.Abort()
@ -3883,7 +3883,7 @@ func updateMeshTopology(tx WriteTxn, idx uint64, node string, svc *structs.NodeS
 	oldUpstreams := make(map[structs.ServiceName]bool)
 	if e, ok := existing.(*structs.ServiceNode); ok {
 		for _, u := range e.ServiceProxy.Upstreams {
-			upstreamMeta := structs.NewEnterpriseMetaWithPartition(e.PartitionOrDefault(), u.DestinationNamespace)
+			upstreamMeta := acl.NewEnterpriseMetaWithPartition(e.PartitionOrDefault(), u.DestinationNamespace)
 			sn := structs.NewServiceName(u.DestinationName, &upstreamMeta)
 			oldUpstreams[sn] = true
@ -3899,7 +3899,7 @@ func updateMeshTopology(tx WriteTxn, idx uint64, node string, svc *structs.NodeS
 		}
 		// TODO (freddy): Account for upstream datacenter
-		upstreamMeta := structs.NewEnterpriseMetaWithPartition(svc.PartitionOrDefault(), u.DestinationNamespace)
+		upstreamMeta := acl.NewEnterpriseMetaWithPartition(svc.PartitionOrDefault(), u.DestinationNamespace)
 		upstream := structs.NewServiceName(u.DestinationName, &upstreamMeta)
 		obj, err := tx.First(tableMeshTopology, indexID, upstream, downstream)
--- a/agent/consul/state/catalog_events.go
+++ b/agent/consul/state/catalog_events.go
@ -16,7 +16,7 @@ import (
 // a specific service.
 type EventSubjectService struct {
 	Key            string
-	EnterpriseMeta structs.EnterpriseMeta
+	EnterpriseMeta acl.EnterpriseMeta
 	overrideKey       string
 	overrideNamespace string
@ -128,7 +128,7 @@ func serviceHealthSnapshot(db ReadDB, topic stream.Topic) stream.SnapshotFunc {
 type nodeServiceTuple struct {
 	Node      string
 	ServiceID string
-	EntMeta   structs.EnterpriseMeta
+	EntMeta   acl.EnterpriseMeta
 }
 func newNodeServiceTupleFromServiceNode(sn *structs.ServiceNode) nodeServiceTuple {
@ -553,7 +553,7 @@ func getPayloadCheckServiceNode(payload stream.Payload) *structs.CheckServiceNod
 // given node. This mirrors some of the the logic in the oddly-named
 // parseCheckServiceNodes but is more efficient since we know they are all on
 // the same node.
-func newServiceHealthEventsForNode(tx ReadTxn, idx uint64, node string, entMeta *structs.EnterpriseMeta) ([]stream.Event, error) {
+func newServiceHealthEventsForNode(tx ReadTxn, idx uint64, node string, entMeta *acl.EnterpriseMeta) ([]stream.Event, error) {
 	services, err := tx.Get(tableServices, indexNode, Query{
 		Value:          node,
 		EnterpriseMeta: *entMeta,
@ -580,7 +580,7 @@ func newServiceHealthEventsForNode(tx ReadTxn, idx uint64, node string, entMeta
 // getNodeAndNodeChecks returns a the node structure and a function that returns
 // the full list of checks for a specific service on that node.
-func getNodeAndChecks(tx ReadTxn, node string, entMeta *structs.EnterpriseMeta) (*structs.Node, serviceChecksFunc, error) {
+func getNodeAndChecks(tx ReadTxn, node string, entMeta *acl.EnterpriseMeta) (*structs.Node, serviceChecksFunc, error) {
 	// Fetch the node
 	nodeRaw, err := tx.First(tableNodes, indexID, Query{
 		Value:          node,
--- a/agent/consul/state/catalog_oss.go
+++ b/agent/consul/state/catalog_oss.go
@ -9,20 +9,21 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 func withEnterpriseSchema(_ *memdb.DBSchema) {}
-func serviceIndexName(name string, _ *structs.EnterpriseMeta) string {
+func serviceIndexName(name string, _ *acl.EnterpriseMeta) string {
 	return fmt.Sprintf("service.%s", name)
 }
-func serviceKindIndexName(kind structs.ServiceKind, _ *structs.EnterpriseMeta) string {
+func serviceKindIndexName(kind structs.ServiceKind, _ *acl.EnterpriseMeta) string {
 	return "service_kind." + kind.Normalized()
 }
-func catalogUpdateNodesIndexes(tx WriteTxn, idx uint64, entMeta *structs.EnterpriseMeta) error {
+func catalogUpdateNodesIndexes(tx WriteTxn, idx uint64, entMeta *acl.EnterpriseMeta) error {
 	// overall nodes index
 	if err := indexUpdateMaxTxn(tx, idx, tableNodes); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
@ -31,7 +32,7 @@ func catalogUpdateNodesIndexes(tx WriteTxn, idx uint64, entMeta *structs.Enterpr
 	return nil
 }
-func catalogUpdateServicesIndexes(tx WriteTxn, idx uint64, _ *structs.EnterpriseMeta) error {
+func catalogUpdateServicesIndexes(tx WriteTxn, idx uint64, _ *acl.EnterpriseMeta) error {
 	// overall services index
 	if err := indexUpdateMaxTxn(tx, idx, tableServices); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
@ -40,7 +41,7 @@ func catalogUpdateServicesIndexes(tx WriteTxn, idx uint64, _ *structs.Enterprise
 	return nil
 }
-func catalogUpdateServiceKindIndexes(tx WriteTxn, kind structs.ServiceKind, idx uint64, _ *structs.EnterpriseMeta) error {
+func catalogUpdateServiceKindIndexes(tx WriteTxn, kind structs.ServiceKind, idx uint64, _ *acl.EnterpriseMeta) error {
 	// service-kind index
 	if err := indexUpdateMaxTxn(tx, idx, serviceKindIndexName(kind, nil)); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
@ -49,7 +50,7 @@ func catalogUpdateServiceKindIndexes(tx WriteTxn, kind structs.ServiceKind, idx
 	return nil
 }
-func catalogUpdateServiceIndexes(tx WriteTxn, serviceName string, idx uint64, _ *structs.EnterpriseMeta) error {
+func catalogUpdateServiceIndexes(tx WriteTxn, serviceName string, idx uint64, _ *acl.EnterpriseMeta) error {
 	// per-service index
 	if err := indexUpdateMaxTxn(tx, idx, serviceIndexName(serviceName, nil)); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
@ -58,7 +59,7 @@ func catalogUpdateServiceIndexes(tx WriteTxn, serviceName string, idx uint64, _
 	return nil
 }
-func catalogUpdateServiceExtinctionIndex(tx WriteTxn, idx uint64, _ *structs.EnterpriseMeta) error {
+func catalogUpdateServiceExtinctionIndex(tx WriteTxn, idx uint64, _ *acl.EnterpriseMeta) error {
 	if err := tx.Insert(tableIndex, &IndexEntry{indexServiceExtinction, idx}); err != nil {
 		return fmt.Errorf("failed updating missing service extinction index: %s", err)
 	}
@ -109,49 +110,49 @@ func catalogInsertService(tx WriteTxn, svc *structs.ServiceNode) error {
 	return nil
 }
-func catalogNodesMaxIndex(tx ReadTxn, entMeta *structs.EnterpriseMeta) uint64 {
+func catalogNodesMaxIndex(tx ReadTxn, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableNodes)
 }
-func catalogServicesMaxIndex(tx ReadTxn, _ *structs.EnterpriseMeta) uint64 {
+func catalogServicesMaxIndex(tx ReadTxn, _ *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableServices)
 }
-func catalogServiceMaxIndex(tx ReadTxn, serviceName string, _ *structs.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
+func catalogServiceMaxIndex(tx ReadTxn, serviceName string, _ *acl.EnterpriseMeta) (<-chan struct{}, interface{}, error) {
 	return tx.FirstWatch(tableIndex, "id", serviceIndexName(serviceName, nil))
 }
-func catalogServiceKindMaxIndex(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKind, entMeta *structs.EnterpriseMeta) uint64 {
+func catalogServiceKindMaxIndex(tx ReadTxn, ws memdb.WatchSet, kind structs.ServiceKind, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexWatchTxn(tx, ws, serviceKindIndexName(kind, nil))
 }
-func catalogServiceListNoWildcard(tx ReadTxn, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func catalogServiceListNoWildcard(tx ReadTxn, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableServices, indexID)
 }
-func catalogServiceListByNode(tx ReadTxn, node string, _ *structs.EnterpriseMeta, _ bool) (memdb.ResultIterator, error) {
+func catalogServiceListByNode(tx ReadTxn, node string, _ *acl.EnterpriseMeta, _ bool) (memdb.ResultIterator, error) {
 	return tx.Get(tableServices, indexNode, Query{Value: node})
 }
-func catalogServiceLastExtinctionIndex(tx ReadTxn, _ *structs.EnterpriseMeta) (interface{}, error) {
+func catalogServiceLastExtinctionIndex(tx ReadTxn, _ *acl.EnterpriseMeta) (interface{}, error) {
 	return tx.First(tableIndex, "id", indexServiceExtinction)
 }
-func catalogMaxIndex(tx ReadTxn, _ *structs.EnterpriseMeta, checks bool) uint64 {
+func catalogMaxIndex(tx ReadTxn, _ *acl.EnterpriseMeta, checks bool) uint64 {
 	if checks {
 		return maxIndexTxn(tx, tableNodes, tableServices, tableChecks)
 	}
 	return maxIndexTxn(tx, tableNodes, tableServices)
 }
-func catalogMaxIndexWatch(tx ReadTxn, ws memdb.WatchSet, _ *structs.EnterpriseMeta, checks bool) uint64 {
+func catalogMaxIndexWatch(tx ReadTxn, ws memdb.WatchSet, _ *acl.EnterpriseMeta, checks bool) uint64 {
 	if checks {
 		return maxIndexWatchTxn(tx, ws, tableNodes, tableServices, tableChecks)
 	}
 	return maxIndexWatchTxn(tx, ws, tableNodes, tableServices)
 }
-func catalogUpdateCheckIndexes(tx WriteTxn, idx uint64, _ *structs.EnterpriseMeta) error {
+func catalogUpdateCheckIndexes(tx WriteTxn, idx uint64, _ *acl.EnterpriseMeta) error {
 	// update the universal index entry
 	if err := tx.Insert(tableIndex, &IndexEntry{tableChecks, idx}); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
@ -159,7 +160,7 @@ func catalogUpdateCheckIndexes(tx WriteTxn, idx uint64, _ *structs.EnterpriseMet
 	return nil
 }
-func catalogChecksMaxIndex(tx ReadTxn, _ *structs.EnterpriseMeta) uint64 {
+func catalogChecksMaxIndex(tx ReadTxn, _ *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableChecks)
 }
@ -180,11 +181,11 @@ func catalogInsertCheck(tx WriteTxn, chk *structs.HealthCheck, idx uint64) error
 	return nil
 }
-func validateRegisterRequestTxn(_ ReadTxn, _ *structs.RegisterRequest, _ bool) (*structs.EnterpriseMeta, error) {
+func validateRegisterRequestTxn(_ ReadTxn, _ *structs.RegisterRequest, _ bool) (*acl.EnterpriseMeta, error) {
 	return nil, nil
 }
-func (s *Store) ValidateRegisterRequest(_ *structs.RegisterRequest) (*structs.EnterpriseMeta, error) {
+func (s *Store) ValidateRegisterRequest(_ *structs.RegisterRequest) (*acl.EnterpriseMeta, error) {
 	return nil, nil
 }
--- a/agent/consul/state/catalog_oss_test.go
+++ b/agent/consul/state/catalog_oss_test.go
@ -6,6 +6,7 @@ package state
 import (
 	"net"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/types"
 )
@ -33,7 +34,7 @@ func testIndexerTableChecks() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
@ -193,11 +194,11 @@ func testIndexerTableNodes() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   (*structs.EnterpriseMeta)(nil),
+					source:   (*acl.EnterpriseMeta)(nil),
 					expected: nil,
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
@ -220,11 +221,11 @@ func testIndexerTableNodes() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   (*structs.EnterpriseMeta)(nil),
+					source:   (*acl.EnterpriseMeta)(nil),
 					expected: nil,
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{ // partial length
@ -286,11 +287,11 @@ func testIndexerTableServices() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   (*structs.EnterpriseMeta)(nil),
+					source:   (*acl.EnterpriseMeta)(nil),
 					expected: nil,
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
--- a/agent/consul/state/catalog_schema.go
+++ b/agent/consul/state/catalog_schema.go
@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -589,7 +590,7 @@ type upstreamDownstream struct {
 type NodeCheckQuery struct {
 	Node    string
 	CheckID string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
@ -709,7 +710,7 @@ func kindServiceNameTableSchema() *memdb.TableSchema {
 type KindServiceNameQuery struct {
 	Kind structs.ServiceKind
 	Name string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
--- a/agent/consul/state/config_entry.go
+++ b/agent/consul/state/config_entry.go
@ -6,6 +6,7 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/discoverychain"
@ -95,13 +96,13 @@ func (s *Restore) ConfigEntry(c structs.ConfigEntry) error {
 }
 // ConfigEntry is called to get a given config entry.
-func (s *Store) ConfigEntry(ws memdb.WatchSet, kind, name string, entMeta *structs.EnterpriseMeta) (uint64, structs.ConfigEntry, error) {
+func (s *Store) ConfigEntry(ws memdb.WatchSet, kind, name string, entMeta *acl.EnterpriseMeta) (uint64, structs.ConfigEntry, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
 	return configEntryTxn(tx, ws, kind, name, entMeta)
 }
-func configEntryTxn(tx ReadTxn, ws memdb.WatchSet, kind, name string, entMeta *structs.EnterpriseMeta) (uint64, structs.ConfigEntry, error) {
+func configEntryTxn(tx ReadTxn, ws memdb.WatchSet, kind, name string, entMeta *acl.EnterpriseMeta) (uint64, structs.ConfigEntry, error) {
 	// Get the index
 	idx := maxIndexTxn(tx, tableConfigEntries)
@ -124,19 +125,19 @@ func configEntryTxn(tx ReadTxn, ws memdb.WatchSet, kind, name string, entMeta *s
 }
 // ConfigEntries is called to get all config entry objects.
-func (s *Store) ConfigEntries(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
+func (s *Store) ConfigEntries(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
 	return s.ConfigEntriesByKind(ws, "", entMeta)
 }
 // ConfigEntriesByKind is called to get all config entry objects with the given kind.
 // If kind is empty, all config entries will be returned.
-func (s *Store) ConfigEntriesByKind(ws memdb.WatchSet, kind string, entMeta *structs.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
+func (s *Store) ConfigEntriesByKind(ws memdb.WatchSet, kind string, entMeta *acl.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
 	return configEntriesByKindTxn(tx, ws, kind, entMeta)
 }
-func configEntriesByKindTxn(tx ReadTxn, ws memdb.WatchSet, kind string, entMeta *structs.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
+func configEntriesByKindTxn(tx ReadTxn, ws memdb.WatchSet, kind string, entMeta *acl.EnterpriseMeta) (uint64, []structs.ConfigEntry, error) {
 	// Get the index and watch for updates
 	idx := maxIndexWatchTxn(tx, ws, tableConfigEntries)
@ -278,7 +279,7 @@ func (s *Store) DeleteConfigEntryCAS(idx, cidx uint64, conf structs.ConfigEntry)
 	return err == nil, err
 }
-func (s *Store) DeleteConfigEntry(idx uint64, kind, name string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) DeleteConfigEntry(idx uint64, kind, name string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -290,7 +291,7 @@ func (s *Store) DeleteConfigEntry(idx uint64, kind, name string, entMeta *struct
 }
 // TODO: accept structs.ConfigEntry instead of individual fields
-func deleteConfigEntryTxn(tx WriteTxn, idx uint64, kind, name string, entMeta *structs.EnterpriseMeta) error {
+func deleteConfigEntryTxn(tx WriteTxn, idx uint64, kind, name string, entMeta *acl.EnterpriseMeta) error {
 	q := configentry.NewKindName(kind, name, entMeta)
 	existing, err := tx.First(tableConfigEntries, indexID, q)
 	if err != nil {
@ -423,7 +424,7 @@ var serviceGraphKinds = []string{
 }
 // discoveryChainTargets will return a list of services listed as a target for the input's discovery chain
-func (s *Store) discoveryChainTargetsTxn(tx ReadTxn, ws memdb.WatchSet, dc, service string, entMeta *structs.EnterpriseMeta) (uint64, []structs.ServiceName, error) {
+func (s *Store) discoveryChainTargetsTxn(tx ReadTxn, ws memdb.WatchSet, dc, service string, entMeta *acl.EnterpriseMeta) (uint64, []structs.ServiceName, error) {
 	source := structs.NewServiceName(service, entMeta)
 	req := discoverychain.CompileRequest{
 		ServiceName:          source.Name,
@ -438,7 +439,7 @@ func (s *Store) discoveryChainTargetsTxn(tx ReadTxn, ws memdb.WatchSet, dc, serv
 	var resp []structs.ServiceName
 	for _, t := range chain.Targets {
-		em := structs.NewEnterpriseMetaWithPartition(entMeta.PartitionOrDefault(), t.Namespace)
+		em := acl.NewEnterpriseMetaWithPartition(entMeta.PartitionOrDefault(), t.Namespace)
 		target := structs.NewServiceName(t.Service, &em)
 		// TODO (freddy): Allow upstream DC and encode in response
@ -494,7 +495,7 @@ func (s *Store) discoveryChainSourcesTxn(tx ReadTxn, ws memdb.WatchSet, dc strin
 		}
 		for _, t := range chain.Targets {
-			em := structs.NewEnterpriseMetaWithPartition(sn.PartitionOrDefault(), t.Namespace)
+			em := acl.NewEnterpriseMetaWithPartition(sn.PartitionOrDefault(), t.Namespace)
 			candidate := structs.NewServiceName(t.Service, &em)
 			if !candidate.Matches(destination) {
@ -740,7 +741,7 @@ func testCompileDiscoveryChain(
 	tx ReadTxn,
 	chainName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (string, *structs.DiscoveryGraphNode, error) {
 	_, speculativeEntries, err := readDiscoveryChainConfigEntriesTxn(tx, nil, chainName, overrides, entMeta)
 	if err != nil {
@ -770,7 +771,7 @@ func testCompileDiscoveryChain(
 func (s *Store) ServiceDiscoveryChain(
 	ws memdb.WatchSet,
 	serviceName string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	req discoverychain.CompileRequest,
 ) (uint64, *structs.CompiledDiscoveryChain, *configentry.DiscoveryChainSet, error) {
 	tx := s.db.ReadTxn()
@ -783,7 +784,7 @@ func (s *Store) serviceDiscoveryChainTxn(
 	tx ReadTxn,
 	ws memdb.WatchSet,
 	serviceName string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	req discoverychain.CompileRequest,
 ) (uint64, *structs.CompiledDiscoveryChain, *configentry.DiscoveryChainSet, error) {
@ -821,7 +822,7 @@ func (s *Store) serviceDiscoveryChainTxn(
 func (s *Store) ReadResolvedServiceConfigEntries(
 	ws memdb.WatchSet,
 	serviceName string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 	upstreamIDs []structs.ServiceID,
 	proxyMode structs.ProxyMode,
 ) (uint64, *configentry.ResolvedServiceConfigSet, error) {
@ -941,7 +942,7 @@ func (s *Store) ReadResolvedServiceConfigEntries(
 func (s *Store) ReadDiscoveryChainConfigEntries(
 	ws memdb.WatchSet,
 	serviceName string,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *configentry.DiscoveryChainSet, error) {
 	return s.readDiscoveryChainConfigEntries(ws, serviceName, nil, entMeta)
 }
@ -960,7 +961,7 @@ func (s *Store) readDiscoveryChainConfigEntries(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *configentry.DiscoveryChainSet, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -972,7 +973,7 @@ func readDiscoveryChainConfigEntriesTxn(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *configentry.DiscoveryChainSet, error) {
 	res := configentry.NewDiscoveryChainSet()
@ -1179,7 +1180,7 @@ func getProxyConfigEntryTxn(
 	ws memdb.WatchSet,
 	name string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ProxyConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ProxyDefaults, name, overrides, entMeta)
 	if err != nil {
@ -1204,7 +1205,7 @@ func getServiceConfigEntryTxn(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ServiceDefaults, serviceName, overrides, entMeta)
 	if err != nil {
@ -1229,7 +1230,7 @@ func getRouterConfigEntryTxn(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceRouterConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ServiceRouter, serviceName, overrides, entMeta)
 	if err != nil {
@ -1254,7 +1255,7 @@ func getSplitterConfigEntryTxn(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceSplitterConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ServiceSplitter, serviceName, overrides, entMeta)
 	if err != nil {
@ -1279,7 +1280,7 @@ func getResolverConfigEntryTxn(
 	ws memdb.WatchSet,
 	serviceName string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceResolverConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ServiceResolver, serviceName, overrides, entMeta)
 	if err != nil {
@ -1304,7 +1305,7 @@ func getServiceIntentionsConfigEntryTxn(
 	ws memdb.WatchSet,
 	name string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, *structs.ServiceIntentionsConfigEntry, error) {
 	idx, entry, err := configEntryWithOverridesTxn(tx, ws, structs.ServiceIntentions, name, overrides, entMeta)
 	if err != nil {
@ -1326,7 +1327,7 @@ func configEntryWithOverridesTxn(
 	kind string,
 	name string,
 	overrides map[configentry.KindName]structs.ConfigEntry,
-	entMeta *structs.EnterpriseMeta,
+	entMeta *acl.EnterpriseMeta,
 ) (uint64, structs.ConfigEntry, error) {
 	if len(overrides) > 0 {
 		kn := configentry.NewKindName(kind, name, entMeta)
@ -1389,7 +1390,7 @@ func newConfigEntryQuery(c structs.ConfigEntry) configentry.KindName {
 // ConfigEntryKindQuery is used to lookup config entries by their kind.
 type ConfigEntryKindQuery struct {
 	Kind string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
--- a/agent/consul/state/config_entry_intention.go
+++ b/agent/consul/state/config_entry_intention.go
@ -6,6 +6,7 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -123,7 +124,7 @@ func (s *ServiceIntentionSourceIndex) FromArgs(args ...interface{}) ([]byte, err
 	return []byte(arg.String() + "\x00"), nil
 }
-func configIntentionsListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
+func configIntentionsListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
 	// unrolled part of configEntriesByKindTxn
 	idx := maxIndexTxn(tx, tableConfigEntries)
@ -238,7 +239,7 @@ func configIntentionMatchOneTxn(
 	}
 }
-func readSourceIntentionsFromConfigEntriesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, error) {
+func readSourceIntentionsFromConfigEntriesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, error) {
 	idx := maxIndexTxn(tx, tableConfigEntries)
 	var (
@ -262,7 +263,7 @@ func readSourceIntentionsFromConfigEntriesTxn(tx ReadTxn, ws memdb.WatchSet, ser
 	return idx, results, nil
 }
-func readSourceIntentionsFromConfigEntriesForServiceTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta, results structs.Intentions) (structs.Intentions, error) {
+func readSourceIntentionsFromConfigEntriesForServiceTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta, results structs.Intentions) (structs.Intentions, error) {
 	sn := structs.NewServiceName(serviceName, entMeta)
 	iter, err := tx.Get(tableConfigEntries, indexSource, sn)
@ -283,7 +284,7 @@ func readSourceIntentionsFromConfigEntriesForServiceTxn(tx ReadTxn, ws memdb.Wat
 	return results, nil
 }
-func readDestinationIntentionsFromConfigEntriesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, error) {
+func readDestinationIntentionsFromConfigEntriesTxn(tx ReadTxn, ws memdb.WatchSet, serviceName string, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, error) {
 	idx := maxIndexTxn(tx, tableConfigEntries)
 	var results structs.Intentions
--- a/agent/consul/state/config_entry_intention_oss.go
+++ b/agent/consul/state/config_entry_intention_oss.go
@ -4,10 +4,11 @@
 package state
 import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
-func getIntentionPrecedenceMatchServiceNames(serviceName string, entMeta *structs.EnterpriseMeta) []structs.ServiceName {
+func getIntentionPrecedenceMatchServiceNames(serviceName string, entMeta *acl.EnterpriseMeta) []structs.ServiceName {
 	if serviceName == structs.WildcardSpecifier {
 		return []structs.ServiceName{
 			structs.NewServiceName(structs.WildcardSpecifier, entMeta),
--- a/agent/consul/state/config_entry_oss.go
+++ b/agent/consul/state/config_entry_oss.go
@ -9,6 +9,7 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -17,9 +18,9 @@ func indexFromConfigEntryKindName(arg interface{}) ([]byte, error) {
 	var b indexBuilder
 	switch n := arg.(type) {
-	case *structs.EnterpriseMeta:
+	case *acl.EnterpriseMeta:
 		return nil, nil
-	case structs.EnterpriseMeta:
+	case acl.EnterpriseMeta:
 		return b.Bytes(), nil
 	case ConfigEntryKindQuery:
 		b.String(strings.ToLower(n.Kind))
@ -37,7 +38,7 @@ func validateConfigEntryEnterprise(_ ReadTxn, _ structs.ConfigEntry) error {
 	return nil
 }
-func getAllConfigEntriesWithTxn(tx ReadTxn, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func getAllConfigEntriesWithTxn(tx ReadTxn, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableConfigEntries, indexID)
 }
@ -45,11 +46,11 @@ func getAllConfigEntriesByKindWithTxn(tx ReadTxn, kind string) (memdb.ResultIter
 	return getConfigEntryKindsWithTxn(tx, kind, nil)
 }
-func getConfigEntryKindsWithTxn(tx ReadTxn, kind string, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func getConfigEntryKindsWithTxn(tx ReadTxn, kind string, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	return tx.Get(tableConfigEntries, indexID+"_prefix", ConfigEntryKindQuery{Kind: kind})
 }
-func configIntentionsConvertToList(iter memdb.ResultIterator, _ *structs.EnterpriseMeta) structs.Intentions {
+func configIntentionsConvertToList(iter memdb.ResultIterator, _ *acl.EnterpriseMeta) structs.Intentions {
 	var results structs.Intentions
 	for v := iter.Next(); v != nil; v = iter.Next() {
 		entry := v.(*structs.ServiceIntentionsConfigEntry)
--- a/agent/consul/state/config_entry_oss_test.go
+++ b/agent/consul/state/config_entry_oss_test.go
@ -4,6 +4,7 @@
 package state
 import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/configentry"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -24,7 +25,7 @@ func testIndexerTableConfigEntries() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
--- a/agent/consul/state/coordinate.go
+++ b/agent/consul/state/coordinate.go
@ -6,6 +6,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib"
 )
@ -66,7 +67,7 @@ type CoordinateQuery struct {
 }
 func (c CoordinateQuery) PartitionOrDefault() string {
-	return structs.PartitionOrDefault(c.Partition)
+	return acl.PartitionOrDefault(c.Partition)
 }
 // coordinatesTableSchema returns a new table schema used for storing
@ -128,7 +129,7 @@ func (s *Restore) Coordinates(idx uint64, updates structs.Coordinates) error {
 // Coordinate returns a map of coordinates for the given node, indexed by
 // network segment.
-func (s *Store) Coordinate(ws memdb.WatchSet, node string, entMeta *structs.EnterpriseMeta) (uint64, lib.CoordinateSet, error) {
+func (s *Store) Coordinate(ws memdb.WatchSet, node string, entMeta *acl.EnterpriseMeta) (uint64, lib.CoordinateSet, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -157,7 +158,7 @@ func (s *Store) Coordinate(ws memdb.WatchSet, node string, entMeta *structs.Ente
 }
 // Coordinates queries for all nodes with coordinates.
-func (s *Store) Coordinates(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Coordinates, error) {
+func (s *Store) Coordinates(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Coordinates, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
--- a/agent/consul/state/coordinate_oss.go
+++ b/agent/consul/state/coordinate_oss.go
@ -6,14 +6,15 @@ package state
 import (
 	"fmt"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
-func coordinatesMaxIndex(tx ReadTxn, entMeta *structs.EnterpriseMeta) uint64 {
+func coordinatesMaxIndex(tx ReadTxn, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableCoordinates)
 }
-func updateCoordinatesIndexes(tx WriteTxn, idx uint64, entMeta *structs.EnterpriseMeta) error {
+func updateCoordinatesIndexes(tx WriteTxn, idx uint64, entMeta *acl.EnterpriseMeta) error {
 	// Update the index.
 	if err := indexUpdateMaxTxn(tx, idx, tableCoordinates); err != nil {
 		return fmt.Errorf("failed updating index: %s", err)
--- a/agent/consul/state/coordinate_oss_test.go
+++ b/agent/consul/state/coordinate_oss_test.go
@ -3,7 +3,10 @@
 package state
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 func testIndexerTableCoordinates() map[string]indexerTestCase {
 	return map[string]indexerTestCase{
@ -24,11 +27,11 @@ func testIndexerTableCoordinates() map[string]indexerTestCase {
 			},
 			prefix: []indexValue{
 				{
-					source:   (*structs.EnterpriseMeta)(nil),
+					source:   (*acl.EnterpriseMeta)(nil),
 					expected: nil,
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
--- a/agent/consul/state/delay_oss.go
+++ b/agent/consul/state/delay_oss.go
@ -4,9 +4,10 @@
 package state
 import (
 	"github.com/hashicorp/consul/agent/structs"
 	"sync"
 	"time"
 	"github.com/hashicorp/consul/acl"
 )
 // Delay is used to mark certain locks as unacquirable. When a lock is
@ -36,7 +37,7 @@ func NewDelay() *Delay {
 // GetExpiration returns the expiration time of a key lock delay. This must be
 // checked on the leader node, and not in KVSLock due to the variability of
 // clocks.
-func (d *Delay) GetExpiration(key string, entMeta *structs.EnterpriseMeta) time.Time {
+func (d *Delay) GetExpiration(key string, entMeta *acl.EnterpriseMeta) time.Time {
 	d.lock.RLock()
 	expires := d.delay[key]
 	d.lock.RUnlock()
@ -45,7 +46,7 @@ func (d *Delay) GetExpiration(key string, entMeta *structs.EnterpriseMeta) time.
 // SetExpiration sets the expiration time for the lock delay to the given
 // delay from the given now time.
-func (d *Delay) SetExpiration(key string, now time.Time, delay time.Duration, entMeta *structs.EnterpriseMeta) {
+func (d *Delay) SetExpiration(key string, now time.Time, delay time.Duration, entMeta *acl.EnterpriseMeta) {
 	d.lock.Lock()
 	defer d.lock.Unlock()
--- a/agent/consul/state/graveyard.go
+++ b/agent/consul/state/graveyard.go
@ -5,7 +5,7 @@ import (
 	"github.com/hashicorp/go-memdb"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 // Tombstone is the internal type used to track tombstones.
@ -13,7 +13,7 @@ type Tombstone struct {
 	Key   string
 	Index uint64
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (t Tombstone) IDValue() string {
@ -33,7 +33,7 @@ func NewGraveyard(gc *TombstoneGC) *Graveyard {
 }
 // InsertTxn adds a new tombstone.
-func (g *Graveyard) InsertTxn(tx WriteTxn, key string, idx uint64, entMeta *structs.EnterpriseMeta) error {
+func (g *Graveyard) InsertTxn(tx WriteTxn, key string, idx uint64, entMeta *acl.EnterpriseMeta) error {
 	stone := &Tombstone{
 		Key:   key,
 		Index: idx,
--- a/agent/consul/state/graveyard_oss.go
+++ b/agent/consul/state/graveyard_oss.go
@ -6,6 +6,7 @@ package state
 import (
 	"fmt"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -28,7 +29,7 @@ func (g *Graveyard) insertTombstoneWithTxn(tx WriteTxn, _ string, stone *Tombsto
 // GetMaxIndexTxn returns the highest index tombstone whose key matches the
 // given context, using a prefix match.
-func (g *Graveyard) GetMaxIndexTxn(tx ReadTxn, prefix string, _ *structs.EnterpriseMeta) (uint64, error) {
+func (g *Graveyard) GetMaxIndexTxn(tx ReadTxn, prefix string, _ *acl.EnterpriseMeta) (uint64, error) {
 	var lindex uint64
 	q := Query{Value: prefix, EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition()}
 	stones, err := tx.Get(tableTombstones, indexID+"_prefix", q)
--- a/agent/consul/state/indexer.go
+++ b/agent/consul/state/indexer.go
@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -196,7 +197,7 @@ func (b *indexBuilder) Bool(v bool) {
 type TimeQuery struct {
 	Value time.Time
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
--- a/agent/consul/state/intention.go
+++ b/agent/consul/state/intention.go
@ -150,7 +150,7 @@ func areIntentionsInConfigEntries(tx ReadTxn, ws memdb.WatchSet) (bool, error) {
 // LegacyIntentions is like Intentions() but only returns legacy intentions.
 // This is exposed for migration purposes.
-func (s *Store) LegacyIntentions(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, error) {
+func (s *Store) LegacyIntentions(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -159,7 +159,7 @@ func (s *Store) LegacyIntentions(ws memdb.WatchSet, entMeta *structs.EnterpriseM
 }
 // Intentions returns the list of all intentions. The boolean response value is true if it came from config entries.
-func (s *Store) Intentions(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
+func (s *Store) Intentions(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -173,7 +173,7 @@ func (s *Store) Intentions(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (
 	return configIntentionsListTxn(tx, ws, entMeta)
 }
-func legacyIntentionsListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
+func legacyIntentionsListTxn(tx ReadTxn, ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Intentions, bool, error) {
 	// Get the index
 	idx := maxIndexTxn(tx, tableConnectIntentions)
 	if idx < 1 {
--- a/agent/consul/state/intention_oss.go
+++ b/agent/consul/state/intention_oss.go
@ -6,10 +6,10 @@ package state
 import (
 	memdb "github.com/hashicorp/go-memdb"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
-func intentionListTxn(tx ReadTxn, _ *structs.EnterpriseMeta) (memdb.ResultIterator, error) {
+func intentionListTxn(tx ReadTxn, _ *acl.EnterpriseMeta) (memdb.ResultIterator, error) {
 	// Get all intentions
 	return tx.Get(tableConnectIntentions, "id")
 }
--- a/agent/consul/state/kvs.go
+++ b/agent/consul/state/kvs.go
@ -6,6 +6,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -176,7 +177,7 @@ func kvsSetTxn(tx WriteTxn, idx uint64, entry *structs.DirEntry, updateSession b
 }
 // KVSGet is used to retrieve a key/value pair from the state store.
-func (s *Store) KVSGet(ws memdb.WatchSet, key string, entMeta *structs.EnterpriseMeta) (uint64, *structs.DirEntry, error) {
+func (s *Store) KVSGet(ws memdb.WatchSet, key string, entMeta *acl.EnterpriseMeta) (uint64, *structs.DirEntry, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -191,7 +192,7 @@ func (s *Store) KVSGet(ws memdb.WatchSet, key string, entMeta *structs.Enterpris
 // kvsGetTxn is the inner method that gets a KVS entry inside an existing
 // transaction.
 func kvsGetTxn(tx ReadTxn,
-	ws memdb.WatchSet, key string, entMeta structs.EnterpriseMeta) (uint64, *structs.DirEntry, error) {
+	ws memdb.WatchSet, key string, entMeta acl.EnterpriseMeta) (uint64, *structs.DirEntry, error) {
 	// Get the table index.
 	idx := kvsMaxIndex(tx, entMeta)
@ -212,7 +213,7 @@ func kvsGetTxn(tx ReadTxn,
 // is the max index of the returned kvs entries or applicable tombstones, or
 // else it's the full table indexes for kvs and tombstones.
 func (s *Store) KVSList(ws memdb.WatchSet,
-	prefix string, entMeta *structs.EnterpriseMeta) (uint64, structs.DirEntries, error) {
+	prefix string, entMeta *acl.EnterpriseMeta) (uint64, structs.DirEntries, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -228,7 +229,7 @@ func (s *Store) KVSList(ws memdb.WatchSet,
 // kvsListTxn is the inner method that gets a list of KVS entries matching a
 // prefix.
 func (s *Store) kvsListTxn(tx ReadTxn,
-	ws memdb.WatchSet, prefix string, entMeta structs.EnterpriseMeta) (uint64, structs.DirEntries, error) {
+	ws memdb.WatchSet, prefix string, entMeta acl.EnterpriseMeta) (uint64, structs.DirEntries, error) {
 	// Get the table indexes.
 	idx := kvsMaxIndex(tx, entMeta)
@ -262,7 +263,7 @@ func (s *Store) kvsListTxn(tx ReadTxn,
 // KVSDelete is used to perform a shallow delete on a single key in the
 // the state store.
-func (s *Store) KVSDelete(idx uint64, key string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) KVSDelete(idx uint64, key string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -276,7 +277,7 @@ func (s *Store) KVSDelete(idx uint64, key string, entMeta *structs.EnterpriseMet
 // kvsDeleteTxn is the inner method used to perform the actual deletion
 // of a key/value pair within an existing transaction.
-func (s *Store) kvsDeleteTxn(tx WriteTxn, idx uint64, key string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) kvsDeleteTxn(tx WriteTxn, idx uint64, key string, entMeta *acl.EnterpriseMeta) error {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -303,7 +304,7 @@ func (s *Store) kvsDeleteTxn(tx WriteTxn, idx uint64, key string, entMeta *struc
 // raft index. If the CAS index specified is not equal to the last
 // observed index for the given key, then the call is a noop, otherwise
 // a normal KV delete is invoked.
-func (s *Store) KVSDeleteCAS(idx, cidx uint64, key string, entMeta *structs.EnterpriseMeta) (bool, error) {
+func (s *Store) KVSDeleteCAS(idx, cidx uint64, key string, entMeta *acl.EnterpriseMeta) (bool, error) {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -318,7 +319,7 @@ func (s *Store) KVSDeleteCAS(idx, cidx uint64, key string, entMeta *structs.Ente
 // kvsDeleteCASTxn is the inner method that does a CAS delete within an existing
 // transaction.
-func (s *Store) kvsDeleteCASTxn(tx WriteTxn, idx, cidx uint64, key string, entMeta *structs.EnterpriseMeta) (bool, error) {
+func (s *Store) kvsDeleteCASTxn(tx WriteTxn, idx, cidx uint64, key string, entMeta *acl.EnterpriseMeta) (bool, error) {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
 	}
@ -390,7 +391,7 @@ func kvsSetCASTxn(tx WriteTxn, idx uint64, entry *structs.DirEntry) (bool, error
 // KVSDeleteTree is used to do a recursive delete on a key prefix
 // in the state store. If any keys are modified, the last index is
 // set, otherwise this is a no-op.
-func (s *Store) KVSDeleteTree(idx uint64, prefix string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) KVSDeleteTree(idx uint64, prefix string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -403,7 +404,7 @@ func (s *Store) KVSDeleteTree(idx uint64, prefix string, entMeta *structs.Enterp
 // KVSLockDelay returns the expiration time for any lock delay associated with
 // the given key.
-func (s *Store) KVSLockDelay(key string, entMeta *structs.EnterpriseMeta) time.Time {
+func (s *Store) KVSLockDelay(key string, entMeta *acl.EnterpriseMeta) time.Time {
 	return s.lockDelay.GetExpiration(key, entMeta)
 }
@ -527,7 +528,7 @@ func kvsUnlockTxn(tx WriteTxn, idx uint64, entry *structs.DirEntry) (bool, error
 // kvsCheckSessionTxn checks to see if the given session matches the current
 // entry for a key.
 func kvsCheckSessionTxn(tx WriteTxn,
-	key string, session string, entMeta *structs.EnterpriseMeta) (*structs.DirEntry, error) {
+	key string, session string, entMeta *acl.EnterpriseMeta) (*structs.DirEntry, error) {
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
@ -552,7 +553,7 @@ func kvsCheckSessionTxn(tx WriteTxn,
 // kvsCheckIndexTxn checks to see if the given modify index matches the current
 // entry for a key.
 func kvsCheckIndexTxn(tx WriteTxn,
-	key string, cidx uint64, entMeta structs.EnterpriseMeta) (*structs.DirEntry, error) {
+	key string, cidx uint64, entMeta acl.EnterpriseMeta) (*structs.DirEntry, error) {
 	entry, err := tx.First(tableKVs, indexID, Query{Value: key, EnterpriseMeta: entMeta})
 	if err != nil {
--- a/agent/consul/state/kvs_oss.go
+++ b/agent/consul/state/kvs_oss.go
@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -25,7 +26,7 @@ func prefixIndexForIDValue(arg interface{}) ([]byte, error) {
 	// DeletePrefix always uses a string, pass it along unmodified
 	case string:
 		return []byte(v), nil
-	case structs.EnterpriseMeta:
+	case acl.EnterpriseMeta:
 		return nil, nil
 	case singleValueID:
 		var b indexBuilder
@ -56,7 +57,7 @@ func insertKVTxn(tx WriteTxn, entry *structs.DirEntry, updateMax bool, _ bool) e
 	return nil
 }
-func kvsListEntriesTxn(tx ReadTxn, ws memdb.WatchSet, prefix string, entMeta structs.EnterpriseMeta) (uint64, structs.DirEntries, error) {
+func kvsListEntriesTxn(tx ReadTxn, ws memdb.WatchSet, prefix string, entMeta acl.EnterpriseMeta) (uint64, structs.DirEntries, error) {
 	var ents structs.DirEntries
 	var lindex uint64
@ -79,7 +80,7 @@ func kvsListEntriesTxn(tx ReadTxn, ws memdb.WatchSet, prefix string, entMeta str
 // kvsDeleteTreeTxn is the inner method that does a recursive delete inside an
 // existing transaction.
-func (s *Store) kvsDeleteTreeTxn(tx WriteTxn, idx uint64, prefix string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) kvsDeleteTreeTxn(tx WriteTxn, idx uint64, prefix string, entMeta *acl.EnterpriseMeta) error {
 	// For prefix deletes, only insert one tombstone and delete the entire subtree
 	deleted, err := tx.DeletePrefix(tableKVs, indexID+"_prefix", prefix)
 	if err != nil {
@ -100,7 +101,7 @@ func (s *Store) kvsDeleteTreeTxn(tx WriteTxn, idx uint64, prefix string, entMeta
 	return nil
 }
-func kvsMaxIndex(tx ReadTxn, entMeta structs.EnterpriseMeta) uint64 {
+func kvsMaxIndex(tx ReadTxn, entMeta acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, "kvs", "tombstones")
 }
--- a/agent/consul/state/kvs_oss_test.go
+++ b/agent/consul/state/kvs_oss_test.go
@ -3,7 +3,10 @@
 package state
-import "github.com/hashicorp/consul/agent/structs"
+import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
 func testIndexerTableKVs() map[string]indexerTestCase {
 	return map[string]indexerTestCase{
@ -22,7 +25,7 @@ func testIndexerTableKVs() map[string]indexerTestCase {
 					expected: []byte("indexString"),
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
@ -51,7 +54,7 @@ func testIndexerTableTombstones() map[string]indexerTestCase {
 					expected: []byte("indexString"),
 				},
 				{
-					source:   structs.EnterpriseMeta{},
+					source:   acl.EnterpriseMeta{},
 					expected: nil,
 				},
 				{
--- a/agent/consul/state/operations_oss.go
+++ b/agent/consul/state/operations_oss.go
@ -6,11 +6,11 @@ package state
 import (
 	"github.com/hashicorp/go-memdb"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 func getCompoundWithTxn(tx ReadTxn, table, index string,
-	_ *structs.EnterpriseMeta, idxVals ...interface{}) (memdb.ResultIterator, error) {
+	_ *acl.EnterpriseMeta, idxVals ...interface{}) (memdb.ResultIterator, error) {
 	return tx.Get(table, index, idxVals...)
 }
--- a/agent/consul/state/query.go
+++ b/agent/consul/state/query.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -12,7 +13,7 @@ import (
 // enterprise identifier.
 type Query struct {
 	Value string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (q Query) IDValue() string {
@ -33,7 +34,7 @@ func (q Query) PartitionOrDefault() string {
 type MultiQuery struct {
 	Value []string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 func (q MultiQuery) IDValue() []string {
@ -118,7 +119,7 @@ func parseUUIDString(uuid string) ([]byte, error) {
 // enterprise identifier.
 type BoolQuery struct {
 	Value bool
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
@ -138,7 +139,7 @@ func (q BoolQuery) PartitionOrDefault() string {
 type KeyValueQuery struct {
 	Key   string
 	Value string
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
@ -168,8 +169,8 @@ func indexFromKeyValueQuery(arg interface{}) ([]byte, error) {
 type AuthMethodQuery struct {
 	Value             string
-	AuthMethodEntMeta structs.EnterpriseMeta
+	AuthMethodEntMeta acl.EnterpriseMeta
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NamespaceOrDefault exists because structs.EnterpriseMeta uses a pointer
--- a/agent/consul/state/query_oss.go
+++ b/agent/consul/state/query_oss.go
@ -7,15 +7,15 @@ import (
 	"fmt"
 	"strings"
-	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/acl"
 )
 func prefixIndexFromQuery(arg interface{}) ([]byte, error) {
 	var b indexBuilder
 	switch v := arg.(type) {
-	case *structs.EnterpriseMeta:
+	case *acl.EnterpriseMeta:
 		return nil, nil
-	case structs.EnterpriseMeta:
+	case acl.EnterpriseMeta:
 		return nil, nil
 	case Query:
 		if v.Value == "" {
--- a/agent/consul/state/schema_oss.go
+++ b/agent/consul/state/schema_oss.go
@ -3,12 +3,12 @@
 package state
-import "github.com/hashicorp/consul/agent/structs"
+import "github.com/hashicorp/consul/acl"
 func partitionedIndexEntryName(entry string, _ string) string {
 	return entry
 }
-func partitionedAndNamespacedIndexEntryName(entry string, _ *structs.EnterpriseMeta) string {
+func partitionedAndNamespacedIndexEntryName(entry string, _ *acl.EnterpriseMeta) string {
 	return entry
 }
--- a/agent/consul/state/session.go
+++ b/agent/consul/state/session.go
@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -291,7 +292,7 @@ func sessionCreateTxn(tx WriteTxn, idx uint64, sess *structs.Session) error {
 // SessionGet is used to retrieve an active session from the state store.
 func (s *Store) SessionGet(ws memdb.WatchSet,
-	sessionID string, entMeta *structs.EnterpriseMeta) (uint64, *structs.Session, error) {
+	sessionID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.Session, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -318,7 +319,7 @@ func (s *Store) SessionGet(ws memdb.WatchSet,
 // NodeSessions returns a set of active sessions associated
 // with the given node ID. The returned index is the highest
 // index seen from the result set.
-func (s *Store) NodeSessions(ws memdb.WatchSet, nodeID string, entMeta *structs.EnterpriseMeta) (uint64, structs.Sessions, error) {
+func (s *Store) NodeSessions(ws memdb.WatchSet, nodeID string, entMeta *acl.EnterpriseMeta) (uint64, structs.Sessions, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -336,7 +337,7 @@ func (s *Store) NodeSessions(ws memdb.WatchSet, nodeID string, entMeta *structs.
 // SessionDestroy is used to remove an active session. This will
 // implicitly invalidate the session and invoke the specified
 // session destroy behavior.
-func (s *Store) SessionDestroy(idx uint64, sessionID string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) SessionDestroy(idx uint64, sessionID string, entMeta *acl.EnterpriseMeta) error {
 	tx := s.db.WriteTxn(idx)
 	defer tx.Abort()
@ -350,7 +351,7 @@ func (s *Store) SessionDestroy(idx uint64, sessionID string, entMeta *structs.En
 // deleteSessionTxn is the inner method, which is used to do the actual
 // session deletion and handle session invalidation, etc.
-func (s *Store) deleteSessionTxn(tx WriteTxn, idx uint64, sessionID string, entMeta *structs.EnterpriseMeta) error {
+func (s *Store) deleteSessionTxn(tx WriteTxn, idx uint64, sessionID string, entMeta *acl.EnterpriseMeta) error {
 	// Look up the session.
 	if entMeta == nil {
 		entMeta = structs.DefaultEnterpriseMetaInDefaultPartition()
--- a/agent/consul/state/session_oss.go
+++ b/agent/consul/state/session_oss.go
@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
 )
@ -121,7 +122,7 @@ func allNodeSessionsTxn(tx ReadTxn, node string, _ string) (structs.Sessions, er
 }
 func nodeSessionsTxn(tx ReadTxn,
-	ws memdb.WatchSet, node string, entMeta *structs.EnterpriseMeta) (structs.Sessions, error) {
+	ws memdb.WatchSet, node string, entMeta *acl.EnterpriseMeta) (structs.Sessions, error) {
 	sessions, err := tx.Get(tableSessions, indexNode, Query{Value: node})
 	if err != nil {
@ -136,7 +137,7 @@ func nodeSessionsTxn(tx ReadTxn,
 	return result, nil
 }
-func sessionMaxIndex(tx ReadTxn, entMeta *structs.EnterpriseMeta) uint64 {
+func sessionMaxIndex(tx ReadTxn, entMeta *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, "sessions")
 }
@ -161,7 +162,7 @@ func validateSessionChecksTxn(tx ReadTxn, session *structs.Session) error {
 }
 // SessionList returns a slice containing all of the active sessions.
-func (s *Store) SessionList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta) (uint64, structs.Sessions, error) {
+func (s *Store) SessionList(ws memdb.WatchSet, entMeta *acl.EnterpriseMeta) (uint64, structs.Sessions, error) {
 	tx := s.db.Txn(false)
 	defer tx.Abort()
@ -184,7 +185,7 @@ func (s *Store) SessionList(ws memdb.WatchSet, entMeta *structs.EnterpriseMeta)
 	return idx, result, nil
 }
-func maxIndexTxnSessions(tx *memdb.Txn, _ *structs.EnterpriseMeta) uint64 {
+func maxIndexTxnSessions(tx *memdb.Txn, _ *acl.EnterpriseMeta) uint64 {
 	return maxIndexTxn(tx, tableSessions)
 }
--- a/agent/consul/state/state_store.go
+++ b/agent/consul/state/state_store.go
@ -8,6 +8,7 @@ import (
 	memdb "github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/consul/stream"
 	"github.com/hashicorp/consul/agent/structs"
 )
@ -143,7 +144,7 @@ type sessionCheck struct {
 	Session string
 	CheckID structs.CheckID
-	structs.EnterpriseMeta
+	acl.EnterpriseMeta
 }
 // NewStateStore creates a new in-memory state storage layer.
--- a/agent/consul/state/state_store_test.go
+++ b/agent/consul/state/state_store_test.go
@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/go-memdb"
 	"github.com/stretchr/testify/require"
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/types"
 )
@ -229,7 +230,7 @@ func testRegisterConnectNativeService(t *testing.T, s *Store, idx uint64, nodeID
 	require.NoError(t, s.EnsureService(idx, nodeID, svc))
 }
-func testSetKey(t *testing.T, s *Store, idx uint64, key, value string, entMeta *structs.EnterpriseMeta) {
+func testSetKey(t *testing.T, s *Store, idx uint64, key, value string, entMeta *acl.EnterpriseMeta) {
 	entry := &structs.DirEntry{
 		Key:   key,
 		Value: []byte(value),
--- a/Show More
+++ b/Show More