Introduction
Consul Guardian watches your Consul KV store in real-time, commits every change to Git, takes scheduled snapshots, detects configuration drift, and restores individual keys to any point in time. It ships with a 10-page web dashboard for visual management.
The problem
Consul KV has no version history. If someone changes a config value and your service breaks at 3am, you have no way to see what the previous value was, who changed it, or when. HashiCorp rejected this feature request with 60+ upvotes.
Automated snapshot backups exist -- but only behind the Enterprise license paywall. The open-source community tools that tried to fill this gap are either abandoned (git2consul, unmaintained since 2020) or limited to one-time exports (consul-backinator, no updates since 2020).
Consul Guardian fills these gaps as a free, open-source tool.
Key features
- Real-time KV-to-Git sync -- Every KV change is committed to a Git repository with full history. Browse changes with
git log, diff withgit diff, restore withgit checkout. - Scheduled snapshots -- Full cluster snapshots (KV, ACLs, sessions, catalog) stored on local disk or S3 with configurable retention.
- Drift detection -- Compare the desired state in Git against the live state in Consul. Find keys that are missing, extra, or drifted. Exits non-zero for CI/CD pipelines.
- Selective restore -- Restore a single key, a prefix, or the entire KV store from Git history. Uses CAS (Check-And-Set) to prevent overwriting concurrent changes.
- Web dashboard -- 10-page React UI with real-time WebSocket updates. Browse keys, view diffs, trigger snapshots, detect drift, and restore configs.
- Alerting -- Slack and webhook notifications when keys change, drift is detected, or errors occur.
Who is it for
- Platform teams running Consul in production who need an audit trail for config changes.
- SREs who want to restore a bad config change without digging through deployment logs.
- Developers who use Consul KV for feature flags or service configuration and want visibility into what changed and when.
- Organizations on Consul Community Edition that need automated backups without paying for Enterprise.
Comparison
| Feature | consul snapshot | consul-backinator | git2consul | Consul Guardian |
|---|---|---|---|---|
| Automated backup | Enterprise only | No | N/A | Free |
| Git sync | No | No | One-way (dead) | Bidirectional |
| Version history | No | No | No | Full (Git) |
| Selective restore | No | Partial | N/A | CAS-based |
| Drift detection | No | No | No | Yes |
| Web dashboard | Consul UI only | No | No | 10-page UI |
| Actively maintained | Yes | No (since 2020) | No | Yes |