diff --git a/REFERENCE.md b/REFERENCE.md
index cea8beaf..fa462a44 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -17,6 +17,7 @@
 ### Defined types
 
 * [`bacula::director::client`](#bacula--director--client): Define a Bacula Director Client
+* [`bacula::director::console`](#bacula--director--console): Define a Bacula Director Console
 * [`bacula::director::fileset`](#bacula--director--fileset): Configure a Bacula Director Fileset
 * [`bacula::director::job`](#bacula--director--job): Configure a Bacula Director Job
 * [`bacula::director::pool`](#bacula--director--pool): Configure a Bacula Director Pool
@@ -1007,6 +1008,143 @@ The path to the bacula configuration directory
 
 Default value: `$bacula::conf_dir`
 
+### <a name="bacula--director--console"></a>`bacula::director::console`
+
+This define creates a console declaration for the director.
+Resources of this type are intended to manage conf.d/console.conf entries.
+
+Aside from Director resource names and console command names,
+the special keyword *all* can be specified in any of the above access control lists.
+When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+
+#### Examples
+
+##### 
+
+```puppet
+bacula::director::console { 'Monitoring':
+  password     => 'monitoring_password',
+}
+```
+
+#### Parameters
+
+The following parameters are available in the `bacula::director::console` defined type:
+
+* [`conf_dir`](#-bacula--director--console--conf_dir)
+* [`password`](#-bacula--director--console--password)
+* [`jobacl`](#-bacula--director--console--jobacl)
+* [`clientacl`](#-bacula--director--console--clientacl)
+* [`storageacl`](#-bacula--director--console--storageacl)
+* [`scheduleacl`](#-bacula--director--console--scheduleacl)
+* [`poolacl`](#-bacula--director--console--poolacl)
+* [`filesetacl`](#-bacula--director--console--filesetacl)
+* [`catalogacl`](#-bacula--director--console--catalogacl)
+* [`commandacl`](#-bacula--director--console--commandacl)
+* [`whereacl`](#-bacula--director--console--whereacl)
+
+##### <a name="-bacula--director--console--conf_dir"></a>`conf_dir`
+
+Data type: `String`
+
+The bacula configuration director.  Should not need adjusting
+
+Default value: `$bacula::conf_dir`
+
+##### <a name="-bacula--director--console--password"></a>`password`
+
+Data type: `String[1]`
+
+The password that must be supplied for a named Bacula Console to be authorized
+
+##### <a name="-bacula--director--console--jobacl"></a>`jobacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Job resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--clientacl"></a>`clientacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Client resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--storageacl"></a>`storageacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Storage resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--scheduleacl"></a>`scheduleacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Schedule resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--poolacl"></a>`poolacl`
+
+Data type: `Optional[String[1]]`
+
+A list of Pool resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--filesetacl"></a>`filesetacl`
+
+Data type: `Optional[String[1]]`
+
+A list of FileSet resource names that can be accessed by the console.
+
+Default value: `undef`
+
+##### <a name="-bacula--director--console--catalogacl"></a>`catalogacl`
+
+Data type: `String[1]`
+
+A list of Catalog resource names that can be accessed by the console.
+
+Default value: `'*all*'`
+
+##### <a name="-bacula--director--console--commandacl"></a>`commandacl`
+
+Data type:
+
+```puppet
+Array[Enum[
+      ['add'], ['autodisplay'], ['automount'], ['cancel'], ['cloud'], ['create'], ['delete'], ['disable'], ['enable'], ['estimate'],
+      ['exit'], ['gui'], ['help'], ['label'], ['list'], ['llist'], ['messages'], ['memory'], ['mount'], ['prune'], ['purge'], ['query'],
+      ['quit'], ['relabel'], ['release'], ['reload'], ['restart'], ['resume'], ['restore'], ['run'], ['setbandwidth'], ['setdebug'],
+      ['setip'], ['show'], ['sqlquery'], ['status'], ['tag'], ['time'], ['trace'], ['umount'], ['unmount'], ['update'], ['use'], ['var'],
+      ['version'], ['wait'], ['.api'], ['.backups'], ['.clients'], ['.catalogs'], ['.defaults'], ['.die'], ['.dir'], ['.dump'], ['.exit'],
+      ['.events'], ['.filesets'], ['.help'], ['.jobs'], ['.estimate'], ['.jlist'], ['.levels'], ['.messages'], ['.msgs'], ['.pools'],
+      ['.quit'], ['.putfile'], ['.schedule'], ['.sql'], ['.status'], ['.storage'], ['.volstatus'], ['.media'], ['.mediatypes'],
+      ['.locations'], ['.actiononpurge'], ['.bvfs_lsdirs'], ['.bvfs_lsfiles'], ['.bvfs_get_volumes'], ['.bvfs_update'],
+      ['.bvfs_get_jobids'], ['.bvfs_get_jobs'], ['.bvfs_get_bootstrap'], ['.bvfs_get_fileindex'], ['.bvfs_versions'], ['.bvfs_get_delta'],
+      ['.bvfs_restore'], ['.bvfs_cleanup'], ['.bvfs_decode_lstat'], ['.bvfs_clear_cache'], ['.bvfs_update_fv'], ['.bvfs_delete_fileid'],
+      ['.setuid'], ['.ls'], ['.types'], ['.query'], ['.tags'],
+  ]]
+```
+
+A list of of console commands that can be executed by the console.
+
+Default value: `['list']`
+
+##### <a name="-bacula--director--console--whereacl"></a>`whereacl`
+
+Data type: `Optional[String[1]]`
+
+This directive permits you to specify where a restricted console can restore files.
+
+Default value: `undef`
+
 ### <a name="bacula--director--fileset"></a>`bacula::director::fileset`
 
 This class handles a Director's fileset.conf entry.  Filesets are intended to
diff --git a/manifests/director.pp b/manifests/director.pp
index 40e0b7b1..0731fd6c 100644
--- a/manifests/director.pp
+++ b/manifests/director.pp
@@ -155,6 +155,7 @@
   ]
 
   $sub_confs_with_secrets = [
+    "${conf_dir}/conf.d/console.conf",
     "${conf_dir}/conf.d/client.conf",
     "${conf_dir}/conf.d/storage.conf",
   ]
diff --git a/manifests/director/console.pp b/manifests/director/console.pp
new file mode 100644
index 00000000..57afa112
--- /dev/null
+++ b/manifests/director/console.pp
@@ -0,0 +1,70 @@
+# @summary Define a Bacula Director Console
+#
+# This define creates a console declaration for the director.
+# Resources of this type are intended to manage conf.d/console.conf entries.
+#
+# @param conf_dir    The bacula configuration director.  Should not need adjusting
+# @param password    The password that must be supplied for a named Bacula Console to be authorized
+# @param jobacl      A list of Job resource names that can be accessed by the console.
+# @param clientacl   A list of Client resource names that can be accessed by the console.
+# @param storageacl  A list of Storage resource names that can be accessed by the console.
+# @param scheduleacl A list of Schedule resource names that can be accessed by the console.
+# @param poolacl     A list of Pool resource names that can be accessed by the console.
+# @param filesetacl  A list of FileSet resource names that can be accessed by the console.
+# @param catalogacl  A list of Catalog resource names that can be accessed by the console.
+# @param commandacl  A list of of console commands that can be executed by the console.
+# @param whereacl    This directive permits you to specify where a restricted console can restore files.
+#
+# Aside from Director resource names and console command names,
+# the special keyword *all* can be specified in any of the above access control lists.
+# When this keyword is present, any resource or command name (which ever is appropriate) will be accepted.
+#
+# @example
+#   bacula::director::console { 'Monitoring':
+#     password     => 'monitoring_password',
+#   }
+#
+define bacula::director::console (
+  String[1] $password,
+  String $conf_dir                 = $bacula::conf_dir,
+  String[1] $catalogacl            = '*all*',
+  Array[Enum[
+      ['add'], ['autodisplay'], ['automount'], ['cancel'], ['cloud'], ['create'], ['delete'], ['disable'], ['enable'], ['estimate'],
+      ['exit'], ['gui'], ['help'], ['label'], ['list'], ['llist'], ['messages'], ['memory'], ['mount'], ['prune'], ['purge'], ['query'],
+      ['quit'], ['relabel'], ['release'], ['reload'], ['restart'], ['resume'], ['restore'], ['run'], ['setbandwidth'], ['setdebug'],
+      ['setip'], ['show'], ['sqlquery'], ['status'], ['tag'], ['time'], ['trace'], ['umount'], ['unmount'], ['update'], ['use'], ['var'],
+      ['version'], ['wait'], ['.api'], ['.backups'], ['.clients'], ['.catalogs'], ['.defaults'], ['.die'], ['.dir'], ['.dump'], ['.exit'],
+      ['.events'], ['.filesets'], ['.help'], ['.jobs'], ['.estimate'], ['.jlist'], ['.levels'], ['.messages'], ['.msgs'], ['.pools'],
+      ['.quit'], ['.putfile'], ['.schedule'], ['.sql'], ['.status'], ['.storage'], ['.volstatus'], ['.media'], ['.mediatypes'],
+      ['.locations'], ['.actiononpurge'], ['.bvfs_lsdirs'], ['.bvfs_lsfiles'], ['.bvfs_get_volumes'], ['.bvfs_update'],
+      ['.bvfs_get_jobids'], ['.bvfs_get_jobs'], ['.bvfs_get_bootstrap'], ['.bvfs_get_fileindex'], ['.bvfs_versions'], ['.bvfs_get_delta'],
+      ['.bvfs_restore'], ['.bvfs_cleanup'], ['.bvfs_decode_lstat'], ['.bvfs_clear_cache'], ['.bvfs_update_fv'], ['.bvfs_delete_fileid'],
+      ['.setuid'], ['.ls'], ['.types'], ['.query'], ['.tags'],
+  ]] $commandacl                   = ['list'],
+  Optional[String[1]] $jobacl      = undef,
+  Optional[String[1]] $clientacl   = undef,
+  Optional[String[1]] $storageacl  = undef,
+  Optional[String[1]] $scheduleacl = undef,
+  Optional[String[1]] $poolacl     = undef,
+  Optional[String[1]] $filesetacl  = undef,
+  Optional[String[1]] $whereacl       = undef,
+) {
+  $epp_console_variables = {
+    name         => $name,
+    password     => $password,
+    commandacl   => $commandacl,
+    whereacl     => $whereacl,
+    jobacl       => $jobacl,
+    clientacl    => $clientacl,
+    storageacl   => $scheduleacl,
+    scheduleacl  => $scheduleacl,
+    poolacl      => $poolacl,
+    filesetacl   => $filesetacl,
+    catalogacl   => $catalogacl,
+  }
+
+  concat::fragment { "bacula-director-console-${name}":
+    target  => "${conf_dir}/conf.d/console.conf",
+    content => epp('bacula/bacula-dir-console.epp', $epp_console_variables),
+  }
+}
diff --git a/templates/bacula-dir-console.epp b/templates/bacula-dir-console.epp
new file mode 100644
index 00000000..2da27d3d
--- /dev/null
+++ b/templates/bacula-dir-console.epp
@@ -0,0 +1,42 @@
+<%
+  |
+    String $name,
+    String $password,
+    String $catalogacl,
+    Array $commandacl,
+    Optional[String] $jobacl,
+    Optional[String] $clientacl,
+    Optional[String] $storageacl,
+    Optional[String] $scheduleacl,
+    Optional[String] $poolacl,
+    Optional[String] $filesetacl,
+    Optional[String] $whereacl,
+  |
+-%>
+Console {
+    Name        = <%= $name %>
+    Password    = "<%= $password %>"
+<% if $jobacl { -%>
+    JobACL      = <%= $jobacl %>
+<% } -%>
+<% if $clientacl { -%>
+    ClientACL   = <%= $clientacl %>
+<% } -%>
+<% if $storageacl { -%>
+    StorageACL  = <%= $storageacl %>
+<% } -%>
+<% if $scheduleacl { -%>
+    ScheduleACL = <%= $scheduleacl %>
+<% } -%>
+<% if $poolacl { -%>
+    PoolACL     = <%= $poolacl %>
+<% } -%>
+<% if $filesetacl { -%>
+    FileSetACL  = <%= $filesetacl %>
+<% } -%>
+    CatalogACL  = <%= $catalogacl %>
+    CommandACL  = <%= $commandacl.join(', ') %>
+<% if $whereacl { -%>
+    WhereACL = <%= $whereacl %>
+<% } -%>
+}
diff --git a/templates/bacula-dir-tail.epp b/templates/bacula-dir-tail.epp
index a8e4020d..d5aa3400 100644
--- a/templates/bacula-dir-tail.epp
+++ b/templates/bacula-dir-tail.epp
@@ -5,3 +5,4 @@
 @<%= $bacula::conf_dir %>/conf.d/fileset.conf
 @<%= $bacula::conf_dir %>/conf.d/jobdefs.conf
 @<%= $bacula::conf_dir %>/conf.d/job.conf
+@<%= $bacula::conf_dir %>/conf.d/console.conf