Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files.
Teleport is a Certificate Authority and an Access Plane for your infrastructure. With Teleport you can:
Terraform relies on plugins called “providers” to interact with cloud providers, SaaS providers, and other APIs.
Terraform configurations must declare which providers they require so that Terraform can install and use them. Additionally, some providers require configuration (like endpoint URLs or cloud regions) before they can be used.
This article describe how to use Terraform to manage Teleport resources.
In order for Terraform to manage resources in your Teleport cluster, it needs a signed identity file from the cluster’s certificate authority. The Terraform user cannot request this itself, and requires another user to impersonate this account in order to request a certificate.
Create a role that enables your user to impersonate the Terraform user. First, paste the following YAML document into a file called terraform-impersonator.yaml:
kind:role version:v5 metadata: name:terraform-impersonator spec: # SSH options used for user sessions options: # max_session_ttl defines the TTL (time to live) of SSH certificates # issued to the users with this role. max_session_ttl:10h
# The allow section declares a list of resource/verb combinations that are # allowed for the users of this role. By default, nothing is allowed. allow: impersonate: users: ['terraform'] roles: ['terraform']
# The deny section uses the identical format as the 'allow' section. # Deny rules always override allow rules. deny: node_labels: '*':'*'
Next, create the role:
$ tctl create terraform-impersonator.yaml
Assign this role to the current user. Log in to your Teleport cluster to assume the new role.