
Login Rules are currently in Preview mode.
This guide will explain how to:
- Use Teleport's Terraform Provider to deploy Login Rules to your Teleport cluster
- Edit deployed Login Rules via Terraform
Prerequisites
-
A running Teleport Enterprise cluster, including the Auth Service and Proxy Service. For details on how to set this up, see our Enterprise Getting Started guide.
-
The Enterprise
tctl
admin tool andtsh
client tool version >= 13.0.3, which you can download by visiting your Teleport account.tctl versionTeleport Enterprise v13.0.3 go1.20
tsh versionTeleport v13.0.3 go1.20
Please use the latest version of Teleport Enterprise documentation.
-
Make sure you can connect to Teleport. Log in to your cluster using
tsh
, then usetctl
remotely:tsh login --proxy=teleport.example.com [email protected]tctl statusCluster teleport.example.com
Version 13.0.3
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
You can run subsequent
tctl
commands in this guide on your local machine.For full privileges, you can also run
tctl
commands on your Auth Service host. -
terraform version
Terraform v1.0.0
Step 1/4. Set up Teleport credentials for Terraform
For simplicity, this guide will configure the Terraform provider to use your
current logged-in user's Teleport credentials obtained from tsh login
.
The Terraform provider guide
includes instructions for configuring a dedicated terraform
user and role,
which is a better option when running Terraform in a non-interactive
environment.
If you are already using Terraform to manage other resources in your Teleport
cluster then you have probably already set up a terraform
user and role and
configured the associated credentials.
Make sure to use the terraform
role from the latest version of the guide,
which has list
, read
, create
, update
, and delete
verbs for
login_rule
resources.
First, ensure you are logged into Teleport as a user that has permissions to
read and modify login_rule
resources.
The preset editor
role has access to this already, but in case you are using a
more customized configuration, create a role called loginrule-manager.yaml
with the following contents:
kind: role
metadata:
name: loginrule-manager
spec:
allow:
rules:
- resources: [login_rule]
verbs: [list, read, create, update, delete]
version: v6
Create the role with tctl
:
tctl create loginrule-manager.yamlrole 'loginrule-manager' has been created
Assign the loginrule-manager
role to your Teleport user by running the following
commands, depending on whether you authenticate as a local Teleport user or via
the github
, saml
, or oidc
authentication connectors:
Retrieve your local user's configuration resource:
tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml
Edit out.yaml
, adding loginrule-manager
to the list of existing roles:
roles:
- access
- auditor
- editor
+ - loginrule-manager
Apply your changes:
tctl create -f out.yaml
Retrieve your github
configuration resource:
tctl get github/github --with-secrets > github.yaml
Edit github.yaml
, adding loginrule-manager
to the
teams_to_roles
section. The team you will map to this role will depend on how
you have designed your organization's RBAC, but it should be the smallest team
possible within your organization. This team must also include your user.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - loginrule-manager
Apply your changes:
tctl create -f github.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to github.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Retrieve your saml
configuration resource:
tctl get --with-secrets saml/mysaml > saml.yaml
Edit saml.yaml
, adding loginrule-manager
to the
attributes_to_roles
section. The attribute you will map to this role will
depend on how you have designed your organization's RBAC, but it should be the
smallest group possible within your organization. This group must also include
your user.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - loginrule-manager
Apply your changes:
tctl create -f saml.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to saml.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Retrieve your oidc
configuration resource:
tctl get oidc/myoidc --with-secrets > oidc.yaml
Edit oidc.yaml
, adding loginrule-manager
to the
claims_to_roles
section. The claim you will map to this role will depend on
how you have designed your organization's RBAC, but it should be the smallest
group possible within your organization. This group must also include your
user.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - loginrule-manager
Apply your changes:
tctl create -f oidc.yaml
Note the --with-secrets
flag in the tctl get
command. This adds the value of
spec.signing_key_pair.private_key
to oidc.yaml
. This is a sensitive value,
so take precautions when creating this file and remove it after updating the resource.
Log out of your Teleport cluster and log in again to assume the new role.
Step 2/4. Create a Terraform configuration
Paste the following into a file called main.tf
to configure the Terraform
provider and create two example Login Rules.
Make sure to update the addr = "teleport.example.com:443"
field with the
public address of your Teleport Proxy.
terraform {
required_providers {
teleport = {
source = "terraform.releases.teleport.dev/gravitational/teleport"
version = ">= 13.0.3"
}
}
}
provider "teleport" {
# Update addr to point to your Teleport proxy
addr = "teleport.example.com:443"
# Setting profile_dir and profile_name to empty strings will cause the
# Terraform provider to authenticate using the current logged-in tsh profile
profile_dir = ""
profile_name = ""
}
resource "teleport_login_rule" "terraform-test-map-rule" {
metadata = {
name = "terraform-test-map-rule"
description = "Terraform test rule using traits_map"
labels = {
example = "yes"
}
}
version = "v1"
# The rule with the lowest priority will be evaluated first.
priority = 0
# traits_map holds a map of all desired trait keys to list ofexpressions to
# determine the trait values.
traits_map = {
# The "logins" traits will be set to the external "username" trait converted
# to lowercase, as well as any external "logins" trait.
"logins" = {
# The traits_map value must be an object holding the expressions list in a
# "values" field
values = [
"strings.lower(external.username)",
"external.logins",
]
}
# The external "groups" trait will be passed through unchanged, all other
# traits will be filtered out.
"groups" = {
values = [
"external.groups",
]
}
}
}
resource "teleport_login_rule" "terraform-test-expression-rule" {
metadata = {
name = "terraform-test-expression-rule"
description = "Terraform test rule using traits_expression"
labels = {
example = "yes"
}
}
version = "v1"
# This rule has a higher priority value, so it will be evaluated after the
# "terraform-test-map-rule".
priority = 1
# traits_expression is an alternative to traits_map, which returns all desired
# traits in a single expression. The EOT syntax is a way of writing a
# multiline string in Terraform, it is not part of the expression.
traits_expression = <<-EOT
external.put("groups",
choose(
option(external.groups.contains("admins"), external.groups.add("app-admins", "db-admins")),
option(external.groups.contains("ops"), external.groups.add("k8s-admins")),
option(true, external.groups)))
EOT
}
Step 3/4. Apply the configuration
Init Terraform and apply the configuration:
terraform initterraform apply
Step 4/4. Make sure everything worked
Double-check that the new Login Rules are now available in your cluster:
tctl get login_ruleskind: login_rule
metadata:
description: Terraform test rule using traits_expression
id: 1680190764978381000
labels:
example: "yes"
name: terraform-test-expression-rule
spec:
priority: 1
traits_expression: |
external.put("groups",
choose(
option(external.groups.contains("admins"),
external.groups.add("app-admins", "db-admins")),
option(external.groups.contains("ops"),
external.groups.add("k8s-admins")),
option(true, external.groups)))
version: v1
---
kind: login_rule
metadata:
description: Terraform test rule using traits_map
id: 1680193055097268000
labels:
example: "yes"
name: terraform-test-map-rule
spec:
priority: 0
traits_map:
groups:
- external.groups
logins:
- strings.lower(external.username)
- external.logins
version: v1
Test the Login Rules you just installed with the tctl login_rule test
command.
The --load-from-cluster
flag tells the command to load all Login Rules
currently installed in the cluster.
You can send example traits to the standard input of the command, and it will
print the final traits after transformation by the Login Rules.
echo '{"groups": ["admins", "ops"], "username": ["Alice"], "logins": ["user", "root"]}' | \ tctl login_rule test --load-from-clustergroups:
- admins
- ops
- app-admins
- db-admins
logins:
- alice
- user
- root
Next Steps
- Read the Terraform Guide to learn more about configuring the Terraform provider.
- Read the Login Rules reference to learn mode about the Login Rule expression syntax.