Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Configuring Teleport with Terraform

Teleport Terraform Provider

Teleport Terraform Provider

Length: 07:38

The Teleport Terraform provider allows Teleport administrators to use Terraform to configure Teleport via dynamic resources.

Setup

For instructions on managing users and roles via Terraform, read the "Managing users and roles with IaC" guide.

The provider must obtain an identity to connect to Teleport. The method to obtain it depends on where the Terraform code is executed. You must pick the correct guide for your setup:

GuideUse-caseHow it works
Run the Teleport Terraform provider locallyYou are getting started with the Teleport Terraform provider and managing Teleport resources with IaC.You use local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables.
Run the Teleport Terraform provider on Terraform CloudYou're running on HCP Terraform (Terraform Cloud) or self-hosted Terraform Enterprise.Terraform Cloud Workload Identity issues a proof of identity and the Teleport Terraform provider uses it to authenticate.
Run the Teleport Terraform provider in CI or a cloud VMYou already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git).You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID.
Run the Teleport Terraform provider on SpaceliftYou already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform.You're using a proof provided by Spacelift to prove your identity and join using MachineID.
Run the Teleport Terraform provider from a serverYou have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner.You setup a MachineID daemon (tbot) that obtains and refreshes credentials for the Terraform provider.
Run the Teleport Terraform provider with long-lived credentials.This method is discouraged as less secure than the others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods).You sign one long lived certificate allowing the Terraform provider to connect to Teleport.

Resource guides

Once you have a functional Teleport Terraform provider, you will want to configure your resources with it.

The list of supported resources and their fields is available in the Terraform reference.

Some resources have their dedicated Infrastructure-as-Code (IaC) step-by step guides such as:

Finally, you can import your existing resources in Terraform.