Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Machine ID with the Teleport Terraform Provider

Version 15.x

The Teleport Terraform provider can be used to configure your Teleport cluster using Terraform. This Terraform provider requires a way to authenticate with Teleport and Machine ID credentials can be used for this purpose.

In this guide, you will configure tbot to produce credentials for the Teleport Terraform Provider and use Terraform to configure a Teleport role.

Prerequisites

  • A running Teleport cluster version 15.2.4 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    On Teleport Enterprise, you must use the Enterprise version of tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading tctl and tsh for Teleport Community Edition.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines.

    For example:

    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status
    Cluster  teleport.example.com
    Version  15.2.4
    CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

  • Terraform >= 1.0.0+

    terraform version
    Terraform v1.0.0

  • tbot must already be installed and configured on the machine that will run Terraform. For more information, see the deployment guides.

Step 1/3. Configure RBAC

First, Teleport must be configured to allow the credentials produced by tbot to modify the Teleport configuration. This is done by creating a role that grants the necessary permissions and then assigning this role to a Bot.

Create a file called role.yaml with the following content:

kind: role
version: v6
metadata:
  name: example-role
spec:
  allow:
    rules:
    - resources:
      # These currently represent all the resources that can be configured by
      # Terraform. You may wish to remove resources that you do not intend to
      # configure with Terraform from this list to reduce blast radius.
      - app
      - cluster_auth_preference
      - cluster_networking_config
      - db
      - device
      - github
      - login_rule
      - oidc
      - okta_import_rule
      - role
      - saml
      - session_recording_config
      - token
      - trusted_cluster
      - user
      verbs:
      - create
      - read
      - update
      - delete
      - list

Replace example-role with a descriptive name related to your use case.

Use tctl create -f ./role.yaml to create the role.

Now, use tctl bots update to add the role to the Bot. Replace example with the name of the Bot you created in the deployment guide and example-role with the name of the role you just created:

$ tctl bots update example --add-roles example-role

Step 2/3. Configure tbot output

Now, tbot needs to be configured with an output that will produce the credentials needed by the Terraform provider. As the Terraform provider will be accessing the Teleport API, the correct output type to use is identity.

For this guide, the directory destination will be used. This will write these credentials to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that Terraform will run as.

Modify your tbot configuration to add an identity output:

outputs:
- type: identity
  destination:
    type: directory
    # For this guide, /opt/machine-id is used as the destination directory.
    # You may wish to customize this. Multiple outputs cannot share the same
    # destination.
    path: /opt/machine-id

If operating tbot as a background service, restart it. If running tbot in one-shot mode (which creates credentials and ends the process, rather than running a background process), it must be executed before you attempt to execute the Terraform plan later.

You should now see an identity file under /opt/machine-id. This contains the private key and signed certificates needed by the Terraform provider to authenticate with the Teleport Auth Server.

Step 3/3. Use Terraform with the identity output

Start by creating a new Terraform working directory:

mkdir ./my-terraform && cd ./my-terraform
terraform init

In order to configure the Teleport Terraform provider to use the credentials output by Machine ID, we use the identity_file_path option. Whilst is is possible to configure the Terraform provider using the TLS certificate, the identity file provides support across more Teleport configurations.

This example creates a simple role for demonstrative purposes, this role is unlikely to be useful within your Teleport Cluster. Therefore, once you have confirmed that you have configured Terraform correctly, this resource should be modified to suit your needs.

In this directory, create main.tf:

terraform {
  required_providers {
    teleport = {
      version = "15.2.4"
      source  = "terraform.releases.teleport.dev/gravitational/teleport"
    }
  }
}

provider "teleport" {
  # Replace with the address of your Teleport Proxy or Auth Server.
  addr               = "teleport.example.com:443"
  # Replace with the directory configured in the identity output in the
  # previous step.
  identity_file_path = "/opt/machine-id/identity"
}

# This is an example. Replace this with the resource you wish to be managed
# with Terraform. See the following reference for supported options:
# https://goteleport.com/docs/reference/terraform-provider/
resource "teleport_role" "terraform-test" {
  version = "v7"
  metadata = {
    name        = "terraform-test"
    description = "Example role created by Terraform"
  }

  spec = {
    # This role does nothing as it is an example role.
    allow = {}
  }
}

Replace teleport.example.com:443 with the address of your Teleport Proxy or Auth Server. If you modified the destination directory from /opt/machine-id, then this should also be replaced.

Now, execute Terraform to test the configuration:

terraform apply

Check your Teleport cluster, ensuring the role has been created:

tctl get role/terraform-test

Next steps