Teleport
Configuring Teleport with Terraform
- Edge version
- Version 17.x
- Version 16.x
- Version 15.x
- Older Versions
Teleport Terraform Provider
Length: 07:38
The Teleport Terraform provider allows Teleport administrators to use Terraform to configure Teleport via dynamic resources.
Setup
For instructions on managing users and roles via Terraform, read the "Managing users and roles with IaC" guide.
The provider must obtain an identity to connect to Teleport. The method to obtain it depends on where the Terraform code is executed. You must pick the correct guide for your setup:
Guide | Use-case | How it works |
---|---|---|
Run the Teleport Terraform provider locally | You are getting started with the Teleport Terraform provider and managing Teleport resources with IaC. | You use local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables. |
Run the Teleport Terraform provider on Terraform Cloud | You're running on HCP Terraform (Terraform Cloud) or self-hosted Terraform Enterprise. | Terraform Cloud Workload Identity issues a proof of identity and the Teleport Terraform provider uses it to authenticate. |
Run the Teleport Terraform provider in CI or a cloud VM | You already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git). | You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID. |
Run the Teleport Terraform provider on Spacelift | You already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform. | You're using a proof provided by Spacelift to prove your identity and join using MachineID. |
Run the Teleport Terraform provider from a server | You have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner. | You setup a MachineID daemon (tbot ) that obtains and refreshes credentials for the Terraform provider. |
Run the Teleport Terraform provider with long-lived credentials. | This method is discouraged as less secure than the others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods). | You sign one long lived certificate allowing the Terraform provider to connect to Teleport. |
Resource guides
Once you have a functional Teleport Terraform provider, you will want to configure your resources with it.
The list of supported resources and their fields is available in the Terraform reference.
Some resources have their dedicated Infrastructure-as-Code (IaC) step-by step guides such as:
- Managing Users And Roles With IaC
- Creating Access Lists with IaC
- Registering Agentless OpenSSH Servers with IaC
Finally, you can import your existing resources in Terraform.