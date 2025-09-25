Version: 18.x

Teleport Terraform Provider

The Teleport Terraform provider allows Terraform users to configure Teleport from Terraform.

This section is the Teleport Terraform Provider reference. It lists all the supported resources and their fields.

tip To get started with the Terraform provider, you must start with the installation guide. Once you got a working provider, we recommend you to follow the "Managing users and roles with IaC" guide.

The provider exposes Teleport resources both as Terraform data-sources and Terraform resources. Data-sources are used by Terraform to fetch information from Teleport, while resources are used to create resources in Teleport.

cloud terraform { required_providers { teleport = { source = "terraform.releases.teleport.dev/gravitational/teleport" version = "~> 18.0" } } } provider "teleport" { addr = "proxy.example.com:443" identity_file_path = "terraform-identity/identity" } terraform { required_providers { teleport = { source = "terraform.releases.teleport.dev/gravitational/teleport" version = "~> 18.0" } } } provider "teleport" { addr = "mytenant.teleport.sh:443" identity_file_path = "terraform-identity/identity" }

This section lists the different ways of passing credentials to the Terraform provider. You can find which method fits your use case in the Teleport Terraform provider setup page

With this connection method, you must provide an identity file.This file allows Terraform to connect both via the Proxy Service (ports 443 or 3080) and via the Auth Service (port 3025). This is the recommended way of passing credentials to the Terraform provider.

The identity file can be obtained via several ways:

Since 16.2, you can use tctl and your local credentials to create a temporary bot and load its identity in your shell's environment variables:

eval "$(tctl terraform env)" 🔑 Detecting if MFA is required This is an admin-level action and requires MFA to complete Tap any security key Detected security key tap ⚙️ Creating temporary bot "tctl-terraform-env-82ab1a2e" and its token 🤖 Using the temporary bot to obtain certificates 🚀 Certificates obtained, you can now use Terraform in this terminal for 1h0m0s

You can find more information in the "Run the Terraform provider locally" guide

tbot relies on Machine ID to obtain and automatically renew short-lived credentials. Such credentials are harder to exfiltrate, and you can control more precisely who has access to which roles (e.g. you can allow only GitHub Actions pipelines targeting the prod environment to get certificates).

You can follow the Terraform Provider guide to setup tbot and have Terraform use its identity.

You can obtain an identity file with the command

tctl auth sign --user terraform --format file -o identity.pem

This auth method has the following limitations:

Such credentials are high-privileged and long-lived. They must be protected and rotated.

This auth method does not work against Teleport clusters with MFA set to webauthn . On such clusters, Teleport will reject any long-lived certificate and require an additional MFA challenge for administrative actions.

Starting with 16.2, the Teleport Terraform provider can natively use MachineID (without tbot ) to join a Teleport cluster. The Terraform Provider will rely on its runtime (AWS, GCP, Kubernetes, CI/CD system) to prove its identity to Teleport.

You can use any delegated join method by setting both join_method and join_token in the provider configuration.

This setup is described in more details in the "Run the Teleport Terraform provider in CI or Cloud" guide.

With this connection method, you must provide a TLS key, a TLS certificate, and the Teleport Auth Service TLS CA certificates. Those can be obtained with the command:

tctl auth sign --user terraform --format=tls -o terraform.pem

This auth method has the following limitations:

The provider can only connect to the Auth directly (port 3025). On most clusters, only the proxy is publicly exposed.

Such credentials are high-privileged and long-lived. They must be protected and rotated.

This auth method does not work against Teleport clusters with MFA set to webauthn . On such clusters, Teleport will reject any long-lived certificate and require an additional MFA challenge for administrative actions.