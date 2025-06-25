Machine ID with the Teleport Terraform Provider
The Teleport Terraform provider can be used to configure your Teleport cluster using Terraform. This Terraform provider requires a way to authenticate with Teleport and Machine ID credentials can be used for this purpose.
In this guide, you will configure
tbot to produce credentials for the Teleport
Terraform Provider and use Terraform to configure a Teleport role.
Prerequisites
-
A running Teleport cluster version 15.5.3 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool and
tshclient tool.
On Teleport Enterprise, you must use the Enterprise version of
tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading
tctland
tshfor Teleport Community Edition.
-
To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines.
For example:tsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 15.5.3
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
If you can connect to the cluster and run the
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
-
terraform version
Terraform v1.0.0
-
tbotmust already be installed and configured on the machine that will run Terraform. For more information, see the deployment guides.
Step 1/3. Configure RBAC
First, Teleport must be configured to allow the credentials produced by
tbot
to modify the Teleport configuration. This is done by creating a role that
grants the necessary permissions and then assigning this role to a Bot.
Create a file called
role.yaml with the following content:
kind: role
version: v6
metadata:
name: example-role
spec:
allow:
rules:
- resources:
# These currently represent all the resources that can be configured by
# Terraform. You may wish to remove resources that you do not intend to
# configure with Terraform from this list to reduce blast radius.
- app
- cluster_auth_preference
- cluster_networking_config
- db
- device
- github
- login_rule
- oidc
- okta_import_rule
- role
- saml
- session_recording_config
- token
- trusted_cluster
- user
verbs:
- create
- read
- update
- delete
- list
Replace
example-role with a descriptive name related to your use case.
Use
tctl create -f ./role.yaml to create the role.
Now, use
tctl bots update to add the role to the Bot. Replace
example
with the name of the Bot you created in the deployment guide and
example-role
with the name of the role you just created:
$ tctl bots update example --add-roles example-role
Step 2/3. Configure
tbot output
Now,
tbot needs to be configured with an output that will produce the
credentials needed by the Terraform provider. As the Terraform provider will be
accessing the Teleport API, the correct output type to use is
identity.
For this guide, the
directory destination will be used. This will write these
credentials to a specified directory on disk. Ensure that this directory can
be written to by the Linux user that
tbot runs as, and that it can be read by
the Linux user that Terraform will run as.
Modify your
tbot configuration to add an
identity output:
outputs:
- type: identity
destination:
type: directory
# For this guide, /opt/machine-id is used as the destination directory.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
path: /opt/machine-id
If operating
tbot as a background service, restart it. If running
tbot in
one-shot mode (which creates credentials and ends the process, rather than running
a background process), it must be executed before you attempt to execute the
Terraform plan later.
You should now see an
identity file under
/opt/machine-id. This contains
the private key and signed certificates needed by the Terraform provider to
authenticate with the Teleport Auth Server.
Step 3/3. Use Terraform with the identity output
Start by creating a new Terraform working directory:
mkdir ./my-terraform && cd ./my-terraformterraform init
In order to configure the Teleport Terraform provider to use the credentials
output by Machine ID, we use the
identity_file_path option. Whilst is is
possible to configure the Terraform provider using the TLS certificate, the
identity file provides support across more Teleport configurations.
This example creates a simple role for demonstrative purposes, this role is unlikely to be useful within your Teleport Cluster. Therefore, once you have confirmed that you have configured Terraform correctly, this resource should be modified to suit your needs.
In this directory, create
main.tf:
terraform {
required_providers {
teleport = {
version = "15.5.3"
source = "terraform.releases.teleport.dev/gravitational/teleport"
}
}
}
provider "teleport" {
# Replace with the address of your Teleport Proxy or Auth Server.
addr = "teleport.example.com:443"
# Replace with the directory configured in the identity output in the
# previous step.
identity_file_path = "/opt/machine-id/identity"
}
# This is an example. Replace this with the resource you wish to be managed
# with Terraform. See the following reference for supported options:
# https://goteleport.com/docs/reference/terraform-provider/
resource "teleport_role" "terraform-test" {
version = "v7"
metadata = {
name = "terraform-test"
description = "Example role created by Terraform"
}
spec = {
# This role does nothing as it is an example role.
allow = {}
}
}
Replace
teleport.example.com:443 with the address of your Teleport Proxy or
Auth Server. If you modified the destination directory from
/opt/machine-id,
then this should also be replaced.
Now, execute Terraform to test the configuration:
terraform apply
Check your Teleport cluster, ensuring the role has been created:
tctl get role/terraform-test
Next steps
- Explore the Terraform provider resource reference to discover what can be configured with the Teleport Terraform provider.
- Read the configuration reference to explore
all the available
tbotconfiguration options.