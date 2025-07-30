Version: 18.x

Run the Teleport Terraform Provider on a Server

This guide demonstrates how to set up the Terraform provider for Teleport on a persistent Linux or macOS server.

This guide does not cover running the Terraform provider locally, or in temporary environments such as CI/CD and short-lived cloud VMs. If you are in one of those cases, please follow the dedicated guides:

This guide will setup MachineID on the server. MachineID is Teleport's feature for providing identities to machines and services, rather than users.

This setup relies on a MachineID daemon ( tbot ) to join the Teleport cluster, obtain and refresh credentials for the Terraform provider. The daemon stores its identity on the disk and refresh the terraform credentials, typically every 30 minutes.

A running Teleport cluster version 18.0.1 or above. If you do not have one, read Get Started with Teleport or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-18.0.1.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v18.0.1-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v18.0.1-linux-amd64-bin.tar.gz tar -xzf teleport-v18.0.1-linux-amd64-bin.tar.gz cd teleport sudo ./install The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version: curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version' 18.0.1



Terraform >= 1.0.0+ terraform version

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

A Linux host that you wish to run the Teleport Terraform provider onto.

A Linux user on that host that you wish Terraform and tbot to run as.

You must install tbot and make it join the Teleport cluster. To do so, follow the tbot deployment guide for Linux until step 3.

At this point, tbot is installed and configured on the machine that will run Terraform.

Starting with 16.2, Teleport comes with a built-in role for the Terraform provider: terraform-provider .

RBAC for versions before v16.2 On older version you will need to create the Terraform role yourself. Write the following role.yaml manifest: kind: role version: v7 metadata: name: terraform-provider spec: allow: db_labels: '*': '*' app_labels: '*': '*' node_labels: '*': '*' rules: - resources: - app - cluster_auth_preference - cluster_networking_config - db - device - github - login_rule - oidc - okta_import_rule - role - saml - session_recording_config - token - trusted_cluster - user - access_list - node verbs: [ 'list' , 'create' , 'read' , 'update' , 'delete' ] Use tctl create -f ./role.yaml to create the role.

Use the tctl bots update command to add the role to the Bot. Replace example with the name of the Bot you created in the deployment guide.

tctl bots update example --add-roles terraform-provider

Now, tbot needs to be configured with an output that will produce the credentials needed by the Terraform provider. As the Terraform provider will be accessing the Teleport API, the correct output type to use is identity .

For this guide, the directory destination will be used. This will write these credentials to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that Terraform will run as.

Modify your tbot configuration to add an identity output:

outputs: - type: identity destination: type: directory path: /opt/machine-id

If operating tbot as a background service, restart it. If running tbot in one-shot mode (which creates credentials and ends the process, rather than running a background process), it must be executed before you attempt to execute the Terraform plan later.

You should now see an identity file under /opt/machine-id . This contains the private key and signed certificates needed by the Terraform provider to authenticate with the Teleport Auth Service.

Start by creating a new Terraform working directory:

mkdir ./my-terraform && cd ./my-terraform terraform init

In order to configure the Teleport Terraform provider to use the credentials output by Machine ID, we use the identity_file_path option.

In this directory, create main.tf :

terraform { required_providers { teleport = { version = "18.0.1" source = "terraform.releases.teleport.dev/gravitational/teleport" } } } provider "teleport" { addr = "teleport.example.com:443" identity_file_path = "/opt/machine-id/identity" } resource "teleport_role" "terraform-test" { version = "v7" metadata = { name = "terraform-test" description = "Example role created by Terraform" } spec = { allow = {} } }

Replace teleport.example.com:443 with the address of your Teleport Proxy Service or Auth Service. If you modified the destination directory from /opt/machine-id , then this should also be replaced.

Now, execute Terraform to test the configuration:

terraform init terraform plan terraform apply

Check your Teleport cluster, ensuring the role has been created:

tctl get role/terraform-test