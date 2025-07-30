Version: 19.x (unreleased)

Run the Teleport Terraform Provider in CI or Cloud

This guides covers how to run the Teleport Terraform Provider from:

your CI/CD pipelines on: GitHub Actions (we'll use the github join method) GitlabCI (we'll use the gitlab join method) CircleCI (we'll use the circleci join method)

a cloud VM on: AWS (we'll use the aws join method) GCP (we'll use the gcp join method)



note Running the Terraform provider with native MachineID is supported on Azure, inside a Kubernetes pod, and on servers with Trusted Platform Module (TPM). While those setups are not described in details in this guide, you can follow their regular MachineID guides and replace the "Configure tbot " step by passing the join method and token to the provider. Azure MachineID guide

Kubernetes MachineID guide

TPM MachineID guide HCP Terraform (Terraform Cloud) and self-hosted Terraform Enterprise are supported but require special configuration, so refer to our dedicated guide.

This guide does not cover running Teleport locally, on a dedicated server or on certain platforms. See the following more specific guides for those cases:

This setup asks the runtime (the CI/CD system, cloud provider, container engine, ...) for an identity proof. This proof is then used directly by the Terraform provider to connect to Teleport and obtain credentials. In this setup, there is no tbot daemon involved as the Terraform provider can natively obtain the identity proof and join the Teleport cluster.

The setup only works for select runtimes which Teleport has a delegated join method for (e.g. GitHub Actions, GitLab CI, ...)

You need either:

A GCP or AWS VM with terraform installed

A git repo able to run GitHub Actions, GitLab CI or CircleCI jobs

You also need:

A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gz tar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gz cd teleport sudo ./install The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version: curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version' 17.0.0-dev



In this step you will create a bot named terraform .

Create a file named terraform-bot.yaml :

kind: bot version: v1 metadata: name: terraform spec: roles: [ "terraform-provider" ]

Then apply it with tctl :

tctl create terraform-bot.yaml

This is an admin-level action and requires MFA to complete Tap any security key Detected security key tap bot "terraform" has been created

At this point, you should see your new bot:

tctl bots ls

Bot User Roles --------- ------------- ------------------ terraform bot-terraform terraform-provider

In this step you will create a token allowing a process to connect to Teleport as the terraform bot you created earlier.

The token type and configuration depends on where the Terraform provider is running. See the joining reference for more details about the joining process, the different join methods, types of tokens, and the fields they support.

GitHub Actions

GitLab CI

CircleCI

AWS

GCP To allow the Terraform Provider to join from GitHub Actions workflows in organization/repository , create the following terraform-bot-token.yaml : kind: token version: v2 metadata: name: terraform-bot spec: roles: [ Bot ] join_method: github bot_name: terraform github: allow: - repository: organization/repository To allow the Terraform Provider to join from GitLab CI pipelines in group/project on the gitlab.example.com GitLab instance, create the following terraform-bot-token.yaml : kind: token version: v2 metadata: name: terraform-bot spec: roles: [ Bot ] join_method: gitlab bot_name: terraform gitlab: domain: gitlab.example.com allow: - project_path: group/project In order to configure the rules for which CircleCI workflows will be allowed to connect to your Teleport cluster, you must determine the ID of your CircleCI organization and create a CircleCI context. Open CircleCI and navigate to "Organization settings" from the navbar. You should be presented with an interface titled "Overview" with a section called "Organization ID". Note this value down and substitute organization-id in configuration examples with this. CircleCI has an organization-level concept called contexts, which allow you to configure a series of secrets that should be exposed to a workflow job. You can configure CircleCI to control which actors are allowed to trigger jobs associated with a context. The contexts that a workflow job has been assigned are also encoded in the identity token that CircleCI creates for the job. This makes them an ideal way for Teleport to determine which CircleCI jobs should be granted access to the Teleport cluster. In this example, you will create a CircleCI context named teleport-access . You will then grant this context access to your Teleport cluster. To create the CircleCI context, open up "Organization settings" in CircleCI and navigate to "Contexts". Click "Create Context" and provide teleport-access as the name of the context you wish to create. You may substitute this value for a string that makes more sense to your organization, but ensure in future steps of this guide that you replace teleport-access with your value. Select the context you have just created. You will now be on a page that allows you to configure the context. To determine the ID of the context to use when configuring Teleport, locate the URL of the context settings page, which should have a format similar to the following: https://app.circleci.com/settings/organization/github/gravitational/contexts/00000000-0000-0000-0000-000000000000 In this case, the context ID is: 00000000-0000-0000-0000-000000000000 . Note this value down and substitute context-id in configuration examples with it. Then, create the following terraform-bot-token.yaml , replacing context-id with your context ID: kind: token version: v2 metadata: name: terraform-bot spec: roles: [ Bot ] join_method: circleci bot_name: terraform circleci: organization_id: organization-id allow: - context_id: context-id Make sure you have: An AWS IAM role that you wish to grant access to your Teleport cluster. This role must be granted sts:GetCallerIdentity . In this guide, this role will be named instance-iam-role .

. In this guide, this role will be named . An AWS EC2 virtual machine configured with the IAM role attached where you want to run the Terraform provider.

The AWS account ID: 111111111111 Then, create the following terraform-bot-token.yaml : kind: token version: v2 metadata: name: terraform-bot spec: roles: [ Bot ] bot_name: terraform join_method: iam allow: - aws_account: " 111111111111 " aws_arn: "arn:aws:sts:: organization-id :assumed-role/ instance-iam-role /i-*" Make sure you have: A GCP Service Account (SA) attached to the VM you want to run the provider on. This cannot be the default compute SA. In this guide, this SA will be named my-service-account .

. The GCP project ID: my-project-123456 Then, create the following terraform-bot-token.yaml : kind: token version: v2 metadata: name: terraform-bot spec: roles: [ Bot ] bot_name: terraform join_method: gcp gcp: allow: - project_ids: - " my-project-123456 " service_accounts: - " my-service-account @ my-project-123456 .iam.gserviceaccount.com"

Create the bot token described by the terraform-bot-token.yaml manifest:

tctl create -f terraform-bot-token.yaml

This is an admin-level action and requires MFA to complete Tap any security key Detected security key tap provision_token "terraform-bot" has been created

In this step you will write a minimal Terraform code that configures the provider to connect to your Teleport cluster and join with the token you previously created.

To do this you need:

your Teleport cluster domain including the port: teleport.example.com:443 . You can find this in the URL when accessing the Web UI.

. You can find this in the URL when accessing the Web UI. the join method of the token you've created. This is the spec.join_method field in the terraform-bot-token.yaml : token-join-method .

Create this minimal main.tf file:

terraform { required_providers { teleport = { source = "terraform.releases.teleport.dev/gravitational/teleport" version = "~> 17.0" } } } provider "teleport" { addr = " teleport.example.com:443 " join_method = " token-join-method " join_token = "terraform-bot" } resource "teleport_role" "test" { version = "v7" metadata = { name = "test" description = "Dummy role to validate Terraform Provider setup" labels = { test = "yes" } } spec = {} }

GitHub Actions

GitLab CI

CircleCI

AWS

GCP Copy the main.tf file in the GitHub repo that runs GitHub Actions pipelines. Copy the main.tf file in the GitLab repo that runs GitLab CI pipelines. Copy the main.tf file in the Git repo that runs CircleCI pipelines. Copy the main.tf file on the AWS VM you will run Terraform from. Copy the main.tf file on the GCP VM you will run Terraform from.

This step shows minimal examples on how to run Terraform based on your environment. This code uses the default local backend which is not fit for production purposes. Especially in CI, you must use non-local Terraform backends so the Terraform state is persisted across CI pipelines.