Version: 19.x (unreleased)

Run the Teleport Terraform Provider on Spacelift

You can use Spacelift with the Teleport Terraform provider to manage dynamic configuration resources via GitOps and infrastructure as code. This gives you an audit trail of changes to your Teleport configuration and a single source of truth for operators to examine.

This guide shows you how to configure the Teleport Terraform Provider to authenticate to a Teleport cluster using Machine ID when running on Spacelift.

In this setup, the Teleport Terraform Provider proves its identity to the Teleport Auth Service by presenting an ID token signed by Spacelift. This allows it to authenticate with the Teleport cluster without the need for a long-lived shared secret.

While following this guide, you will create a Teleport user and role with no privileges in order to show you how to use Spacelift to create dynamic resources.

A running Teleport Enterprise cluster version 19.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-19.0.0-dev.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v19.0.0-dev-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v19.0.0-dev-linux-amd64-bin.tar.gz tar -xzf teleport-v19.0.0-dev-linux-amd64-bin.tar.gz cd teleport sudo ./install The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version: curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version' 19.0.0-dev



To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

, then verify that you can run commands using your current credentials. For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and command, you can use your current credentials to run subsequent commands from your workstation. If you host your own Teleport cluster, you can also run commands on the computer that hosts the Teleport Auth Service for full permissions. A GitHub repository where you will store your Terraform configuration and a Spacelift stack linked to this repository.

A paid Spacelift account. This is required to use the spacelift join method.

join method. Your Teleport user should have the privileges to create token resources.

First, we'll create a Machine ID Bot for our Spacelift job to act as. We'll grant it the terraform-provider role, which automatically grants access to every resource supported by the Teleport terraform provider.

Create bot.yaml :

kind: bot version: v1 metadata: name: example spec: roles: - terraform-provider

Make sure you replace example with a unique, descriptive, name for your Bot.

Use tctl to apply this file:

tctl create bot.yaml

In order to allow your Spacelift stack to authenticate with your Teleport cluster, you'll first need to create a join token. A join token sets out criteria by which the Teleport Auth Service decides whether to allow a bot or node to join a cluster.

In this example, you will create a join token that grants access to any execution within a specific Spacelift stack.

Create a file named bot-token.yaml :

kind: token version: v2 metadata: name: example-bot spec: roles: [ Bot ] join_method: spacelift bot_name: example spacelift: hostname: example.app.spacelift.io allow: - space_id: root caller_type: stack caller_id: my-stack

Replace:

example.app.spacelift.io with the hostname of your Spacelift tenant.

with the hostname of your Spacelift tenant. my-stack with the name of the Spacelift stack.

with the name of the Spacelift stack. root with the ID of the space that the stack resides within. The "space details" panel on the "Spaces" page of the Spacelift UI shows the ID.

Once the resource file has been written, create the token with tctl :

tctl create -f bot-token.yaml

Check that token example-bot has been created with the following command:

tctl tokens ls Token Type Labels Expiry Time (UTC) ----------- ---- ------ ---------------------------------------------- example-bot Bot

Add the following to a file called main.tf to configure the Teleport Terraform provider and declare two dynamic resources, a user and role:

terraform { required_providers { teleport = { source = "terraform.releases.teleport.dev/gravitational/teleport" version = ">= 13.3.7" } } } provider "teleport" { addr = "teleport.example.com:443" join_method = "spacelift" join_token = "example-bot" } resource "teleport_role" "terraform_test" { version = "v7" metadata = { name = "terraform-test" description = "Terraform test role" labels = { test = "true" } } } resource "teleport_user" "terraform-test" { metadata = { name = "terraform-test" description = "Terraform test user" labels = { test = "true" } } spec = { roles = [teleport_role.terraform_test.id] } }

In the provider block, change:

teleport.example.com:443 to the host and HTTPS port of your Teleport Proxy Service.

to the host and HTTPS port of your Teleport Proxy Service. example-bot to the name of the join token you created earlier.

Commit your changes and push the branch to GitHub, then open a pull request against the main branch. (Do not merge it just yet.)

In the Spacelift UI, navigate to your stack, then to PRs. Click the name of the PR you opened.

You should see a Terraform plan that includes the user and role you defined earlier:

When running terraform plan , the Teleport Terraform Provider uses Machine ID to generate the short-lived credentials necessary to authenticate to the Teleport cluster.

Merge the PR, then navigate to your stack and click Runs. Click the status of the first run, which corresponds to merging your PR, to visit the page for the run. Click Confirm to begin applying your Terraform plan.

You should see output indicating success:

Verify that Spacelift has created the new user and role by running the following commands, which should return YAML data for each resource:

tctl get roles/terraform-test tctl get users/terraform-test