Run the Teleport Terraform Provider on env zero

This guide demonstrates how to use the Terraform provider for Teleport in jobs running on env zero.

This guide does not cover running the Terraform provider locally, in other CI/CD environments, or in short-lived cloud VMs. In any of these cases, refer to a dedicated guide:

When running the Teleport Terraform provider on env zero, you can use its built-in Machine & Workload ID support to dynamically authenticate to your Teleport cluster without any shared secrets.

To do so, Teleport can make use of env zero's support for General OIDC Integrations, which provides OIDC tokens to jobs run on env zero's platform. The Teleport Terraform provider can then use these tokens to prove its identity to your Teleport cluster.

While following this guide, you'll configure your Teleport cluster to accept join requests from env zero deployments and configure the provider to authenticate using the env0 join method.

A running Teleport 18.4.0 cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: TELEPORT_DOMAIN= teleport.example.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Terraform >= 1.0.0+ terraform version To import existing Teleport resources as Terraform resources, you must have Terraform version v1.5.0 or above.

An account and project on env zero

The Teleport Terraform provider, v18.4.0 or later

OIDC integrations must be enabled in your organization's credential settings. To do so:

Navigate to your organization settings Select the "Policies" tab Under the "Third-Party Authentication" header, ensure "Enable OIDC during deployments" is checked If necessary, select "Save"

For more information, refer to env zero's documentation.

To allow deployment workflows to authenticate to Teleport, you'll need to configure - at a minimum - the IDs of your organization and project. These values can be found in the env zero UI.

To determine your organization ID, navigate to your organization's settings, select the "General" tab, and make a note of the value shown in the ID field. If desired, store your organization ID here: example-organization-id

Next, you'll also need to retrieve a project ID. Navigate to the settings for the desired project and make a note of the ID shown. If desired, you can insert it here: example-project-id

To start, the Teleport Auth Service needs to be configured to accept join requests from env zero runs. We'll do this by creating a bot named terraform which the Teleport Terraform provider will use in a later step.

Write the following to terraform_bot.yaml :

kind: bot version: v1 metadata: name: terraform spec: roles: [ "terraform-provider" ]

Then, create the bot from the new YAML manifest:

tctl create -f terraform_bot.yaml bot 'terraform' has been created

Next, the new bot needs to be allowed to authenticate with env zero's OIDC credentials. Create a file named terraform_token.yaml with this content:

kind: token version: v2 metadata: name: terraform spec: roles: [ Bot ] join_method: env0 bot_name: terraform env0: allow: - organization_id: example-organization-id project_id: example-project-id

Additional allow rules fields may be used to further restrict which jobs are allowed to authenticate , refer to the env0 join method reference for a full list of options.

Note that all specified fields must match those presented to Teleport by a deployment job for it to be allowed to join. If you want to allow multiple different projects to join, you can add additional entries to the allow field. Additionally, note that each entry must provide at minimum organization_id and a project identifier ( project_id or project_name ).

Once finished, create the token:

tctl create -f terraform_token.yaml token 'terraform' has been created

In your provider.tf or similar, configure the teleport provider:

provider "teleport" { addr = "example.teleport.sh:443" join_method = "env0" join_token = "terraform" }

These parameters must be set:

addr should match the public hostname and port of your Teleport cluster

should match the public hostname and port of your Teleport cluster join_method should be env0

should be join_token should match the name of the token resource created in Step #2

Be sure to remove any preexisting identity_file_path ; it is replaced by join_method and join_token .

For a complete example, consider this minimal provider.tf :

terraform { required_providers { teleport = { source = "terraform.releases.teleport.dev/gravitational/teleport" version = "18.4.0" } } } provider "teleport" { addr = "example.teleport.sh:443" join_method = "env0" join_token = "terraform" } resource "teleport_role" "test" { version = "v7" metadata = { name = "test" description = "Dummy role to validate Terraform Provider setup" labels = { test = "yes" } } }

You should now be able to perform a Terraform plan or apply . All types of triggers should work, including CLI, API, and Git, so long as the run is coordinated by Terraform Cloud.

If your local terraform is authenticated to env zero and Remote Plan is configured, you can run:

terraform plan

Otherwise, you can trigger a job execution through whichever means you normally use: manually, via a Git hook, etc.

Regardless of trigger, the workflow should successfully execute, depending on your Terraform configuration. You can use tctl to verify the dummy role was created:

tctl get role/test