Run the Teleport Terraform Provider on a Server
This guide demonstrates how to set up the Terraform provider for Teleport on a persistent Linux or macOS server.
This guide does not cover running the Terraform provider locally, or in temporary environments such as CI/CD and short-lived cloud VMs. If you are in one of those cases, please follow the dedicated guides:
This guide will setup MachineID on the server. MachineID is Teleport's feature for providing identities to machines and services, rather than users.
How it works
This setup relies on a MachineID daemon (tbot) to join the Teleport cluster, obtain and refresh credentials for the
Terraform provider. The daemon stores its identity on the disk and refresh the terraform credentials, typically every
30 minutes.
Prerequisites
-
A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool andtshclient tool.Visit Installation for instructions on downloading
tctlandtsh.
-
$ terraform version
# Terraform v1.0.0 -
To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can runtctlcommands using your current credentials.For example:
$ tsh login --proxy=teleport.example.com [email protected]
$ tctl status
# Cluster teleport.example.com
# Version 17.0.0-dev
# CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678If you can connect to the cluster and run the
tctl statuscommand, you can use your current credentials to run subsequenttctlcommands from your workstation. If you host your own Teleport cluster, you can also runtctlcommands on the computer that hosts the Teleport Auth Service for full permissions. -
A Linux host that you wish to run the Teleport Terraform provider onto.
-
A Linux user on that host that you wish Terraform and
tbotto run as. In the guide, we will use teleport for this.
Step 1/4. Install tbot on your server
You must install tbot and make it join the Teleport cluster.
To do so, follow the tbot deployment guide for Linux
until step 3.
Step 2/4. Configure RBAC
At this point, tbot is installed and configured on the machine that will run Terraform.
Starting with 16.2, Teleport comes with a built-in role for the Terraform provider: terraform-provider.
RBAC for versions before v16.2
On older version you will need to create the Terraform role yourself.
Write the following role.yaml manifest:
kind: role
version: v7
metadata:
name: terraform-provider
spec:
allow:
db_labels:
'*': '*'
app_labels:
'*': '*'
node_labels:
'*': '*'
rules:
- resources:
- app
- cluster_auth_preference
- cluster_networking_config
- db
- device
- github
- login_rule
- oidc
- okta_import_rule
- role
- saml
- session_recording_config
- token
- trusted_cluster
- user
- access_list
- node
verbs: ['list','create','read','update','delete']
Use tctl create -f ./role.yaml to create the role.
Use the tctl bots update command to add the role to the Bot. Replace example
with the name of the Bot you created in the deployment guide.
$ tctl bots update example --add-roles terraform-provider
Step 3/4. Configure tbot output
Now, tbot needs to be configured with an output that will produce the
credentials needed by the Terraform provider. As the Terraform provider will be
accessing the Teleport API, the correct output type to use is identity.
For this guide, the directory destination will be used. This will write these
credentials to a specified directory on disk. Ensure that this directory can
be written to by the Linux user that tbot runs as, and that it can be read by
the Linux user that Terraform will run as.
Modify your tbot configuration to add an identity output:
outputs:
- type: identity
destination:
type: directory
# For this guide, /opt/machine-id is used as the destination directory.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
path: /opt/machine-id
If operating tbot as a background service, restart it. If running tbot in
one-shot mode (which creates credentials and ends the process, rather than running
a background process), it must be executed before you attempt to execute the
Terraform plan later.
You should now see an identity file under /opt/machine-id. This contains
the private key and signed certificates needed by the Terraform provider to
authenticate with the Teleport Auth Server.
Step 4/4. Run Terraform
Start by creating a new Terraform working directory:
$ mkdir ./my-terraform && cd ./my-terraform
$ terraform init
In order to configure the Teleport Terraform provider to use the credentials
output by Machine ID, we use the identity_file_path option.
In this directory, create main.tf:
terraform {
required_providers {
teleport = {
version = "17.0.0-dev"
source = "terraform.releases.teleport.dev/gravitational/teleport"
}
}
}
provider "teleport" {
# Replace with the address of your Teleport Proxy or Auth Server.
addr = "teleport.example.com:443"
# Replace with the directory configured in the identity output in the
# previous step.
identity_file_path = "/opt/machine-id/identity"
}
# We must create a test role, if we don't declare resources, Terraform won't try to
# connect to Teleport and we won't be able to validate the setup.
resource "teleport_role" "terraform-test" {
version = "v7"
metadata = {
name = "terraform-test"
description = "Example role created by Terraform"
}
spec = {
# This role does nothing as it is an example role.
allow = {}
}
}
Replace teleport.example.com:443 with the address of your Teleport Proxy or
Auth Server. If you modified the destination directory from /opt/machine-id,
then this should also be replaced.
Now, execute Terraform to test the configuration:
$ terraform init
$ terraform plan
$ terraform apply
Check your Teleport cluster, ensuring the role has been created:
$ tctl get role/terraform-test
Next steps
- Explore the Terraform provider resource reference to discover what can be configured with the Teleport Terraform provider.
- Read the tbot configuration reference to explore
all the available
tbotconfiguration options.