Skip to main content

Machine ID with the Teleport Terraform Provider

The Teleport Terraform provider can be used to configure your Teleport cluster using Terraform. This Terraform provider requires a way to authenticate with Teleport and Machine ID credentials can be used for this purpose.

In this guide, you will configure tbot to produce credentials for the Teleport Terraform Provider and use Terraform to configure a Teleport role.

Prerequisites

  • A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines.

    For example:

    $ tsh login --proxy=teleport.example.com --user=email@example.com
    $ tctl status
    # Cluster teleport.example.com
    # Version 14.3.33
    # CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

  • Terraform >= 1.0.0+

    $ terraform version
    # Terraform v1.0.0
  • tbot must already be installed and configured on the machine that will run Terraform. For more information, see the deployment guides.

Step 1/3. Configure RBAC

First, Teleport must be configured to allow the credentials produced by tbot to modify the Teleport configuration.

If you have followed a platform guide, you will have created a role and granted the bot the ability to impersonate it already. This role just needs to have the additional privileges added to it.

Use tctl edit role/example-bot to add the following rule to the role:

spec:
allow:
rules:
- resources:
# These currently represent all the resources that can be configured by
# Terraform. You may wish to remove resources that you do not intend to
# configure with Terraform from this list to reduce blast radius.
- app
- cluster_auth_preference
- cluster_networking_config
- db
- device
- github
- login_rule
- oidc
- okta_import_rule
- role
- saml
- session_recording_config
- token
- trusted_cluster
- user
verbs:
- create
- read
- update
- delete
- list

Step 2/3. Configure tbot output

Now, tbot needs to be configured with an output that will produce the credentials needed by the Terraform provider. As the Terraform provider will be accessing the Teleport API, the correct output type to use is identity.

For this guide, the directory destination will be used. This will write these credentials to a specified directory on disk. Ensure that this directory can be written to by the Linux user that tbot runs as, and that it can be read by the Linux user that Terraform will run as.

Modify your tbot configuration to add an identity output:

outputs:
- type: identity
destination:
type: directory
# For this guide, /opt/machine-id is used as the destination directory.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
path: /opt/machine-id

If operating tbot as a background service, restart it. If running tbot in one-shot mode, it must be executed before you attempt to execute the Terraform plan later.

You should now see an identity file under /opt/machine-id. This contains the private key and signed certificates needed by the Terraform provider to authenticate with the Teleport Auth Server.

Step 3/3. Use Terraform with the identity output

Start by creating a new Terraform working directory:

$ mkdir ./my-terraform && cd ./my-terraform
$ terraform init

In order to configure the Teleport Terraform provider to use the credentials output by Machine ID, we use the identity_file_path option. Whilst is is possible to configure the Terraform provider using the TLS certificate, the identity file provides support across more Teleport configurations.

This example creates a simple role for demonstrative purposes, this role is unlikely to be useful within your Teleport Cluster. Therefore, once you have confirmed that you have configured Terraform correctly, this resource should be modified to suit your needs.

In this directory, create main.tf:

terraform {
required_providers {
teleport = {
version = "14.3.33"
source = "terraform.releases.teleport.dev/gravitational/teleport"
}
}
}

provider "teleport" {
# Replace with the address of your Teleport Proxy or Auth Server.
addr = "teleport.example.com:443"
# Replace with the directory configured in the identity output in the
# previous step.
identity_file_path = "/opt/machine-id/identity"
}

# This is an example. Replace this with the resource you wish to be managed
# with Terraform. See the following reference for supported options:
# https://goteleport.com/docs/reference/terraform-provider/
resource "teleport_role" "terraform-test" {
metadata = {
name = "terraform-test"
description = "Example role created by Terraform"
}

spec = {
# This role does nothing as it is an example role.
allow = {}
}
}

Replace teleport.example.com:443 with the address of your Teleport Proxy or Auth Server. If you modified the destination directory from /opt/machine-id, then this should also be replaced.

Now, execute Terraform to test the configuration:

$ terraform apply

Check your Teleport cluster, ensuring the role has been created:

$ tctl get role/terraform-test

Next steps