Introduce the tctl terraform env command

api/constants/constants.go

@@ -458,3 +458,46 @@ const (
 	// Multiple decisions can be sent for the same request if the policy requires it.
 	FileTransferDecision string = "file-transfer-decision@goteleport.com"
 )
+
+// Terraform provider environment variable names.
+// This is mainly used by the Terraform provider and the `tctl terraform` command.
+const (
+	// EnvVarTerraformAddress is the environment variable configuring the Teleport address the Terraform provider connects to.
+	EnvVarTerraformAddress = "TF_TELEPORT_ADDR"
+	// EnvVarTerraformCertificates is the environment variable configuring the path the Terraform provider loads its
+	// client certificates from. This only works for direct auth joining.
+	EnvVarTerraformCertificates = "TF_TELEPORT_CERT"
+	// EnvVarTerraformCertificatesBase64 is the environment variable configuring the client certificates used by the
+	// Terraform provider. This only works for direct auth joining.
+	EnvVarTerraformCertificatesBase64 = "TF_TELEPORT_CERT_BASE64"
+	// EnvVarTerraformKey is the environment variable configuring the path the Terraform provider loads its
+	// client key from. This only works for direct auth joining.
+	EnvVarTerraformKey = "TF_TELEPORT_KEY"
+	// EnvVarTerraformKeyBase64 is the environment variable configuring the client key used by the
+	// Terraform provider. This only works for direct auth joining.
+	EnvVarTerraformKeyBase64 = "TF_TELEPORT_KEY_BASE64"
+	// EnvVarTerraformRootCertificates is the environment variable configuring the path the Terraform provider loads its
+	// trusted CA certificates from. This only works for direct auth joining.
+	EnvVarTerraformRootCertificates = "TF_TELEPORT_ROOT_CA"
+	// EnvVarTerraformRootCertificatesBase64 is the environment variable configuring the CA certificates trusted by the
+	// Terraform provider. This only works for direct auth joining.
+	EnvVarTerraformRootCertificatesBase64 = "TF_TELEPORT_CA_BASE64"
+	// EnvVarTerraformProfileName is the environment variable containing name of the profile used by the Terraform provider.
+	EnvVarTerraformProfileName = "TF_TELEPORT_PROFILE_NAME"
+	// EnvVarTerraformProfilePath is the environment variable containing the profile directory used by the Terraform provider.
+	EnvVarTerraformProfilePath = "TF_TELEPORT_PROFILE_PATH"
+	// EnvVarTerraformIdentityFilePath is the environment variable containing the path to the identity file used by the provider.
+	EnvVarTerraformIdentityFilePath = "TF_TELEPORT_IDENTITY_FILE_PATH"
+	// EnvVarTerraformIdentityFile is the environment variable containing the identity file used by the Terraform provider.
+	EnvVarTerraformIdentityFile = "TF_TELEPORT_IDENTITY_FILE"
+	// EnvVarTerraformIdentityFileBase64 is the environment variable containing the base64-encoded identity file used by the Terraform provider.
+	EnvVarTerraformIdentityFileBase64 = "TF_TELEPORT_IDENTITY_FILE_BASE64"
+	// EnvVarTerraformRetryBaseDuration is the environment variable configuring the base duration between two Terraform provider retries.
+	EnvVarTerraformRetryBaseDuration = "TF_TELEPORT_RETRY_BASE_DURATION"
+	// EnvVarTerraformRetryCapDuration is the environment variable configuring the maximum duration between two Terraform provider retries.
+	EnvVarTerraformRetryCapDuration = "TF_TELEPORT_RETRY_CAP_DURATION"
+	// EnvVarTerraformRetryMaxTries is the environment variable configuring the maximum number of Terraform provider retries.
+	EnvVarTerraformRetryMaxTries = "TF_TELEPORT_RETRY_MAX_TRIES"
+	// EnvVarTerraformDialTimeoutDuration is the environment variable configuring the Terraform provider dial timeout.
+	EnvVarTerraformDialTimeoutDuration = "TF_TELEPORT_DIAL_TIMEOUT_DURATION"
+)

constants.go

@@ -675,6 +675,10 @@ const (
 	// resources.
 	PresetRequireTrustedDeviceRoleName = "require-trusted-device"
 
+	// PresetTerraformProviderRoleName is a name of a default role that allows the Terraform provider
+	// to configure all its supported Teleport resources.
+	PresetTerraformProviderRoleName = "terraform-provider"
+
 	// SystemAutomaticAccessApprovalRoleName names a preset role that may
 	// automatically approve any Role Access Request
 	SystemAutomaticAccessApprovalRoleName = "@teleport-access-approver"

integration/helpers/helpers.go

@@ -189,7 +189,7 @@ func CloseAgent(teleAgent *teleagent.AgentServer, socketDirPath string) error {
 	return nil
 }
 
-func MustCreateUserIdentityFile(t *testing.T, tc *TeleInstance, username string, ttl time.Duration) string {
+func MustCreateUserKey(t *testing.T, tc *TeleInstance, username string, ttl time.Duration) *client.Key {
 	key, err := client.GenerateRSAKey()
 	require.NoError(t, err)
 	key.ClusterName = tc.Secrets.SiteName
@@ -209,9 +209,14 @@ func MustCreateUserIdentityFile(t *testing.T, tc *TeleInstance, username string,
 	hostCAs, err := tc.Process.GetAuthServer().GetCertAuthorities(context.Background(), types.HostCA, false)
 	require.NoError(t, err)
 	key.TrustedCerts = authclient.AuthoritiesToTrustedCerts(hostCAs)
+	return key
+}
+
+func MustCreateUserIdentityFile(t *testing.T, tc *TeleInstance, username string, ttl time.Duration) string {
+	key := MustCreateUserKey(t, tc, username, ttl)
 
 	idPath := filepath.Join(t.TempDir(), "user_identity")
-	_, err = identityfile.Write(context.Background(), identityfile.WriteConfig{
+	_, err := identityfile.Write(context.Background(), identityfile.WriteConfig{
 		OutputPath: idPath,
 		Key:        key,
 		Format:     identityfile.FormatFile,