Machine ID: Terraform Cloud joining#45574
This adds a new `terraform` join method, which uses Terraform Cloud's Workload Identity OIDC provider to provide delegated joining support for Machine ID bots. As the Terraform provider now embeds tbot, this means - with some light modifications - that the Terraform provider can now join using this join method, and without any secrets.
```proto
// Audience is the JWT audience as configured in the
// TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud.
string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"];
```
Could we have it so that we always just expect the audience to equal the name of the Teleport cluster? That sounds more semantically correct to me.
We could, and I think that's the only answer we could bake in that makes sense. It might make the config/docs UX a bit weird (without a guided flow of some sort at least) but is otherwise fine.
The more confusing parameter is the $TAG, I suppose. For docs purposes we can just recommend TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=<cluster name>.
Do you think that should be the default value if unset, or should we just always use the cluster name? Is there any sane use case for allowing user override?
```go
for i, allowRule := range a.Allow {
	orgSet := allowRule.OrganizationID != "" || allowRule.OrganizationName != ""
	projectSet := allowRule.ProjectID != "" || allowRule.ProjectName != ""
```
Are project names globally unique across TfCloud? We should ensure we require at least one globally unique property here.
Organization names/ids are, at least. The others are only unique within their parent org/project. I think we could require that at least organization (name or ID) is set, then at least one of project name/project ID/workspace name/workspace ID?
👍 I think I've done similar on another one of the join methods (always required org id/org name). Without it, it's super easy to make a join token that would allow a bad actor to create their own org, create a project w/ the same name, and access your cluster.
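As an added illustration of the rule this thread converges on (example code written for this page, not Teleport's own implementation; the `Fields` type and the function names are assumptions): every allow rule must pin an organization by name or ID plus at least one project or workspace identifier, and matching then requires every field a rule sets to agree with the token's claims, so a same-named project in a different organization is refused.

```go
package main

import "fmt"

// Fields is the subset of Terraform Cloud workload identity claims a join rule can match on.
// The same shape doubles as an allow rule, where an empty field means "not constrained".
// (Names are this example's, not Teleport's own types.)
type Fields struct {
	OrganizationID, OrganizationName string
	ProjectID, ProjectName           string
	WorkspaceID, WorkspaceName       string
}

// ValidateRule enforces the review outcome: organization is the only globally unique
// property, so every rule must pin one (by name or ID) plus at least one project or
// workspace field. A rule naming only a project would match that name in any organization.
func ValidateRule(r Fields) error {
	if r.OrganizationID == "" && r.OrganizationName == "" {
		return fmt.Errorf("allow rule must set organization_id or organization_name")
	}
	if r.ProjectID == "" && r.ProjectName == "" && r.WorkspaceID == "" && r.WorkspaceName == "" {
		return fmt.Errorf("allow rule must also set a project or workspace id/name")
	}
	return nil
}

// match treats an empty rule field as unconstrained; a set field must be equal.
func match(rule, claim string) bool { return rule == "" || rule == claim }

// RuleMatches reports whether every field the rule constrains agrees with the claims.
func RuleMatches(r, c Fields) bool {
	return match(r.OrganizationID, c.OrganizationID) && match(r.OrganizationName, c.OrganizationName) &&
		match(r.ProjectID, c.ProjectID) && match(r.ProjectName, c.ProjectName) &&
		match(r.WorkspaceID, c.WorkspaceID) && match(r.WorkspaceName, c.WorkspaceName)
}

// Authorize rejects a misconfigured rule set outright, else admits the token if any rule matches.
func Authorize(rules []Fields, claims Fields) error {
	for i, r := range rules {
		if err := ValidateRule(r); err != nil {
			return fmt.Errorf("allow rule %d: %w", i, err)
		}
		if RuleMatches(r, claims) {
			return nil
		}
	}
	return fmt.Errorf("no allow rule matched the token claims")
}

func main() { fmt.Println(Authorize([]Fields{{ProjectName: "infra"}}, Fields{})) }
```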
```go
func (its *IDTokenSource) GetIDToken() (string, error) {
	name := "TFC_WORKLOAD_IDENTITY_TOKEN"
	if its.audienceTag != "" {
		name = fmt.Sprintf("TFC_WORKLOAD_IDENTITY_TOKEN_%s", strings.ToUpper(its.audienceTag))
```
Wow - had no clue they put the audience into the name of the env var - that's super awkward!
Yep, it's a weird one. Well, not quite in the name of the var - the audience tag is an optional parameter in the var name. The audience is the var value.
The rule is more or less: whenever TFC sees a var matching `TFC_WORKLOAD_IDENTITY_AUDIENCE(?P<tag>_\w+)?` during a run, it uses the value as the audience, then writes the JWT into `$TFC_WORKLOAD_IDENTITY_TOKEN$tag`.
The tag is meant to let you issue more than one token, since otherwise you could only define one audience. More docs here: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/specifying-multiple-configurations
(Naturally, none of this applies to their own providers which use some slightly different magic to write the same content into different env vars 🤷)
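An added example (not code from the PR or from HashiCorp) tying together the audience discussion above and this variable naming rule: it derives the token variable from the audience tag, scans a constructed environment snapshot for the audience variables TFC honours, and checks that the audience configured for the chosen tag is the Teleport cluster name before handing the token on. The `env` map stands in for the process environment and the function names are this example's.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// audienceVar matches the variables TFC scans for during a run: TFC_WORKLOAD_IDENTITY_AUDIENCE plus an optional _TAG.
var audienceVar = regexp.MustCompile(`^TFC_WORKLOAD_IDENTITY_AUDIENCE(_\w+)?$`)

// TokenVarName is where TFC writes the JWT for a tag ("" = untagged); the tag is upper-cased as the PR's IDTokenSource does.
func TokenVarName(tag string) string {
	if tag == "" {
		return "TFC_WORKLOAD_IDENTITY_TOKEN"
	}
	return "TFC_WORKLOAD_IDENTITY_TOKEN_" + strings.ToUpper(tag)
}

// AudienceTags scans a snapshot of the run environment for audience variables
// and returns tag -> configured audience, tags normalised to upper case.
func AudienceTags(env map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range env {
		if m := audienceVar.FindStringSubmatch(k); m != nil {
			out[strings.ToUpper(strings.TrimPrefix(m[1], "_"))] = v
		}
	}
	return out
}

// ResolveToken returns the JWT TFC wrote for audienceTag, first checking that
// the audience configured for that tag is the Teleport cluster name (the
// default the review settled on), so a wrong-audience token fails early.
func ResolveToken(env map[string]string, audienceTag, clusterName string) (string, error) {
	aud, ok := AudienceTags(env)[strings.ToUpper(audienceTag)]
	if !ok {
		return "", fmt.Errorf("no TFC_WORKLOAD_IDENTITY_AUDIENCE variable for tag %q", audienceTag)
	}
	if aud != clusterName {
		return "", fmt.Errorf("audience %q does not match cluster name %q", aud, clusterName)
	}
	tok := env[TokenVarName(audienceTag)]
	if tok == "" {
		return "", fmt.Errorf("%s is not set", TokenVarName(audienceTag))
	}
	return tok, nil
}

func main() { fmt.Println(TokenVarName("teleport")) }
```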
This addresses a few feedback items, defaulting the audience to the Teleport cluster name and requiring allow rules specify an organization + at least one other parameter. Also, adds a first batch of tests.
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with
@timothyb89 - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.
Thanks. I'm excited for this, because this is blocking my upgrade to Teleport v16+ after the change that required MFA for every local user, and I'm using Terraform Enterprise, which is why I'm curious about compatibility.
@mgriffin13, if you'd be up for testing out early builds, feel free to reach out to me on our community Slack! I'd like to follow up quickly with support for Terraform Enterprise but don't have a way of testing it myself at the moment. If things go well, I think we should be able to get everything into v16.3.
@timothyb89 See the table below for backport results.
Backport of #45574 for branch/v16

---

* Machine ID: Terraform Cloud joining

  This adds a new `terraform` join method, which uses Terraform Cloud's Workload Identity OIDC provider to provide delegated joining support for Machine ID bots. As the Terraform provider now embeds tbot, this means - with some light modifications - that the Terraform provider can now join using this join method, and without any secrets.
* Address some review feedback, add first batch of tests

  This addresses a few feedback items, defaulting the audience to the Teleport cluster name and requiring allow rules specify an organization + at least one other parameter. Also, adds a first batch of tests.
* Update autogenerated CRD docs
* Add tests for RegisterUsingToken and provisioning token init
* Fix imports
* Fix CRD docs
* Update tfschema
* Update tf docs
* Update docstring to make it clear that `Audience` is optional
* Update manifests
* Update CRD docs
* Code review feedback; docstring fixes
* Rename lib/terraform to lib/terraformcloud
* Rename terraform -> terraform_cloud

  Renames the new join method to terraform_cloud to make it clear that it won't work for TF running elsewhere (where other join methods should be used)
* Fix tests and docs lints
* Update api/proto/teleport/legacy/types/types.proto

  Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
* Update proto artifacts

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
This adds support for hostname/issuer overrides, needed to support on-prem Terraform Enterprise installs. When the new `hostname` field is unset, behavior is changed, but when set, the JWT is validated against it instead of `app.terraform.io`. Additionally, this renames `join_terraform.go` to `join_terraformcloud.go`, since that was missed during the rename in #45574.
Support for Terraform Enterprise is in progress here: #46051
* Terraform Cloud joining: Support Terraform Enterprise issuers

  This adds support for hostname/issuer overrides, needed to support on-prem Terraform Enterprise installs. When the new `hostname` field is unset, behavior is changed, but when set, the JWT is validated against it instead of `app.terraform.io`. Additionally, this renames `join_terraform.go` to `join_terraformcloud.go`, since that was missed during the rename in #45574.
* Enable Terraform Cloud joining for Teleport Community Edition

  This enables Terraform Cloud joining for Community Edition when using the public HCP Terraform SaaS. Teleport Enterprise is still required for use with self-hosted Terraform Enterprise.

  changelog: Enable Terraform Cloud joining for Teleport Community Edition when using HCP Terraform
* Fix unit tests
* Update lib/auth/join_terraformcloud.go

  Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
* Fix linter

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Short instruction doc: https://gist.github.com/timothyb89/5bb905e8c7065ae0601e83f816af8056

changelog: Add new `terraform` join method to allow secretless authentication for Terraform Cloud jobs in the Teleport Terraform provider

Separate docs PR (WIP): #45806