diff --git a/docs/config.json b/docs/config.json index ab1ae4a1eb22a..7d825c90cebd8 100644 --- a/docs/config.json +++ b/docs/config.json @@ -1043,7 +1043,7 @@ }, { "source": "/machine-id/deployment/spacelift/", - "destination": "/enroll-resources/machine-id/deployment/spacelift/", + "destination": "/admin-guides/infrastructure-as-code/terraform-provider/spacelift/", "permanent": true }, { @@ -2575,6 +2575,11 @@ "source": "/choose-an-edition/teleport-enterprise/introduction/", "destination": "/admin-guides/deploy-a-cluster/deploy-a-cluster/", "permanent": true + }, + { + "source": "/enroll-resources/machine-id/deployment/spacelift/", + "destination": "/admin-guides/infrastructure-as-code/terraform-provider/spacelift/", + "permanent": true } ] } diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx index 4f4919dedfd78..05f9847994cc9 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider.mdx 
@@ -19,6 +19,7 @@ is executed. You must pick the correct guide for your setup: |---------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| | [Run the Teleport Terraform provider locally](./terraform-provider/local.mdx) | This is the best way to get started with the Teleport terraform provider, write some initial Terraform code and get familiar with IaC. | You're using you local credentials to create a temporary bot, obtain short-lived credentials, and store them in environment variables. | | [Run the Teleport Terraform provider in CI or a cloud VM](./terraform-provider/ci-or-cloud.mdx) | You already have a working Terraform module configuring Teleport and want to run it in CI to benefit from review and audit capabilities from your versioning system (e.g. git). | You're using a proof provided by your runtime (CI engine, cloud provider) to prove your identity and join using MachineID. | +| [Run the Teleport Terraform provider on Spacelift](./terraform-provider/spacelift.mdx) | You already have a working Terraform module configuring Teleport and want to run it on the Spacelift platform. | You're using a proof provided by Spacelift to prove your identity and join using MachineID. | | [Run the Teleport Terraform provider from a server](./terraform-provider/dedicated-server.mdx) | You have working Terraform code and want to run it on a dedicated server. The server is long-lived, like a bastion or a task runner. | You setup a MachineID daemon (`tbot`) that obtains and refreshes credentials for the Terraform provider. 
| | [Run the Teleport Terraform provider with long-lived credentials.](./terraform-provider/long-lived-credentials.mdx) | This method is discouraged as less secure than the 3 others. This should be used when none of the other methods work in your case (short-lived CI environments that don't have dedicated Teleport join methods). | You sign one long lived certificate allowing the Terraform provider to connect to Teleport. | diff --git a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx index 9f9602237ba08..87810c8ee8cac 100644 --- a/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/ci-or-cloud.mdx @@ -25,10 +25,11 @@ join method and token to the provider. -This guide does not cover running Teleport locally or on a dedicated server. -If you are in one of those cases, follow the dedicated guides: +This guide does not cover running Teleport locally, on a dedicated server or on +certain platforms. See the following more specific guides for those cases: - [Run the Terraform Provider locally](./local.mdx) - [Run the Teleport Terraform Provider on a server](./dedicated-server.mdx) +- [Run the Teleport Terraform Provider on Spacelift](./spacelift.mdx) ## How it works diff --git a/docs/pages/enroll-resources/machine-id/deployment/spacelift.mdx b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx similarity index 85% rename from docs/pages/enroll-resources/machine-id/deployment/spacelift.mdx rename to docs/pages/admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx index 2cccd4f432fd2..976b95f8b2306 100644 --- a/docs/pages/enroll-resources/machine-id/deployment/spacelift.mdx +++ b/docs/pages/admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx 
@@ -1,6 +1,6 @@ --- -title: Deploying Machine ID on Spacelift -description: How to install and configure Machine ID on Spacelift +title: Run the Teleport Terraform Provider on Spacelift +description: How to manage dynamic resources using the Teleport Terraform provider on the Spacelift platform. --- You can use Spacelift with the Teleport Terraform provider to manage dynamic @@ -32,56 +32,9 @@ resources. ## Step 1/3. Create a role and Machine ID bot -Create `example-bot-role.yaml`, which declares a Teleport role that we will -assign to the bot user for Spacelift. `tbot` generates short-lived credentials -that grant the user access to this role, allowing Spacelift to manage dynamic -Teleport resources using Terraform: - -```yaml -kind: role -version: v5 -metadata: - name: example-bot -spec: - allow: - rules: - - resources: - - app - - cluster_auth_preference - - cluster_networking_config - - db - - device - - github - - login_rule - - oidc - - okta_import_rule - - role - - saml - - session_recording_config - - token - - trusted_cluster - - user - verbs: - - create - - read - - update - - delete - - list - deny: {} - options: {} -``` - -This role grants access to create, update, delete, and list a number of Teleport -resources. You may wish to remove resources that you do not intend to configure -with Terraform from this list to reduce blast radius. See the [Teleport Role -Reference](../../../reference/access-controls/roles.mdx) -for the dynamic resources you can grant access to in a Teleport role. - -Create this role by applying the manifest: - -``` -$ tctl create example-bot-role.yaml -``` +First, we'll create a Machine ID Bot for our Spacelift job to act as. We'll +grant it the `terraform-provider` role, which automatically grants access to +every resource supported by the Teleport terraform provider. Create `bot.yaml`: 
@@ -92,9 +45,10 @@ metadata: # name is a unique identifier for the Bot in the cluster. name: example spec: - # we specify the role that we just created to grant it to the Bot + # The terraform-provider is a default role shipped in Teleport granting access + # to every resource supported by the terraform provider. roles: - - example-bot + - terraform-provider ``` Make sure you replace `example` with a unique, descriptive, name for your Bot. diff --git a/docs/pages/enroll-resources/machine-id/deployment.mdx b/docs/pages/enroll-resources/machine-id/deployment.mdx index fc3e238ffe743..aff3a54a3d35b 100644 --- a/docs/pages/enroll-resources/machine-id/deployment.mdx +++ b/docs/pages/enroll-resources/machine-id/deployment.mdx 
@@ -66,10 +66,10 @@ on-prem infrastructure. Read the following guides for how to deploy Machine ID on a continuous integration and continuous deployment platform -| Platform | Installation method | Join method | -|---------------------------------------------------|---------------------------------------------------------------|------------------------------------| -| [CircleCI](./deployment/circleci.mdx) | TAR archive | CircleCI-signed identity document | -| [GitLab](./deployment/gitlab.mdx) | TAR archive | GitLab-signed identity document | -| [GitHub Actions](./deployment/github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. | -| [Jenkins](./deployment/jenkins.mdx) | Package manager or TAR archive | Static join token | -| [Spacelift](./deployment/spacelift.mdx) | Docker Image | Spacelift-signed identity document | +| Platform | Installation method | Join method | +|-----------------------------------------------------------------------------------------|---------------------------------------------------------------|------------------------------------| +| [CircleCI](./deployment/circleci.mdx) | TAR archive | CircleCI-signed identity document | +| [GitLab](./deployment/gitlab.mdx) | TAR archive | GitLab-signed identity document | +| [GitHub Actions](./deployment/github-actions.mdx) | Teleport job available through the GitHub Actions marketplace | GitHub-signed identity document. | +| [Jenkins](./deployment/jenkins.mdx) | Package manager or TAR archive | Static join token | +| [Spacelift](../../admin-guides/infrastructure-as-code/terraform-provider/spacelift.mdx) | Docker Image | Spacelift-signed identity document |
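Review bot: In the docs/config.json hunks, the entry at line 1043 now points `/machine-id/deployment/spacelift/` straight at `/admin-guides/infrastructure-as-code/terraform-provider/spacelift/` instead of at the old `/enroll-resources/...` path, which correctly avoids a two-hop redirect chain once the new entry at line 2575 is added; please also confirm no other entry in the file still uses `/enroll-resources/machine-id/deployment/spacelift/` as a `destination`, since any such entry would now chain through the new redirect.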
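Review bot: In the terraform-provider.mdx table hunk, the unchanged last row still says the long-lived-credentials method is "less secure than the 3 others", but the new Spacelift row makes it four other methods; update that row to "the 4 others" (or drop the count) in this change so the table stays consistent. Also, the new row spells it "MachineID" while the Spacelift guide itself says "Machine ID Bot"; pick one spelling across the table.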
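Review bot: In the ci-or-cloud.mdx hunk, the rewritten sentence "This guide does not cover running Teleport locally, on a dedicated server or on certain platforms" describes running the Terraform provider, not Teleport itself; since the line is being edited anyway, suggest "This guide does not cover running the Terraform provider locally, on a dedicated server, or on certain platforms." The three list items below it also mix "Run the Terraform Provider locally" with "Run the Teleport Terraform Provider ..."; aligning them with the page titles would help.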
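Review bot: In the spacelift.mdx `@@ -32,56` hunk, replacing the hand-written `example-bot` role with the preset `terraform-provider` role also drops the guidance that readers "may wish to remove resources that you do not intend to configure with Terraform from this list to reduce blast radius", together with the link to the Teleport Role Reference. Since the preset role grants create/read/update/delete on every resource the provider supports, suggest keeping a sentence after "Create `bot.yaml`:" along the lines of: "If your Spacelift stack only manages a subset of resources, you can instead create a custom role listing just those resources and assign it to the bot; see the [Teleport Role Reference](../../../reference/access-controls/roles.mdx)." The file moves from `enroll-resources/machine-id/deployment/` to `admin-guides/infrastructure-as-code/terraform-provider/`, both three levels under `docs/pages`, so the existing `../../../` relative links in the unchanged 85% of the page should still resolve, but it is worth a quick check of the rest of the file.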
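Review bot: In the spacelift.mdx `@@ -92,9` hunk, the new YAML comment "The terraform-provider is a default role shipped in Teleport granting access to every resource supported by the terraform provider." is missing the word "role" after the name; suggest "terraform-provider is a preset role shipped with Teleport that grants access to every resource supported by the Terraform provider." so a reader skimming `bot.yaml` understands why no role needs to be created beforehand.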
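Review bot: In the deployment.mdx table hunk, the Spacelift row now links out of the "deploy Machine ID on a CI/CD platform" table to a page titled "Run the Teleport Terraform Provider on Spacelift", whose introduction and Step 1/3 are specific to the Terraform provider (the bot is granted the `terraform-provider` role). Either note in the row that the guide covers the Terraform-provider use case, or point readers who want a generic `tbot` deployment on Spacelift elsewhere, so the table's "Installation method: Docker Image / Join method: Spacelift-signed identity document" summary does not promise a general Machine ID guide that the linked page no longer is.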