Terraform patterns for Boundary users and auth methods
Boundary supports password, OIDC, and LDAP auth methods.
Requirements
This document assumes the reader has:
- An understanding of Terraform fundamentals
- An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
- Configured the Terraform Boundary provider.
- Created a scope to add the users and auth methods to.
Auth method configuration
Below is an example of creating a password auth method. Terraform creates the auth method in the scope that is specified by the scope_id
option.
resource "boundary_auth_method" "password" { scope_id = boundary_scope.org.id type = "password"}
LDAP auth method configuration
The next example demonstrates how to create an LDAP auth method.
resource "boundary_auth_method_ldap" "forumsys_ldap" { name = "forumsys public LDAP" scope_id = "global" # add the new auth method to the global scope urls = ["ldap://ldap.forumsys.com"] # the addr of the LDAP server user_dn = "dc=example,dc=com" # the basedn for users user_attr = "uid" # the user attribute group_dn = "dc=example,dc=com" # the basedn for groups bind_dn = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding bind_password = "password" # passwd to use when binding state = "active-public" # make sure the new auth-method is available to everyone enable_groups = true # this turns-on the discovery of a user's groups discover_dn = true # this turns-on the discovery of an authenticating user's dn}
Account and user configuration
After you create an auth method, you need to add accounts to it and create users to represent the accounts. Users and accounts are different constructs. A user is a "parent" object associated to one or more accounts created using a supported auth method.
This example creates 2 accounts using the password auth method and associated users.
# Create a user named "Jeff"resource "boundary_account_password" "jeff" { auth_method_id = boundary_auth_method.password.id type = "password" login_name = "jeff" password = "$uper$ecure"} # Associate the Jeff account with a user aliasresource "boundary_user" "jeff" { name = "jeff" description = "Jeff's user resource" account_ids = [boundary_account_password.jeff.id] scope_id = boundary_scope.org.id} #Create a user named Susmitharesource "boundary_account_password" "susmitha" { auth_method_id = boundary_auth_method.password.id type = "password" login_name = "susmitha" password = "more$super$ecure"} # And this associates the account with a user aliasresource "boundary_user" "susmitha" { name = "susmitha" description = "Susmitha's user resource" account_ids = [boundary_account_password.susmitha.id] scope_id = boundary_scope.org.id}
More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:
For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:
Next steps
Once you have created users and auth methods, you may want to create groups for your users or configure RBAC to define the actions a user is allowed to take.