Other Authentication and Authorization

Overview

Terrateam needs permission to access resources in your cloud provider no matter which provider you’re using. Without credentials, Terrateam won’t have permission to view or update cloud resources using the Terraform CLI.

Vendors typically publish an official Terraform provider on the Terraform Registry. There are many ways to configure authentication across Terraform providers. The instructions on this page aim to be a general guide. You should first read the official documentation of the Terraform provider you’re using to properly set things up.

For most Terraform providers, a secret access token is required for authentication. Most of the time, an environment variable can be used to set the token.

The typical steps are as follows:

  1. Create a user/role/service-account on your cloud provider with a set of access permissions you’re comfortable giving Terrateam
  2. Create a secret access token for the new user/role/service-account
  3. Create the required environment variables for the provider to consume using GitHub Secrets

Fly.io: An example

As an example, the Fly.io Terraform provider can be configured with the following Terraform code:

provider "fly" {
  # Please don't do this. Use the FLY_API_TOKEN env variable instead.
  flytoken = "abc123"
}

As you can see, the fly provider requires a token. It can be set either with a flytoken configuration inside the provider stanza or with a FLY_API_TOKEN environment variable. The environment variable is the recommended approach: storing secrets and passwords in Git is a bad idea.

Prerequisites: These instructions require you to run commands from a terminal.

  1. Export your Terraform organization/repo combination as an environment variable

For example:

export REPO="<OWNER/REPO>"

  2. Choose a Fly.io user you wish to use with Terrateam

  3. Create a new Fly.io customer access token

export FLY_API_TOKEN=$(fly auth token)

  4. Create the FLY_API_TOKEN GitHub Secret

gh secret --repo "$REPO" set FLY_API_TOKEN --body "$FLY_API_TOKEN"

The next time you issue a Terrateam operation, the Terrateam GitHub Action runner will pull down the FLY_API_TOKEN GitHub Secret to be used against Fly.io resources.
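A repository check for the hard-coded flytoken pattern shown in the provider block above, added here as an example and not part of the Terrateam documentation: it reports the file and line of any literal flytoken assignment without echoing the value into logs. The function names and the regular expression are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag literal flytoken values in Terraform files so they are
# caught before they reach Git. Function names are hypothetical.

# Print "file:line" for every line that assigns a quoted literal to flytoken.
# - Unquoted references (flytoken = var.fly_token) do not match.
# - Interpolations ("${var.fly_token}") and empty strings do not match.
# - Commented-out lines do not match (the line must start with flytoken).
# Only the location is printed, never the token itself.
find_hardcoded_flytoken() {
  dir=${1:-.}
  find "$dir" -type f -name '*.tf' ! -path '*/.terraform/*' \
    -exec grep -nHE '^[[:space:]]*flytoken[[:space:]]*=[[:space:]]*"[^"$]' {} + |
    cut -d: -f1,2
}

# Return 0 when the tree is clean, 1 when a literal token is found, so the
# function can gate a pre-commit hook or a CI step.
check_no_hardcoded_flytoken() {
  hits=$(find_hardcoded_flytoken "${1:-.}")
  if [ -n "$hits" ]; then
    printf 'literal flytoken found, use FLY_API_TOKEN instead:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the provider block from this page in a scratch directory.
demo=$(mktemp -d)
printf 'provider "fly" {\n  flytoken = "abc123"\n}\n' > "$demo/main.tf"
check_no_hardcoded_flytoken "$demo" || echo "check rejected the sample"
rm -rf "$demo"
```

In a real repository, call check_no_hardcoded_flytoken with the repository root from a pre-commit hook or CI step and let its exit status fail the run.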
