Other Authentication and Authorization
Overview
Terrateam needs permission to access resources in your cloud provider no matter which provider you’re using. Without credentials, Terrateam won’t have permission to view or update cloud resources using the Terraform CLI.
Vendors typically publish an official Terraform provider on the Terraform Registry. There are many ways to configure authentication across Terraform providers. The instructions on this page aim to be a general guide. You should first read the official documentation of the Terraform provider you’re using to properly set things up.
For most Terraform providers, a secret access token is required for authentication. Most of the time, an environment variable can be used to set the token.
The typical steps are as follows:
- Create a user/role/service-account on your cloud provider with a set of access permissions you’re comfortable giving Terrateam
- Create a secret access token for the new user/role/service-account
- Create the required environment variables for the provider to consume using GitHub Secrets
Fly.io: An example
As an example, the Fly.io Terraform provider can be configured with the following Terraform code:
provider "fly" {
  # Please don't do this. Use the FLY_API_TOKEN env variable instead.
  flytoken = "abc123"
}
As you can see, the fly provider requires a token. This can be specified by using a flytoken configuration inside the provider stanza, or by specifying a FLY_API_TOKEN environment variable. Specifying an environment variable to be used is the recommended approach. Storing secrets and passwords in Git is a bad idea.
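One way to catch the hardcoded form before it reaches Git, as an added example that is not part of the original page or of Terrateam's tooling: a line-based Python heuristic (not a full HCL parser) that flags literal values on credential-like attributes inside provider blocks. The attribute-name pattern, the function names and the sample input are assumptions made for this illustration.

```python
import re

# Heuristic attribute names for credentials (an assumption; tune per provider).
SECRET_ATTR = re.compile(r"token|secret|password|api_?key|access_?key", re.I)
PROVIDER_OPEN = re.compile(r'^\s*provider\s+"([^"]+)"\s*\{')
ASSIGNMENT = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*"((?:[^"\\]|\\.)*)"')
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')

# Constructed sample: the page's provider block plus two safe variants.
SAMPLE_TF = '''\
provider "fly" {
  # Please don't do this. Use the FLY_API_TOKEN env variable instead.
  flytoken = "abc123"
}
provider "fly" {
  alias    = "from_var"
  flytoken = "${var.fly_token}" # reference, not a literal
}
provider "fly" {}
'''

def strip_comment(line):
    """Drop a trailing # or // comment, ignoring markers inside quoted strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_string = not in_string
        elif not in_string and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line

def find_hardcoded_provider_secrets(hcl_text):
    """Return (line_no, provider, attribute) for each non-empty literal string
    (no "${...}" interpolation) assigned to a credential-like attribute."""
    findings, provider, depth = [], None, 0
    for line_no, raw in enumerate(hcl_text.splitlines(), start=1):
        line = strip_comment(raw)
        opened = PROVIDER_OPEN.match(line)
        if provider is None and opened:
            provider, depth = opened.group(1), 0
        if provider is None:
            continue  # only provider blocks are in scope
        for attr, value in ASSIGNMENT.findall(line):
            if SECRET_ATTR.search(attr) and value and "${" not in value:
                findings.append((line_no, provider, attr))
        bare = STRING.sub('""', line)  # ignore braces inside string values
        depth += bare.count("{") - bare.count("}")
        if depth <= 0:
            provider = None  # block closed
    return findings
```

Run over the `.tf` files in a pre-commit hook or CI step, any returned finding means a provider credential is about to be committed and should move to an environment variable such as FLY_API_TOKEN.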
Prerequisites: These instructions require you to run commands from a terminal.
- Export your Terraform organization/repo combination as an environment variable
  For example:
  export REPO="<OWNER/REPO>"
- Choose a Fly.io user you wish to use with Terrateam
- Create a new Fly.io customer access token
  export FLY_API_TOKEN=$(fly auth token)
- Create the FLY_API_TOKEN GitHub Secret
  gh secret --repo "$REPO" set FLY_API_TOKEN --body "$FLY_API_TOKEN"
The next time you issue a Terrateam operation, the Terrateam GitHub Action runner will pull down the FLY_API_TOKEN GitHub Secret to be used against Fly.io resources.