|
| 1 | +--- |
| 2 | +title: Configure with Terraform |
| 3 | +description: Learn how to manage your Pomerium Enterprise configuration using Terraform, including authentication setup, resource management, and deployment examples. |
| 4 | +keywords: |
| 5 | + [ |
| 6 | + Pomerium Enterprise, |
| 7 | + Terraform, |
| 8 | + IaC, |
| 9 | + infrastructure as code, |
| 10 | + configuration management, |
| 11 | + service accounts, |
| 12 | + provider configuration, |
| 13 | + ] |
| 14 | +--- |
| 15 | + |
| 16 | +# Configure with Terraform |
| 17 | + |
| 18 | +Pomerium Enterprise can be configured and managed using Terraform through our official provider. This enables you to manage your Pomerium Enterprise resources as infrastructure as code, making it easier to version, review, and automate your configuration changes. |
| 19 | + |
| 20 | +## Provider Configuration |
| 21 | + |
| 22 | +To use the Pomerium Terraform provider, first configure it in your Terraform configuration: |
| 23 | + |
| 24 | +```hcl |
| 25 | +terraform { |
| 26 | + required_providers { |
| 27 | + pomerium = { |
| 28 | + source = "pomerium/pomerium" |
| 29 | + version = "~> 0.0.7" |
| 30 | + } |
| 31 | + } |
| 32 | +} |
| 33 | +
|
| 34 | +provider "pomerium" { |
| 35 | + api_url = "https://console-api.your-domain.com" |
| 36 | + # Choose one of the authentication methods below |
| 37 | +} |
| 38 | +``` |
| 39 | + |
| 40 | +## Authentication Methods |
| 41 | + |
| 42 | +The provider supports two authentication methods: |
| 43 | + |
| 44 | +### 1. Service Account Token (Recommended) |
| 45 | + |
| 46 | +This method uses a [Pomerium Enterprise Service Account](/docs/capabilities/service-accounts) and provides fine-grained access control at the namespace level: |
| 47 | + |
| 48 | +```hcl |
| 49 | +provider "pomerium" { |
| 50 | + api_url = "https://console-api.your-domain.com" |
| 51 | + service_account_token = var.pomerium_service_account_token |
| 52 | +} |
| 53 | +``` |
| 54 | + |
| 55 | +### 2. Bootstrap Service Account |
| 56 | + |
| 57 | +This method requires enabling bootstrap service accounts in your Enterprise Console: |
| 58 | + |
| 59 | +```hcl |
| 60 | +provider "pomerium" { |
| 61 | + api_url = "https://console-api.your-domain.com" |
| 62 | + shared_secret_b64 = var.shared_secret_b64 |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +:::warning The Bootstrap Service Account method requires setting `BOOTSTRAP_SERVICE_ACCOUNT=true` in your Enterprise Console configuration. ::: |
| 67 | + |
| 68 | +## Example |
| 69 | + |
| 70 | +```hcl |
| 71 | + resource "pomerium_namespace" "engineering" { |
| 72 | + name = "engineering" |
| 73 | + } |
| 74 | +
|
| 75 | + resource "pomerium_policy" "engineering_policy" { |
| 76 | + name = "engineering-policy" |
| 77 | + namespace = pomerium_namespace.engineering.id |
| 78 | + ppl = yamlencode({ |
| 79 | + allow = { |
| 80 | + and = [ |
| 81 | + { |
| 82 | + groups = { |
| 83 | + has = "engineering" |
| 84 | + } |
| 85 | + } |
| 86 | + ] |
| 87 | + } |
| 88 | + }) |
| 89 | + } |
| 90 | +
|
| 91 | + resource "pomerium_route" "internal_tools" { |
| 92 | + name = "internal-tools" |
| 93 | + namespace = pomerium_namespace.engineering.id |
| 94 | + from = "https://tools.example.com" |
| 95 | + to = ["https://internal-tools.local"] |
| 96 | + } |
| 97 | +``` |
| 98 | + |
| 99 | +## Next Steps |
| 100 | + |
| 101 | +- [Provider Documentation](https://registry.terraform.io/providers/pomerium/pomerium/latest/docs) |
| 102 | +- [Example Configurations](https://github.com/pomerium/enterprise-terraform-provider/tree/main/examples) |
| 103 | +- [Enterprise API Reference](/docs/internals/management-api-enterprise) |
| 104 | +- [Service Accounts](/docs/capabilities/service-accounts) |
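Review bot: the warning admonition in the Authentication Methods section is written on one line (`:::warning The Bootstrap Service Account method requires setting ... ::: `), which Docusaurus will not render as a callout; put `:::warning` and the closing `:::` on their own lines with the sentence between them. Two related points in the same file: both provider examples read a secret from `var.pomerium_service_account_token` or `var.shared_secret_b64` without showing the `variable` blocks, so consider adding them with `sensitive = true` so the token and shared secret are redacted from plan and apply output, and note next to the bootstrap method that the deployment-wide shared secret is not scoped to a namespace the way the recommended service account token is. In the Example section, `pomerium_policy.engineering_policy` is defined but never referenced by `pomerium_route.internal_tools`, so the reader is not shown how the policy is attached to the route; the resource lines in that block also carry an extra leading space that should be dropped.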