Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add enterprise/terraform docs #1778

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+135 −35
Open

add enterprise/terraform docs #1778

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b6171c0
add enterprise/terraform docs
wasaga Feb 10, 2025
f7b867b
fix formatting
wasaga Feb 11, 2025
d24a813
Merge remote-tracking branch 'origin/main' into wasaga/terraform
wasaga Feb 24, 2025
f567c68
update docs
wasaga Feb 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
131 changes: 131 additions & 0 deletions content/docs/deploy/enterprise/configure-terraform.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
---
title: Configure with Terraform
description: Learn how to manage your Pomerium Enterprise configuration using Terraform, including authentication setup, resource management, and deployment examples.
keywords:
[
Pomerium Enterprise,
Terraform,
IaC,
infrastructure as code,
configuration management,
service accounts,
provider configuration,
]
---

# Configure with Terraform

Pomerium Enterprise can be configured and managed using Terraform through the [official Pomerium provider](https://registry.terraform.io/providers/pomerium/pomerium/latest/docs). This enables you to manage your Pomerium Enterprise resources as infrastructure as code, making it easier to version, review, and automate your configuration changes.

## Prerequisites

- Pomerium Enterprise must be running first
- Console API must be accessible

## Provider Configuration

To use the Pomerium Terraform provider, first configure it in your Terraform configuration:

```hcl
terraform {
required_providers {
pomerium = {
source = "pomerium/pomerium"
version = "~> 0.0.7"
}
}
}

provider "pomerium" {
api_url = "https://console-api.your-domain.com"
# Choose one of the authentication methods below
}
```

## Authentication Methods

The provider supports one of the two authentication methods:

### 1. Service Account Token

This method uses a [Pomerium Enterprise Service Account](/docs/capabilities/service-accounts) and provides fine-grained access control at the namespace level:

```hcl
provider "pomerium" {
api_url = "https://console-api.your-domain.com"
service_account_token = var.pomerium_service_account_token
}
```

The Pomerium API route should authorize the relative pomerium service account access:

```yaml
- allow:
or:
- user:
is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
```

### 2. Bootstrap Service Account

This method requires enabling bootstrap service accounts in your Enterprise Console. It may be used if you wish to configure Pomerium Enterprise part of the installation process, without accessing its UI to create a new service account.

```hcl
provider "pomerium" {
api_url = "https://console-api.your-domain.com"
shared_secret_b64 = var.shared_secret_b64
}
```

The Pomerium API route should have the following policy, with the special bootstrap service account user ID.

```yaml
- allow:
or:
- user:
is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
```

:::warning

The Bootstrap Service Account method requires setting `BOOTSTRAP_SERVICE_ACCOUNT=true` in your Enterprise Console configuration.

:::

## Example

```hcl
resource "pomerium_namespace" "engineering" {
name = "engineering"
}

resource "pomerium_policy" "engineering_policy" {
name = "engineering-policy"
namespace = pomerium_namespace.engineering.id
ppl = yamlencode({
allow = {
and = [
{
groups = {
has = "engineering"
}
}
]
}
})
}

resource "pomerium_route" "internal_tools" {
name = "internal-tools"
namespace = pomerium_namespace.engineering.id
from = "https://tools.example.com"
to = ["https://internal-tools.local"]
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's apply the policy to this route to complete the example.

Missing something like this in the route resource definition:

policies = [
  pomerium_policy.engineering_policy.id
]

```

## Next Steps

- [Provider Documentation](https://registry.terraform.io/providers/pomerium/pomerium/latest/docs)
- [Example Configurations](https://github.com/pomerium/enterprise-terraform-provider/tree/main/example)
- [Enterprise API Reference](/docs/internals/management-api-enterprise)
- [Service Accounts](/docs/capabilities/service-accounts)
1 change: 1 addition & 0 deletions cspell.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,6 +217,7 @@
"tgroth",
"unvalidated",
"Whitelabeling",
"yamlencode",
"yourcompany",
"Zipkin"
],
Expand Down
4 changes: 3 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,9 @@
"write-translations": "docusaurus write-translations",
"write-heading-ids": "docusaurus write-heading-ids",
"format": "prettier --write .",
"format-check": "prettier --check ."
"format-check": "prettier --check .",
"precommit": "npm run format-check && npm run cspell",
"cspell": "cspell \"**/*\""
},
"dependencies": {
"@docusaurus/core": "^3.6.3",
Expand Down
34 changes: 0 additions & 34 deletions src/theme/NotFound/Content/index.tsx
View file
Open in desktop

This file was deleted.