Terraform patterns for Boundary credentials and credential stores
Boundary supports multiple types of static credentials and Vault dynamic credentials. A credential store stores credentials for hosts. Static credential stores can hold username/passwords, JSON tokens, SSH key pairs, and SSH certificates.
Requirements
This document assumes the reader has:
- An understanding of Terraform fundamentals
- An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
- Configured the Terraform Boundary provider.
- Configured hosts for any credential store you plan to create.
Static credential store configuration
This example creates both a static credential store and a Vault credential store.
After you create a credential store, you can create one or more credentials in that store.
Add static credentials configuration
This example creates static credentials that Boundary manages. The credentials are for a user named Carlos.
Vault credential store configuration
For Vault credential stores, you can then create a credential library which distributes credentials of a specific access level from a Vault path.
This example creates a credential library that reads secrets from a Vault path called my/secret/foo.
Translate key names from Vault configuration
If you need to translate the key names from Vault into values expected by Boundary, use this pattern.
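The following configuration is an added example, not the page's own code, covering the static credential store and credential for Carlos, the Vault credential store, the credential library for my/secret/foo, and the key-name translation described above. Resource and attribute names follow the Boundary Terraform provider; the scope id, Vault address, token, password and the Vault key names "user" and "pass" are assumptions.

```hcl
# Added example (not the page's own code). Assumes an existing Boundary
# scope id; Vault connection details and secrets come from variables.
variable "scope_id" { type = string }
variable "vault_address" { type = string }
variable "vault_token" {
  type      = string
  sensitive = true
}
variable "carlos_password" {
  type      = string
  sensitive = true
}

# Static credential store: Boundary itself holds these credentials.
resource "boundary_credential_store_static" "example" {
  name     = "static-store"
  scope_id = var.scope_id
}

# Static username/password credential for the user Carlos.
resource "boundary_credential_username_password" "carlos" {
  name                = "carlos"
  credential_store_id = boundary_credential_store_static.example.id
  username            = "carlos"
  password            = var.carlos_password
}

# Vault credential store: Boundary presents this token to Vault, so the
# token should be scoped to a policy that only reads the needed paths.
resource "boundary_credential_store_vault" "example" {
  name     = "vault-store"
  scope_id = var.scope_id
  address  = var.vault_address
  token    = var.vault_token
}

# Credential library reading my/secret/foo. The mapping overrides translate
# the Vault key names (assumed here to be "user" and "pass") into the
# username/password fields Boundary expects.
resource "boundary_credential_library_vault" "foo" {
  name                = "foo-library"
  credential_store_id = boundary_credential_store_vault.example.id
  path                = "my/secret/foo"
  http_method         = "GET"
  credential_type     = "username_password"
  credential_mapping_overrides = {
    username_attribute = "user"
    password_attribute = "pass"
  }
}
```

The Vault token and the static password are written to Terraform state, so the state backend needs the same access controls and encryption as the secrets themselves.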
Use SSH certificates as credentials configuration
To use SSH certificates as credentials, you use the boundary_credential_vault_ssh_certificate resource as shown in this example.
Declare additional certificate attributes and extensions configuration
This example declares additional certificate attributes and extensions. Note that you can enable extensions by declaring their names and setting their values to empty strings.
More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:
For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:
- Credentials
- Credential libraries
- Credential stores
Next steps
Once you have configured credentials and credential stores, you may want to enable session recording for auditing purposes or configure targets for your users to connect to.