Terraform patterns for Boundary users and auth methods

Boundary supports password, OIDC, and LDAP auth methods.

Requirements

This document assumes the reader has:

An understanding of Terraform fundamentals
An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
Configured the Terraform Boundary provider.
Created a scope to add the users and auth methods to.

Auth method configuration

Below is an example of creating a password auth method. Terraform creates the auth method in the scope that is specified by the scope_id option.

resource "boundary_auth_method" "password" {
  scope_id = boundary_scope.org.id
  type     = "password"
}

LDAP auth method configuration

The next example demonstrates how to create an LDAP auth method.

resource "boundary_auth_method_ldap" "forumsys_ldap" {
  name          = "forumsys public LDAP"
  scope_id      = "global"                               # add the new auth method to the global scope
  urls          = ["ldap://ldap.forumsys.com"]           # the addr of the LDAP server
  user_dn       = "dc=example,dc=com"                    # the basedn for users
  user_attr     = "uid"                                  # the user attribute
  group_dn      = "dc=example,dc=com"                    # the basedn for groups
  bind_dn       = "cn=read-only-admin,dc=example,dc=com" # the dn to use when binding
  bind_password = "password"                             # passwd to use when binding
  state         = "active-public"                        # make sure the new auth-method is available to everyone
  enable_groups = true                                   # this turns-on the discovery of a user's groups
  discover_dn   = true                                   # this turns-on the discovery of an authenticating user's dn
}

Account and user configuration

After you create an auth method, you need to add accounts to it and create users to represent the accounts. Users and accounts are different constructs. A user is a "parent" object associated to one or more accounts created using a supported auth method.

This example creates 2 accounts using the password auth method and associated users.

# Create a user named "Jeff"
resource "boundary_account_password" "jeff" {
  auth_method_id = boundary_auth_method.password.id
  type           = "password"
  login_name     = "jeff"
  password       = "$uper$ecure"
}

# Associate the Jeff account with a user alias
resource "boundary_user" "jeff" {
  name        = "jeff"
  description = "Jeff's user resource"
  account_ids = [boundary_account_password.jeff.id]
  scope_id    = boundary_scope.org.id
}

#Create a user named Susmitha
resource "boundary_account_password" "susmitha" {
  auth_method_id = boundary_auth_method.password.id
  type           = "password"
  login_name     = "susmitha"
  password       = "more$super$ecure"
}

# And this associates the account with a user alias
resource "boundary_user" "susmitha" {
  name        = "susmitha"
  description = "Susmitha's user resource"
  account_ids = [boundary_account_password.susmitha.id]
  scope_id    = boundary_scope.org.id
}

More information

For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:

For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:

Next steps

Once you have created users and auth methods, you may want to create groups for your users or configure RBAC to define the actions a user is allowed to take.