terraform-provider-conjur

Terraform provider for Conjur.



Installation

Binaries (Recommended)

The recommended way to install terraform-provider-conjur is to use the binary distributions from this project's GitHub Releases page. The packages are available for Linux, macOS and Windows.

Download and uncompress the latest release for your OS. This example uses the Linux binary.

$ wget https://github.com/cyberark/terraform-provider-conjur/releases/download/$VERSION/terraform-provider-conjur-linux-amd64.tar.gz
$ tar -xvf terraform-provider-conjur*.tar.gz

Replace $VERSION above with the version of the release you want.

Now copy the binary to Terraform's plugins folder. If this is your first plugin, you'll need to create the folder first.

$ mkdir -p ~/.terraform.d/plugins/
$ mv terraform-provider-conjur*/terraform-provider-conjur ~/.terraform.d/plugins/

Homebrew (macOS)

Add and update the CyberArk Tools Homebrew tap.

$ brew tap cyberark/tools

Install the provider and symlink it to Terraform's plugins directory.

$ brew install terraform-provider-conjur

$ mkdir -p ~/.terraform.d/plugins/
$ ln -sf /usr/local/Cellar/terraform-provider-conjur/$VERSION/bin/terraform-provider-conjur ~/.terraform.d/plugins/

Symlinking is necessary because Homebrew is sandboxed and cannot write to your home directory. Replace $VERSION above. If Homebrew is installing somewhere other than /usr/local/Cellar, update the path as well.

Compile from Source

If you wish to compile the provider from source code, you'll first need Go installed on your machine (version >=1.9 is required).

Clone repository to: $GOPATH/src/github.com/cyberark/terraform-provider-conjur

$ mkdir -p $GOPATH/src/github.com/cyberark

$ git clone https://github.com/cyberark/terraform-provider-conjur.git $GOPATH/src/github.com/cyberark/terraform-provider-conjur

Enter the provider directory and build the provider.

$ cd $GOPATH/src/github.com/cyberark/terraform-provider-conjur
$ make build

Now copy the binary to Terraform's plugins folder. If this is your first plugin, you'll need to create the folder first.

$ mkdir -p ~/.terraform.d/plugins/
$ mv terraform-provider-conjur ~/.terraform.d/plugins/

Usage

Workflow

Terraform can be run manually by users, but it is often run by machines. Conjur supports authentication and authorization for both.

If you are logged into the Conjur CLI, this provider will read your configuration. If you have applied Conjur machine identity, this provider will read the machine's configuration.

To access the values of secrets, the user/machine needs execute privilege on the Conjur variables referenced in your Terraform manifests.

For more details, see the "Authentication" section on this page.

Provider configuration

Using environment variables

The provider uses conjur-api-go to load its configuration. conjur-api-go can be configured using environment variables:

export CONJUR_APPLIANCE_URL="https://localhost:8443"
export CONJUR_ACCOUNT="quick-start"
export CONJUR_AUTHN_LOGIN="admin"
export CONJUR_AUTHN_API_KEY="3ahcddy39rcxzh3ggac4cwk3j2r8pqwdg33059y835ys2rh2kzs2a"
export CONJUR_CERT_FILE="/etc/conjur.pem"

No other configuration is necessary in main.tf:

# main.tf
provider "conjur" {}

Using attributes

In addition, the provider can be configured using attributes in the configuration. Attributes specified in main.tf override the configuration loaded by conjur-api-go.

For example, if the environment is initialized as above, this configuration would authenticate as terraform-user instead of admin:

# main.tf
provider "conjur" {
  login = "terraform-user"
  api_key = "x0dwqc3jrqkye3xhn7k62rw31c6216ewfe1wv71291jrqm4j15b3dg9"
}
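
Attributes written as string literals in main.tf travel with the file, including into version control. The check below is an added example, not part of this project: it flags provider "conjur" blocks whose api_key is a literal and accepts values passed through a variable. The function names, the variable name conjur_api_key and the sample inputs are constructed for illustration.

```python
import re

# Opening of a provider "conjur" block, as in the main.tf snippets above.
PROVIDER_RE = re.compile(r'provider\s+"conjur"\s*\{')
# An api_key assignment; group 1 is the right-hand side on that line.
API_KEY_RE = re.compile(r'^[ \t]*api_key[ \t]*=[ \t]*(.+?)[ \t]*$', re.MULTILINE)
# A quoted string containing no "$": a literal rather than "${var.x}".
LITERAL_RE = re.compile(r'"(?:[^"\\$]|\\.)+"')


def provider_bodies(hcl):
    """Yield (offset, body) for each provider "conjur" block via brace matching."""
    for m in PROVIDER_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.end(), hcl[m.end():i - 1]


def hardcoded_api_key_lines(hcl):
    """Return 1-based line numbers where api_key is set to a string literal."""
    lines = []
    for offset, body in provider_bodies(hcl):
        for m in API_KEY_RE.finditer(body):
            if LITERAL_RE.match(m.group(1)):
                lines.append(hcl.count("\n", 0, offset + m.start(1)) + 1)
    return lines


# Constructed inputs: the key below is a placeholder, not a real credential.
HARDCODED = '''# main.tf
provider "conjur" {
  login   = "terraform-user"
  api_key = "PLACEHOLDER-API-KEY"
}
'''
FROM_VARIABLE = '''variable "conjur_api_key" {}
provider "conjur" {
  login   = "terraform-user"
  api_key = "${var.conjur_api_key}"
}
'''

if __name__ == "__main__":
    for label, text in (("hardcoded", HARDCODED), ("variable", FROM_VARIABLE)):
        print(label, hardcoded_api_key_lines(text))
```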

Fetch secrets

# main.tf
# ... provider configuration above

data "conjur_secret" "dbpass" {
  name = "my/shiny/dbpass"
}

output "dbpass_output" {
  value = "${data.conjur_secret.dbpass.value}"
  sensitive = true  # toggle this off to view value
}

Secrets like data.conjur_secret.dbpass.value can be used in any Terraform resource.

View an example Terraform manifest and Conjur policies in the test/ directory in this project.
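
Terraform records data source attributes and output values in its state file, and sensitive = true only hides an output from CLI display. The audit below is an added example, not part of this project: it lists the conjur_secret values and sensitive outputs present in a state file, assuming the version-4 JSON state layout of Terraform 0.12 and the name/value attributes shown above. The sample state is constructed.

```python
import json


def conjur_secrets_in_state(state_text):
    """List (address, conjur_name, value_present) for each conjur_secret data source."""
    found = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "data" or res.get("type") != "conjur_secret":
            continue
        address = "data.conjur_secret." + res["name"]
        if res.get("module"):
            address = res["module"] + "." + address
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            found.append((address, attrs.get("name"), bool(attrs.get("value"))))
    return found


def sensitive_outputs_with_value(state_text):
    """Names of outputs flagged sensitive whose value is still stored in the state."""
    outputs = json.loads(state_text).get("outputs", {})
    return sorted(name for name, out in outputs.items()
                  if out.get("sensitive") and out.get("value") is not None)


# Constructed sample in the version-4 state layout (assumed, Terraform 0.12).
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "dbpass_output": {"value": "constructed-secret", "type": "string",
                          "sensitive": True},
    },
    "resources": [{
        "mode": "data", "type": "conjur_secret", "name": "dbpass",
        "provider": "provider.conjur",
        "instances": [{"schema_version": 0, "attributes": {
            "name": "my/shiny/dbpass", "value": "constructed-secret"}}],
    }],
})

if __name__ == "__main__":
    print(conjur_secrets_in_state(SAMPLE_STATE))
    print(sensitive_outputs_with_value(SAMPLE_STATE))
```

Any entry reported here means the state file and its backend need the same access controls as the Conjur variable itself.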


Alternate Workflow with Summon

If this Terraform provider does not fit your needs, you can also use summon with the summon-conjur provider to provide secrets to Terraform via environment variables. The user running terraform must already be authenticated with Conjur.

Terraform's TF_VAR_name syntax allows a user to set Terraform variables via environment variables. To use Terraform with Summon, prefix the environment variable names in secrets.yml with TF_VAR_.

Example

# variables.tf
variable "access_key" {}
variable "secret_key" {}

# secrets.yml
TF_VAR_access_key: !var aws/dev/sys_powerful/access_key_id
TF_VAR_secret_key: !var aws/dev/sys_powerful/secret_access_key

Run Terraform with Summon:

summon terraform apply

License

Copyright 2016-2018 CyberArk

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this software except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
