Dynamic Provider Credentials in Terraform Cloud

  • Published: 30 Jul 2024
  • Terraform Cloud has introduced Dynamic Provider Credentials, which use workload identity federation to obtain short-lived cloud credentials on Azure, AWS, GCP, and Vault instead of storing long-lived static secrets in workspace variables. Previously, I created a video that walked through using the raw Workload Identity Token to authenticate to Azure Active Directory (now Microsoft Entra ID) with OIDC. The new way is much easier!
    Terraform Cloud and Terraform Enterprise can generate a workload identity token, a signed JWT, for each run phase executed by a cloud runner. The token's claims identify who issued it (Terraform Cloud), the organization, project, and workspace the run belongs to, and which phase is executing (plan or apply). It also names the target audience, which is the cloud provider's identity service that is expected to accept the token.
    The runner presents the workload identity token to that identity service (Microsoft Entra ID in the Azure case), which verifies it. First it checks that the token comes from a trusted issuer, Terraform Cloud in our case, and that the signature was produced with that issuer's published signing key. Then it matches the subject and audience claims against a security identity, such as an Azure application with a federated credential. The subject must match exactly, so the federated credential pins the organization, project, workspace, and run phase that may use the identity.
    If all that lines up, Entra ID issues a short-lived access token carrying only the permissions granted to that identity. The azurerm provider uses it to perform the actions in the Terraform plan or apply. Once the run phase completes, the token is discarded and expires on its own shortly afterwards, so there is no long-lived client secret to rotate or leak.
    In the video we'll cover the following:
    🌮 How Dynamic Provider Credentials Work
    🌮 Setting up Azure AD and Terraform Cloud
    🌮 Linking and Testing a Terraform Configuration
    🌮 Using Custom Providers and Multiple Instances
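The verification flow described above, written out as an added example (this is not code from the video, the example repository, HashiCorp, or Microsoft). It mints a token with the real Terraform Cloud claim layout (issuer https://app.terraform.io, the organization:...:project:...:workspace:...:run_phase:... subject, and the default Azure audience api://AzureADTokenExchange) and then applies the relying-party checks Entra ID performs against a federated credential: trusted issuer, valid signature, validity window, expected audience, and an exact subject match. Real tokens are RS256 JWTs verified against the issuer's JWKS; to run offline this example signs with HMAC-SHA256 instead, and the organization, project, and workspace names are constructed.

```python
"""Federated-credential check for a Terraform Cloud workload identity token.

Added example, not code from the video or from HashiCorp/Microsoft.
Signature scheme: HMAC-SHA256 stands in for the RS256 signature that a real
relying party verifies with the key set published by the issuer.
"""
import base64
import hashlib
import hmac
import json
import time

TFC_ISSUER = "https://app.terraform.io"            # issuer claim of TFC tokens
AZURE_DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # default TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def tfc_subject(org: str, project: str, workspace: str, run_phase: str) -> str:
    """Subject claim format Terraform Cloud puts in the token (run_phase is plan or apply)."""
    return f"organization:{org}:project:{project}:workspace:{workspace}:run_phase:{run_phase}"


def mint_tfc_token(key: bytes, org, project, workspace, run_phase, audience, ttl=300, now=None) -> str:
    """Stand-in for the token TFC mints for one run phase (HMAC instead of RS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": TFC_ISSUER,
        "aud": audience,
        "sub": tfc_subject(org, project, workspace, run_phase),
        "iat": now, "nbf": now, "exp": now + ttl,
        # Additional TFC claims; the subject alone is what Entra ID matches on.
        "terraform_organization_name": org,
        "terraform_project_name": project,
        "terraform_workspace_name": workspace,
        "terraform_run_phase": run_phase,
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_against_federated_credential(token: str, issuer_key: bytes, cred: dict, now=None):
    """Return (accepted, reason). `cred` mirrors an Entra ID federated identity credential:
    {"issuer": ..., "subject": ..., "audiences": [...]}."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    # 1. Trusted issuer first: the issuer determines which signing keys apply.
    if claims.get("iss") != cred["issuer"]:
        return False, "untrusted issuer"
    # 2. Signature by that issuer's key (HMAC stand-in here).
    expected = hmac.new(issuer_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # 3. Validity window.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    # 4. Audience: the token must have been minted for this identity service.
    if claims.get("aud") not in cred["audiences"]:
        return False, "audience mismatch"
    # 5. Exact subject match: org, project, workspace and run phase all pinned.
    if claims.get("sub") != cred["subject"]:
        return False, f"subject mismatch: {claims.get('sub')}"
    return True, "ok"


# Constructed sample values (not from the video).
DEMO_KEY = b"constructed-demo-signing-key"
APPLY_CRED = {
    "issuer": TFC_ISSUER,
    "subject": tfc_subject("acme", "platform", "networking-prod", "apply"),
    "audiences": [AZURE_DEFAULT_AUDIENCE],
}


def demo() -> dict:
    """Run four tokens against a federated credential scoped to the apply phase."""
    now = 1_720_000_000
    apply_tok = mint_tfc_token(DEMO_KEY, "acme", "platform", "networking-prod", "apply", AZURE_DEFAULT_AUDIENCE, now=now)
    plan_tok = mint_tfc_token(DEMO_KEY, "acme", "platform", "networking-prod", "plan", AZURE_DEFAULT_AUDIENCE, now=now)
    h, p, s = apply_tok.split(".")
    forged = f"{h}.{p}.{'A' if s[0] != 'A' else 'B'}{s[1:]}"  # one signature char altered
    return {
        "apply": verify_against_federated_credential(apply_tok, DEMO_KEY, APPLY_CRED, now=now),
        "plan": verify_against_federated_credential(plan_tok, DEMO_KEY, APPLY_CRED, now=now),
        "expired": verify_against_federated_credential(apply_tok, DEMO_KEY, APPLY_CRED, now=now + 600),
        "tampered": verify_against_federated_credential(forged, DEMO_KEY, APPLY_CRED, now=now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}: {reason}")
```

The plan-phase token is rejected by the apply-phase credential even though it is validly signed by the same issuer, which is why the Azure setup needs two federated credentials on the application, one whose subject ends in run_phase:plan and one in run_phase:apply, and why a plan-only identity can be given narrower permissions than the apply identity.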
    Here's the official HashiCorp docs: developer.hashicorp.com/terra...
    Here's the example repository: github.com/ned1313/tfc-azure-...
    Thank you so much for watching! Subscribe if you think I’ve earned it. Hit the bell as well if you’re feeling swell.❤️&🌮
    ✅🔔 Subscribe ► nedinthecloud.com/SubscribeYT
    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
    🌮 Other videos to check out:
    📽️ Terraform Check Block: • Terraform Check Block ...
    📽️ Terraform Cloud Projects: • Terraform Cloud - Mana...
    📽️ Workload Identity with Terraform Cloud: • Using Workload Identit...
    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
    🌮 Timestamps:
    ⌚ 0:00 Intro
    ⌚ 1:27 Why Use Dynamic Credentials?
    ⌚ 2:16 How Do They Work?
    ⌚ 3:50 Azure and Terraform Cloud Setup
    ⌚ 7:48 Testing the Credentials
    ⌚ 10:02 Custom Providers
    ⌚ 11:12 Multiple Provider Instances
    ⌚ 13:43 Final Thoughts
    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
    #terraform #hashicorp #devops #cloudengineer #techlearning
    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
    ⭐ CONNECT WITH ME 🏃🦖
    🌐 Day Two Cloud: daytwocloud.io
    🌐 Chaos Lever: chaoslever.com
    🌐 Visit my Website ► nedinthecloud.com
    🗳 Pluralsight ► app.pluralsight.com/profile/a...
    🐙 Find the code at GitHub► github.com/ned1313
    🐧 Twitter ► / ned1313
    👨‍💼 LinkedIn► / ned-bellavance
    For collaboration or any queries: ned@nedinthecloud.com
    ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
    🌮 About Me 🌮
    Ned is a curious human with a knack for creating entertaining and informative content. With over 20 years in the industry, Ned brings real-world experience to all his creative endeavours, whether that's pontificating on a podcast, delivering live instruction, writing certification guides, or producing technical training videos. He has been a helpdesk operator, systems administrator, cloud architect, and product manager. In his newest incarnation, Ned is the Founder of Ned in the Cloud LLC. As a one-man tech juggernaut, he develops courses for Pluralsight, runs two podcasts (Day Two Cloud and Chaos Lever), and creates original content for technology vendors.
    Ned has been a Microsoft MVP since 2017 and a HashiCorp Ambassador since 2020, and he holds a bunch of industry certifications that have no bearing on anything beyond his exceptional ability to take exams and pass them. When not in front of the camera, keyboard, and microphone, you can find Ned running the scenic trails of Pennsylvania or rocking out to live music in his hometown of Philadelphia. Ned has three guiding principles: Embrace discomfort, Fail often, and Be kind.

Comments • 7

  • @enemarius
    @enemarius 10 months ago +1

    Congrats on the Ironman 🎉😊

  • @aminniktash9006
    @aminniktash9006 10 months ago

    Great quick informative video as always, thanks Ned. Question: since we are exposing these dynamic secrets to state files, would this be fixable just with an OIDC policy to make them short-term secrets to be secure, or do we have a better solution to not have these secrets in state files at all?

    • @NedintheCloud
      @NedintheCloud 10 months ago

      Good question! The federated credential itself is never stored in state data, so you don't need to worry about it leaking through there. Same thing goes for the provider configuration, input variables, and environment variables. None of those are stored in state.

  • @thebtm
    @thebtm 10 months ago

    Is it possible to do this without Terraform Cloud, or as Azure DevOps to Azure?

    • @NedintheCloud
      @NedintheCloud 10 months ago +3

      Yes! ADO Pipelines now supports Workload Identity Federation. It's in public preview ATM. learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-using-workload-identity-federation

  • @jafarshaik5160
    @jafarshaik5160 10 months ago

    Thank you for sharing the video. Sir, I have enrolled in your Azure Terraform course on Pluralsight. Is that sufficient for the basics, please?

    • @NedintheCloud
      @NedintheCloud 10 months ago +1

      Are you referring to the Terraform Associate certification? I would recommend my Getting Started and Deep Dive Terraform courses if you're planning to sit the exam.