Terraform patterns for Boundary groups and RBAC
The following pattern demonstrates how to aggregate users into groups.
Security best-practices recommend that you use Role-Based Access Control (RBAC) when you make authorization decisions. RBAC is a methodology in which you create a role that defines the actions that a user is allowed to take, and then assign one or more users to that role.
In Boundary, you can assign users directly to a role, but a better pattern is to put users with equivalent access into groups. You can then assign groups to roles that grant least-privileges to your Boundary environment.
Requirements
This document assumes the reader has:
- An understanding of Terraform fundamentals
- An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
- Configured the Terraform Boundary provider.
- Created Boundary users and auth methods to assign to the group you plan to create.
Group configuration
This example adds users to the Accounting
group.
# Add Jeff and Susmitha to the Accounting groupresource "boundary_group" "Accounting" { name = "Accounting" description = "The Accounting Department" member_ids = [boundary_user.susmitha,id, boundary_user.jeff.id] scope_id = boundary_scope.project.id}
You are not required to populate groups manually, and can instead take advantage of the pre-existing groups provided by an identity provider.
Managed group configuration
This example creates a managed group that is automatically populated based on an LDAP group called Engineering
.
resource "boundary_managed_group_ldap" "Engineering" { name = "Engineering" description = "Engineering Managed LDAP Group" auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id group_names = ["Engineering"]}
HashiCorp recommends using managed groups whenever possible because it abstracts the management of group membership and simplifies Boundary administration.
Role configuration
After you have created a group, you must assign one or more roles to that group to enable the group members to do useful work in Boundary.
This pattern creates a role called readonly
that include a grant
that allows the user read-only access to all Boundary resources. This example also associates the Accounting
static group and the Engineering
managed group with that role.
resource "boundary_role" "readonly" { name = "readonly" description = "A readonly role" # Assign Accounting and Engineering to this role principal_ids = [boundary_group.accounting.id, boundary_managed_group_ldap.Engineering.id] # This is the grant string provides read-only access to all objects in the current scope. grant_strings = ["ids=*;type=*;actions=read"] scope_id = boundary_scope.project.id}
More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:
For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:
Next steps
You may want to create hosts and host sets so that you can configure targets for your users to connect to. Targets require an address or host, and credentials to connect to that host.