Terraform is a powerful infrastructure as code (IaC) tool that streamlines automation processes by enabling users to define and manage their infrastructure through code. By utilizing a declarative configuration language, Terraform automates the provisioning, updating, and scaling of infrastructure resources across various environments.
Its automation capabilities offer several benefits, including increased efficiency by reducing manual intervention, ensuring consistency in infrastructure deployments, facilitating version control to track changes, and enabling the management of complex infrastructures at scale. With Terraform providers, organizations can automate repetitive tasks, accelerate deployment processes, and maintain infrastructure configurations more effectively, ultimately enhancing productivity and agility in their operations.
Enabling the Aembit Terraform Provider requires two steps.
1) Create or update the Terraform configuration to include the Aembit provider.
2) Specify the Aembit provider authentication configuration.
In keeping with our vision of moving away from long-lived secrets, Aembit supports authentication to the Aembit API using a native authentication capability which utilizes OIDC (Open ID Connect) tokens. Once set up, we can use this identity federation to provide just-in-time short-lived access credentials to services.
The Aembit Terraform Provider enables users to create, update, import, and delete Aembit Cloud resources using Terraform manually or via CI/CD workflows. The deployment of the Aembit Edge agent/proxy can also be automated.
Here’s a detailed example of how Aembit Terraform Provider can be used:
- Deploy:
- Define a new Agent using aembit_agent_controller.
- Use aembit_agent_controller_device_code to fetch a device code for an agent.
- Check on its status using aembit_agent_controllers.
- Configure a policy for GitHub Actions:
- Use aembit_client_workload to define the system which will access GitHub Actions.
- Define the GitHub server workload using aembit_server_workload.
- Add a GitHub API key using aembit_credential_provider.
- Optional, but recommended steps: configure a trust provider, and use conditional access and integrations with Wiz or CrowdStrike.
- Tie it all together with a workload access policy using aembit_access_policy.
- Monitor the end-to-end deployment using one of the many calls in Terraform Provider.
Here’s some sample code to integrate with CrowdStrike and use it for conditional access to a workload: