Dynamic Provider Credentials in Terraform Cloud

Terraform Cloud has introduced Dynamic Provider Credentials, which let each run exchange a Terraform-issued workload identity token for short-lived, federated credentials on Azure, AWS, GCP, and Vault, so no static provider secret has to be stored in workspace variables. Previously, I created a video that walked through using the raw Workload Identity Token to authenticate to Azure Active Directory with OIDC. The new way is much easier!

Terraform Cloud and Terraform Enterprise can generate a workload identity token for each run executed on a cloud-hosted runner. The token is a signed JWT whose claims record who generated it (the issuer), what type of run is being executed (plan or apply), and which organization, project and workspace it came from; the subject claim packs these together in the form organization:<org>:project:<project>:workspace:<workspace>:run_phase:<plan|apply>. It also names the target audience, which is the cloud provider in question (for Azure the default is api://AzureADTokenExchange).

The runner presents the workload identity token to the cloud provider, which verifies it before issuing anything. First it checks that the token comes from a trusted issuer, which in our case is Terraform Cloud, and that the signature was produced with that issuer's published signing key; it also checks that the audience claim names the provider and that the token has not expired. Then it compares the subject claim against a configured identity, such as an Azure AD application with a federated credential, and accepts the token only if the subject and audience match exactly. Azure matches the subject literally, with no wildcards, so a workspace needs one federated credential for the plan phase and another for the apply phase.

If all that lines up, Azure issues a short-lived access token for that application, so the run can do no more than the roles assigned to the application's service principal. That credential is used to perform the actions in the Terraform plan or apply. Once the run is complete, the credential is discarded and expires shortly afterwards; there is no long-lived client secret to store or rotate.
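The verification flow described above, as an added example that is not part of the video or of HashiCorp's or Microsoft's code: a small Python relying party that decodes a Terraform Cloud-style workload identity token, checks signature, issuer, audience and expiry, and then requires the subject to match a federated credential exactly. To run offline without dependencies it signs with HS256 using a constructed key, whereas real Terraform Cloud tokens are RS256-signed and verified against the issuer's published JWKS (found through the standard discovery document at https://app.terraform.io/.well-known/openid-configuration); the organization, project, workspace and key values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://app.terraform.io"
# Default value of TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE for the Azure integration.
AUDIENCE = "api://AzureADTokenExchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def tfc_subject(org, project, workspace, phase):
    """Subject claim format Terraform Cloud uses in its workload identity tokens."""
    return f"organization:{org}:project:{project}:workspace:{workspace}:run_phase:{phase}"


def mint_token(claims, key):
    """Sign claims as an HS256 JWT. Stand-in for TFC's RS256 signer (constructed key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, key, federated_subjects, now=None):
    """Return the claims if the token passes every check, else raise ValueError.

    These are the checks a federated-credential relying party performs:
    signature, issuer, audience, expiry, then an exact subject match.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    if claims.get("sub") not in federated_subjects:
        raise ValueError(f"no federated credential matches sub {claims.get('sub')!r}")
    return claims


def accepts(token, key, federated_subjects, now=None):
    """Boolean wrapper around verify_token for quick checks."""
    try:
        verify_token(token, key, federated_subjects, now)
        return True
    except ValueError:
        return False


# Constructed sample: one Azure AD app with federated credentials for BOTH run phases.
KEY = b"constructed-demo-key-not-a-real-tfc-key"
NOW = 1_700_000_000
ORG, PROJECT, WORKSPACE = "my-org", "Default Project", "azure-demo"
FEDERATED_SUBJECTS = {
    tfc_subject(ORG, PROJECT, WORKSPACE, "plan"),
    tfc_subject(ORG, PROJECT, WORKSPACE, "apply"),
}


def sample_token(phase, workspace=WORKSPACE, ttl=300, aud=AUDIENCE):
    """Token with TFC-style claims for a run in the given phase (constructed values)."""
    return mint_token({
        "iss": ISSUER,
        "aud": aud,
        "sub": tfc_subject(ORG, PROJECT, workspace, phase),
        "iat": NOW, "nbf": NOW, "exp": NOW + ttl,
        "terraform_run_phase": phase,
        "terraform_workspace_name": workspace,
        "terraform_project_name": PROJECT,
        "terraform_organization_name": ORG,
    }, KEY)


if __name__ == "__main__":
    print(verify_token(sample_token("apply"), KEY, FEDERATED_SUBJECTS, NOW)["sub"])
    # An app whose only federated credential lists the plan subject rejects apply runs.
    print(accepts(sample_token("apply"), KEY, {tfc_subject(ORG, PROJECT, WORKSPACE, "plan")}, NOW))
```

The subject comparison is a literal string match, which is why the Azure setup needs two federated credentials per workspace (one ending in run_phase:plan, one in run_phase:apply) and why a token from a different workspace in the same organization is refused even though it is validly signed by the same issuer.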

In the video we'll cover the following:

🌮 How Dynamic Provider Credentials Work
🌮 Setting up Azure AD and Terraform Cloud
🌮 Linking and Testing a Terraform Configuration
🌮 Using Custom Providers and Multiple Instances

Thank you so much for watching! Subscribe if you think I’ve earned it. Hit the bell as well if you’re feeling swell.❤️&🌮

▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
🌮 Timestamps:

⌚ 0:00 Intro
⌚ 1:27 Why Use Dynamic Credentials?
⌚ 2:16 How Do They Work?
⌚ 3:50 Azure and Terraform Cloud Setup
⌚ 7:48 Testing the Credentials
⌚ 10:02 Custom Providers
⌚ 11:12 Multiple Provider Instances
⌚ 13:43 Final Thoughts

▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
#terraform #hashicorp #devops #cloudengineer #techlearning
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬

🌮 About Me 🌮

Ned is a curious human with a knack for creating entertaining and informative content. With over 20 years in the industry, Ned brings real-world experience to all his creative endeavours, whether that's pontificating on a podcast, delivering live instruction, writing certification guides, or producing technical training videos. He has been a helpdesk operator, systems administrator, cloud architect, and product manager. In his newest incarnation, Ned is the Founder of Ned in the Cloud LLC. As a one-man tech juggernaut, he develops courses for Pluralsight, runs two podcasts (Day Two Cloud and Chaos Lever), and creates original content for technology vendors.

Ned has been a Microsoft MVP since 2017 and a HashiCorp Ambassador since 2020, and he holds a bunch of industry certifications that have no bearing on anything beyond his exceptional ability to take exams and pass them. When not in front of the camera, keyboard, and microphone, you can find Ned running the scenic trails of Pennsylvania or rocking out to live music in his hometown of Philadelphia. Ned has three guiding principles: Embrace discomfort, Fail often, and Be kind.
Comments

aminniktash:
Great, quick, informative video as always. Thanks Ned. Question: since we are exposing these dynamic secrets to state files, would this be fixable just with an OIDC policy to make them short-term secrets to be secure, or do we have a better solution to not have these secrets in state files at all?

thebtm:
Is it possible to do this without Terraform Cloud, or as Azure DevOps to Azure?

jafarshaik:
Thank you for sharing the video. Sir, I have enrolled in your Azure Terraform course on Pluralsight. Is that sufficient for the basics, please?