Terraform Provider (OSS)

The Gravity Terraform provider supports Terraform management of open-source Gravity clusters. The provider must be configured with a valid token before it can manage a cluster.

Getting Started

Install the Gravity provider

The Terraform provider is installed automatically along with the Gravity tools.

curl https://get.gravitational.io/telekube/install/5.2.0 | bash

Please see the getting started guide for more information.

Example Usage

# Configure the Gravity provider
provider "gravity" {
    host  = "https://example.com"
    token = "abcdefghi"
}

# Create a log forwarder
resource "gravity_log_forwarder" "logs" {
    # ...
}

Authentication

The Terraform provider uses token-based authentication; the token must be provisioned on the cluster before the provider can use it.

See Configuring Users & Tokens for more information.

gravity_cluster_auth_preference

Configures authentication preferences for authenticating users on the cluster.

Example Usage

resource "gravity_cluster_auth_preference" "test" {
    type = "local"
    second_factor = "otp"
    connector_name = "test"
}

Argument Reference

The following arguments are supported:

gravity_github

Configures the cluster to allow authentication using GitHub as an identity provider.

Example Usage

resource "gravity_github" "test" {
  name          = "github"
  display       = "Github"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  redirect_url  = "https://<cluster-url>/portalapi/v1/github/callback"

  teams_to_logins {
    organization = "example"
    team         = "admins"
    logins       = ["@teleadmin"]
  }
}

Argument Reference

The following arguments are supported:

gravity_log_forwarder

Configures log forwarding to an external syslog server.

Example Usage

resource "gravity_log_forwarder" "test" {
  name     = "logzer"
  address  = "192.168.1.1:514"
  protocol = "udp"
}

Argument Reference

The following arguments are supported:

gravity_tlskeypair

Applies a TLS certificate and private key to the cluster, to be used for the cluster's Web UI and API.

Example Usage

resource "gravity_tlskeypair" "test" {
  cert = <<EOF
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
# ...
-----END CERTIFICATE-----
EOF

  private_key = <<EOF
-----BEGIN PRIVATE KEY-----
# ...
-----END PRIVATE KEY-----
EOF
}

Argument Reference

The following arguments are supported:

gravity_token

A token is a static secret that can be used to log in to a cluster as a user.

Example Usage

resource "random_id" "secret_admin_token" {
  byte_length = 32
}

resource "gravity_token" "test" {
  token = "${random_id.secret_admin_token.hex}"
  user  = "<user-email>"   # the user the token logs in as
}

Argument Reference

The following arguments are supported:

gravity_user

A local cluster user.

Example Usage

resource "random_id" "admin_password" {
  byte_length = 32
}

resource "gravity_user" "test" {
  name      = "test"
  full_name = "Test User"
  type      = "admin"
  roles     = ["@teleadmin"]
  password  = "${random_id.admin_password.hex}"
}

Argument Reference

The following arguments are supported:

Terraform Provider (Enterprise)

The Gravity Enterprise Terraform provider supports Terraform management of resources that are only available in the enterprise version of Gravity. It should be used together with the open-source Gravity provider to manage a Gravity cluster.

Getting Started

Install the Gravity Enterprise provider

The Terraform provider is installed automatically along with the Gravity tools.

curl https://get.gravitational.io/telekube/install/5.2.0 | bash

Please see the getting started guide for more information.

Example Usage

# Configure the Gravity provider
provider "gravity" {
    host  = "https://example.com"
    token = "abcdefghi"
}

# Create a log forwarder
resource "gravity_log_forwarder" "logs" {
    # ...
}

# Configure the gravity enterprise provider
provider "gravityenterprise" {
    host  = "https://example.com"
    token = "abcdefghi"
}

# Create an oidc connector
resource "gravityenterprise_oidc" "test" {
    # ...
}

Authentication

The Terraform provider uses token-based authentication; the token must be provisioned on the cluster before the provider can use it.

See Configuring Users & Tokens for more information.

gravityenterprise_endpoints

By default, an Ops Center is configured with a single endpoint, set via the --ops-advertise-addr flag passed during installation. This resource allows creating separate endpoints for cluster management and for inter-cluster communication, so that the two can be firewalled separately.

Example Usage

resource "gravityenterprise_endpoints" "test" {
  public_advertise_addr = "public.example.com:443"
  agents_advertise_addr = "agents.example.com:443"
}

Argument Reference

The following arguments are supported:

gravityenterprise_oidc

A Gravity Enterprise cluster can be configured to use OpenID Connect as an identity provider to authenticate users.

Example Usage

resource "gravityenterprise_oidc" "test" {
  name          = "auth0"
  redirect_url  = "https://example.com/portalapi/v1/oidc/callback"
  client_id     = "1234"
  client_secret = "5678"
  issuer_url    = "https://example.auth0.com/"
  scope         = ["roles"]

  claims_to_roles {
    claim = "roles"
    value = "admins"
    roles = ["@teleadmin"]
  }
}

Argument Reference

The following arguments are supported:

gravityenterprise_role

Roles can be used to tune access permissions to the cluster.

Example Usage

Admin access to all resources:

resource "gravityenterprise_role" "admin" {
  name = "administrator"

  allow {
    logins     = ["root"]
    namespaces = ["default"]
    node_labels = {
      "*" = "*"
    }
    rule {
      resources = ["*"]
      verbs     = ["*"]
    }
  }
}

See the Teleport documentation for more information.
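The gravity_token, gravity_user and gravityenterprise_role resources above are shown in isolation. The following added configuration (not part of the original documentation) combines them into a least-privilege pattern: the provider token comes from a Terraform variable rather than a literal, a read-only role is defined, and a dedicated automation user with its own static token is bound to that role. It assumes the Terraform 0.11-style interpolation syntax used on this page; the user type "agent" and the rule verbs "list" and "read" are assumed from Gravity and Teleport conventions, not taken from this page.

```hcl
# Provider credentials come from a variable (set via TF_VAR_gravity_token),
# so the token is never written into the committed configuration.
variable "gravity_token" {}

provider "gravity" {
  host  = "https://example.com"
  token = "${var.gravity_token}"
}

provider "gravityenterprise" {
  host  = "https://example.com"
  token = "${var.gravity_token}"
}

# Read-only auditor role: may list and read every resource but gets no
# shell logins. Verb names are assumed from Teleport roles, not this page.
resource "gravityenterprise_role" "auditor" {
  name = "auditor"

  allow {
    logins     = []
    namespaces = ["default"]
    rule {
      resources = ["*"]
      verbs     = ["list", "read"]
    }
  }
}

# Dedicated automation user bound only to the auditor role.
resource "random_id" "auditor_password" {
  byte_length = 32
}

resource "gravity_user" "auditor" {
  name      = "auditor"
  full_name = "Audit Automation"
  type      = "agent"   # assumed Gravity user type; the page only shows "admin"
  roles     = ["${gravityenterprise_role.auditor.name}"]
  password  = "${random_id.auditor_password.hex}"
}

# Static login token for that user, generated by Terraform.
resource "random_id" "auditor_token" {
  byte_length = 32
}

resource "gravity_token" "auditor" {
  token = "${random_id.auditor_token.hex}"
  user  = "${gravity_user.auditor.name}"
}
```

Both random_id values and the resulting token are stored in Terraform state, so the state backend needs the same protection as the cluster credentials themselves.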

Argument Reference

The following arguments are supported:

gravityenterprise_saml

Enables using SAML as an identity provider for cluster logins.

Example Usage

resource "gravityenterprise_saml" "test" {
  name = "saml"
  display = "SAML Example"
  acs = "https://example.com/portalapi/v1/saml/callback"

  attributes_to_role {
    name = "groups"
    value = "admins"
    roles = ["@teleadmin"]
  }
}

Argument Reference

The following arguments are supported:

gravityenterprise_trusted_cluster

Trusted clusters allow connecting a standalone Gravity Enterprise cluster to an Ops Center.

Example Usage

resource "gravityenterprise_trusted_cluster" "test" {
  name = "test"
  token = "abcdef"
  web_proxy_addr = "1.1.1.1"
  tunnel_addr = "1.1.1.1"
}

Argument Reference

The following arguments are supported:
