Automate Warpgate with Terraform: Secure Infrastructure Access Management
This article shows you how to use the Terraform provider for Warpgate to manage and automate secure infrastructure access. Warpgate is a smart bastion that sits between your users and your SSH, HTTP, MySQL and PostgreSQL targets, so that every connection is authenticated and authorised in one place. Managing Warpgate with Terraform gives you efficiency, consistency, and reviewable control over who can reach what.
Why Use Terraform with Warpgate?
- Infrastructure as Code (IaC): Define your Warpgate resources (users, roles, targets) in code, enabling version control and repeatability.
- Automation: Automate the provisioning and configuration of your Warpgate setup, reducing manual effort and errors.
- Consistency: Ensure consistent configurations across your environments, improving security and compliance.
- Simplified Management: Easily manage complex access control scenarios through Terraform's declarative approach.
Prerequisites for Using the Warpgate Terraform Provider
Before diving in, make sure you have:
- Terraform: Version 0.13.x or later.
- Go: Version 1.18 or later (for building the provider).
- Warpgate: Version 0.13.2 or later.
Setting Up the Warpgate Terraform Provider
1. Build the Provider Locally
First, clone the Warpgate Terraform provider repository:
This command downloads the provider source. Next, change into the cloned directory and build the provider with the make build command.
2. Install the Provider
Install the compiled provider for local development:
This command places the provider in your ~/.terraform.d/plugins directory (or the equivalent location on Windows/macOS), where Terraform discovers local providers.
3. Configure the Provider in Terraform
In your Terraform configuration files, define the Warpgate provider:
terraform {
required_providers {
warpgate = {
source = "registry.terraform.io/warp-tech/warpgate"
version = "~> 1.0.0"
}
}
}
provider "warpgate" {
host = "https://warpgate.example.com"
token = var.warpgate_token
}
Alternatively, use environment variables for configuration:
Warpgate Resources Available Through Terraform
Here's a quick overview of the resources you can manage with this provider:
Resources
- warpgate_role: Manages Warpgate roles.
- warpgate_user: Manages Warpgate users.
- warpgate_target: Manages Warpgate targets (SSH, HTTP, MySQL, PostgreSQL).
- warpgate_user_role: Manages role assignments to users.
- warpgate_target_role: Manages role assignments to targets.
- warpgate_password_credential: Manages password credentials for users.
- warpgate_public_key_credential: Manages SSH public key credentials for users.
Data Sources
- warpgate_role: Retrieves information about a Warpgate role.
- warpgate_user: Retrieves information about a Warpgate user.
- warpgate_target: Retrieves information about a Warpgate target.
Practical Examples
Let's explore some practical examples of using the Warpgate Terraform provider.
Creating a User
resource "warpgate_user" "example" {
username = "eugene"
description = "Eugene - WarpGate Developer"
credential_policy {
http = ["Password", "Totp"]
ssh = ["PublicKey"]
mysql = ["Password"]
postgres = ["Password"]
}
}
This config creates a Warpgate user named 'eugene'. The credential_policy block sets, per protocol, which credential kinds the user must present: here HTTP logins need both a password and a TOTP code, SSH logins are allowed only with a public key, and the database protocols accept a password. Tighten or relax the policy per protocol to match the risk of what sits behind it.
Adding Credentials to a User
resource "warpgate_password_credential" "eugene_password" {
user_id = warpgate_user.example.id
password = var.user_password
}
resource "warpgate_public_key_credential" "eugene_ssh_key" {
user_id = warpgate_user.example.id
label = "Work Laptop"
public_key = "ssh-rsa AAAAB3NzaC1yc2E... eugene@example.com"
}
This adds both a password and an SSH public key credential to the 'eugene' user, so the user can satisfy the policies defined above. Note that the password value passes through Terraform and is stored in plain text in the Terraform state, so keep it in a sensitive variable and protect the state backend accordingly.
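The following is an added example, not code from the provider's documentation. It ties together the provider configuration above and the credential resources, keeping every secret out of the .tf files: the API token is a sensitive variable supplied out of band, the user's password is generated by the hashicorp/random provider rather than typed by a human, and the only way the password leaves Terraform is through a sensitive output. The hashicorp/random provider version, the key file path and the output name are assumptions.

```hcl
terraform {
  required_providers {
    warpgate = {
      source  = "registry.terraform.io/warp-tech/warpgate"
      version = "~> 1.0.0"
    }
    random = {
      source  = "hashicorp/random"   # assumption: any 3.x release works
      version = "~> 3.6"
    }
  }
}

# Provider token: declared sensitive and supplied out of band, for example via
# TF_VAR_warpgate_token or a .tfvars file kept out of version control.
variable "warpgate_token" {
  description = "Warpgate admin API token"
  type        = string
  sensitive   = true
}

provider "warpgate" {
  host  = "https://warpgate.example.com"   # HTTPS only: the token rides on every request
  token = var.warpgate_token
}

resource "warpgate_user" "eugene" {
  username    = "eugene"
  description = "Eugene - WarpGate Developer"
  credential_policy {
    http     = ["Password", "Totp"]
    ssh      = ["PublicKey"]
    mysql    = ["Password"]
    postgres = ["Password"]
  }
}

# Let Terraform generate the password instead of accepting a human-chosen one.
resource "random_password" "eugene" {
  length  = 32
  special = true
}

resource "warpgate_password_credential" "eugene_password" {
  user_id  = warpgate_user.eugene.id
  password = random_password.eugene.result
}

# An SSH public key is not a secret; reading it from a file in the module is fine.
resource "warpgate_public_key_credential" "eugene_ssh_key" {
  user_id    = warpgate_user.eugene.id
  label      = "Work Laptop"
  public_key = file("${path.module}/keys/eugene.pub")   # assumed path
}

# Sensitive outputs are redacted in plan/apply logs. Retrieve the value once with
# `terraform output -raw eugene_initial_password` and hand it over through a secure channel.
output "eugene_initial_password" {
  value     = random_password.eugene.result
  sensitive = true
}
```

Two caveats apply. First, sensitive = true only redacts CLI output; both random_password.eugene.result and the credential's password are still written in plain text to the state file, so use an encrypted remote backend with access restricted to the people who may already know these secrets. Second, the token in var.warpgate_token is an admin credential for Warpgate itself; anyone who can run this configuration can create users and grant access, so treat the CI job or workstation that holds it as part of your trusted administrative surface.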
Defining a Role
resource "warpgate_role" "developers" {
name = "developers"
description = "Role for development team"
}
This creates a role called 'developers'. Roles are the link between users and targets: a user can reach a target only if some role is assigned to both, so grouping permissions in roles keeps the access policy small and reviewable.
Assigning Roles to Users
resource "warpgate_user_role" "developer_role" {
user_id = warpgate_user.example.id
role_id = warpgate_role.developers.id
}
Here we assign the 'developers' role created above to the 'eugene' user. This grants the user access to every target that carries the same role.
Creating SSH and HTTP Targets
resource "warpgate_target" "app_server" {
name = "app-server"
description = "Application Server"
ssh_options {
host = "10.0.0.10"
port = 22
username = "admin"
password_auth {
password = var.ssh_password
}
}
}
resource "warpgate_target" "web_app" {
name = "internal-web-app"
description = "Internal Web Application"
http_options {
url = "https://internal.example.com"
tls {
mode = "Required"
verify = true
}
headers = {
"X-Custom-Header" = "value"
}
}
}
These code blocks define an SSH target and an HTTP target; Warpgate brokers both protocols from the same bastion. For the HTTP target, mode = "Required" together with verify = true makes Warpgate refuse plaintext and refuse an unverifiable certificate on the bastion-to-backend leg, so a compromised internal network segment cannot silently intercept proxied sessions. For the SSH target, the backend password is held by Warpgate (and by the Terraform state), so prefer a dedicated low-privilege account on the target over a shared admin login.
Managing MySQL and PostgreSQL Targets
resource "warpgate_target" "database" {
name = "mysql-db"
description = "Production MySQL Database"
mysql_options {
host = "db.example.com"
port = 3306
username = "admin"
password = var.db_password
tls {
mode = "Required"
verify = true
}
}
}
resource "warpgate_target" "postgres_db" {
name = "postgres-db"
description = "Production PostgreSQL Database"
postgres_options {
host = "postgres.example.com"
port = 5432
username = "admin"
password = var.postgres_password
tls {
mode = "Required"
verify = true
}
}
}
These are configuration examples for MySQL and PostgreSQL targets. Warpgate terminates the database protocol itself, authenticates the user against its own credential policy, and then connects onward with the stored target credentials; with TLS required and verified, the stored database password is never sent over an unencrypted or unauthenticated connection.
Assigning Roles to Targets
resource "warpgate_target_role" "app_server_access" {
target_id = warpgate_target.app_server.id
role_id = warpgate_role.developers.id
}
This is the other half of the role model: the 'developers' role is attached to the 'app-server' target, so every user holding that role can now reach it. Targets without any role assignment remain unreachable, which is the safe default.
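As an added example (not the provider's own documentation), the configuration below expresses the whole access policy as one map from role to reachable targets and derives every warpgate_role and warpgate_target_role from it with for_each, so adding or removing a single (role, target) pair changes exactly one assignment in the plan. It generalises the one-off assignments shown above; the target addresses, account names, role names and the resource label "this" are assumptions.

```hcl
terraform {
  required_providers {
    warpgate = {
      source  = "registry.terraform.io/warp-tech/warpgate"
      version = "~> 1.0.0"
    }
  }
}

variable "ssh_password" {
  type      = string
  sensitive = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

resource "warpgate_target" "app_server" {
  name        = "app-server"
  description = "Application server (SSH)"
  ssh_options {
    host     = "10.0.0.10"   # placeholder address
    port     = 22
    username = "deploy"      # an unprivileged account on the target, not root
    password_auth {
      password = var.ssh_password
    }
  }
}

resource "warpgate_target" "mysql_db" {
  name        = "mysql-db"
  description = "Production MySQL"
  mysql_options {
    host     = "db.example.com"   # placeholder address
    port     = 3306
    username = "warpgate"         # placeholder database account
    password = var.db_password
    tls {
      mode   = "Required"   # no plaintext on the bastion-to-database leg
      verify = true         # and no unverifiable server certificate
    }
  }
}

locals {
  # Readable name -> target id, so the policy below does not mention ids.
  target_ids = {
    "app-server" = warpgate_target.app_server.id
    "mysql-db"   = warpgate_target.mysql_db.id
  }

  # The complete access policy: which role may reach which targets.
  # A target absent from every list is unreachable through Warpgate.
  access = {
    developers = ["app-server"]
    dbas       = ["app-server", "mysql-db"]
  }

  # One entry per (role, target) pair, keyed "role/target", so each pair maps
  # to exactly one warpgate_target_role and revocations show up as one destroy.
  assignments = {
    for pair in flatten([
      for role, targets in local.access : [
        for target in targets : { role = role, target = target }
      ]
    ]) : "${pair.role}/${pair.target}" => pair
  }
}

resource "warpgate_role" "this" {
  for_each    = local.access
  name        = each.key
  description = "Access group '${each.key}' (managed by Terraform)"
}

resource "warpgate_target_role" "this" {
  for_each  = local.assignments
  role_id   = warpgate_role.this[each.value.role].id
  target_id = local.target_ids[each.value.target]
}

# Users are attached to roles, never to targets directly.
resource "warpgate_user" "eugene" {
  username    = "eugene"
  description = "Eugene - developer"
  credential_policy {
    http     = ["Password", "Totp"]
    ssh      = ["PublicKey"]
    mysql    = ["Password"]
    postgres = ["Password"]
  }
}

resource "warpgate_user_role" "eugene_developers" {
  user_id = warpgate_user.eugene.id
  role_id = warpgate_role.this["developers"].id
}
```

With this layout, a reviewer reading a pull request only has to look at local.access to see what changed in the policy: removing "mysql-db" from the dbas list produces a plan that destroys warpgate_target_role.this["dbas/mysql-db"] and nothing else, and a user like eugene, who holds only developers, never appears in that diff because users are bound to roles, not to targets.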
Using Data Sources to Fetch Information
data "warpgate_user" "existing_user" {
id = "existing-user-id"
}
data "warpgate_role" "existing_role" {
id = "existing-role-id"
}
data "warpgate_target" "existing_target" {
id = "existing-target-id"
}
Use data sources to retrieve information about existing Warpgate resources. This integrates existing setups into your Terraform configurations.
Importing Existing Warpgate Resources
You can import existing Warpgate resources into your Terraform state using the terraform import command:
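As an added example that is not part of the provider's documentation, the import block below (Terraform 1.5 and later) brings an existing Warpgate role under Terraform control declaratively, so the import is reviewed and applied like any other change instead of being run by hand. The role name and the placeholder id are assumptions; the id is the role's identifier as shown in the Warpgate admin interface.

```hcl
# Declarative import: on the next plan/apply Terraform adopts the existing role
# into state at this address instead of creating a new one.
import {
  to = warpgate_role.existing_admins
  id = "11111111-2222-3333-4444-555555555555"   # placeholder: replace with the real role id
}

# The resource block must describe the role as it already exists; any mismatch
# shows up in the plan as an in-place change, which is your check that the
# import matched the right object before you apply.
resource "warpgate_role" "existing_admins" {
  name        = "admins"
  description = "Pre-existing admin role, now managed by Terraform"
}
```

Run terraform plan after adding the block: the expected result is one import and zero changes. If you do not want to hand-write the resource block, terraform plan -generate-config-out=generated.tf writes it for you from the imported object; the imperative one-shot equivalent is terraform import warpgate_role.existing_admins <id>. Remove the import block once the apply has succeeded.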
Authentication
The provider authenticates with an API token generated in the Warpgate admin interface. The token carries admin rights over users, roles and targets, so store it in a secret manager or a sensitive Terraform variable, never in a committed .tf file, and rotate it if the machine that used it is compromised.
Contributing to the Provider
To contribute to the Warpgate Terraform provider:
- Fork the repository.
- Create a feature branch: git checkout -b feature/my-new-feature
- Commit your changes: git commit -am 'Add some feature'
- Push to the branch: git push origin feature/my-new-feature
- Submit a pull request.
License
The Warpgate Terraform provider is distributed under the MIT License.