Automate Warpgate with Terraform: Secure Access Management as Code
This article guides you through using the Terraform provider for Warpgate, a smart SSH and HTTPS bastion. Learn how to manage your Warpgate resources programmatically, ensuring secure and consistent access to your infrastructure. We'll cover everything from initial setup to advanced use cases, complete with real-world examples.
Why Use Terraform with Warpgate? Streamline Your Security
Managing Warpgate resources through code offers significant benefits:
- Infrastructure as Code (IaC): Define and manage your Warpgate configuration in a repeatable and version-controlled manner.
- Automation: Automate the creation, modification, and deletion of users, roles, and targets, reducing manual effort and errors.
- Consistency: Ensure consistent configurations across your environments.
- Collaboration: Enable collaboration among team members through code review and version control.
Prerequisites: Get Ready to Manage Warpgate with Terraform
Before you start, ensure you have the following:
- Terraform: Version 0.13.x or later.
- Go: Version 1.18 or later (required for building the provider).
- Warpgate: Version 0.13.2 or later, with a working instance and API token.
Installation: Build and Configure the Warpgate Terraform Provider
Follow these steps to install the Warpgate Terraform provider:
- Clone the repository:
- Build the provider:
- Install locally: This command installs the provider to your Terraform plugins directory.
Configuration: Connect Terraform to Your Warpgate Instance
To configure the provider, add the following to your Terraform configuration file:
terraform {
  required_providers {
    warpgate = {
      source  = "registry.terraform.io/warp-tech/warpgate"
      version = "~> 1.0.0"
    }
  }
}

provider "warpgate" {
  host  = "https://warpgate.example.com"
  token = var.warpgate_token
}
Alternatively, you can use environment variables:
Warpgate Terraform Resources: Control Users, Roles, and Targets
The Warpgate Terraform provider allows you to manage various resources:
Resources:
- warpgate_role: Manage Warpgate roles.
- warpgate_user: Manage Warpgate users.
- warpgate_target: Manage Warpgate targets (SSH, HTTP, MySQL, PostgreSQL).
- warpgate_user_role: Manage role assignments to users.
- warpgate_target_role: Manage role assignments to targets.
- warpgate_password_credential: Manage password credentials for users.
- warpgate_public_key_credential: Manage SSH public key credentials for users.
Data Sources:
- warpgate_role: Retrieve information about a Warpgate role.
- warpgate_user: Retrieve information about a Warpgate user.
- warpgate_target: Retrieve information about a Warpgate target.
Example: Setting Up Secure Access for a New Developer
Let's walk through a common scenario: provisioning access for a new developer.
1. Create a Warpgate User:
resource "warpgate_user" "example" {
  username    = "eugene"
  description = "Eugene - WarpGate Developer"
  credential_policy {
    http     = ["Password", "Totp"]
    ssh      = ["PublicKey"]
    mysql    = ["Password"]
    postgres = ["Password"]
  }
}
2. Add Credentials (Password and SSH Key):
resource "warpgate_password_credential" "eugene_password" {
  user_id  = warpgate_user.example.id
  password = var.user_password
}

resource "warpgate_public_key_credential" "eugene_ssh_key" {
  user_id    = warpgate_user.example.id
  label      = "Work Laptop"
  public_key = "ssh-rsa AAAAB3NzaC1yc2E... [email protected]"
}
3. Create a Developer Role:
resource "warpgate_role" "developers" {
  name        = "developers"
  description = "Role for development team"
}
4. Assign the Role to the User:
resource "warpgate_user_role" "developer_role" {
  user_id = warpgate_user.example.id
  role_id = warpgate_role.developers.id
}
5. Create an SSH Target:
resource "warpgate_target" "app_server" {
  name        = "app-server"
  description = "Application Server"
  ssh_options {
    host     = "10.0.0.10"
    port     = 22
    username = "admin"
    password_auth {
      password = var.ssh_password
    }
  }
}
6. Assign the Role to the Target:
resource "warpgate_target_role" "app_server_access" {
  target_id = warpgate_target.app_server.id
  role_id   = warpgate_role.developers.id
}
Beyond the Basics: Creating HTTP, MySQL, and PostgreSQL Targets
The Warpgate Terraform provider also supports creating other target types.
HTTP Target Example
resource "warpgate_target" "web_app" {
  name        = "internal-web-app"
  description = "Internal Web Application"
  http_options {
    url = "https://internal.example.com"
    tls {
      mode   = "Required"
      verify = true
    }
    headers = {
      "X-Custom-Header" = "value"
    }
  }
}
MySQL Target Example
resource "warpgate_target" "database" {
  name        = "mysql-db"
  description = "Production MySQL Database"
  mysql_options {
    host     = "db.example.com"
    port     = 3306
    username = "admin"
    password = var.db_password
    tls {
      mode   = "Required"
      verify = true
    }
  }
}
PostgreSQL Target Example
resource "warpgate_target" "postgres_db" {
  name        = "postgres-db"
  description = "Production PostgreSQL Database"
  postgres_options {
    host     = "postgres.example.com"
    port     = 5432
    username = "admin"
    password = var.postgres_password
    tls {
      mode   = "Required"
      verify = true
    }
  }
}
Data Sources: Retrieve Existing Warpgate Information
Use data sources to retrieve information about existing Warpgate resources:
data "warpgate_user" "existing_user" {
  id = "existing-user-id"
}

data "warpgate_role" "existing_role" {
  id = "existing-role-id"
}

data "warpgate_target" "existing_target" {
  id = "existing-target-id"
}
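The following configuration combines the developer-onboarding walkthrough above with the data sources in this section: it provisions several key-only SSH users from one map and binds them to a role and target that already exist in Warpgate. It is an added example, not the provider's own documentation; it assumes the resource and data source arguments shown in this article, and the ids, key and `warpgate_token` variable are placeholders.

```hcl
# Added example (not from the provider docs); ids and keys are placeholders.
variable "warpgate_token" {
  type      = string
  sensitive = true # Terraform 0.14+: keeps the token out of plan/apply output
}

variable "developers" {
  type = map(object({ description = string, public_key = string }))
  default = { # constructed sample entry
    alice = {
      description = "Alice - Backend"
      public_key  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... alice@example.com"
    }
  }
}

# Reuse a role and a target that already exist instead of creating new ones.
data "warpgate_role" "developers" {
  id = "existing-developers-role-id"
}
data "warpgate_target" "app_server" {
  id = "existing-app-server-target-id"
}

# One user per map entry; SSH by public key only (assumes the other
# protocol lists in credential_policy may be omitted).
resource "warpgate_user" "dev" {
  for_each    = var.developers
  username    = each.key
  description = each.value.description
  credential_policy {
    ssh = ["PublicKey"]
  }
}

resource "warpgate_public_key_credential" "dev_key" {
  for_each   = var.developers
  user_id    = warpgate_user.dev[each.key].id
  label      = "Primary key"
  public_key = each.value.public_key
}

resource "warpgate_user_role" "dev_role" {
  for_each = var.developers
  user_id  = warpgate_user.dev[each.key].id
  role_id  = data.warpgate_role.developers.id
}
# Bind the target to the role once; every user in the role gets access.
resource "warpgate_target_role" "app_server_developers" {
  target_id = data.warpgate_target.app_server.id
  role_id   = data.warpgate_role.developers.id
}
```

Adding a developer is then a one-line change to the `developers` map, and removing the entry revokes the user, key and role assignment in the same apply.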
Importing Existing Resources: Bring Your Current Warpgate Setup Under Terraform Control
You can import existing Warpgate resources into your Terraform state:
Contributing: Help Improve the Warpgate Terraform Provider
Contributions are welcome! Follow these steps:
- Fork the repository.
- Create a feature branch: git checkout -b feature/my-new-feature
- Commit your changes: git commit -am 'Add some feature'
- Push to the branch: git push origin feature/my-new-feature
- Submit a pull request.
License: Open Source and Ready to Use
The Warpgate Terraform provider is distributed under the MIT License.
Next Steps: Securing Your Infrastructure with Automation
By using the Warpgate Terraform provider, you can automate and streamline the management of your Warpgate infrastructure. This leads to improved security, consistency, and collaboration within your team. Start implementing these principles today and experience the benefits of Infrastructure as Code.