Terraform patterns for Boundary groups and RBAC

The following pattern demonstrates how to aggregate users into groups.

Security best-practices recommend that you use Role-Based Access Control (RBAC) when you make authorization decisions. RBAC is a methodology in which you create a role that defines the actions that a user is allowed to take, and then assign one or more users to that role.

In Boundary, you can assign users directly to a role, but a better pattern is to put users with equivalent access into groups. You can then assign groups to roles that grant least-privileges to your Boundary environment.

Requirements

This document assumes the reader has:

• An understanding of Terraform fundamentals
• An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
• Configured the Terraform Boundary provider.
• Created Boundary users and auth methods to assign to the group you plan to create.

Group configuration

This example adds users to the Accounting group.

# Add Jeff and Susmitha to the Accounting group
resource "boundary_group" "Accounting" {
  name        = "Accounting"
  description = "The Accounting Department"
  member_ids  = [boundary_user.susmitha,id, boundary_user.jeff.id]
  scope_id    = boundary_scope.project.id
}

You are not required to populate groups manually, and can instead take advantage of the pre-existing groups provided by an identity provider.

Managed group configuration

This example creates a managed group that is automatically populated based on an LDAP group called Engineering.

resource "boundary_managed_group_ldap" "Engineering" {
  name           = "Engineering"
  description    = "Engineering Managed LDAP Group"
  auth_method_id = boundary_auth_method_ldap.forumsys_ldap.id
  group_names    = ["Engineering"]
}

HashiCorp recommends using managed groups whenever possible because it abstracts the management of group membership and simplifies Boundary administration.

Role configuration

After you have created a group, you must assign one or more roles to that group to enable the group members to do useful work in Boundary.

This pattern creates a role called readonly that include a grant that allows the user read-only access to all Boundary resources. This example also associates the Accounting static group and the Engineering managed group with that role.

resource "boundary_role" "readonly" {
  name          = "readonly"
  description   = "A readonly role"

  # Assign Accounting and Engineering to this role
  principal_ids = [boundary_group.accounting.id, boundary_managed_group_ldap.Engineering.id]

  # This is the grant string provides read-only access to all objects in the current scope.
  grant_strings = ["ids=*;type=*;actions=read"]
  scope_id      = boundary_scope.project.id
}

More information

For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:

• Roles
• Groups
• Managed groups
• Grants

For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:

• Accounts
  • Password accounts
  • LDAP accounts
  • OIDC accounts
• Users
• Groups
• LDAP managed groups
• Roles

Next steps

You may want to create hosts and host sets so that you can configure targets for your users to connect to. Targets require an address or host, and credentials to connect to that host.