Terraform patterns for Boundary users and auth methods
Boundary supports password, OIDC, and LDAP auth methods.
Requirements
This document assumes the reader has:
- An understanding of Terraform fundamentals
- An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
- Configured the Terraform Boundary provider.
- Created a scope to add the users and auth methods to.
Auth method configuration
Below is an example of creating a password auth method. Terraform creates the auth method in the scope specified by the scope_id argument.
resource "boundary_auth_method" "password" {
  scope_id = boundary_scope.org.id
  type     = "password"
}
LDAP auth method configuration
The next example demonstrates how to create an LDAP auth method.
resource "boundary_auth_method_ldap" "forumsys_ldap" {
  name          = "forumsys public LDAP"
  scope_id      = "global"                               # add the new auth method to the global scope
  urls          = ["ldap://ldap.forumsys.com"]           # the address of the LDAP server
  user_dn       = "dc=example,dc=com"                    # the base DN for users
  user_attr     = "uid"                                  # the user attribute
  group_dn      = "dc=example,dc=com"                    # the base DN for groups
  bind_dn       = "cn=read-only-admin,dc=example,dc=com" # the DN to use when binding
  bind_password = "password"                             # the password to use when binding
  state         = "active-public"                        # make sure the new auth method is available to everyone
  enable_groups = true                                   # turns on the discovery of a user's groups
  discover_dn   = true                                   # turns on the discovery of an authenticating user's DN
}
Account and user configuration
After you create an auth method, you need to add accounts to it and create users to represent the accounts. Users and accounts are different constructs. A user is a "parent" object associated to one or more accounts created using a supported auth method.
This example creates two accounts using the password auth method, and a user for each account.
# Create a password account for Jeff
resource "boundary_account_password" "jeff" {
  auth_method_id = boundary_auth_method.password.id
  type           = "password"
  login_name     = "jeff"
  password       = "$uper$ecure"
}
# Create the user that owns Jeff's account
resource "boundary_user" "jeff" {
  name        = "jeff"
  description = "Jeff's user resource"
  account_ids = [boundary_account_password.jeff.id]
  scope_id    = boundary_scope.org.id
}
# Create a password account for Susmitha
resource "boundary_account_password" "susmitha" {
  auth_method_id = boundary_auth_method.password.id
  type           = "password"
  login_name     = "susmitha"
  password       = "more$super$ecure"
}
# Create the user that owns Susmitha's account
resource "boundary_user" "susmitha" {
  name        = "susmitha"
  description = "Susmitha's user resource"
  account_ids = [boundary_account_password.susmitha.id]
  scope_id    = boundary_scope.org.id
}
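The LDAP auth method above binds over plaintext ldap:// with its bind password written into the configuration, and the password accounts embed their secrets in the same way. The following added example (not from the original page or the Boundary project) shows the hardened form of both sections: an LDAP auth method over ldaps:// with a pinned CA certificate and the bind password supplied through a sensitive variable, plus an LDAP account and the user that owns it. The variable name, the ldaps.example.com host, the DNs and the CA certificate path are assumptions.

```hcl
# The bind password comes from a variable rather than the configuration file,
# so it is not committed to version control. Supply it via TF_VAR_ldap_bind_password
# or a .tfvars file excluded from the repository (assumed variable name).
variable "ldap_bind_password" {
  type      = string
  sensitive = true # redacted from plan and apply output
}

resource "boundary_auth_method_ldap" "corp_ldap" {
  name          = "corporate LDAP"
  scope_id      = boundary_scope.org.id
  urls          = ["ldaps://ldaps.example.com:636"]      # TLS instead of plaintext ldap://
  certificates  = [file("${path.module}/ldap-ca.pem")]   # pin the directory's CA (assumed path)
  insecure_tls  = false                                  # keep certificate verification on
  user_dn       = "ou=people,dc=example,dc=com"          # assumed base DN for users
  user_attr     = "uid"
  group_dn      = "ou=groups,dc=example,dc=com"          # assumed base DN for groups
  bind_dn       = "cn=boundary-reader,ou=service,dc=example,dc=com" # read-only service account
  bind_password = var.ldap_bind_password
  state         = "active-private"                       # usable, but not listed to unauthenticated users;
                                                         # switch to active-public once verified
  enable_groups = true
  discover_dn   = true
}

# An LDAP account refers to a directory entry by login name; Boundary stores no
# directory password, so nothing secret is written into the configuration here.
resource "boundary_account_ldap" "jeff_ldap" {
  auth_method_id = boundary_auth_method_ldap.corp_ldap.id
  login_name     = "jeff"
  description    = "Jeff's corporate LDAP account"
}

# The user is the "parent" object that owns the account, as in the password example above.
resource "boundary_user" "jeff_ldap" {
  name        = "jeff-ldap"
  description = "Jeff's user resource backed by corporate LDAP"
  account_ids = [boundary_account_ldap.jeff_ldap.id]
  scope_id    = boundary_scope.org.id
}
```

Because the variable is marked sensitive, `terraform plan` shows the bind password as (sensitive value); the value is still written to the state file, so the state backend needs the same access controls as the password itself.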
More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation.
For more information about managing these resources using Terraform, refer to the Boundary provider documentation.
Next steps
Once you have created users and auth methods, you may want to create groups for your users or configure RBAC to define the actions a user is allowed to take.