Terraform SSO & Auto-Provision Team Members with JumpCloud

Shawn Song
Oct 13, 2021

A guide to neatly provisioning team members for a rapidly growing organisation on Terraform Enterprise (TFE) via JumpCloud (JC) SSO.

Background

Have you noticed that your TFE workspaces have grown to a significant number without you realising it? That you have created a bunch of different organisations, teams, and users?

Now combine that with differentiated, role-based access across the SRE teams and TF developers that needs to be constantly managed. What a nightmare!

Yes, I have the exact same headache. And these accesses need to be regulated and automated, badly.

Intro

In order to address this pain, I will be using JumpCloud as my authoritative Cloud Directory to manage user access to our TFE instances.

What is the benefit?

Well, once you reach the point where you need to do things right by segregating duties between access management and application users, and enforcing IAM policies for compliance, you need to manage the life cycle of every single access in a centralised platform.

So, here are a few scenarios that will be covered by this article:

  • The caveats when setting up the TFE SSO connector in JC.
  • Provisioning TFE site admins by adding users to a specific user group in JC, i.e. a JC group named “tfe-siteadmin”.
  • Provisioning TFE developers with access to designated TFE orgs via their respective teams.
  • A group of users with mixed access to different TFE orgs who are, at the same time, TFE site admins.

The Overall Architecture

Here is an overview of the above 2 provisioning scenarios.

Setup SSO

  • Refer to the official guide here to create a custom SSO connector on JC.

Example SSO Metadata

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="JumpCloud">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.jumpcloud.com/saml2/terraform"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.jumpcloud.com/saml2/terraform"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
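Before pasting IdP metadata like the above into TFE, it is worth checking it mechanically. The following Python script is an added example, not part of the original article and not JumpCloud or HashiCorp code. It parses an IdP metadata document and flags what a reviewer would look for: the signing certificate is actually present (the article's sample has it blanked out), the NameID format is the emailAddress format shown in the metadata, and every SingleSignOnService endpoint uses HTTPS. The embedded sample is the article's metadata with a constructed placeholder certificate.

```python
"""Sanity-check SAML IdP metadata before configuring it in TFE.

Added example; not from the article, JumpCloud or HashiCorp. The sample
metadata is the article's document with a constructed placeholder
certificate so that the checks have something to pass.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the article's metadata plus a placeholder certificate value.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="JumpCloud">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.jumpcloud.com/saml2/terraform"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.jumpcloud.com/saml2/terraform"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element found"]

    # 1. A signing certificate must be present; without it the SP cannot verify
    #    assertion signatures. A KeyDescriptor with no "use" attribute covers both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs.extend((c.text or "").strip() for c in kd.iter(f"{{{DS_NS}}}X509Certificate"))
    if not any(certs):
        findings.append("signing X509Certificate is missing or empty")

    # 2. The metadata should advertise the emailAddress NameID format that TFE is
    #    configured against in the article.
    fmts = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if EMAIL_NAMEID not in fmts:
        findings.append(f"NameIDFormat {fmts} does not include {EMAIL_NAMEID}")

    # 3. Every SSO endpoint must be served over HTTPS.
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        if not loc.lower().startswith("https://"):
            findings.append(f"SSO endpoint is not HTTPS: {loc}")
    return findings


if __name__ == "__main__":
    problems = check_idp_metadata(SAMPLE_METADATA)
    print("metadata OK" if not problems else "\n".join(problems))
```

Run it against the metadata exported from the JC connector (read the file into `check_idp_metadata`); an empty certificate element, as in the article's redacted sample, is reported as a finding rather than silently accepted.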

Caveats

In order to pass the “user attribute” that defines a user (be it site admin, org member, or both), we need to map the respective attributes in the SSO config. You can also check here for the official explanation.

  • Go to your JumpCloud Admin console > SSO > the TFE SSO connector you just created.
  • Make sure the user attributes are mapped as follows:
  • And that the group attributes are mapped (case sensitive):

User Provisioning Scenarios

Prerequisites

  • Enable SAML to manage team memberships on your TFE instance by logging in as a local admin.
  • Set the Team Attribute Name to the same value as the group attribute above.
  • Leave the “Site Admin Role” section blank. We will use HashiCorp's recommended approach to set this up (later).

Scenario 1 — JC user login as site admin

  • Create a group in JC with a proper name.
  • Tag the TFE SSO app as an application associated with the group.
  • Add a custom attribute (type: boolean) named “SiteAdmin” and set its value to “True” at the group level; it will be inherited once a user joins the group.
  • Now add the user to the group; they will be able to SSO in as a site admin from then on, even on their first login.
  • The “SiteAdmin” attribute should be passed correctly (I used SAML-tracer to capture it).

Scenario 2 — JC user login as TFE Developer

That is, to one or more teams attached to different orgs.

Note: the group names in JC need to be exactly the same as the team names in TFE. See:

https://www.terraform.io/docs/enterprise/saml/team-membership.html#team-names

  • Create a team in an org with the respective permissions on TFE.
  • Create a group in JC with the same name, and add the user.
  • Tag the TFE SSO app as an application associated with the group.
  • Once you have logged in, you will be able to choose the designated org.
  • You can see the memberships being passed in the tracer like this (which is what TFE expects):

Scenario 3 — JC user login as an admin with access to different orgs

  • Add the user to the site admin group you created previously.
  • At the same time, add the user to the respective org groups.
  • Once you have logged in, you will be able to choose the designated org, and by clicking your profile there is an “Admin” option there too.
  • Your tracer should look like this:
  • If you notice another “MemberOf” value, tfe-siteadmin, being passed, don't be alarmed: this is the expected behaviour, since the user is in the “tfe-siteadmin” JC user group. TFE will ignore this value if no team with the same name exists.
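To make the three scenarios concrete, here is an added Python example (not from the article, JumpCloud or HashiCorp) that takes a constructed SAML assertion of the kind SAML-tracer shows you and resolves what the article says TFE does with it: a “SiteAdmin” attribute of True grants site admin, each “MemberOf” value is matched case-sensitively against TFE team names, and a value with no matching team (the tfe-siteadmin group in Scenario 3) is ignored. The attribute names “SiteAdmin” and “MemberOf” are the ones mapped in the Caveats section; the org and team names, the assertion and the resolution logic are constructed for illustration and are a simplification of TFE's real behaviour.

```python
"""Resolve TFE access from SAML assertion attributes (Scenarios 1 to 3).

Added example; not the article's, JumpCloud's or HashiCorp's code. The
assertion, the TFE org/team state and the attribute names are assumptions
taken from the article's description, and the matching logic is a
simplified model for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SITE_ADMIN_ATTR = "SiteAdmin"   # JC custom boolean attribute from Scenario 1
TEAM_ATTR = "MemberOf"          # Team Attribute Name configured on TFE (case sensitive)

# Constructed TFE state: org -> team names. Team names must equal the JC group names.
TFE_TEAMS = {
    "platform-org": {"sre", "tf-developers"},
    "app-org": {"tf-developers"},
}

# Constructed Scenario 3 assertion: the user is in the site-admin group and two team groups.
SCENARIO3_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SiteAdmin">
      <saml:AttributeValue>True</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>tfe-siteadmin</saml:AttributeValue>
      <saml:AttributeValue>sre</saml:AttributeValue>
      <saml:AttributeValue>tf-developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


@dataclass
class TfeAccess:
    user: str
    site_admin: bool
    teams: dict = field(default_factory=dict)    # org -> sorted list of teams joined
    ignored: list = field(default_factory=list)  # MemberOf values with no matching team


def parse_attributes(assertion_xml: str):
    """Return (NameID, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(assertion_xml.encode("utf-8"))
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values   # attribute names are kept exactly as sent
    return name_id, attrs


def resolve_access(assertion_xml: str, tfe_teams: dict, team_attr: str = TEAM_ATTR) -> TfeAccess:
    """Resolve the site-admin flag and org/team memberships as the article describes."""
    user, attrs = parse_attributes(assertion_xml)
    # Scenario 1: the boolean "SiteAdmin" attribute arrives as the string "True".
    site_admin = attrs.get(SITE_ADMIN_ATTR, [""])[0].lower() == "true"
    access = TfeAccess(user=user, site_admin=site_admin)

    # Scenarios 2 and 3: each value of the team attribute is matched against team
    # names in every org. The lookup of the attribute itself is case sensitive, so
    # configuring "memberof" on TFE while JC sends "MemberOf" resolves nothing.
    for group in attrs.get(team_attr, []):
        matched = False
        for org, teams in tfe_teams.items():
            if group in teams:
                access.teams.setdefault(org, []).append(group)
                matched = True
        if not matched:
            access.ignored.append(group)   # e.g. "tfe-siteadmin": no such team, so ignored
    for org in access.teams:
        access.teams[org].sort()
    return access


if __name__ == "__main__":
    print(resolve_access(SCENARIO3_ASSERTION, TFE_TEAMS))
```

For the Scenario 3 assertion this yields site admin plus membership of sre and tf-developers in platform-org and tf-developers in app-org, with tfe-siteadmin listed under ignored. Calling `resolve_access` with `team_attr="memberof"` instead resolves no teams at all, which is the case-sensitivity caveat from the Caveats section showing up as a silent loss of access rather than an error.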
