Configure with Terraform
Pomerium Enterprise can be configured and managed using Terraform through the official Pomerium provider. This enables you to manage your Pomerium Enterprise resources as infrastructure as code, making it easier to version, review, and automate your configuration changes.
Prerequisites
- Pomerium Enterprise must be running first
- Console API must be accessible
Provider Configuration
To use the Pomerium Terraform provider, first configure it in your Terraform configuration:
```hcl
terraform {
  required_providers {
    pomerium = {
      source  = "pomerium/pomerium"
      version = "~> 0.29.0"
    }
  }
}

provider "pomerium" {
  api_url = "https://console-api.your-domain.com"
  # Choose one of the authentication methods below
}
```
Authentication Methods
The provider supports two authentication methods; configure exactly one of them:
1. Service Account Token
This method uses a Pomerium Enterprise Service Account and provides fine-grained access control at the namespace level:
```hcl
provider "pomerium" {
  api_url               = "https://console-api.your-domain.com"
  service_account_token = var.pomerium_service_account_token
}
```
The policy on the route that publishes the Console API must allow that service account's user ID:

```yaml
- allow:
    or:
      - user:
          is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
```
2. Bootstrap Service Account
This method requires enabling bootstrap service accounts in your Enterprise Console. Use it when you want to configure Pomerium Enterprise as part of the installation process, without first opening the Console UI to create a service account.

```hcl
provider "pomerium" {
  api_url           = "https://console-api.your-domain.com"
  shared_secret_b64 = var.shared_secret_b64
}
```
The route that publishes the Console API must carry the following policy, which allows the special bootstrap service account user ID:

```yaml
- allow:
    or:
      - user:
          is: 'bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium'
```

The Bootstrap Service Account method also requires setting `BOOTSTRAP_SERVICE_ACCOUNT=true` in your Enterprise Console configuration.
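Both provider blocks above reference Terraform input variables (`var.pomerium_service_account_token` and `var.shared_secret_b64`) that are not declared anywhere on this page. The declarations below are an added example, not part of the Pomerium provider's documentation. They mark both secrets as `sensitive` so Terraform redacts them from plan and apply output, and default both to `null` so that only the one you set is passed to the provider. The `validation` block assumes the shared secret is 32 random bytes (which base64-encodes to 43 characters plus one `=` of padding); that length is an assumption, not something the page states.

```hcl
# Added example: variable declarations for the two authentication methods.
# Variable names match the provider blocks on this page; nothing else here
# is taken from the Pomerium provider documentation.

variable "pomerium_service_account_token" {
  description = "Token of an Enterprise Console service account (method 1)."
  type        = string
  default     = null # leave unset when using the bootstrap method
  sensitive   = true # redacted from plan/apply output
}

variable "shared_secret_b64" {
  description = "Base64-encoded SHARED_SECRET shared with Pomerium core (method 2)."
  type        = string
  default     = null # leave unset when using a service account token
  sensitive   = true

  # Assumption: the shared secret is 32 random bytes, i.e. 43 base64
  # characters followed by a single '=' padding character.
  validation {
    condition     = var.shared_secret_b64 == null || can(regex("^[A-Za-z0-9+/]{43}=$", var.shared_secret_b64))
    error_message = "shared_secret_b64 must be the base64 encoding of a 32-byte secret."
  }
}

# Setting an attribute to null is the same as omitting it, so exactly one
# authentication method reaches the provider depending on which variable is set.
provider "pomerium" {
  api_url               = "https://console-api.your-domain.com"
  service_account_token = var.pomerium_service_account_token
  shared_secret_b64     = var.shared_secret_b64
}
```

Supply the chosen secret through an environment variable (`TF_VAR_pomerium_service_account_token` or `TF_VAR_shared_secret_b64`) or a `.tfvars` file kept out of version control. Note that `sensitive = true` only affects CLI output: the value is still written in plaintext to the Terraform state, so the state backend needs the same access controls as the secret itself.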
Example
```hcl
resource "pomerium_namespace" "engineering" {
  name = "engineering"
}

resource "pomerium_policy" "engineering_policy" {
  name      = "engineering-policy"
  namespace = pomerium_namespace.engineering.id
  ppl = yamlencode({
    allow = {
      and = [
        {
          groups = {
            has = "engineering"
          }
        }
      ]
    }
  })
}

resource "pomerium_route" "internal_tools" {
  name      = "internal-tools"
  namespace = pomerium_namespace.engineering.id
  from      = "https://tools.example.com"
  to        = ["https://internal-tools.local"]
  policies = [
    pomerium_policy.engineering_policy.id
  ]
}
```