Manage users and groups
- 10min
- |
- BoundaryBoundary
- TerraformTerraform
Reference this often? Create an account to bookmark tutorials.
Users and groups in Boundary are collectively known as principals. Assigning grants on roles is performed through principal IDs; that is, the unique IDs of users, groups, or both.
This tutorial focus on completing user management tasks within a Boundary environment.
Prerequisites
This tutorial assumes that you successfully completed the Manage Scopes tutorial.
Users
Users in Boundary represent an internal notion of a particular entity (human, machine, etc.). Users can be correlated with one or more account resources via auth methods. Accounts represent external notions of a particular entity. Among other use-cases, this mechanism allows for an easy way to switch users to new IdPs within the organization deploying Boundary.
An auth method can be defined at the org and global scopes. In this tutorial, you will create an account and user for an auth method at the org level.
Currently, all auth methods create users upon authentication. If there is no user linked with an account, Boundary creates a user when the authentication against that account was successful. This behavior may be convenient, but in other situations (such as when you want Terraform to describe the Boundary resources), this may be undesirable. The steps in this tutorial demonstrate manually making these resources and linking them. A future Boundary update will allow turning off auto-vivification on a per-auth-method basis.
Add an auth method
Enable a password-type auth method in the IT_Support
org which you created in
the Manage Scopes tutorial.
Authenticate to Boundary as the admin
user with the login name of password
.
$ boundary authenticate Please enter the login name (it will be hidden): Please enter the password (it will be hidden): Authentication information: Account ID: acctpw_VOeNSFX8pQ Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_1vUkf5fPs9 The token was successfully stored in the chosen keyring and is not displayed here.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
Account ID: acctpw_VOeNSFX8pQ
Auth Method ID: ampw_ZbB6UXpW3B
Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
User ID: u_1vUkf5fPs9
The token was successfully stored in the chosen keyring and is not displayed here.
Create a password auth method in the IT_Support
org.
$ boundary auth-methods create password \ -scope-id=$ORG_ID \ -name="org_auth_method" \ -description="Org auth method"
$ boundary auth-methods create password \
-scope-id=$ORG_ID \
-name="org_auth_method" \
-description="Org auth method"
Example:
$ boundary auth-methods create password \ -scope-id=$ORG_ID \ -name="org_auth_method" \ -description="Org auth method" Auth Method information: Created Time: Fri, 27 May 2022 11:14:30 MDT Description: Org auth method ID: ampw_ZbB6UXpW3B Name: org_auth_method Type: password Updated Time: Fri, 27 May 2022 11:14:30 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete authenticate Authorized Actions on Auth Method's Collections: accounts: create list managed-groups: create list Attributes: Minimum Login Name Length: 3 Minimum Password Length: 8
$ boundary auth-methods create password \
-scope-id=$ORG_ID \
-name="org_auth_method" \
-description="Org auth method"
Auth Method information:
Created Time: Fri, 27 May 2022 11:14:30 MDT
Description: Org auth method
ID: ampw_ZbB6UXpW3B
Name: org_auth_method
Type: password
Updated Time: Fri, 27 May 2022 11:14:30 MDT
Version: 1
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
authenticate
Authorized Actions on Auth Method's Collections:
accounts:
create
list
managed-groups:
create
list
Attributes:
Minimum Login Name Length: 3
Minimum Password Length: 8
In this example output, the password auth method ID is ampw_ZbB6UXpW3B
.
Copy the auth method ID and save it as an environment variable, BOUNDARY_AUTH_METHOD_ID
.
Example:
$ export BOUNDARY_AUTH_METHOD_ID=ampw_ZbB6UXpW3B
$ export BOUNDARY_AUTH_METHOD_ID=ampw_ZbB6UXpW3B
Select IT_Support org under Orgs.
Select Auth Methods and then select New.
Enter
org_auth_method
in the Name field, andOrg auth method
in the Description field.Click Save.
In your Terraform configuration file, define a boundary_auth_method
resource
to create a new auth method under the IT_Support
scope which you created in
the Manage Scopes tutorial.
resource "boundary_auth_method" "password" { name = "org_auth_method" description = "Password auth method for org" type = "password" scope_id = boundary_scope.org.id }
resource "boundary_auth_method" "password" {
name = "org_auth_method"
description = "Password auth method for org"
type = "password"
scope_id = boundary_scope.org.id
}
Create an account
Create an account for the org-scoped auth method.
Note
User names must be all lowercase alphanumeric of at least 3 characters and the password must be 8 or more characters. (The minimum lengths can be changed in the attributes for the auth method if desired.)
Create an account named "test_account". Give it a password supersecure
when prompted.
$ boundary accounts create password \ -auth-method-id=$BOUNDARY_AUTH_METHOD_ID \ -login-name="tester01" \ -name=test_account \ -description="Test password account"
$ boundary accounts create password \
-auth-method-id=$BOUNDARY_AUTH_METHOD_ID \
-login-name="tester01" \
-name=test_account \
-description="Test password account"
Example output:
$ boundary accounts create password \ -auth-method-id=$BOUNDARY_AUTH_METHOD_ID \ -login-name="tester01" \ -name=test_account \ -description="Test password account" Please enter the password (it will be hidden): Account information: Auth Method ID: ampw_ZbB6UXpW3B Created Time: Fri, 27 May 2022 11:16:47 MDT Description: Test password account ID: acctpw_A8R1escktO Name: test_account Type: password Updated Time: Fri, 27 May 2022 11:16:47 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete set-password change-password Attributes: Login Name: tester01
$ boundary accounts create password \
-auth-method-id=$BOUNDARY_AUTH_METHOD_ID \
-login-name="tester01" \
-name=test_account \
-description="Test password account"
Please enter the password (it will be hidden):
Account information:
Auth Method ID: ampw_ZbB6UXpW3B
Created Time: Fri, 27 May 2022 11:16:47 MDT
Description: Test password account
ID: acctpw_A8R1escktO
Name: test_account
Type: password
Updated Time: Fri, 27 May 2022 11:16:47 MDT
Version: 1
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
set-password
change-password
Attributes:
Login Name: tester01
In this example, the generated account ID is acctpw_A8R1escktO
.
Copy the ID of test_account
and save it as an environment variable, ACCOUNT_ID
.
$ export ACCOUNT_ID=acctpw_A8R1escktO
$ export ACCOUNT_ID=acctpw_A8R1escktO
Select the Accounts tab, and then select Create Account.
Enter
test_account
in the Name field,Test password account
in the Description field,tester01
in the Login Name, andsupersecure
(or your preferred password) in the Password field.Click Save.
In your Terraform configuration file, define a boundary_account_password
resource
to create a new account in the org_auth_method
you created in the previous
step.
resource "boundary_account_password" "test_account" { name = "test_account" description = "Test password account" type = "password" login_name = "tester01" password = "supersecure" auth_method_id = boundary_auth_method.password.id }
resource "boundary_account_password" "test_account" {
name = "test_account"
description = "Test password account"
type = "password"
login_name = "tester01"
password = "supersecure"
auth_method_id = boundary_auth_method.password.id
}
Create a user
Next, create a user at the org scope.
Create a user, "tester01" under the IT_Support
org.
$ boundary users create -name="tester01" -description="A test user" -scope-id=$ORG_ID User information: Created Time: Fri, 27 May 2022 11:17:35 MDT Description: A test user ID: u_ogz79sV4sT Name: tester01 Updated Time: Fri, 27 May 2022 11:17:35 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-accounts set-accounts remove-accounts
$ boundary users create -name="tester01" -description="A test user" -scope-id=$ORG_ID
User information:
Created Time: Fri, 27 May 2022 11:17:35 MDT
Description: A test user
ID: u_ogz79sV4sT
Name: tester01
Updated Time: Fri, 27 May 2022 11:17:35 MDT
Version: 1
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-accounts
set-accounts
remove-accounts
In the example output, the tester01
user ID is u_ogz79sV4sT
.
Copy the generated user ID and save it as an environment variable, USER_ID
.
Example:
$ export USER_ID=u_ogz79sV4sT
$ export USER_ID=u_ogz79sV4sT
Now, associate the tester01
user with the test_account
account previously
created.
$ boundary users set-accounts -id=$USER_ID -account=$ACCOUNT_ID User information: Created Time: Fri, 27 May 2022 11:17:35 MDT Description: A test user ID: u_ogz79sV4sT Name: tester01 Updated Time: Fri, 27 May 2022 11:18:37 MDT Version: 2 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-accounts set-accounts remove-accounts Accounts: ID: acctpw_A8R1escktO Scope ID: o_u54jrD6ydN
$ boundary users set-accounts -id=$USER_ID -account=$ACCOUNT_ID
User information:
Created Time: Fri, 27 May 2022 11:17:35 MDT
Description: A test user
ID: u_ogz79sV4sT
Name: tester01
Updated Time: Fri, 27 May 2022 11:18:37 MDT
Version: 2
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-accounts
set-accounts
remove-accounts
Accounts:
ID: acctpw_A8R1escktO
Scope ID: o_u54jrD6ydN
Select Users and then select New.
Enter
tester01
in the Name field, andA test user
in the Description field.Click Save.
Select the Accounts tab and click Add Accounts.
Select the check-box for Test password account and then click Add Accounts.
In your Terraform configuration file, define a boundary_user
resource
to create a new user and associate that with test_account
you created in the
previous step.
resource "boundary_user" "tester01" { name = "tester01" description = "A test user" account_ids = [ boundary_account_password.test_account.id ] scope_id = boundary_scope.org.id }
resource "boundary_user" "tester01" {
name = "tester01"
description = "A test user"
account_ids = [
boundary_account_password.test_account.id
]
scope_id = boundary_scope.org.id
}
Verify Users
Now, test to make sure that you can authenticate with Boundary as tester01
user.
Authenticate with Boundary using the newly created user, tester01
. Enter
supersecure
at the Please enter the password (it will be hidden):
prompt.
$ boundary authenticate Please enter the login name (it will be hidden): Please enter the password (it will be hidden): Authentication information: Account ID: acctpw_A8R1escktO Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_ogz79sV4sT The token was successfully stored in the chosen keyring and is not displayed here.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
Account ID: acctpw_A8R1escktO
Auth Method ID: ampw_ZbB6UXpW3B
Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
User ID: u_ogz79sV4sT
The token was successfully stored in the chosen keyring and is not displayed here.
Warning
To continue the tutorial, re-authenticate with the admin username and password that you were using. Make sure to then select the IT_Support group again.
Example: If you are running Boundary in dev mode, authenticate as the
admin
user. When prompted, enter password
which is the default admin
password in dev mode.
$ boundary authenticate Please enter the login name (it will be hidden): Please enter the password (it will be hidden): Authentication information: Account ID: acctpw_VOeNSFX8pQ Auth Method ID: ampw_ZbB6UXpW3B Expiration Time: Mon, 13 Feb 2023 12:35:32 MST User ID: u_1vUkf5fPs9 The token was successfully stored in the chosen keyring and is not displayed here.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
Account ID: acctpw_VOeNSFX8pQ
Auth Method ID: ampw_ZbB6UXpW3B
Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
User ID: u_1vUkf5fPs9
The token was successfully stored in the chosen keyring and is not displayed here.
Log out by selecting Sign Out from the upper-right menu.
Select IT_Support to set the scope to log in.
Enter
tester01
in the Login Name field, andsupersecure
in the Password field.Click Sign In.
Log out by selecting Sign Out from the upper-right menu.
Warning
To continue the tutorial, re-authenticate with the admin username and password that you were using.
Leave the scope to be Global and enter the Login Name and Password. If you are running Boundary in
dev
mode, enteradmin
in the Login Name field, andpassword
in the Password field.
This tutorial utilizes the recovery key
workflow
to configure Boundary with Terraform utilizing the recovery_kms_hcl
attribute
of the boundary
provider:
provider "boundary" { addr = "http://127.0.0.1:9200" recovery_kms_hcl = <<EOT kms "aead" { purpose = "recovery" aead_type = "aes-gcm" key = "Wt7KhwRKB05YlznYd5i5iPIezLHzbVFrKeZ2ewhoMwk=" key_id = "global_recovery" } EOT }
provider "boundary" {
addr = "http://127.0.0.1:9200"
recovery_kms_hcl = <<EOT
kms "aead" {
purpose = "recovery"
aead_type = "aes-gcm"
key = "Wt7KhwRKB05YlznYd5i5iPIezLHzbVFrKeZ2ewhoMwk="
key_id = "global_recovery"
}
EOT
}
This is useful because it allows Boundary to be configured programmatically, without first bootstrapping Boundary with accounts or users.
Another approach uses a pre-existing account to manage Terraform resources. This method is not recommended, since authentication passwords should not be stored in HCL for production environments. If using this method, consider utilizing Terraform input variables instead. Also note that the account must already exist in order for Terraform to manage resources using this method.
Note
Do NOT copy the following snippet into your main.tf
configuration. The following configuration is only provided as an example.
To configure the Boundary provider using
Terraform,
provide the valid auth method ID, login name, and password for a pre-existing
auth method to authenticate. Note that a valid auth_method_id
must be provided
when configuring Boundary using this method, and the user must have appropriate
grants assigned to manage resources in the desired scope. The next tutorial will
discuss roles and grants.
provider "boundary" { addr = "http://127.0.0.1:9200" auth_method_id = "ampw_sOXVI7JS2l" password_auth_method_login_name = "tester01" password_auth_method_password = "supersecure" }
provider "boundary" {
addr = "http://127.0.0.1:9200"
auth_method_id = "ampw_sOXVI7JS2l"
password_auth_method_login_name = "tester01"
password_auth_method_password = "supersecure"
}
Do NOT add this configuration to your main.tf
file.
Groups
A group in Boundary is a resource that represents a collection of users that are treated equally for the purposes of access control. A group is a principal, which allows it to be assigned to roles. Roles assigned to a group are indirectly assigned to the users in the group, and users receive all permissions of the assigned roles. Groups can be defined at the Global, Organization, or Project scope.
The group resource membership is managed manually. If using an OIDC Auth provider, such as Auth0, Okta or Azure AD, Managed Groups can be used to automatically map membership to a collection of accounts defined by the auth method's identity provider using filtering.
Create a group
Create a user at the org scope.
Create a group, "group01" under the IT_Support
org.
$ boundary groups create -name="group01" -description="A test group" -scope-id=$ORG_ID Group information: Created Time: Fri, 27 May 2022 11:20:55 MDT Description: A test group ID: g_wRpm66iPOX Name: group01 Updated Time: Fri, 27 May 2022 11:20:55 MDT Version: 1 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-members set-members remove-members
$ boundary groups create -name="group01" -description="A test group" -scope-id=$ORG_ID
Group information:
Created Time: Fri, 27 May 2022 11:20:55 MDT
Description: A test group
ID: g_wRpm66iPOX
Name: group01
Updated Time: Fri, 27 May 2022 11:20:55 MDT
Version: 1
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-members
set-members
remove-members
In the example output, the group01
group ID is g_wRpm66iPOX
.
Copy the generated group ID and save it as an environment variable, GROUP_ID
.
Example:
$ export GROUP_ID=g_wRpm66iPOX
$ export GROUP_ID=g_wRpm66iPOX
Now, add the tester01
user created previously to group01
.
$ boundary groups add-members -id=$GROUP_ID -member=$USER_ID Group information: Created Time: Fri, 27 May 2022 11:20:55 MDT Description: A test group ID: g_wRpm66iPOX Name: group01 Updated Time: Fri, 27 May 2022 11:21:42 MDT Version: 2 Scope: ID: o_u54jrD6ydN Name: IT_Support Parent Scope ID: global Type: org Authorized Actions: no-op read update delete add-members set-members remove-members Members: ID: u_ogz79sV4sT Scope ID: o_u54jrD6ydN
$ boundary groups add-members -id=$GROUP_ID -member=$USER_ID
Group information:
Created Time: Fri, 27 May 2022 11:20:55 MDT
Description: A test group
ID: g_wRpm66iPOX
Name: group01
Updated Time: Fri, 27 May 2022 11:21:42 MDT
Version: 2
Scope:
ID: o_u54jrD6ydN
Name: IT_Support
Parent Scope ID: global
Type: org
Authorized Actions:
no-op
read
update
delete
add-members
set-members
remove-members
Members:
ID: u_ogz79sV4sT
Scope ID: o_u54jrD6ydN
Log back into the Admin Console as the admin user, then select the IT_Support group again.
Select Groups and then select New.
Enter
group01
in the Name field, andA test group
in the Description field.Click Save.
Select the Members tab and click Add Members.
Filter the Scope to the IT_Support org. Select the check-box for tester01 and then click Add Members.
In your Terraform configuration file, define a boundary_group
resource
to create a new group and associate it with the tester01
user you created in
the previous step.
resource "boundary_group" "group01" { name = "My group" description = "A test group" member_ids = [boundary_user.tester01.id] scope_id = boundary_scope.org.id }
resource "boundary_group" "group01" {
name = "My group"
description = "A test group"
member_ids = [boundary_user.tester01.id]
scope_id = boundary_scope.org.id
}
The entire main.tf
file contents are printed below for reference.
terraform { required_providers { boundary = { source = "hashicorp/boundary" version = "1.0.7" } } } provider "boundary" { addr = "http://127.0.0.1:9200" recovery_kms_hcl = <<EOT kms "aead" { purpose = "recovery" aead_type = "aes-gcm" key = "Zg5vogpvOjhM4USNEa21f2zLiKJlWl8Ulklp29gEAcI=" key_id = "global_recovery" } EOT } resource "boundary_scope" "org" { scope_id = "global" name = "IT_Support" description = "IT Support Team" auto_create_default_role = true auto_create_admin_role = true } resource "boundary_scope" "project" { name = "QA_Tests" description = "Manage QA machines" scope_id = boundary_scope.org.id auto_create_admin_role = true auto_create_default_role = true } resource "boundary_host_catalog_static" "devops" { name = "DevOps" description = "For DevOps usage" scope_id = boundary_scope.project.id } resource "boundary_host_static" "postgres" { name = "postgres" description = "Postgres host" address = "127.0.0.1" host_catalog_id = boundary_host_catalog_static.devops.id } resource "boundary_host_static" "localhost" { name = "localhost" description = "Localhost for testing" address = "localhost" host_catalog_id = boundary_host_catalog_static.devops.id } resource "boundary_host_set_static" "test-machines" { name = "test-machines" description = "Host set for postgres" host_catalog_id = boundary_host_catalog_static.devops.id host_ids = [ boundary_host_static.postgres.id, boundary_host_static.localhost.id, ] } resource "boundary_target" "tests" { type = "tcp" name = "tests" description = "Test target" scope_id = boundary_scope.project.id session_connection_limit = -1 default_port = 22 host_source_ids = [ boundary_host_set_static.test-machines.id ] } resource "boundary_auth_method" "password" { name = "org_password_auth" description = "Password auth method for org" type = "password" scope_id = boundary_scope.org.id } resource "boundary_account_password" "test_account" { name = "test_account" description = "Test password account" type = "password" login_name = "tester01" password = "supersecure" auth_method_id = boundary_auth_method.password.id } resource "boundary_user" "tester01" { name = "tester01" description = "A test user" account_ids = [ boundary_account_password.test_account.id ] scope_id = boundary_scope.org.id } resource "boundary_group" "group01" { name = "My group" description = "A test group" member_ids = [boundary_user.tester01.id] scope_id = boundary_scope.org.id }
terraform {
required_providers {
boundary = {
source = "hashicorp/boundary"
version = "1.0.7"
}
}
}
provider "boundary" {
addr = "http://127.0.0.1:9200"
recovery_kms_hcl = <<EOT
kms "aead" {
purpose = "recovery"
aead_type = "aes-gcm"
key = "Zg5vogpvOjhM4USNEa21f2zLiKJlWl8Ulklp29gEAcI="
key_id = "global_recovery"
}
EOT
}
resource "boundary_scope" "org" {
scope_id = "global"
name = "IT_Support"
description = "IT Support Team"
auto_create_default_role = true
auto_create_admin_role = true
}
resource "boundary_scope" "project" {
name = "QA_Tests"
description = "Manage QA machines"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
auto_create_default_role = true
}
resource "boundary_host_catalog_static" "devops" {
name = "DevOps"
description = "For DevOps usage"
scope_id = boundary_scope.project.id
}
resource "boundary_host_static" "postgres" {
name = "postgres"
description = "Postgres host"
address = "127.0.0.1"
host_catalog_id = boundary_host_catalog_static.devops.id
}
resource "boundary_host_static" "localhost" {
name = "localhost"
description = "Localhost for testing"
address = "localhost"
host_catalog_id = boundary_host_catalog_static.devops.id
}
resource "boundary_host_set_static" "test-machines" {
name = "test-machines"
description = "Host set for postgres"
host_catalog_id = boundary_host_catalog_static.devops.id
host_ids = [
boundary_host_static.postgres.id,
boundary_host_static.localhost.id,
]
}
resource "boundary_target" "tests" {
type = "tcp"
name = "tests"
description = "Test target"
scope_id = boundary_scope.project.id
session_connection_limit = -1
default_port = 22
host_source_ids = [
boundary_host_set_static.test-machines.id
]
}
resource "boundary_auth_method" "password" {
name = "org_password_auth"
description = "Password auth method for org"
type = "password"
scope_id = boundary_scope.org.id
}
resource "boundary_account_password" "test_account" {
name = "test_account"
description = "Test password account"
type = "password"
login_name = "tester01"
password = "supersecure"
auth_method_id = boundary_auth_method.password.id
}
resource "boundary_user" "tester01" {
name = "tester01"
description = "A test user"
account_ids = [
boundary_account_password.test_account.id
]
scope_id = boundary_scope.org.id
}
resource "boundary_group" "group01" {
name = "My group"
description = "A test group"
member_ids = [boundary_user.tester01.id]
scope_id = boundary_scope.org.id
}
Save this file.
Now apply the Terraform config. Enter yes
when prompted for confirmation.
$ terraform apply boundary_scope.org: Refreshing state... [id=o_u8j8RSASFv] boundary_scope.project: Refreshing state... [id=p_zFs59oil3J] boundary_host_catalog_static.devops: Refreshing state... [id=hcst_8iV7jlvqi7] boundary_host_static.localhost: Refreshing state... [id=hst_mZxekgMKS6] boundary_host_static.postgres: Refreshing state... [id=hst_KCvhOn9l1Y] boundary_host_set_static.test-machines: Refreshing state... [id=hsst_2kyFXQrsqY] boundary_target.tests: Refreshing state... [id=ttcp_HwZP7XG1PR] Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply": # boundary_target.tests has been changed ~ resource "boundary_target" "tests" { + application_credential_source_ids = [] id = "ttcp_HwZP7XG1PR" name = "tests" # (7 unchanged attributes hidden) } Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes. ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # boundary_account_password.test_account will be created + resource "boundary_account_password" "test_account" { + auth_method_id = (known after apply) + description = "Test password account" + id = (known after apply) + login_name = "tester01" + name = "test_account" + password = "supersecure" + type = "password" } # boundary_auth_method.password will be created + resource "boundary_auth_method" "password" { + description = "Password auth method for org" + id = (known after apply) + min_login_name_length = (known after apply) + min_password_length = (known after apply) + name = "org_password_auth" + scope_id = "o_u8j8RSASFv" + type = "password" } # boundary_group.group01 will be created + resource "boundary_group" "group01" { + description = "A test group" + id = (known after apply) + member_ids = (known after apply) + name = "My group" + scope_id = "o_u8j8RSASFv" } # boundary_user.tester01 will be created + resource "boundary_user" "tester01" { + account_ids = (known after apply) + description = "A test user" + id = (known after apply) + name = "tester01" + scope_id = "o_u8j8RSASFv" } Plan: 4 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes boundary_auth_method.password: Creating... boundary_auth_method.password: Creation complete after 0s [id=ampw_pWFjqh3pks] boundary_account_password.test_account: Creating... boundary_account_password.test_account: Creation complete after 0s [id=acctpw_kYycBlo7Wd] boundary_user.tester01: Creating... boundary_user.tester01: Creation complete after 0s [id=u_5B7g3YUFMf] boundary_group.group01: Creating... boundary_group.group01: Creation complete after 0s [id=g_wueUZm3ZGq] Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
$ terraform apply
boundary_scope.org: Refreshing state... [id=o_u8j8RSASFv]
boundary_scope.project: Refreshing state... [id=p_zFs59oil3J]
boundary_host_catalog_static.devops: Refreshing state... [id=hcst_8iV7jlvqi7]
boundary_host_static.localhost: Refreshing state... [id=hst_mZxekgMKS6]
boundary_host_static.postgres: Refreshing state... [id=hst_KCvhOn9l1Y]
boundary_host_set_static.test-machines: Refreshing state... [id=hsst_2kyFXQrsqY]
boundary_target.tests: Refreshing state... [id=ttcp_HwZP7XG1PR]
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the last "terraform apply":
# boundary_target.tests has been changed
~ resource "boundary_target" "tests" {
+ application_credential_source_ids = []
id = "ttcp_HwZP7XG1PR"
name = "tests"
# (7 unchanged attributes hidden)
}
Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may
include actions to undo or respond to these changes.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# boundary_account_password.test_account will be created
+ resource "boundary_account_password" "test_account" {
+ auth_method_id = (known after apply)
+ description = "Test password account"
+ id = (known after apply)
+ login_name = "tester01"
+ name = "test_account"
+ password = "supersecure"
+ type = "password"
}
# boundary_auth_method.password will be created
+ resource "boundary_auth_method" "password" {
+ description = "Password auth method for org"
+ id = (known after apply)
+ min_login_name_length = (known after apply)
+ min_password_length = (known after apply)
+ name = "org_password_auth"
+ scope_id = "o_u8j8RSASFv"
+ type = "password"
}
# boundary_group.group01 will be created
+ resource "boundary_group" "group01" {
+ description = "A test group"
+ id = (known after apply)
+ member_ids = (known after apply)
+ name = "My group"
+ scope_id = "o_u8j8RSASFv"
}
# boundary_user.tester01 will be created
+ resource "boundary_user" "tester01" {
+ account_ids = (known after apply)
+ description = "A test user"
+ id = (known after apply)
+ name = "tester01"
+ scope_id = "o_u8j8RSASFv"
}
Plan: 4 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
boundary_auth_method.password: Creating...
boundary_auth_method.password: Creation complete after 0s [id=ampw_pWFjqh3pks]
boundary_account_password.test_account: Creating...
boundary_account_password.test_account: Creation complete after 0s [id=acctpw_kYycBlo7Wd]
boundary_user.tester01: Creating...
boundary_user.tester01: Creation complete after 0s [id=u_5B7g3YUFMf]
boundary_group.group01: Creating...
boundary_group.group01: Creation complete after 0s [id=g_wueUZm3ZGq]
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
By itself, group membership does not inherently assign its members any permissions. In the next tutorial, a role will be assigned to the group and the included members will inherit the role's permissions.
Next steps
This tutorial demonstrated the steps to add a new authentication method to an
org (IT_Support
), created a new user and group within the org, and added the
user as a member of the group. You verified that you can authenticate and logged
into the IT_Support
org using the newly created user credential.
The next step is to define the permissions to control what operations members of the group can perform. In the Manage Roles and Permissions tutorial, you will create a role, assign grants to the role, and then add the group as a principle of the new role. This group members will then inherit the defined permissions.