Terraform patterns for Boundary targets

Once you have defined a host, a host catalog, and a credential store, you can create targets.

Requirements

This document assumes the reader has:

An understanding of Terraform fundamentals
An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
Configured the Terraform Boundary provider.
Defined a host, host catalog, and credential store.
(Optional) Configured a storage policy and storage bucket for any targets you want to enable for session recording.

Target configuration

This example creates a target with an injected username and password.

Note

Credential injection and SSH target types are only supported for HCP Boundary and Boundary Enterprise. You can configure credential brokering instead using brokered_credential_source_ids.

resource "boundary_target" "ssh_foo" {
  name         = "ssh_foo"
  description  = "SSH target"
  scope_id     = boundary_scope.project.id

  # Declare the target type and connection port
  type         = "ssh"
  default_port = "22"

  # Declare the host set
  host_source_ids = [
    boundary_host_set.foo.id
  ]

  # Declare the injected credentials
  injected_application_credential_source_ids = [
    boundary_credential_library_vault.example.id
  ]

  # Enable session recording
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.aws_bucket.id
}

Session recording configuration

This example enables session recording, but uses brokered credentials instead.

resource "boundary_target" "ssh_foo" {
  name         = "ssh_foo"
  description  = "SSH target"
  scope_id     = boundary_scope.project.id

  # Declare the target type and connection port
  type         = "ssh"
  default_port = "22"

  # Declare the host set
  host_source_ids = [
    boundary_host_set.foo.id
  ]

  # Declare the brokered credentials
  # This uses a static credential library created earlier
  brokered_application_credential_source_ids = [
    boundary_credential_library.example.id
  ]

   # Enable session recording.
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.aws_bucket.id
}

TCP target configuration

This example creates a tcp target that connects to Windows servers using RDP.

resource "boundary_target" "rdp_foo" {
  name         = "rdp_foo"
  description  = "RDP target"
  scope_id     = boundary_scope.project.id

  # Declare the target type and connection port
  type         = "tcp"
  default_port = "3389"

  # Declare the host set. This assumes that this host set contains Windows hosts
  host_source_ids = [
    boundary_host_set.foo.id
  ]

  # The credentials we will use to connect. RDP requires the use of brokered credentials
  # This uses a static credential library created earlier
  brokered_application_credential_source_ids = [
    boundary_credential_library.example.id
  ]
}

More information

For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:

Targets

For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:

Targets