Quickstart: Terraform

This page outlines how to use the Cofide Terraform provider to configure Cofide resources backed by the Connect control plane and platform. The provider is available on both the Terraform and OpenTofu public registries.

The provider can be initialised as follows:

terraform {
  required_providers {
    cofide = {
      source  = "cofide/cofide"
      # Version constraints are written as a string: "~> 0.6.0" allows 0.6.x
      version = "~> 0.6.0"
    }
  }
}

provider "cofide" {
  connect_url = "your.connect.url"
  api_token   = "your_api_token"
}

Alternatively, both the Connect URL and the API token can be set as the environment variables COFIDE_CONNECT_URL and COFIDE_API_TOKEN.

Using an equivalent configuration to the one used in the cofidectl quickstart, the Terraform provider can create a trust zone as follows:

resource "cofide_connect_trust_zone" "example_trust_zone" {
  name         = "example-trust-zone"
  trust_domain = "example.org"
}

If multiple trust zones exist, then they may be federated, allowing for a trust relationship to be established.

# Resources are referenced as <TYPE>.<NAME>.<ATTRIBUTE>. A second trust zone
# resource named "example_federated_trust_zone" is assumed to exist.
resource "cofide_connect_federation" "example_federation" {
  org_id               = cofide_connect_trust_zone.example_trust_zone.org_id
  trust_zone_id        = cofide_connect_trust_zone.example_trust_zone.id
  remote_trust_zone_id = cofide_connect_trust_zone.example_federated_trust_zone.id
}

The trust relationship is unidirectional - the local trust zone trusts the remote, but it is not necessarily reciprocated. Bidirectional trust is required for mutual TLS, and may be established by adding a second federation with the arguments reversed.
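The bidirectional federation described above, written out as an added example that is not part of the original page: it defines the second trust zone (its name and trust domain, federated.example.org, are assumed values) and both directions of federation, and would replace the single federation resource shown earlier.

```hcl
# Added example: two trust zones federated in both directions.
# The federated trust zone's name and trust domain are assumed values.
resource "cofide_connect_trust_zone" "example_trust_zone" {
  name         = "example-trust-zone"
  trust_domain = "example.org"
}

resource "cofide_connect_trust_zone" "example_federated_trust_zone" {
  name         = "example-federated-trust-zone"
  trust_domain = "federated.example.org"
}

# example.org trusts federated.example.org
resource "cofide_connect_federation" "example_to_federated" {
  org_id               = cofide_connect_trust_zone.example_trust_zone.org_id
  trust_zone_id        = cofide_connect_trust_zone.example_trust_zone.id
  remote_trust_zone_id = cofide_connect_trust_zone.example_federated_trust_zone.id
}

# federated.example.org trusts example.org (same arguments, reversed);
# without this second resource, mutual TLS between the zones will not work.
resource "cofide_connect_federation" "federated_to_example" {
  org_id               = cofide_connect_trust_zone.example_federated_trust_zone.org_id
  trust_zone_id        = cofide_connect_trust_zone.example_federated_trust_zone.id
  remote_trust_zone_id = cofide_connect_trust_zone.example_trust_zone.id
}
```

Run `terraform plan` after adding the second federation and confirm that two cofide_connect_federation resources are created, one per direction.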

A Kubernetes cluster may be added to the trust zone:

resource "cofide_connect_cluster" "example_cluster" {
  name               = "example-cluster"
  trust_zone_id      = cofide_connect_trust_zone.example_trust_zone.id
  org_id             = cofide_connect_trust_zone.example_trust_zone.org_id
  profile            = "kubernetes"
  # Name of the kubeconfig context used to reach the cluster
  kubernetes_context = "example-cluster-context"
  trust_provider = {
    kind = "kubernetes"
  }
}

Similarly, an attestation policy and its binding can be added with:

resource "cofide_connect_attestation_policy" "example_attestation_policy_kubernetes" {
  name   = "example-ap-kubernetes"
  org_id = cofide_connect_trust_zone.example_trust_zone.org_id
  kubernetes = {
    # Select the namespace by its well-known metadata.name label
    namespace_selector = {
      match_labels = {
        "kubernetes.io/metadata.name" = "example"
      }
    }
  }
}

# Bind the policy to the trust zone; ids are read from the resources above
resource "cofide_connect_ap_binding" "example_ap_binding" {
  org_id        = cofide_connect_trust_zone.example_trust_zone.org_id
  trust_zone_id = cofide_connect_trust_zone.example_trust_zone.id
  policy_id     = cofide_connect_attestation_policy.example_attestation_policy_kubernetes.id
}

Under this policy, every workload in the example namespace is issued an identity.

If the workload needs to communicate with a workload in a federated trust zone, this may be achieved as follows:

# Replaces the binding declared above (the same resource name cannot be
# declared twice); federations lists the remote trust zones the identity
# may be used with.
resource "cofide_connect_ap_binding" "example_ap_binding" {
  org_id        = cofide_connect_trust_zone.example_trust_zone.org_id
  trust_zone_id = cofide_connect_trust_zone.example_trust_zone.id
  policy_id     = cofide_connect_attestation_policy.example_attestation_policy_kubernetes.id
  federations = [
    {
      trust_zone_id = cofide_connect_trust_zone.example_federated_trust_zone.id
    }
  ]
}