Use Terraform with Opal

Learn how to set up Opal's Terraform provider.

You can use Opal’s Terraform provider to manage your Opal infrastructure with code. Use the following instructions to install and get started with Terraform in Opal.

Overview

Most functionality in the Opal UI is also supported using Terraform. Refer to the provider documentation to see available resources, and reach out if you have specific requests.

You should generally use Terraform to manage stateless settings, e.g., request configurations or adding users as permanent members of groups. Once you start using Terraform to manage settings, try to minimize modifications to the same settings in the Opal UI.

Terraform is not suited for managing settings which depend on actions occurring at a specific moment in time—e.g., converting users to timebound access—because Terraform maintains its own internal state.

You also cannot create custom apps with Terraform.

Requirements

Before you begin, you must:

Install Opal’s Terraform provider

To install Terraform for Opal:

  1. Go to Opal’s Terraform provider.
  2. Select Use Provider and copy the dropdown code block. Ensure you use the latest version.
  3. Create a configuration file and paste in the code block.
  4. If you self-host Opal, in the provider section, add server_url = "<SERVER_URL>", replacing SERVER_URL with your self-hosted domain and the suffix /v1—for example, https://company-name-opal.dev/v1. If you use cloud Opal, skip this step.
  5. Save your Opal API key in an environment variable named OPAL_AUTH_TOKEN. Alternatively, or if you're on a version earlier than 3.0.2, add bearer_auth = "<API_KEY>" to the provider section, replacing API_KEY with your Opal API key.
  6. Save the configuration file.
  7. Run terraform init.
  8. Run terraform apply.
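
A pre-flight check for the configuration these steps produce, as an added example that is not part of Opal's documentation or provider: it flags an API key written into a .tf file, a missing OPAL_AUTH_TOKEN, and a self-hosted server_url without the /v1 suffix. The function name opal_tf_preflight is hypothetical, the check is line-based, and it assumes provider version 3.0.2 or later, where the environment variable is read.

```shell
#!/bin/sh
# Pre-flight check for a directory of Opal Terraform configuration (added example).
# Usage: opal_tf_preflight /path/to/config && terraform init
# The body runs in a subshell, so its variables do not leak into the caller.
opal_tf_preflight() (
  dir="${1:-.}"
  rc=0
  set -- "$dir"/*.tf
  if [ ! -e "$1" ]; then
    echo "no .tf files in $dir" >&2
    exit 1
  fi

  # 1. A quoted literal assigned to bearer_auth means the API key is stored in
  #    the file. Lines commented out with // or # do not match.
  hits=$(grep -nHE '^[[:space:]]*bearer_auth[[:space:]]*=[[:space:]]*"' "$@" || true)
  if [ -n "$hits" ]; then
    echo "hardcoded bearer_auth, use OPAL_AUTH_TOKEN instead:" >&2
    echo "$hits" | cut -d: -f1,2 >&2   # file:line only, never the key itself
    rc=1
  fi

  # 2. With no bearer_auth argument at all, the provider reads OPAL_AUTH_TOKEN.
  if ! grep -qE '^[[:space:]]*bearer_auth[[:space:]]*=' "$@" &&
     [ -z "${OPAL_AUTH_TOKEN:-}" ]; then
    echo "OPAL_AUTH_TOKEN is not set and no bearer_auth is configured" >&2
    rc=1
  fi

  # 3. Self-hosted only: a literal server_url must end with the /v1 suffix.
  urls=$(grep -hE '^[[:space:]]*server_url[[:space:]]*=[[:space:]]*"' "$@" |
         sed 's/^[^"]*"\([^"]*\)".*/\1/' || true)
  for url in $urls; do
    case "$url" in
      */v1) ;;
      *) echo "server_url '$url' does not end with /v1" >&2; rc=1 ;;
    esac
  done
  exit "$rc"
)
```

A bearer_auth that references a variable (for example on a provider version earlier than 3.0.2) passes check 1, because only quoted literals are flagged.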

Use Opal’s Terraform provider

See the Terraform provider documentation for example usage. To create certain resources, you may need to provide IDs, which you can find for most objects on the Detail tab in the Inventory in the Opal dashboard.

For example, to create a group with the Terraform provider, you must provide an app_id to contain the group. You can find this ID from the app's Detail tab.

Example configuration and usage

The following is an example resource block used to create a new Opal group.

terraform {
  required_providers {
    opal = {
      source = "opalsecurity/opal"
      version = "3.0.12"
    }
  }
}

provider "opal" {
  // Define OPAL_AUTH_TOKEN as an environment variable, otherwise include the following line:
  // bearer_auth = "API_KEY_HERE"
}

resource "opal_group" "tf_test" {
  name = "tf_test_group"
  group_type = "OPAL_GROUP"
  app_id = "3ecff5db-e3fc-40c7-bb36-ff202f033095" // Retrieved from Opal dashboard
  visibility = "GLOBAL"
  request_configurations = [
    {
      priority = 0
      require_mfa_to_request = false
      allow_requests = false
      require_support_ticket = false
      auto_approval = false
    }
  ]
}

After running terraform plan and terraform apply, the group is created.