# Authentication

How to authenticate with HCP Terraform: user login, API tokens, SSO, and dynamic credentials.

## Authentication Methods
| Method | Use Case |
|---|---|
| User login | Interactive UI |
| User token | Personal API access |
| Team token | Team-shared API access |
| Organization token | Org-level API |
| SSO (SAML/OIDC) | Corporate IdP integration |
| Dynamic credentials | OIDC for cloud providers |
## terraform login

```shell
terraform login
```

→ Opens a browser, you sign in, and the token is saved in `~/.terraform.d/credentials.tfrc.json`:

```json
{
  "credentials": {
    "app.terraform.io": {
      "token": "abc123def456..."
    }
  }
}
```

After that you can use TFC from the CLI:

```shell
terraform init
terraform apply   # runs in TFC
```

## terraform logout

```shell
terraform logout
```
## API Tokens

### User Token (Personal)

User Settings → Tokens → Create

```shell
# Use in CI/CD
export TFE_TOKEN=abc123def456
terraform init
```

Use for:
- ✅ Personal automation scripts
- ❌ Not for shared CI (anyone could see your runs)

### Team Token

Settings → Teams → my-team → API Token

```shell
export TFE_TOKEN=team-token-xyz
```

Use for:
- ✅ Shared team automation
- ✅ CI/CD pipelines
- ⚠️ Token represents the team — limited permissions

### Organization Token

Settings → API Tokens → Organization

```shell
export TFE_TOKEN=org-token-xyz
```

Use for:
- ✅ Org-wide automation (create workspaces, manage teams)
- ⚠️ High permissions — secure carefully
### Token Management

```shell
# Set in env (preferred)
export TFE_TOKEN=xxx
terraform init

# or in the credentials file
cat > ~/.terraform.d/credentials.tfrc.json <<EOF
{
  "credentials": {
    "app.terraform.io": {
      "token": "xxx"
    }
  }
}
EOF
```

- ❌ Never commit tokens to Git
- ❌ Never print tokens in CI logs
- ✅ Store them in a vault / secret manager
- ✅ Rotate every 90 days
## SSO (Plus Tier+)

### Setup SAML

```
Organization Settings → Authentication → SAML
└── Identity Provider: Okta
    Entity ID: https://app.terraform.io/sso/...
    SSO URL: ...
    Certificate: -----BEGIN CERTIFICATE-----...
```

### Force SSO

Authentication → Settings → Require SSO for all members

→ Users must log in through Okta; username/password no longer works.

### Just-In-Time (JIT) Provisioning

On a user's first login, TFC auto-creates the account from the SAML attributes:

```xml
<saml:AttributeStatement>
  <saml:Attribute Name="email">[email protected]</saml:Attribute>
  <saml:Attribute Name="full_name">Alice Smith</saml:Attribute>
  <saml:Attribute Name="MemberOf">team-platform,team-app</saml:Attribute>
</saml:AttributeStatement>
```

→ TFC uses the SAML attributes to create/update the user.
## Dynamic Credentials (OIDC)

Beta+ — TFC exchanges an OIDC token for cloud credentials → no need to store AWS keys.

### AWS

1. Create IAM Identity Provider

```hcl
resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = ["..."]
}
```

2. Create IAM Role

```hcl
resource "aws_iam_role" "tfc" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = aws_iam_openid_connect_provider.tfc.arn
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "app.terraform.io:aud" = "aws.workload.identity"
        }
        StringLike = {
          "app.terraform.io:sub" = "organization:my-org:project:*:workspace:*:run_phase:*"
        }
      }
    }]
  })
}
```

3. Set Workspace Variables

Workspace → Variables:

```
TFC_AWS_PROVIDER_AUTH = true
TFC_AWS_RUN_ROLE_ARN  = arn:aws:iam::123:role/TFC
```

→ TFC auto-assumes the role; no AWS keys needed!
### GCP

```hcl
resource "google_iam_workload_identity_pool" "tfc" {
  workload_identity_pool_id = "tfc-pool"
}

resource "google_iam_workload_identity_pool_provider" "tfc" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.tfc.workload_identity_pool_id
  workload_identity_pool_provider_id = "tfc-provider"
  oidc {
    issuer_uri = "https://app.terraform.io"
  }
}
```

Workspace variables:

```
TFC_GCP_PROVIDER_AUTH          = true
TFC_GCP_WORKLOAD_PROVIDER_NAME = projects/...
```
### Azure

```hcl
resource "azuread_application" "tfc" {
  display_name = "tfc-oidc"
}

resource "azuread_application_federated_identity_credential" "tfc" {
  application_object_id = azuread_application.tfc.object_id
  display_name          = "tfc"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://app.terraform.io"
  subject               = "organization:my-org:project:default:workspace:*:run_phase:apply"
}
```
### Vault

```hcl
# Vault config
resource "vault_jwt_auth_backend" "tfc" {
  path               = "jwt-tfc"
  oidc_discovery_url = "https://app.terraform.io"
  bound_issuer       = "https://app.terraform.io"
}
```

Workspace variables:

```
TFC_VAULT_PROVIDER_AUTH = true
TFC_VAULT_ADDR          = https://vault.example.com
TFC_VAULT_NAMESPACE     = my-namespace
TFC_VAULT_RUN_ROLE      = tfc-role
```
### Example: Workspace with Dynamic AWS

```hcl
terraform {
  cloud {
    organization = "my-org"
    workspaces { name = "prod" }
  }
}

provider "aws" {
  region = "us-east-1"
  # no credentials needed here!
}

resource "aws_s3_bucket" "data" {
  bucket = "my-data-bucket"
}
```

Workspace Variables:

```
TFC_AWS_PROVIDER_AUTH = true
TFC_AWS_RUN_ROLE_ARN  = arn:aws:iam::123456789012:role/tfc-run
```

→ Apply → no AWS keys, secure ✅
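The trust conditions above decide which runs may obtain cloud credentials. This added Python example (not part of the page or of HCP Terraform's tooling) emulates the `StringEquals` audience check and the `StringLike` subject match from the AWS trust policy, and compares the page's AWS subject pattern with its narrower Azure pattern over constructed sample claims, showing which project/workspace/run phases each one admits.

```python
import re

# Field names of an HCP Terraform workload identity "sub" claim, in order:
#   organization:<org>:project:<project>:workspace:<workspace>:run_phase:<plan|apply>
SUB_FIELDS = ("organization", "project", "workspace", "run_phase")

# Subject patterns copied from the AWS and Azure trust configuration above.
AWS_PATTERN = "organization:my-org:project:*:workspace:*:run_phase:*"
AZURE_PATTERN = "organization:my-org:project:default:workspace:*:run_phase:apply"

def parse_sub(sub):
    """Split a sub claim into named fields; reject anything malformed."""
    parts = sub.split(":")
    if len(parts) != 2 * len(SUB_FIELDS) or tuple(parts[0::2]) != SUB_FIELDS:
        raise ValueError(f"unexpected sub claim format: {sub!r}")
    return dict(zip(SUB_FIELDS, parts[1::2]))

def glob_match(pattern, value):
    """Case-sensitive match in which '*' matches any run of characters, like an
    IAM StringLike condition. '?' is not handled; the page's patterns use only '*'."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def trust_decision(pattern, aud, sub, expected_aud="aws.workload.identity"):
    """Emulate the AWS trust policy: aud must equal the expected audience
    (StringEquals) and sub must match the pattern (StringLike)."""
    parse_sub(sub)  # a malformed claim never matches
    return aud == expected_aud and glob_match(pattern, sub)

def admitted_runs(pattern, subs):
    """Return the (project, workspace, run_phase) triples a pattern lets in."""
    out = []
    for sub in subs:
        if glob_match(pattern, sub):
            f = parse_sub(sub)
            out.append((f["project"], f["workspace"], f["run_phase"]))
    return out

# Constructed sample claims: two workspaces in two projects, plan and apply
# phases for each, plus a run from a different organization.
SAMPLE_SUBS = [
    "organization:my-org:project:default:workspace:prod:run_phase:plan",
    "organization:my-org:project:default:workspace:prod:run_phase:apply",
    "organization:my-org:project:sandbox:workspace:dev:run_phase:plan",
    "organization:my-org:project:sandbox:workspace:dev:run_phase:apply",
    "organization:other-org:project:default:workspace:prod:run_phase:apply",
]
```

Running `admitted_runs(AWS_PATTERN, SAMPLE_SUBS)` shows the page's AWS pattern admits every plan and apply in the organization, while the Azure pattern admits only applies from the `default` project.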
## Permissions Model

### User Permissions

- Owner — full org access
- Member — only assigned workspaces

### Team Permissions

- Read — view runs
- Plan — create plans only
- Write — apply runs
- Admin — manage workspace settings

### Workspace Access

```
Workspace → Settings → Team Access
└── Team: platform-team → Admin
└── Team: dev-team → Plan
└── Team: read-only → Read
```

## Audit Authentication

```
Settings → Audit Trail
└── Filter: Action = "user.login"
```

Shows who logged in and when.

## Session Timeout

```
Settings → Authentication → Session Timeout
└── Idle: 2 hours
    Absolute: 8 hours
```

## 2FA / MFA

Personal Settings → Account Security → Two-Factor Authentication

→ Enable TOTP (Google Authenticator, Authy)
## Best Practices

✅ DO:
- Use SSO for teams of more than 5 people
- Enable 2FA
- Use Dynamic Credentials (OIDC) instead of AWS keys
- Rotate API tokens every 90 days
- Audit login logs

❌ DON'T:
- Don't share tokens between people
- Don't commit tokens to Git
- Don't disable 2FA
- Don't use user tokens in CI (use a team token)
- Don't make an admin token the default
## CI/CD Token Setup

```yaml
- name: Setup Terraform
  uses: hashicorp/setup-terraform@v3
  with:
    cli_config_credentials_token: ${{ secrets.TFC_TOKEN }}
- run: terraform init
```

→ The token lives in GitHub Secrets and is never exposed in code.

### Alternative: Service Accounts

If you are on Enterprise:
- Create a dedicated service account
- Give it limited workspace access
- Rotate its token through automation
## Summary

- Authentication options: user login, tokens (user/team/org), SSO, OIDC
- `terraform login` for interactive use
- API tokens for automation
- SSO (SAML) for corporate IdP (Plus+)
- Dynamic Credentials (OIDC) = no static cloud keys ⭐ recommended
- 2FA + token rotation = secure baseline

Next → Workspaces