Authentication in Terraform
Depending on your intended use, there are different ways to authenticate with the NETWAYS Cloud in the context of Terraform. The most common methods are the OpenStack project user, Application Credentials, or a Token, each with their own advantages and disadvantages.
| Method | Lifetime | Use case |
|---|---|---|
| Project user | Unlimited | Project-wide access; can be rotated. |
| Application Credentials | depending on the issuing user | Tied to the session of the issuing user; permissions can be set separately; can be rotated and revoked. |
| Token | depending on the issuing user | Tied to the session and permissions of the issuing user. |
The recommended authentication method is using Application Credentials issued by the project user, as they can be assigned a defined lifetime and permissions.
Configuring Terraform
Shared Configuration
The following settings are required for every authentication method:
terraform {
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
version = "~> 3.0"
}
}
}
provider "openstack" {
auth_url = "https://cloud.netways.de:5000/v3"
region = "HetznerNBG4"
}
Further configuration depends on the authentication method used.
Application Credentials
If you want to authenticate in Terraform with restricted permissions, Application Credentials are a good choice.
Lifetime of Application Credentials in the NETWAYS Cloud
Due to the IAM configuration in the NETWAYS Cloud, Application Credentials are tied to the lifetime of the issuing user's session.
When using an NWS-ID for creating application credentials, the lifetime of these credentials is capped at 8 hours. Thus, creation of application credentials should happen through the OpenStack project user.
Application Credentials can be created in the cloud console:
- Log in with the OpenStack project user at console.nws.netways.de.
- Select the desired OpenStack project.
- Navigate to the User Center by clicking the avatar (top right) and selecting User Center.
- Create a new Application Credential by providing a name and, optionally, an expiry date and permissions.
After creating the Application Credential, a file <appcred-name>.json containing the credential details will be downloaded automatically.
Use this information to extend the provider configuration for Terraform:
provider "openstack" {
auth_url = "https://cloud.netways.de:5000/v3"
region = "HetznerNBG4"
application_credential_id = "<application_credential_id>"
application_credential_secret = "<application_credential_secret>"
}
OpenStack Project User
If you have activated the OpenStack project user, it can be used for authentication in Terraform.
The following additional entries are required in the provider configuration:
provider "openstack" {
auth_url = "https://cloud.netways.de:5000/v3"
region = "HetznerNBG4"
user_name = "<project_user>" # the project_user username
password = "<password>" # the project_user password
tenant_name = "<project_id>" # project id, normally same as project_user username
}
The credentials of the OpenStack project user can be viewed and rotated in MyNWS.
Token
Alternatively, authentication in Terraform can also be performed using a Token in the context of the issuing user.
Lifetime of Tokens in the NETWAYS Cloud
Due to the IAM configuration in the NETWAYS Cloud, Tokens are tied to the lifetime of the issuing user's session and are therefore valid for a maximum of 8 hours, unless the issuing user's session is kept alive.
Tokens can be created in the cloud console:
- Log in with your NWS-ID at console.nws.netways.de.
- Click the avatar (top right) and select Get Token.
- Copy the generated token.
The token can be added to the provider configuration for Terraform:
provider "openstack" {
auth_url = "https://cloud.netways.de:5000/v3"
region = "HetznerNBG4"
token = "<token>"
tenant_name = "<project id>" # ID of the OpenStack project you want to work in
}
Creating tokens from the OpenStack CLI
Alternatively, tokens can be created with the OpenStack CLI: