Version: 2.0.0

Terraform Provider (EAP)

terraform

Permit.io is a cloud-based authorization service that allows you to define and manage permissions for your application. In order to make it easier and safer to manage your objects and policies in Permit.io, we have created a Terraform provider.

The Terraform provider is open source and available on GitHub.

Usage

Provider Definition

terraform {
  required_providers {
    permitio = {
      source  = "registry.terraform.io/permitio/permit-io"
      version = "~> 0.0.1"
    }
  }
}

Configure the Provider

provider "permitio" {
    api_url = "https://api.permit.io" # Defaults to - "https://api.permit.io - Can be set as an environment variable PERMITIO_API_URL
    api_key = "YOUR_API_KEY" # Can be set as an environment variable PERMITIO_API_KEY
}

Creating Objects in Permitio

Create a Resource

resource "permitio_resource" "document" {
  key         = "document"
  name        = "Document"
  description = "A confidential document"
  actions     = {
    "read" : {
      "name" : "Read",
      "description" : "Read a document",
    },
    "write" : {
      "name" : "Write",
      "description" : "Write a document",
    }
  }
}

Create a Role

resource "permitio_role" "reader" {
  key         = "reader"
  name        = "Reader"
  description = "A role that allows reading documents"
  permissions = [
    "document:read"
  ]
  extends     = []
  depends_on  = [
    permitio_resource.document # This is required to ensure that the resource is created before the role (for the permissions assignment)
  ]
}

Create a Resource Set

resource "permitio_resource_set" "secret_docs" {
  key      = "secret_docs"
  name     = "Secret Docs"
  resource = permitio_resource.document.key
  conditions = jsonencode({
    "allOf" : [
      {
        "allOf" : [
          {
            "resource.title" = {
              contains = "Rye"
            },
          }
        ]
      }
    ]
  })
}

Create a User Set

resource "permitio_user_set" "privileged_users" {
  key  = "privileged_users"
  name = "Privileged Users"
  conditions = jsonencode({
    "allOf" : [
      {
        "allOf" : [
          {
            "subject.email" = {
              contains = "@admin.com"
            },
          }
        ]
      }
    ]
  })
}

Create a Condition Set Rule

resource "permitio_condition_set_rule" "allow_privileged_users_to_read_secret_docs" {
  user_set     = permitio_user_set.privileged_users.key
  resource_set = permitio_resource_set.secret_docs.key
  permission   = "document:read"
}

Creating a Frontend-only Authorization (FoAz) proxy

resource "permitio_proxy_config" "foaz" {
  key            = "foaz"
  name           = "Boaz"
  auth_mechanism = "basic"
  auth_secret = {
    basic = "hello:world"
  }
  mapping_rules = [
    {
      url = "https://example.com/documents"
      http_method = "post"
      resource = "document"
      action = "read"
    },
    {
      url = "https://example.com/documents/{project_id}"
      http_method = "get"
      resource = "document"
      action = "read"
    },
    {
      url = "https://example.com/documents/{project_id}"
      http_method = "put"
      resource = "document"
      action = "update"
      headers = {
        "x-update-id": "foaz"
      }
    },
    {
      url = "https://example.com/documents/{project_id}"
      http_method = "delete"
      resource = "document"
      action = "delete"
    }
  ]
}

Usage​

Provider Definition​

Configure the Provider​

Creating Objects in Permitio​

Create a Resource​

Create a Role​

Create a Resource Set​

Create a User Set​

Create a Condition Set Rule​

Creating a Frontend-only Authorization (FoAz) proxy​

Contents