Skip to main content
Version: 2.0.0

Terraform Provider

terraform

Permit.io is a cloud-based authorization service that allows you to define and manage permissions for your application. In order to make it easier and safer to manage your objects and policies in Permit.io, we have created a Terraform provider.

The Terraform provider is open source and available on GitHub.

Docs

Our Terraform provider has auto-generated documentation that can be found here - https://registry.terraform.io/providers/permitio/permit-io/latest/docs. We recommend using the auto-generated documentation as it is always up-to-date with the latest version of the provider.

Usage

Provider Definition

terraform {
required_providers {
permitio = {
source = "registry.terraform.io/permitio/permit-io"
version = "~> 0.0.1"
}
}
}

Configure the Provider

provider "permitio" {
api_url = "https://api.permit.io" # Defaults to - "https://api.permit.io - Can be set as an environment variable PERMITIO_API_URL
api_key = "YOUR_API_KEY" # Can be set as an environment variable PERMITIO_API_KEY
}

Creating Objects in Permitio

Create a Resource

resource "permitio_resource" "document" {
key = "document"
name = "Document"
description = "A confidential document"
actions = {
"read" : {
"name" : "Read",
"description" : "Read a document",
},
"write" : {
"name" : "Write",
"description" : "Write a document",
}
}
}

Create a Role

resource "permitio_role" "reader" {
key = "reader"
name = "Reader"
description = "A role that allows reading documents"
permissions = [
"document:read"
]
extends = []
depends_on = [
permitio_resource.document # This is required to ensure that the resource is created before the role (for the permissions assignment)
]
}

Create a Resource Set

resource "permitio_resource_set" "secret_docs" {
key = "secret_docs"
name = "Secret Docs"
resource = permitio_resource.document.key
conditions = jsonencode({
"allOf" : [
{
"allOf" : [
{
"resource.title" = {
contains = "Rye"
},
}
]
}
]
})
}

Create a User Set

resource "permitio_user_set" "privileged_users" {
key = "privileged_users"
name = "Privileged Users"
conditions = jsonencode({
"allOf" : [
{
"allOf" : [
{
"subject.email" = {
contains = "@admin.com"
},
}
]
}
]
})
}

Create a Condition Set Rule

resource "permitio_condition_set_rule" "allow_privileged_users_to_read_secret_docs" {
user_set = permitio_user_set.privileged_users.key
resource_set = permitio_resource_set.secret_docs.key
permission = "document:read"
}

Creating a Frontend-only Authorization (FoAz) proxy

resource "permitio_proxy_config" "foaz" {
key = "foaz"
name = "Boaz"
auth_mechanism = "basic"
auth_secret = {
basic = "hello:world"
}
mapping_rules = [
{
url = "https://example.com/documents"
http_method = "post"
resource = "document"
action = "read"
},
{
url = "https://example.com/documents/{project_id}"
http_method = "get"
resource = "document"
action = "read"
},
{
url = "https://example.com/documents/{project_id}"
http_method = "put"
resource = "document"
action = "update"
headers = {
"x-update-id": "foaz"
}
},
{
url = "https://example.com/documents/{project_id}"
http_method = "delete"
resource = "document"
action = "delete"
}
]
}