We are excited to announce the launch of Opal’s official Terraform provider, now available on the Terraform Registry! The provider allows engineering, security, and IT teams to create and manage Opal resources such as policies, owners, and more using Terraform's declarative configuration language, HCL.
Terraform is the industry standard for automating infrastructure through code instead of manual processes. Summarized nicely by HashiCorp, Terraform can manage low-level components like compute, storage, and networking resources for your cloud provider, as well as high-level components like DNS entries and SaaS features. This approach, known as Infrastructure as Code, has exploded, with Gartner predicting that 70% of organizations will have an infrastructure automation strategy by 2025.
I spent five years at HashiCorp, and this project is dear to my heart! I worked with practitioners in the Terraform ecosystem and saw the benefits of infrastructure automation up close. The shift was foundational in allowing companies to bring applications to market faster. The traction speaks for itself, with over 1B downloads for the AWS Terraform provider alone!
So, where exactly is Opal in all of this, and why would I care about Terraform?
At a high level, Terraform’s value lies in leveraging version control and code review to standardize access change, a core part of Opal’s philosophy in delegating reviews to those with the most context.
Our experience tells us that modern access management solutions must be extensible, which is why Opal takes an API-first approach. These APIs allow our customers to automate the ingestion of new resources and codify policies at scale, so operators can quickly integrate their custom internal applications and secure access to the cloud. Let’s explore this further in two areas, access reduction, and application onboarding.
Reducing your access footprint is hard. One critical way Opal helps solve this problem is its ability to break down larger group structures into smaller groups and individual resource-based entitlements based on need. The flip side of this approach is more objects means more policies. You want to maintain the granularity of access, but you cannot have operators manually configuring hundreds or thousands of policies either. Scalable configuration is where Opal's API shines! Customers don't have to sacrifice granular access to reduce operational overhead, and Terraform makes API automation accessible for all!
Security is a business accelerator, and trust has never been more critical than in today’s environment. The faster your security can move, the more confident your customers and employees will be. Many organizations already have cloud, internal tools, and identity provider deployments managed by infrastructure as code. Instead of manually entering this information in Opal’s UI, operators can programmatically share infrastructure states with Opal allowing migrations to happen in days instead of weeks or months. We’re doubling down on speed and supporting Terrafromer day zero to allow customers to bring existing Opal deployments under Terraform’s management in minutes.
Opal has redefined how we approach identity governance at scale. The product and roadmap align closely with the needs of our hyper-growth business. With their rich's API and Terraform support, we can modernize and automate IAM and assurance in ways that are aligned with other mature facets of our infrastructure. -Andrew McAllister, Head of Corporate Engineering @ Databricks
A Terraform provider is only as good as its API. With significant investment and customer feedback on programmatic workflows, the time is right for a best-in-class Terraform provider to help our customers continue to adopt Opal! Teams can begin configuring Opal resources alongside the rest of their IT and infrastructure stacks. Let’s explore a few use cases!
Okta is one of Opal’s most popular integrations, and we’ve learned progressive IT teams love Terraform and Okta. Don’t believe us; check the downloads page - the Okta provider has over nine million downloads! Okta infrastructure in Terraform is more predictable and easier to create and maintain for admins, which means faster onboarding times for new applications and happier end-users!
Now admins can extend their repositories and manage Opal alongside Okta in Terraform for the same benefit. Using Datadog as an example Okta app, enforcing requests to go through specific Okta groups, and making access to the admin role time-bound for one day is as simple as adding a few lines of declarative code in Opal’s provider.
At Opal, we are not shy about our commitment to protecting our customer’s most sensitive assets in the cloud. Hence, it’s only natural that our provider has first-class support for Opal’s cloud integrations. No JSON blobs here!
Your data sources or remote state can be shared directly with Opal, streamlining the onboarding process for resources in your cloud accounts and projects. Those who read our AWS series learned that EKS is one of many AWS resources we support natively inside Opal. Let’s expand that example with two EKS clusters, one that is marked sensitive for production and another that is a permissive development environment.
With Terraform, retrieving the identifiers and bringing both clusters under Opal’s management is easy. Most importantly, we can ensure that the production environment has MFA controls for approvals and credential issuance, with a maximum session duration of one hour to ensure continuous compliance for day-to-day operations.
Our aim with the Terraform provider is programmatic workflows that complement our user surfaces, such as Opal’s web interface and Slack commands. We believe certain activities should always require human interaction, like sensitive approvals or privileged onboarding of systems like AWS or Salesforce. Tasks that require automation can be easily modeled and understood in Terraform, and our other surfaces can help you do everything else!
Opal is the centralized authorization platform for IT and Infrastructure teams. Opal is deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, enabling companies to implement scalable access management.
Want to see it yourself? Contact email@example.com or book a meeting here for a personalized demo.