BlogResources
Resources
Oct 31, 2022

Announcing Opal’s Terraform Provider

Opal releases Terraform provider for enterprises to manage access using infrastructure-as-code

Kudos to
No items found.
Author
Lance Larsen
Head of Solutions Engineering

Announcing Opal’s Terraform Provider

We are excited to announce the launch of Opal’s official Terraform provider, now available on the Terraform Registry! The provider allows engineering, security, and IT teams to create and manage Opal resources such as policies, owners, and more using Terraform's declarative configuration language, HCL.

Terraform is the industry standard for automating infrastructure through code instead of manual processes.  Summarized nicely by HashiCorp, Terraform can manage low-level components like compute, storage, and networking resources for your cloud provider, as well as high-level components like DNS entries and SaaS features. This approach, known as Infrastructure as Code, has exploded, with Gartner predicting that 70% of organizations will have an infrastructure automation strategy by 2025.

I spent five years at HashiCorp, and this project is dear to my heart! I worked with practitioners in the Terraform ecosystem and saw the benefits of infrastructure automation up close. The shift was foundational in allowing companies to bring applications to market faster. The traction speaks for itself, with over 1B downloads for the AWS Terraform provider alone!

The Power of Opal + Terraform

So, where exactly is Opal in all of this, and why would I care about Terraform? 

At a high level, Terraform’s value lies in leveraging version control and code review to standardize access change, a core part of Opal’s philosophy in delegating reviews to those with the most context.

Our experience tells us that modern access management solutions must be extensible, which is why Opal takes an API-first approach. These APIs allow our customers to automate the ingestion of new resources and codify policies at scale, so operators can quickly integrate their custom internal applications and secure access to the cloud. Let’s explore this further in two areas, access reduction, and application onboarding.

Reducing your access footprint is hard. One critical way Opal helps solve this problem is its ability to break down larger group structures into smaller groups and individual resource-based entitlements based on need. The flip side of this approach is more objects means more policies. You want to maintain the granularity of access, but you cannot have operators manually configuring hundreds or thousands of policies either. Scalable configuration is where Opal's API shines! Customers don't have to sacrifice granular access to reduce operational overhead, and Terraform makes API automation accessible for all!

Security is a business accelerator, and trust has never been more critical than in today’s environment.  The faster your security can move, the more confident your customers and employees will be. Many organizations already have cloud, internal tools, and identity provider deployments managed by infrastructure as code. Instead of manually entering this information in Opal’s UI, operators can programmatically share infrastructure states with Opal allowing migrations to happen in days instead of weeks or months. We’re doubling down on speed and supporting Terrafromer day zero to allow customers to bring existing Opal deployments under Terraform’s management in minutes.

Opal has redefined how we approach identity governance at scale. The product and roadmap align closely with the needs of our hyper-growth business. With their rich's API and Terraform support, we can modernize and automate IAM and assurance in ways that are aligned with other mature facets of our infrastructure. -Andrew McAllister, Head of Corporate Engineering @ Databricks

A Terraform provider is only as good as its API. With significant investment and customer feedback on programmatic workflows, the time is right for a best-in-class Terraform provider to help our customers continue to adopt Opal! Teams can begin configuring Opal resources alongside the rest of their IT and infrastructure stacks. Let’s explore a few use cases!

Use Case: Accelerate Okta Access Requests

Okta is one of Opal’s most popular integrations, and we’ve learned progressive IT teams love Terraform and Okta. Don’t believe us; check the downloads page - the Okta provider has over nine million downloads! Okta infrastructure in Terraform is more predictable and easier to create and maintain for admins, which means faster onboarding times for new applications and happier end-users!

Now admins can extend their repositories and manage Opal alongside Okta in Terraform for the same benefit.  Using Datadog as an example Okta app, enforcing requests to go through specific Okta groups, and making access to the admin role time-bound for one day is as simple as adding a few lines of declarative code in Opal’s provider.

Use Case: Fine-Grained Access for Cloud Infrastructure

At Opal, we are not shy about our commitment to protecting our customer’s most sensitive assets in the cloud. Hence, it’s only natural that our provider has first-class support for Opal’s cloud integrations. No JSON blobs here!

Your data sources or remote state can be shared directly with Opal, streamlining the onboarding process for resources in your cloud accounts and projects.  Those who read our AWS series learned that EKS is one of many AWS resources we support natively inside Opal. Let’s expand that example with two EKS clusters, one that is marked sensitive for production and another that is a permissive development environment.

With Terraform, retrieving the identifiers and bringing both clusters under Opal’s management is easy. Most importantly, we can ensure that the production environment has MFA controls for approvals and credential issuance, with a maximum session duration of one hour to ensure continuous compliance for day-to-day operations.

Summary

Our aim with the Terraform provider is programmatic workflows that complement our user surfaces, such as Opal’s web interface and Slack commands. We believe certain activities should always require human interaction, like sensitive approvals or privileged onboarding of systems like AWS or Salesforce. Tasks that require automation can be easily modeled and understood in Terraform, and our other surfaces can help you do everything else!

About Opal

Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.

Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.

Lance Larsen

Latest articles

Browse all posts
Resources
May 12, 2023

Productivity and Security in AWS: Unpacking the Benefits of Simplified Access

Lance Larsen and Todd Thiel discuss their backgrounds and experiences in dealing with AWS – ranging from topics, such as scalability, IAM challenges, AWS SSO / IAM Identity Center, contextual access, and unified systems for AWS.

Eugene Ling
Resources
Feb 22, 2023

How to Automate On-Call Access Management with Opal and PagerDuty

Opal and PagerDuty have partnered together to automate on-call access management

Eugene Ling
Resources
Oct 27, 2022

Scalable AWS Access Management Part 3: Securing Complex Multi-Account Environments

Opal launches integrations with AWS IAM Identity Center and AWS Organizations

Lance Larsen

Interested in Opal?

Get in touch with our team to learn more!

Schedule a Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.