
Terraform Deployment

Deploy and manage your Authlete infrastructure using Terraform for consistent, repeatable, and version-controlled deployments.

Overview

The Authlete Terraform provider allows you to:
  • Define your OAuth 2.0 services as code
  • Manage client applications programmatically
  • Version control your authentication configuration
  • Automate deployment pipelines
  • Ensure consistency across environments

Prerequisites

Before using Terraform with Authlete:
  1. Install Terraform (v1.0+)
  2. Get Authlete Credentials - Service API key and secret
  3. Set Up Backend - Configure state storage
  4. Install Provider - Add Authlete provider to your configuration

Quick Start

1. Initialize Terraform

Create a new directory and initialize Terraform:
mkdir authlete-terraform
cd authlete-terraform
terraform init

2. Configure Provider

Create main.tf:
terraform {
  required_providers {
    authlete = {
      source  = "authlete/authlete"
      version = "~> 1.0"
    }
  }
}

provider "authlete" {
  api_key    = var.authlete_api_key
  api_secret = var.authlete_api_secret
  base_url   = "https://api.authlete.com"
}

3. Create Variables

Create variables.tf:
variable "authlete_api_key" {
  description = "Authlete API Key"
  type        = string
  sensitive   = true
}

variable "authlete_api_secret" {
  description = "Authlete API Secret"
  type        = string
  sensitive   = true
}

4. Define Service

Create service.tf:
resource "authlete_service" "main" {
  service_name             = "My OAuth Service"
  issuer                   = "https://auth.example.com"
  description              = "Production OAuth 2.0 Service"
  supported_grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  supported_response_types = ["CODE"]

  # Supported scopes
  supported_scopes = [
    "read",
    "write",
    "openid",
    "profile",
    "email"
  ]

  # Token lifetimes (seconds)
  access_token_duration  = 3600
  refresh_token_duration = 86400

  # Security settings: require PKCE with the S256 challenge method
  pkce_required      = true
  pkce_s256_required = true
}

5. Deploy

terraform plan
terraform apply

Advanced Configuration

Client Management

Create and manage OAuth clients:
resource "authlete_client" "web_app" {
  client_name    = "Web Application"
  client_type    = "CONFIDENTIAL"
  redirect_uris  = [
    "https://app.example.com/callback",
    "https://app.example.com/auth/callback"
  ]
  grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  response_types = ["CODE"]
  scopes         = ["read", "write", "openid"]

  # Security settings
  tls_client_certificate_bound_access_tokens = true
  dpop_required                              = false
}

resource "authlete_client" "mobile_app" {
  client_name    = "Mobile Application"
  client_type    = "PUBLIC"
  redirect_uris  = ["com.example.app://callback"]
  grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  response_types = ["CODE"]
  scopes         = ["read", "openid", "profile"]

  # PKCE required for public clients
  pkce_required      = true
  pkce_s256_required = true
}
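As an added example (not from the Authlete documentation), the two clients above can be expressed as one for_each resource with a precondition that enforces the rules the page applies by hand: confidential clients redirect only to https:// URLs, public clients may use a private-use scheme but never plain http://, and every client requires PKCE with S256. The `clients` variable and the `this` resource name are assumptions; attribute names follow the page's own resource blocks, and the precondition needs Terraform 1.3 or later.

```hcl
# Assumed input: one entry per client, keyed by client name
variable "clients" {
  type = map(object({
    client_type   = string       # "CONFIDENTIAL" or "PUBLIC"
    redirect_uris = list(string)
    scopes        = list(string)
  }))
  default = {
    "Web Application" = {
      client_type   = "CONFIDENTIAL"
      redirect_uris = ["https://app.example.com/callback"]
      scopes        = ["read", "write", "openid"]
    }
    "Mobile Application" = {
      client_type   = "PUBLIC"
      redirect_uris = ["com.example.app://callback"]
      scopes        = ["read", "openid", "profile"]
    }
  }
}

resource "authlete_client" "this" {
  for_each = var.clients
  client_name    = each.key
  client_type    = each.value.client_type
  redirect_uris  = each.value.redirect_uris
  grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  response_types = ["CODE"]
  scopes         = each.value.scopes

  # PKCE with S256 for every client, not only the public ones
  pkce_required      = true
  pkce_s256_required = true

  # Certificate-bound tokens only where the client can hold a key (confidential)
  tls_client_certificate_bound_access_tokens = each.value.client_type == "CONFIDENTIAL"

  lifecycle {
    precondition {
      # Confidential clients: https only. Public clients may use a private-use
      # scheme (com.example.app://) but never plain http://.
      condition = alltrue([
        for u in each.value.redirect_uris :
        each.value.client_type == "CONFIDENTIAL" ? startswith(u, "https://") : !startswith(u, "http://")
      ])
      error_message = "Redirect URIs must be https:// for confidential clients and never http:// for public clients."
    }
  }
}
```

A violating entry fails at plan time, before anything is written to the service.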

State Management

Remote State

Store Terraform state remotely. Keep in mind that state records resource attributes in plain text, including sensitive ones, so access to the state bucket must be restricted as carefully as access to the API credentials themselves:
terraform {
  backend "s3" {
    bucket = "my-authlete-terraform-state"
    key    = "authlete/terraform.tfstate"
    region = "us-west-2"
  }
}

State Locking

Enable state locking to prevent concurrent modifications:
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "authlete/terraform.tfstate"
    region         = "us-west-2"
    dynamodb_table = "terraform-state-lock"
    encrypt        = true
  }
}

Environment Management

Development Environment

# environments/dev/main.tf
module "authlete" {
  source = "../../modules/authlete"
  
  environment = "dev"
  service_name = "Dev OAuth Service"
  issuer = "https://dev-auth.example.com"
}

Production Environment

# environments/prod/main.tf
module "authlete" {
  source = "../../modules/authlete"
  
  environment = "prod"
  service_name = "Production OAuth Service"
  issuer = "https://auth.example.com"
  
  # Production-specific settings
  access_token_duration = 1800  # 30 minutes
  refresh_token_duration = 2592000  # 30 days
}

CI/CD Integration

GitHub Actions

name: Deploy Authlete Infrastructure

on:
  push:
    branches: [main]
    paths: ['terraform/**']

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.5.0
          
      - name: Terraform Init
        run: terraform init
        working-directory: ./terraform
        
      - name: Terraform Plan
        # Save the plan so the apply step executes exactly what was reviewed in the log
        run: terraform plan -input=false -out=tfplan
        working-directory: ./terraform
        env:
          TF_VAR_authlete_api_key: ${{ secrets.AUTHLETE_API_KEY }}
          TF_VAR_authlete_api_secret: ${{ secrets.AUTHLETE_API_SECRET }}

      - name: Terraform Apply
        # Applying a saved plan does not prompt, so -auto-approve is not needed
        run: terraform apply -input=false tfplan
        working-directory: ./terraform
        env:
          TF_VAR_authlete_api_key: ${{ secrets.AUTHLETE_API_KEY }}
          TF_VAR_authlete_api_secret: ${{ secrets.AUTHLETE_API_SECRET }}

Best Practices

1. Use Modules

Organize your configuration into reusable modules:
# modules/authlete-service/main.tf
resource "authlete_service" "main" {
  service_name = var.service_name
  issuer       = var.issuer
  # ... other configuration
}
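As an added example (not from the Authlete documentation), here is a fuller version of the stubbed module, laid out so that both the dev and prod environment blocks in the Environment Management section can call it with the inputs shown there. The module path and variable names match those environment examples; the validation and precondition blocks assume Terraform 1.3 or later.

```hcl
# modules/authlete/variables.tf
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of dev, staging, prod."
  }
}

variable "service_name" { type = string }

variable "issuer" {
  type = string
  validation {
    condition     = startswith(var.issuer, "https://")
    error_message = "issuer must be an https:// URL."
  }
}

variable "access_token_duration" {
  type    = number
  default = 3600 # seconds; dev keeps the Quick Start value unless overridden
}

variable "refresh_token_duration" {
  type    = number
  default = 86400
}

# modules/authlete/main.tf
resource "authlete_service" "main" {
  service_name             = var.service_name
  issuer                   = var.issuer
  supported_grant_types    = ["AUTHORIZATION_CODE", "REFRESH_TOKEN"]
  supported_response_types = ["CODE"]
  supported_scopes         = ["read", "write", "openid", "profile", "email"]
  access_token_duration    = var.access_token_duration
  refresh_token_duration   = var.refresh_token_duration
  pkce_required            = true
  pkce_s256_required       = true

  lifecycle {
    precondition {
      # prod may not exceed the 30-minute lifetime used in environments/prod/main.tf
      condition     = var.environment != "prod" || var.access_token_duration <= 1800
      error_message = "prod access_token_duration must be 1800 seconds or less."
    }
  }
}
```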

2. Environment Variables

Pass sensitive values through environment variables rather than writing them into .tfvars files or the configuration itself:
export TF_VAR_authlete_api_key="your-api-key"
export TF_VAR_authlete_api_secret="your-api-secret"

3. State Management

  • Always use remote state storage
  • Enable state locking
  • Back up state regularly
  • Keep a separate state per environment

4. Security

  • Never commit secrets to version control
  • Use Terraform Cloud or similar for sensitive operations
  • Rotate API keys regularly
  • Use least privilege access

Troubleshooting

Common Issues

  1. Provider Authentication
    # Verify that the configured API key and secret are accepted
    terraform plan

  2. State Conflicts
    # Reconcile state with the live service configuration
    # (terraform apply -refresh-only on current Terraform versions)
    terraform refresh

  3. Resource Dependencies
    # Use explicit dependencies
    resource "authlete_client" "app" {
      depends_on = [authlete_service.main]
    }

Additional Resources