The Terraform provider for Keyfactor Command enables management of Keyfactor Command resources with HashiCorp Terraform. Below are currently supported resources:
Command Resource | Keyfactor Command Doc | Terraform Resource |
---|---|---|
Certificate | Certificate | keyfactor_certificate |
Certificate Store | Certificate Store | keyfactor_certificate_store |
Orchestration Job | Orchestration Job | keyfactor_certificate_deployment |
In the Keyfactor Community, we welcome contributions. Keyfactor Community software is open-source and community-supported, meaning that no SLA is applicable. Keyfactor will address issues as resources become available.
- To report a problem or suggest a new feature, go to Issues.
- If you want to contribute bug fixes or proposed enhancements, see the Contributing Guidelines and create a Pull request.
- Documentation
- Examples
- Contributing
- License
Keyfactor Command Version | Terraform Provider Version |
---|---|
12.x | 2.2.x |
11.x | 2.2.x |
10.x | 2.0.x |
9.x | 1.0.x |
- Go 1.23.x (to build the provider plugin)
- Terraform 1.1.x
- Keyfactor Command (see compatibility table)
- Keyfactor Command account with permissions to required Keyfactor features
For full details on how to use this provider from the public Terraform registry: https://registry.terraform.io/providers/keyfactor-pub/keyfactor/latest/docs
Make this file: `providers.tf`

```hcl
terraform {
  required_providers {
    keyfactor = {
      source  = "keyfactor-pub/keyfactor"
      version = ">=2.2.0"
    }
  }
}

provider "keyfactor" {
  # Configuration options
}
```

Then run

```bash
terraform init
```
- Download the release from the releases page
- Unzip the release
- Move the binary to a location in your local Terraform plugins directory (typically `$HOME/.terraform.d/plugins/keyfactor.com/keyfactor/keyfactor` or `%APPDATA%\terraform.d\plugins\keyfactor.com\keyfactor\keyfactor` on Windows). For more information refer to the HashiCorp documentation
- Write a `providers.tf` similar to the example Provider configuration below
- Run `terraform init` to initialize the provider
When installing from source the provider configuration will be slightly different from an installation from the public Terraform registry. Below is an example of a `providers.tf` for installs directly from a GitHub release:

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    keyfactor = {
      # source = "keyfactor-pub/keyfactor" # Use this source path if installing from the Terraform plugin registry.
      source  = "keyfactor.com/keyfactor/keyfactor"
      version = "2.2.0"
    }
  }
}
```
When installing from source the provider configuration will be slightly different from an installation from the public Terraform registry. Below is an example of a `providers.tf` for build from source installs:

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    keyfactor = {
      # source = "keyfactor-pub/keyfactor" # Use this source path if installing from the Terraform plugin registry.
      source  = "keyfactor.com/keyfactor/keyfactor"
      version = "2.2.0"
    }
  }
}
```
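Example build provider from source in bash:

```bash
git clone https://github.com/Keyfactor/terraform-provider-keyfactor.git
cd terraform-provider-keyfactor
export PROVIDER_VERSION="2.2.0"
# Terraform target name is <os>_<arch>, e.g. linux_amd64 or darwin_arm64
export OS_ARCH="$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')"
# Local plugin directory layout: plugins/<hostname>/<namespace>/<type>/<version>/<os>_<arch>
export BIN_OUTPUT_PATH="${HOME}/.terraform.d/plugins/keyfactor.com/keyfactor/keyfactor/${PROVIDER_VERSION}/${OS_ARCH}"
mkdir -p "${BIN_OUTPUT_PATH}"
# Terraform only picks up binaries whose name starts with terraform-provider-<type>
go build -o "${BIN_OUTPUT_PATH}/terraform-provider-keyfactor_v${PROVIDER_VERSION}"
chmod oug+x "${BIN_OUTPUT_PATH}/terraform-provider-keyfactor_v${PROVIDER_VERSION}"
echo "installed terraform-provider-keyfactor at ${BIN_OUTPUT_PATH}"
```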
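A pre-flight check for the manual and build-from-source installs described above, added here as an example and not taken from the provider repository. It assumes Terraform's unpacked local plugin layout (`<hostname>/<namespace>/<type>/<version>/<os>_<arch>/`) and that the binary name must start with `terraform-provider-<type>`; the function names are hypothetical.

```shell
# Map `uname -s` / `uname -m` style values to Terraform's <os>_<arch> target name.
tf_target() {  # args: os_name machine
  os=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$2" in
    x86_64|amd64)  arch=amd64 ;;
    aarch64|arm64) arch=arm64 ;;
    i386|i686)     arch=386 ;;
    *)             arch=$2 ;;
  esac
  printf '%s_%s\n' "$os" "$arch"
}

# Directory Terraform searches for a given source address, version and target.
provider_dir() {  # args: plugin_root source version target
  printf '%s/%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Prints the binary path and returns 0 only if an executable file with the
# required name prefix exists in that directory; otherwise explains what is missing.
find_provider_binary() {  # args: plugin_root source version target
  dir=$(provider_dir "$1" "$2" "$3" "$4")
  ptype=${2##*/}   # last segment of the source address, e.g. "keyfactor"
  for f in "$dir"/terraform-provider-"$ptype"*; do
    if [ -f "$f" ] && [ -x "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  echo "no executable terraform-provider-$ptype* in $dir" >&2
  return 1
}

# Usage against the real plugin directory, with the source address from providers.tf:
# find_provider_binary "$HOME/.terraform.d/plugins" keyfactor.com/keyfactor/keyfactor \
#   2.2.0 "$(tf_target "$(uname -s)" "$(uname -m)")"
```

Running it before `terraform init` separates a misplaced or misnamed binary from a wrong `source` or `version` in `providers.tf`, since all three must agree with the directory path.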
Example build provider from source in powershell:

```powershell
# Clone the repository
git clone https://github.com/Keyfactor/terraform-provider-keyfactor.git
Set-Location terraform-provider-keyfactor
# Set the provider version
$ProviderVersion = "2.2.0"
# Determine the architecture and adjust naming
# (Win32_Processor.Architecture values: 0 = x86, 5 = ARM, 6 = ia64, 9 = x64, 12 = ARM64)
$Arch = (Get-CimInstance Win32_Processor | Select-Object -First 1).Architecture
$OSArch = switch ($Arch)
{
    9 { "amd64" }   # x86_64
    12 { "arm64" }  # ARM64
    5 { "arm" }     # ARM
    6 { "ia64" }    # Itanium (not typically used in Terraform, but provided for completeness)
    0 { "386" }     # 32-bit
    default { "unknown_arch" }
}
# Set the binary output path based on the dynamic OS and architecture
# (layout: plugins\<hostname>\<namespace>\<type>\<version>\<os>_<arch>)
$BinOutputDir = "$env:APPDATA\terraform.d\plugins\keyfactor.com\keyfactor\keyfactor\$ProviderVersion\windows_$OSArch"
New-Item -ItemType Directory -Force -Path $BinOutputDir | Out-Null
# Terraform only picks up binaries whose name starts with terraform-provider-<type>
$BinOutputPath = Join-Path $BinOutputDir "terraform-provider-keyfactor_v${ProviderVersion}.exe"
# Build the provider
go build -o $BinOutputPath
# Confirm that execution permissions have been applied where needed (not always relevant in Windows)
Write-Host "Provider binary created at $BinOutputPath"
```
Below are minimal required Keyfactor Command global permissions to use the full functionality of this Terraform provider:
- All > Agents > Management > Read
- All > Certificate Authorities > Read
- All > Certificate Stores >
  - Modify
  - Read
  - Schedule
- All > Certificate Templates > Read
- All > Certificates > Enroll >
  - Csr
  - Pfx
- All > Certificates > Collections >
  - Read
  - Revoke
  - Private Key Read
  - Private Key Import
Below are required Keyfactor Command permissions to use each supported Terraform resource type.
Below are minimal permissions to be able to use a Terraform resource `"keyfactor_certificate"`.
Below are minimal global permissions for a Keyfactor Command account to issue a certificate.
- All > Certificate Templates > Read
- All > Certificates > Enroll >
  - Csr
  - Pfx
- All > Certificates > Collections >
  - Read
  - Revoke
  - Private Key Read
  - Private Key Import
Below are minimal permissions for a Keyfactor Command account scoped by collection. For more information on collection permissions, please review the product docs.
- All > Certificate Templates > Read
- All > Certificates > Enroll >
  - Csr
  - Pfx
- Read
- Edit Metadata
- Revoke
- Download with Private Key
- All > Agents > Management > Read
- All > Certificate Stores >
  - Read
  - Schedule
  - Modify
- All > Agents > Management > Read
- All > Certificate Stores >
  - Read
  - Schedule
Below are required Keyfactor Command permissions to use each supported Terraform data source type.
- All > Agents > Management > Read
Below are minimal permissions to be able to use a Terraform data `"keyfactor_certificate"`.
Below are minimal global permissions for a Keyfactor Command account to read a certificate.
- All > Certificate Templates > Read
- All > Certificates > Collections >
  - Read
  - Private Key Read
Below are minimal permissions for a Keyfactor Command account scoped by collection. For more information on collection permissions, please review the product docs.
- All > Certificate Templates > Read
- Read
- Download with Private Key
- All > Agents > Management > Read
- All > Certificate Stores >
  - Read
- All > Certificate Templates > Read
The Keyfactor Terraform Provider is an open source project. To contribute, see the contribution guidelines.
Issues may also be reported.
For license information, see LICENSE.