# Descope Terraform Provider
Manage Descope authentication projects as infrastructure-as-code using the official Terraform provider.

## Prerequisites

- Terraform CLI installed
- Paid Descope License (Pro +)
- Management Key from Company Settings (https://app.descope.com/company)
- Management Key must be scoped for all projects if creating new projects

## Provider Setup

```hcl
terraform {
  required_providers {
    descope = {
      source = "descope/descope"
    }
  }
}

provider "descope" {
  management_key = var.descope_management_key
}

variable "descope_management_key" {
  type      = string
  sensitive = true
}
```

## Resources

| Resource | Purpose |
|---|---|
| `descope_project` | Full project configuration (auth methods, roles, connectors, flows, settings) |
| `descope_management_key` | Management keys with RBAC scoping |
| `descope_descoper` | Console user accounts with role assignments |

See `references/project-resource.md` for the full `descope_project` schema.
See `references/other-resources.md` for the `descope_management_key` and `descope_descoper` schemas.

## Quick Start - New Project

```hcl
resource "descope_project" "myproject" {
  name = "my-project"
  tags = ["staging"]
}
```

## Common Configurations

### Authentication Methods

```hcl
resource "descope_project" "myproject" {
  name = "my-project"
  authentication = {
    magic_link = {
      expiration_time = "1 hour"
    }
    password = {
      lock          = true
      lock_attempts = 3
      min_length    = 8
    }
    sso = {
      merge_users  = true
      redirect_url = var.descope_redirect_url
    }
  }
}
```

### Roles & Permissions (RBAC)

```hcl
resource "descope_project" "myproject" {
  name = "my-project"
  authorization = {
    permissions = [
      { name = "read:data", description = "Read access" },
      { name = "write:data", description = "Write access" },
    ]
    roles = [
      {
        name        = "viewer"
        permissions = ["read:data"]
      },
      {
        name        = "editor"
        permissions = ["read:data", "write:data"]
      },
    ]
  }
}
```

### Connectors

```hcl
resource "descope_project" "myproject" {
  name = "my-project"
  connectors = {
    http = [{
      name         = "My Webhook"
      base_url     = var.webhook_url
      bearer_token = var.webhook_secret
    }]
    aws_s3 = [{
      name     = "Audit Logs"
      role_arn = "arn:aws:iam::YOUR_ACCOUNT:role/connector-role"
      region   = "us-east-1"
      bucket   = "audit-logs-bucket"
    }]
  }
}
```

### Project Settings

```hcl
resource "descope_project" "myproject" {
  name = "my-project"
  project_settings = {
    refresh_token_expiration = "3 weeks"
    enable_inactivity        = true
    inactivity_time          = "1 hour"
  }
}
```

## What Terraform Manages vs. What It Does NOT

Managed by Terraform:
- Project settings, authentication methods, authorization (roles/permissions)
- Connectors, applications (OIDC/SAML), flows, JWT templates
- Custom attributes, styles, widgets
NOT managed by Terraform (use Console/SDK/API instead):
- Individual users and tenants
- SSO connections and SCIM configurations
- Dynamic per-tenant settings

## DO NOT

- DO NOT hardcode `management_key` in `.tf` files - use variables or the `DESCOPE_MANAGEMENT_KEY` environment variable
- DO NOT commit `.tfstate` files to version control - they contain sensitive data
- DO NOT skip `terraform plan` before `terraform apply`
- DO NOT use the deprecated `project_id` provider argument

## Workflow

```bash
terraform init     # Install provider
terraform plan     # Preview changes
terraform apply    # Apply changes
terraform destroy  # Remove managed resources
```

## References

- `references/project-resource.md` - Full `descope_project` schema and all nested blocks
- `references/other-resources.md` - `descope_management_key` and `descope_descoper` schemas
- `references/connectors.md` - All supported connector types and configuration