|
| 1 | +--- |
| 2 | +title: Provisioning Users |
| 3 | +description: Let's populate admin users and teams |
| 4 | +weight: 4 |
| 5 | +--- |
| 6 | + |
| 7 | +Your **Kahuna** instance is now up and running, let's get things and create a few admin users accounts. At first, we only have the super-admin API key that was previously set through Ansible deployment. We'll make use of it to provision further users and associated teams. After all, we want a nominative user acount for each contributor, right ? |
| 8 | + |
| 9 | +Back to TF config, let's edit the **terraform/providers.tf** file: |
| 10 | + |
| 11 | +```hcl |
| 12 | +terraform { |
| 13 | + required_providers { |
| 14 | + kowabunga = { |
| 15 | + source = "kowabunga-cloud/kowabunga" |
| 16 | + version = ">=0.55.0" |
| 17 | + } |
| 18 | + } |
| 19 | +} |
| 20 | +
|
| 21 | +provider "kowabunga" { |
| 22 | + uri = "https://kowabunga.acme.com" |
| 23 | + token = local.secrets.kowabunga_admin_api_key |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +Make sure to edit the Kowabunga provider's **uri** with the associated DNS of your freshly deployed **Kahuna** instance and edit the **terraform/secrets.yml** file so match the **kowabunga_admin_api_key** you've picked before. OpenTofu will make use of these parameters to connect to your private **Kahuna** and apply for resources. |
| 28 | + |
| 29 | +Now declare a few users in your **terraform/locals.tf** file: |
| 30 | + |
| 31 | +```hcl |
| 32 | +locals { |
| 33 | + admins = { |
| 34 | + // HUMANS |
| 35 | + "John Doe" = { |
| 36 | + email = "john@acme.com", |
| 37 | + role = "superAdmin", |
| 38 | + notify = true, |
| 39 | + } |
| 40 | + "Jane Doe" = { |
| 41 | + email = "jane@acme.com", |
| 42 | + role = "superAdmin", |
| 43 | + notify = true, |
| 44 | + } |
| 45 | +
|
| 46 | + // BOTS |
| 47 | + "Admin TF Bot" = { |
| 48 | + email = "tf@acme.com", |
| 49 | + role = "superAdmin", |
| 50 | + bot = true, |
| 51 | + } |
| 52 | + } |
| 53 | +} |
| 54 | +``` |
| 55 | + |
| 56 | +and the following resources definition in **terraform/main.tf**: |
| 57 | + |
| 58 | +```hcl |
| 59 | +resource "kowabunga_user" "admins" { |
| 60 | + for_each = local.admins |
| 61 | + name = each.key |
| 62 | + email = each.value.email |
| 63 | + role = each.value.role |
| 64 | + notifications = try(each.value.notify, false) |
| 65 | + bot = try(each.value.bot, false) |
| 66 | +} |
| 67 | +
|
| 68 | +resource "kowabunga_team" "admin" { |
| 69 | + name = "admin" |
| 70 | + desc = "Kowabunga Admins" |
| 71 | + users = sort([for key, user in local.admins : kowabunga_user.users[key].id]) |
| 72 | +} |
| 73 | +``` |
| 74 | + |
| 75 | +Then, simply apply for resources creation: |
| 76 | + |
| 77 | +```sh |
| 78 | +$ kobra tf apply |
| 79 | +``` |
| 80 | + |
| 81 | +What we've done here was to register a new **admin** team, with 3 new associated user accounts: 2 regular ones for human administrators and one **bot**, which you'll be able to use its API key instead of the super-admin master one to further provision resources if you'd like. |
| 82 | + |
| 83 | +Better do this way as, shall the key be compromised, you'll only have to revoke it or destroy the bot account, instead of replacing the master one on **Kahuna** instance. |
| 84 | + |
| 85 | +Newly registered user will be prompted with 2 emails from **Kahuna**: |
| 86 | + |
| 87 | +- a "**Welcome to Kowabunga !**" one, simply asking yourself to confirm your account's creation. |
| 88 | +- a "**Forgot about your Kowabunga password ?**" one, prompting for a password reset. |
| 89 | + |
| 90 | +{{< alert color="warning" title="Warning" >}} |
| 91 | +Account's creation confirmation is required for the user to proceed further. For security purpose, newly created user accounts are locked-down until properly activated. |
| 92 | + |
| 93 | +With security in mind, Kowabunga will prevent you from setting your own password. Whichever IT policy you'd choose, you will always end up with users having a weak password or finding a way to compromise your system. We don't want that to happen, nor do we think it's worth asking a user to generate a random 'strong-enough' password by himself, so Kowabunga does it for you. |
| 94 | +{{< /alert >}} |
| 95 | + |
| 96 | +Once users have been registered and password generated, and provided **Koala** Web application has been deployed as well, they can connect to (and land on a perfectly empty and so useless dashboard ;-) for now at least ). |
| 97 | + |
| 98 | +Let's move on and start [creating our first region](/docs/getting-started/create-region/) ! |
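Review bot: In the `kowabunga_team.admin` resource (file line 71), `users` is built from `kowabunga_user.users[key].id`, but the only user resource declared in this file is `kowabunga_user.admins` (line 59), so `kobra tf apply` will fail on a reference to an undeclared resource. It should read `kowabunga_user.admins[key].id`. Separately, lines 81-83 present the bot account as the safer credential to use in place of the master key, yet `Admin TF Bot` is declared with `role = "superAdmin"` like the two human accounts; it would help to state that the gain is the ability to revoke the key or destroy the account, not a reduced privilege level. Smaller points: line 7 has "acount" and "let's get things and create", line 27 has "so match", and line 96 says users "can connect to" without saying where.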