Home / Terraform providers for Kong
Edit
Report

Configure Basic Auth using Kong Gateway and Terraform

Uses: Terraform
Incompatible with
on-prem
TL;DR

Create the following resources using Terraform:

  • konnect_gateway_control_plane
  • konnect_gateway_service
  • konnect_gateway_route
  • konnect_gateway_plugin_basic_auth
  • konnect_gateway_consumer

Prerequisites

Kong Konnect

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'

Terraform

This how-to requires you to install Terraform.

Configure the provider

Create an auth.tf file that configures the kong/konnect Terraform provider. Change server_url if you are using a region other than us:

echo '
terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  server_url            = "https://us.api.konghq.com"
}
' > auth.tf

Next, initialize your project and download the provider:

terraform init

The provider automatically uses the KONNECT_TOKEN environment variable if it is available. If you would like to use a custom authentication token, set the personal_access_token field alongside server_url in the provider block.

Create a Control Plane

Before configuring a Service and a Route, you need to create a Control Plane. If you have an existing Control Plane that you’d like to reuse, you can use the konnect_gateway_control_plane_list data source.

echo '
resource "konnect_gateway_control_plane" "my_cp" {
  name         = "Terraform Control Plane"
  description  = "Configured using the demo at developer.konghq.com"
  cluster_type = "CLUSTER_TYPE_CONTROL_PLANE"
}
' > main.tf

Configure a service and a route

After creating a Control Plane, you can configure a Service and a Route.

Our example service uses httpbin.org as the upstream, and matches the /anything path which echos the response back to the client.

echo '
resource "konnect_gateway_service" "httpbin" {
  name             = "HTTPBin"
  protocol         = "https"
  host             = "httpbin.org"
  port             = 443
  path             = "/"
  control_plane_id = konnect_gateway_control_plane.my_cp.id
}

resource "konnect_gateway_route" "hello" {
  methods = ["GET"]
  name    = "Anything"
  paths   = ["/anything"]

  strip_path = false

  control_plane_id = konnect_gateway_control_plane.my_cp.id
  service = {
    id = konnect_gateway_service.httpbin.id
  }
}
' >> main.tf

Add the basic-auth plugin

The Service and Route are now configured, but they’re publicly accessible. Add a basic-auth plugin to the httpbin Service to require authentication for all routes:

echo '
# Secure the service with a basic-auth plugin
resource "konnect_gateway_plugin_basic_auth" "basic_auth" {
  enabled          = true
  control_plane_id = konnect_gateway_control_plane.my_cp.id
  service = {
    id = konnect_gateway_service.httpbin.id
  }
  config = {
    hide_credentials = false
  }
}
' >> main.tf

Create a Consumer and Credential

Now that the Service is secured, create a Consumer and Basic Auth credential that can be used to call the API:

echo '
resource "konnect_gateway_consumer" "alice" {
  username         = "alice"
  custom_id        = "alice"
  control_plane_id = konnect_gateway_control_plane.my_cp.id
}

resource "konnect_gateway_basic_auth" "my_basicauth" {
  username = "alice-test"
  password = "demo"

  consumer_id      = konnect_gateway_consumer.alice.id
  control_plane_id = konnect_gateway_control_plane.my_cp.id
}
' >> main.tf

Create the resources

Create all of the defined resources using Terraform:

terraform apply -auto-approve

You will see six resources created:

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

Validate your configuration

Fetch the Control Plane and Plugin IDs from the Terraform state:

CONTROL_PLANE_ID=$(terraform show -json | jq -r '.values.root_module.resources[] | select(.address == "konnect_gateway_control_plane.my_cp") | .values.id')
PLUGIN_ID=$(terraform show -json | jq -r '.values.root_module.resources[] | select(.address == "konnect_gateway_plugin_basic_auth.basic_auth") | .values.id')

Call the Konnect API and ensure that the resources exist:

curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/core-entities/plugins/$PLUGIN_ID" \
     -H "Authorization: Bearer $KONNECT_TOKEN"
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support