Salesforce Provider
The Salesforce provider provides resources to interact with a Salesforce organization.
Example Usage
provider "salesforce" {
  client_id   = "ABCDEFG"
  private_key = "/Users/mscott/priv.pem"
  api_version = "53.0"
  username    = "user@example.com"
}
Setup
Authorization
The provider performs actions on behalf of a user, who is expected to have System Administrator-level permissions. This is most easily accomplished by assigning the premade "System Administrator" profile to the user Terraform runs as. The profile chosen must also be assigned to the connected app, which is covered below.
Authentication
A connected app provides headless interaction with Salesforce: it performs authentication for the admin user account via OAuth. The following guide was adapted from this blog post and this GitHub guide.
Create a self-signed private key and x509 certificate
$ openssl genrsa -out privatekey.pem 1024
$ openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 3650
You can enter filler data when prompted; this certificate is used only to authenticate the provider to the Salesforce REST API and is not signed by a certificate authority. Note that a 1024-bit RSA key is below the 2048-bit minimum generally recommended today; the same commands accept 2048 in place of 1024.
Create a connected app
- From the Lightning Experience UI, navigate to Setup > App Manager > New connected app
- Fill in required fields (name, email, etc)
- Enable OAuth settings
- Fill in a callback URL; this URL isn't needed by the provider, but setting it to https://oauthdebugger.com/debug can be useful for debugging.
- Click use digital signatures
- Upload the publickey.cer file
- Add OAuth scopes: api refresh_token offline_access. This should be enough for the provider, more can be added as needed.
- Save
- Note down the Consumer Key; this corresponds to client_id in OAuth terms. You can also note the Consumer Secret, but it is not needed in this authentication process.
Manage connected app
- From the Lightning Experience UI, navigate to Setup > App Manager, click on the newly created connected app and click "manage" (not view/edit).
- Click Edit Policies
- Under OAuth Policies ensure "Permitted Users" is set to "Admin approved users are pre-authorized".
- Save
- Back at the manage page, under the Profiles section click "manage".
- Ensure that the "System Administrator" profile (or whichever profile is assigned to the user for Terraform) is checked.
- Save
The provider can be configured using the example provider block, or using the environment variables:
- SALESFORCE_CLIENT_ID
- SALESFORCE_PRIVATE_KEY
- SALESFORCE_API_VERSION
- SALESFORCE_USERNAME
- SALESFORCE_LOGIN_URL
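The connected-app setup above is the server side of Salesforce's OAuth 2.0 JWT bearer flow: the provider's client_id, username, login_url and private_key become the claims and the RS256 signature of a short-lived JWT, which Salesforce checks against the certificate uploaded to the connected app before issuing an access token. The Go block below is an added example, not code from the provider; the mapping of provider settings onto claims, the function names and the constructed test key are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims maps the provider's settings onto the signed assertion (assumed mapping, see lead-in).
type Claims struct {
	Iss string `json:"iss"` // client_id: the connected app's Consumer Key
	Sub string `json:"sub"` // username the provider authenticates as
	Aud string `json:"aud"` // login_url: production or sandbox login endpoint
	Exp int64  `json:"exp"` // Unix expiry; keep it only minutes ahead
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// BuildAssertion signs the claims with private_key (RS256) into header.claims.signature.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // signature segment is empty when err != nil
}

// VerifyAssertion mirrors the server side: the signature must match the public key in the uploaded certificate, and an expired assertion is rejected even when it does.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	sig, _ := b64.DecodeString(parts[2]) // a corrupt signature simply fails verification below
	body, _ := b64.DecodeString(parts[1])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err // not signed by the key behind publickey.cer, or claims were altered
	}
	if err = json.Unmarshal(body, &c); err == nil && !now.Before(time.Unix(c.Exp, 0)) {
		err = errors.New("assertion expired")
	}
	return c, err
}
```

In the real exchange the output of BuildAssertion is sent as the assertion form field, with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, to <login_url>/services/oauth2/token, and the access token in the response authenticates the provider's REST calls.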
Schema
Optional
- api_version (String) API version of the Salesforce org, in the format MAJOR.MINOR (omit any leading 'v'). The provider requires at least version 53.0. Can be specified with the environment variable SALESFORCE_API_VERSION.
- client_id (String) Client ID of the connected app. Corresponds to Consumer Key in the user interface. Can be specified with the environment variable SALESFORCE_CLIENT_ID.
- login_url (String) Directs the authentication request; defaults to the production endpoint https://login.salesforce.com and should be set to https://test.salesforce.com for sandbox organizations. Can be specified with the environment variable SALESFORCE_LOGIN_URL.
- private_key (String, Sensitive) Private key associated with the public certificate that was uploaded to the connected app. This may be a path to a file or the key material itself. Not to be confused with the Consumer Secret in the user interface. Can be specified with the environment variable SALESFORCE_PRIVATE_KEY.
- username (String) Salesforce username of a System Administrator-like user for the provider to authenticate as. Can be specified with the environment variable SALESFORCE_USERNAME.