A Terraform provider for managing Cribl resources.
To install this provider, copy and paste this code into your Terraform configuration. Then, run terraform init.
terraform {
required_providers {
criblio = {
source = "criblio/criblio"
}
}
}
provider "criblio" {
# Configuration options
}The Cribl provider supports multiple authentication methods and deployment types:
- Cribl.Cloud - Managed cloud deployment (default)
- On-Prem - Self-hosted deployments
Authentication methods follow this precedence order (highest to lowest priority):
- Provider configuration block (highest priority - overrides all other methods)
- Environment variables
- Credentials file (
~/.cribl/credentials) (lowest priority)
You can configure authentication using any of these methods, but provider configuration will always take precedence.
You can set the following environment variables:
# Direct authentication
export CRIBL_BEARER_TOKEN="your-bearer-token"
# OAuth authentication
export CRIBL_CLIENT_ID="your-client-id"
export CRIBL_CLIENT_SECRET="your-client-secret"
export CRIBL_ORGANIZATION_ID="your-organization-id"
export CRIBL_WORKSPACE_ID="your-workspace-id"# Required: Server URL
export CRIBL_ONPREM_SERVER_URL="http://localhost:9000" # or https://your-server.com
# Authentication option 1: Bearer token
export CRIBL_BEARER_TOKEN="your-bearer-token"
# OR Authentication option 2: Username and password
export CRIBL_ONPREM_USERNAME="admin"
export CRIBL_ONPREM_PASSWORD="admin"You can store your credentials in ~/.cribl/credentials or ~/.cribl (legacy) with the following format:
# For Cribl.Cloud deployments
[default]
client_id = your-client-id
client_secret = your-client-secret
organization_id = your-organization-id
workspace = your-workspace-id
# Optional: specify cloud domain
cloud_domain = cribl-playground.cloud
[profile2]
client_id = another-client-id
client_secret = another-client-secret
organization_id = another-organization-id
workspace = another-workspace-id
cloud_domain = cribl.cloud
# For on-prem deployments
[onprem]
onprem_server_url = http://localhost:9000
onprem_username = admin
onprem_password = adminTo use a specific profile, set the CRIBL_PROFILE environment variable:
export CRIBL_PROFILE="profile2"You can configure authentication directly in your Terraform configuration. This has the highest precedence and will override any environment variables or credentials file settings:
provider "criblio" {
# Using bearer token
bearer_token = "your-bearer-token"
# Or using OAuth credentials
client_id = "your-client-id"
client_secret = "your-client-secret"
organization_id = "your-organization-id"
workspace_id = "your-workspace-id"
cloud_domain = "cribl.cloud"
}The simplest way to authenticate is using a bearer token:
provider "criblio" {
bearer_token = "your-bearer-token"
}For OAuth authentication, you can use client credentials:
provider "criblio" {
client_id = "your-client-id"
client_secret = "your-client-secret"
organization_id = "your-organization-id"
workspace_id = "your-workspace-id"
}The provider supports on-prem deployments through environment variables or credentials file only. Configure on-prem using one of these methods:
Note: On-prem deployments only support workspace resources (sources, destinations, routes, pipelines, packs, etc.) and do not support Search, Lake, Lakehouse, or workspace management features.
# Required: Server URL
export CRIBL_ONPREM_SERVER_URL="http://localhost:9000" # or https://your-server.com:9000
# Authentication option 1: Bearer token (recommended for automation)
export CRIBL_BEARER_TOKEN="your-bearer-token"
# OR Authentication option 2: Username and password
export CRIBL_ONPREM_USERNAME="admin"
export CRIBL_ONPREM_PASSWORD="admin"Then use the provider without authentication settings (they come from environment):
provider "criblio" {
# No configuration needed - uses environment variables
}Create or edit ~/.cribl/credentials:
[onprem]
onprem_server_url = http://localhost:9000
onprem_username = admin
onprem_password = adminTo use this profile:
export CRIBL_PROFILE="onprem"provider "criblio" {
# No configuration needed - uses credentials file
}Important Notes:
- On-prem deployments do not support Search, Lake, Lakehouse, or workspace management resources
- The bearer token is automatically obtained via
/api/v1/auth/loginwhen using username/password - Token caching is handled automatically for efficient re-authentication
- Configuration through the provider block is not supported - use environment variables or credentials file instead
✅ Supported:
criblio_source- Data sources (HTTP, TCP, Syslog, etc.)criblio_destination- Data destinations (Splunk, S3, Kafka, etc.)criblio_routes- Routing rulescriblio_pipeline- Data pipelinescriblio_pack- Configuration packscriblio_group- Worker groupscriblio_certificate- Certificatescriblio_collector- Collectors- And other workspace configuration resources
❌ Not Supported:
criblio_search_*- All Search resourcescriblio_cribl_lake_*- All Lake resourcescriblio_cribl_lake_house- Lakehouse resourcescriblio_workspace- Workspace management (only available via gateway/cloud)criblio_notification_target- Part of Search feature set
# main.tf
provider "criblio" {
# Credentials will be read from environment variables
}
# Use the provider
resource "criblio_pipeline" "example" {
name = "example-pipeline"
# ... other configuration
}# Set environment variables
export CRIBL_CLIENT_ID="your-client-id"
export CRIBL_CLIENT_SECRET="your-client-secret"
export CRIBL_ORGANIZATION_ID="your-organization-id"
export CRIBL_WORKSPACE_ID="your-workspace-id"
# Run Terraform
terraform init
terraform planThis provider includes comprehensive security features:
- Software Bill of Materials (SBOM) - Automatic generation of dependency inventories
- Vulnerability Scanning - Continuous security monitoring
- Dependency Management - Automated dependency updates and security alerts
For detailed security information, see SBOM.md.
- criblio_appscope_config
- criblio_certificate
- criblio_collector
- criblio_commit
- criblio_cribl_lake_dataset
- criblio_cribl_lake_house
- criblio_database_connection
- criblio_deploy
- criblio_destination
- criblio_event_breaker_ruleset
- criblio_global_var
- criblio_grok
- criblio_group
- criblio_group_system_settings
- criblio_hmac_function
- criblio_key
- criblio_lakehouse_dataset_connection
- criblio_lookup_file
- criblio_mapping_ruleset
- criblio_notification
- criblio_notification_target
- criblio_pack
- criblio_pack_breakers
- criblio_pack_destination
- criblio_pack_lookups
- criblio_pack_pipeline
- criblio_pack_routes
- criblio_pack_source
- criblio_pack_vars
- criblio_parquet_schema
- criblio_parser_lib_entry
- criblio_pipeline
- criblio_project
- criblio_regex
- criblio_routes
- criblio_schema
- criblio_search_dashboard
- criblio_search_dashboard_category
- criblio_search_dataset
- criblio_search_dataset_provider
- criblio_search_macro
- criblio_search_saved_query
- criblio_search_usage_group
- criblio_secret
- criblio_source
- criblio_subscription
- criblio_workspace
- criblio_appscope_config
- criblio_certificate
- criblio_certificates
- criblio_collector
- criblio_collectors
- criblio_config_version
- criblio_cribl_lake_dataset
- criblio_cribl_lake_house
- criblio_database_connection
- criblio_destination
- criblio_destinations
- criblio_event_breaker_ruleset
- criblio_global_var
- criblio_grok
- criblio_group
- criblio_group_system_settings
- criblio_hmac_function
- criblio_instance_settings
- criblio_key
- criblio_keys
- criblio_lookup_file
- criblio_mapping_ruleset
- criblio_mappings
- criblio_notification
- criblio_notification_target
- criblio_notification_targets
- criblio_pack
- criblio_pack_breakers
- criblio_pack_destination
- criblio_pack_lookups
- criblio_pack_pipeline
- criblio_pack_routes
- criblio_pack_source
- criblio_pack_vars
- criblio_parquet_schema
- criblio_parser_lib_entry
- criblio_pipeline
- criblio_project
- criblio_regex
- criblio_routes
- criblio_schema
- criblio_search_dashboard
- criblio_search_dashboard_category
- criblio_search_dataset
- criblio_search_dataset_provider
- criblio_search_macro
- criblio_search_saved_query
- criblio_search_usage_group
- criblio_secret
- criblio_source
- criblio_sources
- criblio_subscription
- criblio_system_info
- criblio_workspace
- criblio_workspaces
Should you want to validate a change locally, the --debug flag allows you to execute the provider against a terraform instance locally.
This also allows for debuggers (e.g. delve) to be attached to the provider.
go run main.go --debug
# Copy the TF_REATTACH_PROVIDERS env var
# In a new terminal
cd examples/your-example
TF_REATTACH_PROVIDERS=... terraform init
TF_REATTACH_PROVIDERS=... terraform applyTerraform allows you to use local provider builds by setting a dev_overrides block in a configuration file called .terraformrc. This block overrides all other configured installation methods.
- Execute
go buildto construct a binary calledterraform-provider-criblio - Ensure that the
.terraformrcfile is configured with adev_overridessection such that your local copy of terraform can see the provider binary
Terraform searches for the .terraformrc file in your home directory and applies any configuration settings you set.
provider_installation {
dev_overrides {
"registry.terraform.io/criblio/criblio" = "<PATH>"
}
# For all other providers, install them directly from their origin provider
# registries as normal. If you omit this, Terraform will _only_ use
# the dev_overrides block, and so no other providers will be available.
direct {}
}
Contributions are welcome! Please feel free to submit a Pull Request.
Make sure hooks run on your local!
git config core.hooksPath .githooks
This project is licensed under the terms of the license included in the repository.