UX Bug: Terraform is extremely hard to use when MFA for admin action is enforced

[hugoShaka]

MFA for admin action blocks the local execution of Terraform code and forces the administrators to use machineID locally. This both degrades the Terraform experience and reduces the security.

Expected behaviour:

• I have a secure cluster with "MFA for admin actions" required
• I want to configure my Teleport resources via Terraform (e.g. create roles)
• I can quickly and securely use Terraform from my workstation, relying on the strong identity from Teleport to perform administrative actions

Current behaviour:

• Most users were relying on tctl auth sign to get a Terraform idenitty
• Since v15 and "MFA for admin" This does not work anymore, they get the error:

  admin-level API request requires MFA verification, missing PromptAdminRequestMFA field, client cannot perform MFA ceremony

• They fail to use Terraform against clusters with MFA
• Either they disable "MFA for admin" or spend more time setting up a local MachineID bot (which is worse from a security pov).

Why local Terraform execution matters

• this is the first step towards IaC, this initial setup has to be easy if we want most users to do IaC by default
• several Teleport prospects and customers want to use Terraform to configure Teleport. A quick and easy local execution means a short Time-To-Value
• most teams are not mature or large enough to have fully automated Terraform pipelines (such as Spacelift or TF Cloud)

Why the local machine ID workaround is a security downgrade

The users deploying Terraform code locally are administrators. They are the high-privilege target we want to protect with "MFA for admin".

Setting up a local MachineID bot generates long-lived renewable credentials on their machine. Those credentials can be exfiltrated and MachineID's exfiltrartion mechanism only works when the bot is running (which is very infrequent as we are using it in oneshot mode).

We wanted to reduce the risk of admin account takeover, but forced users to create more sensitive long-lived credentials, increasing the risk of admin account exfiltration. Those credentials are also not subject to "MFA for admin" by definition.

Workaround:

• setup MahcineID:
  • this is painful and complex, especially for local environments such as laptops/workstations and users wanting to protoype
  • Most local setups cannot use any of the delegated join methods
  • using a regular token implies creating 1 bot per user + frequently running tbot
• downgrade the Teleport security by disabling MFA for admin (switch MFA method back to on instead of webauthn)

Bug details:

• Teleport version v15

[hugoShaka]

With @Joerger we discussed the following approaches:

Use the user's local ~/.tsh profile and MFA

This approach removes the use of impersonation, Terraform would run as the user. The user would get prompted for MFA when running Terraform.

This approach offers a simple setup flow (no additional user, role, bot, just use your rights) and a strong security posture (MFA for admin security properties are preserved).

This approach requires the user to have the appropriate rights. This was already the case indirectly with the previous impersonation approach. This means users potentially have higher standing privileges by default, although most users applying Terraform code are very likely already editors/

Use impersonated certificates + user MFA

This approach is a port of the current impersonation approach, but with "MFA for admin" support. This implies:

• adding support for requesting the impersionator MFA during impersonated actions.
• adding TF provider support for prompting MFA (similar to the 1st approach)

Allow the user to sign certs bypassing from "MFA for admin"

This would make the old approach functional again. However, this would remove most security benefits brought by "MFA for Admin"

Allow Terraform to run MachineID natively

This would partially address the UX issue. The user would pass a bot token to Terraform, and Terraform would do the MachineID dance to get Bot certs, without the need for tbot.

This improves the UX locally, but also in the CI: you can pass to Terraform a GHA token and let it get the certs automatically.

However this doesn't address the security aspect of having long-lived/renewable admin certificates not subject to MFA on every admin laptop.