
Gateway + Authorizer + Validator

Provision a Validator, an Authorizer configured to validate via that Validator, and a Gateway that routes to the authorizer.

This example uses environment variable authentication (VIDOS_API_KEY) and managed service roles:

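  • authorizer_all_actions: the managed role the Gateway uses when calling the Authorizer (gateway -> authorizer)
  • validator_all_actions: the managed role the Authorizer uses when calling the Validator (authorizer -> validator)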
  • Prerequisite: Terraform CLI >= 1.6.0
  • Prerequisite: a Vidos IAM API key secret with permission to create validator/authorizer/gateway resources
  • Environment variable: VIDOS_API_KEY (required), the Vidos IAM API secret

From a clean directory, create main.tf:

# Pin the Terraform CLI version and declare the Vidos provider by its full
# registry source address.
# `~> 0.1` accepts any 0.x provider release at or above 0.1, so commit the
# .terraform.lock.hcl file that `terraform init` generates: it records the
# exact provider version and checksums used, and later runs verify against it.
terraform {
  required_version = ">= 1.6.0"

  required_providers {
    vidos = {
      source  = "registry.terraform.io/vidos-id/vidos"
      version = "~> 0.1"
    }
  }
}
locals {
# Example PEM-encoded root certificates for validator trust anchors.
# Replace these with real roots for your environment.
# Both locals are referenced from trustedIssuerRootCertificates in the
# validator resource, so whatever certificate is placed here becomes a
# trusted issuer root for that validator.
# trimspace() strips the trailing newline the heredoc leaves after the PEM block.
valera_test_certificate = trimspace(<<-PEM
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
PEM
)
multipaz_certificate = trimspace(<<-PEM
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
PEM
)
}
# Validator instance with the trustedIssuer policy left active (skip = false).
# The trust list has three entries: the predefined "vidos" set plus the two
# PEM roots from the locals block.
# NOTE(review): presumably a credential whose issuer chains to any one of
# these roots satisfies the policy, so the list should hold only roots you
# intend to trust. Confirm against the Validator policy reference.
resource "vidos_validator_instance" "main" {
  name = "terraform-example-validator-instance"

  inline_configuration = jsonencode({
    policies = {
      trustedIssuer = {
        skip = false
        trustedIssuerRootCertificates = [
          { type = "predefined", tag = "vidos" },
          { type = "pem", pem = local.valera_test_certificate },
          { type = "pem", pem = local.multipaz_certificate },
        ]
      }
    }
  })
}
# Authorizer instance whose validate policy is active (skip = false) and
# points at the validator instance created in this configuration.
resource "vidos_authorizer_instance" "main" {
  name = "terraform-example-authorizer-instance"

  inline_configuration = jsonencode({
    policies = {
      validate = {
        skip = false
        validator = {
          type       = "instance"
          resourceId = vidos_validator_instance.main.resource_id
          # Managed role the authorizer uses when calling the validator.
          # NOTE(review): the role name indicates it covers every validator
          # action. If a narrower managed or custom role is available, prefer
          # one limited to the calls the authorizer makes. Confirm in the
          # Vidos IAM documentation.
          serviceRole = {
            owner      = "managed"
            resourceId = "validator_all_actions"
          }
        }
      }
    }
  })
}
# Gateway instance with a single path, `auth`, that forwards to the
# authorizer instance created in this configuration.
resource "vidos_gateway_instance" "main" {
  name = "terraform-example-gateway-instance"

  inline_configuration = jsonencode({
    # CORS is enabled with wildcards for both request headers and origins,
    # so no origin or header is excluded by these settings. That is
    # convenient for an example; for a gateway that browsers will reach in
    # production, list the specific origins and headers your front ends use.
    # NOTE(review): confirm the accepted value formats in the gateway
    # configuration reference.
    cors = {
      enabled      = true
      allowHeaders = ["*"]
      origin       = ["*"]
    }

    paths = {
      auth = {
        type       = "instance"
        service    = "authorizer"
        resourceId = vidos_authorizer_instance.main.resource_id
        # Managed role the gateway uses when calling the authorizer.
        # NOTE(review): the role name indicates it covers every authorizer
        # action. Prefer a narrower role if the platform offers one.
        serviceRole = {
          owner      = "managed"
          resourceId = "authorizer_all_actions"
        }
      }
    }
  })
}
# Publishes the gateway instance's endpoint attribute as a root-module
# output so it is printed after `terraform apply`.
output "gateway_endpoint" {
  description = "Gateway instance endpoint."
  value       = vidos_gateway_instance.main.endpoint
}
# Supply the Vidos IAM API secret through the environment; this example
# authenticates with VIDOS_API_KEY rather than a value written in main.tf.
# A real secret typed inline like this is usually kept in shell history, so
# load it from a secret store or prompt for it where that matters.
VIDOS_API_KEY="<YOUR_VIDOS_IAM_API_SECRET>"
export VIDOS_API_KEY

# Install the provider declared in main.tf, then create the validator,
# authorizer and gateway instances.
terraform init
terraform apply
  • Confirm gateway_endpoint is present in outputs.
  • Requests to <gateway_endpoint>/auth/* are routed to the Authorizer instance.

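This configuration defines the Validator's trusted issuer roots. The PEM certificates shown are examples; replace them with the roots you actually trust, because every root left in the list remains a trust anchor for issuer validation.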

# Remove the gateway, authorizer and validator instances that this
# configuration created. Run it from the same directory, with VIDOS_API_KEY
# still set.
terraform destroy