A reusable, production-ready Terraform module for managing an OWASP DependencyTrack instance using the SolarFactories/dependencytrack provider.

```
.
├── versions.tf       # Provider & Terraform version constraints
├── projects.tf       # Projects
├── teams.tf          # Teams, permissions & ACL mappings
├── users.tf          # Managed users, team memberships & permissions
├── policies.tf       # Policies, conditions & project assignments
├── repositories.tf   # Package repositories
├── oidc.tf           # OIDC groups & team mappings
├── tags.tf           # Tags (API v4.13+)
├── config.tf         # Server config properties
└── examples/
    └── complete/     # Full working example
```
| File | Resources | Description |
|---|---|---|
| projects.tf | dependencytrack_project | Applications, libraries, containers |
| teams.tf | dependencytrack_team · _team_permissions · _acl_mapping | Groups with shared permissions & project ACLs |
| users.tf | dependencytrack_user · _user_team · _user_permission | Local user accounts, memberships & permissions |
| policies.tf | dependencytrack_policy · _policy_condition · _policy_project | Compliance policies with conditions |
| repositories.tf | dependencytrack_repository | Maven, NPM, PyPI, NuGet, etc. |
| oidc.tf | dependencytrack_oidc_group · _oidc_group_mapping | SSO group → team mappings |
| tags.tf | dependencytrack_tag | Reusable tags (API v4.13+) |
| config.tf | dependencytrack_config_property | Server-level settings |
| Name | Version |
|---|---|
| Terraform | >= 1.0 |
| DependencyTrack API | >= 4.11 (tags & collections require 4.13) |
| Provider (SolarFactories/dependencytrack) | >= 1.18.0 |
```hcl
# 1. Configure the provider in your root module
provider "dependencytrack" {
  host = "https://dtrack-api.example.com"
  key  = "OS_ENV" # reads DEPENDENCYTRACK_API_KEY env var
}

# 2. Call the module
module "dependencytrack" {
  source = "path/to/this/module"

  projects = {
    my_app = {
      name        = "My Application"
      description = "Main production app"
      tags        = ["production"]
    }
  }

  teams = {
    security = {
      name         = "Security Team"
      permissions  = ["VIEW_PORTFOLIO", "VULNERABILITY_ANALYSIS"]
      project_acls = ["my_app"]
    }
  }

  policies = {
    critical_vulns = {
      name      = "Block Critical Vulns"
      operator  = "ANY"
      violation = "FAIL"
      conditions = [{
        subject  = "SEVERITY"
        operator = "IS"
        value    = "CRITICAL"
      }]
      projects = ["my_app"]
    }
  }
}
```

See `examples/complete/` for a full working example with all resource types.
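A fuller root-module wiring, added here as an example that is not part of this README or of the module's `examples/` directory. It shows the pattern a security engineer would want from these inputs: a CI team that can only upload BOMs for the one project it builds (`BOM_UPLOAD` plus a project ACL), a read-only auditor team fed by an OIDC group instead of local accounts, a policy whose `ANY` operator fails on either of two severity conditions, an internal repository whose credential comes from a sensitive variable, and a project UUID exposed through the `project_ids` output. The module path `../..`, the hostnames, group claim, repository identifier and all names are placeholders; the permission names (`VIEW_VULNERABILITY`, `VIEW_POLICY_VIOLATION`) are from DependencyTrack's permission set and are not mentioned on this page.

```hcl
# Added example (not from the module's examples/): root-module wiring.
# Placeholders: module source path, hostnames, IdP group claim, names.

terraform {
  required_providers {
    dependencytrack = {
      source = "SolarFactories/dependencytrack"
    }
  }
}

# Credential for the internal package repository. `sensitive` redacts it from
# plan/apply output; it is still written to state, so protect the state backend.
variable "internal_registry_password" {
  type      = string
  sensitive = true
}

provider "dependencytrack" {
  host = "https://dtrack-api.example.com" # placeholder
  key  = "OS_ENV"                         # reads DEPENDENCYTRACK_API_KEY env var
}

module "dependencytrack" {
  source = "../.." # placeholder: path to this module

  # Tags must exist before projects reference them (API v4.13+).
  tags = ["production", "internet-facing"]

  projects = {
    my_app = {
      name       = "My Application"
      version    = "1.4.0"
      classifier = "APPLICATION"
      group      = "com.example"
      tags       = ["production", "internet-facing"]
    }
    shared_lib = {
      name       = "Shared Library"
      classifier = "LIBRARY"
      group      = "com.example"
    }
  }

  teams = {
    # CI pipeline: may upload BOMs, and only for the project it builds.
    ci_my_app = {
      name         = "CI - My Application"
      permissions  = ["BOM_UPLOAD"]
      project_acls = ["my_app"]
    }
    # Auditors: read findings and violations, no analysis or admin rights.
    auditors = {
      name         = "Auditors"
      permissions  = ["VIEW_PORTFOLIO", "VIEW_VULNERABILITY", "VIEW_POLICY_VIOLATION"]
      project_acls = ["my_app", "shared_lib"]
    }
  }

  # SSO: members of the IdP group land in the auditors team; no local users.
  oidc_groups = {
    auditors = {
      name  = "dtrack-auditors" # placeholder: group claim value from your IdP
      teams = ["auditors"]
    }
  }

  policies = {
    # ANY: the policy is violated when any single condition matches.
    block_high_and_critical = {
      name      = "Block High and Critical Vulns"
      operator  = "ANY"
      violation = "FAIL"
      conditions = [
        { subject = "SEVERITY", operator = "IS", value = "CRITICAL" },
        { subject = "SEVERITY", operator = "IS", value = "HIGH" },
      ]
      projects = ["my_app"]
    }
  }

  repositories = {
    internal_maven = {
      type       = "MAVEN"
      identifier = "internal-maven"
      url        = "https://artifacts.example.com/maven" # placeholder
      internal   = true
      username   = "dtrack-ro"
      password   = var.internal_registry_password
    }
  }
}

# Project UUID for the pipeline that uploads BOMs for my_app.
output "my_app_uuid" {
  value = module.dependencytrack.project_ids["my_app"]
}
```

Two checks worth making after `terraform apply`: project ACLs only restrict anything once portfolio access control is enabled in the server's general settings (a server config property, which the `config_properties` input can manage), and the `parent` attribute takes a UUID rather than a map key, so a parent created in the same module call has to be wired through `project_ids` in a second apply or created separately.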
| Name | Description | Type | Default |
|---|---|---|---|
| projects | Map of projects to create | `map(object({...}))` | `{}` |
Project object attributes

| Attribute | Type | Description |
|---|---|---|
| name | string | Name of the project |
| description | string | Description |
| version | string | Version string |
| classifier | string | Classifier (default: APPLICATION) |
| active | bool | Active state (default: true) |
| parent | string | UUID of parent project |
| tags | list(string) | Tag names to assign |
| group | string | Namespace / group / vendor |
| Name | Description | Type | Default |
|---|---|---|---|
| teams | Map of teams with permissions and ACLs | `map(object({...}))` | `{}` |
Team object attributes

| Attribute | Type | Description |
|---|---|---|
| name | string | Team name |
| permissions | list(string) | Permission names (e.g. BOM_UPLOAD, VIEW_PORTFOLIO) |
| project_acls | list(string) | Project keys from var.projects to grant access |
| Name | Description | Type | Default |
|---|---|---|---|
| users | Map of managed user accounts | `map(object({...}))` | `{}` |
User object attributes

| Attribute | Type | Description |
|---|---|---|
| username | string | Username |
| fullname | string | Full name |
| email | string | Email address |
| password | string | Initial password (sensitive) |
| force_password_change | bool | Force password change on next login |
| suspended | bool | Account suspended |
| teams | list(string) | Team keys from var.teams |
| permissions | list(string) | Direct permission names |
| Name | Description | Type | Default |
|---|---|---|---|
| policies | Map of compliance policies | `map(object({...}))` | `{}` |
Policy object attributes

| Attribute | Type | Description |
|---|---|---|
| name | string | Policy name |
| operator | string | Condition operator: ALL or ANY |
| violation | string | Violation state: ERROR, WARN, INFO, FAIL |
| conditions | list(object) | Policy conditions (see below) |
| projects | list(string) | Project keys from var.projects |

Condition object:

| Attribute | Type | Description |
|---|---|---|
| subject | string | Condition subject |
| operator | string | Condition operator |
| value | string | Value to compare |
| Name | Description | Type | Default |
|---|---|---|---|
| repositories | Map of package repositories | `map(object({...}))` | `{}` |
Repository object attributes

| Attribute | Type | Description |
|---|---|---|
| type | string | Type: MAVEN, NPM, PYPI, NUGET, GEM, GITHUB, etc. |
| identifier | string | Repository identifier |
| url | string | Repository URL |
| enabled | bool | Enabled (default: true) |
| internal | bool | Internal repo (default: false) |
| username | string | Auth username |
| password | string | Auth password (sensitive) |
| Name | Description | Type | Default |
|---|---|---|---|
| oidc_groups | Map of OIDC groups with team mappings | `map(object({...}))` | `{}` |
OIDC group object attributes

| Attribute | Type | Description |
|---|---|---|
| name | string | OIDC group name |
| teams | list(string) | Team keys from var.teams |
| Name | Description | Type | Default |
|---|---|---|---|
| config_properties | Map of server config properties | `map(object({...}))` | `{}` |
| tags | List of tag names to create (API v4.13+) | `list(string)` | `[]` |
| Name | Description |
|---|---|
| project_ids | map: project keys → DependencyTrack UUIDs |
| projects | map: full project resource objects |
| team_ids | map: team keys → UUIDs |
| user_ids | map: user keys → usernames |
| policy_ids | map: policy keys → UUIDs |
| repository_ids | map: repository keys → UUIDs |
| oidc_group_ids | map: OIDC group keys → UUIDs |
| tag_ids | map: tag names → IDs |
The provider must be configured in your root module (not inside the child module). Three auth methods are supported:
API Key (most common)

```hcl
provider "dependencytrack" {
  host = "https://dtrack-api.example.com"
  key  = "OS_ENV" # reads DEPENDENCYTRACK_API_KEY env var
}
```

Bearer Token

```hcl
provider "dependencytrack" {
  host = "https://dtrack-api.example.com"
  auth = {
    type   = "BEARER"
    bearer = var.bearer_token
  }
}
```

mTLS + API Key

```hcl
provider "dependencytrack" {
  host    = "https://dtrack-api.example.com"
  key     = "OS_ENV"
  root_ca = file("${path.module}/ca.pem")
  mtls = {
    key_path  = "/opt/client.key"
    cert_path = "/opt/client.crt"
  }
}
```

| Component | Supported Versions |
|---|---|
| Terraform | 1.0 – 1.14 |
| DependencyTrack API | 4.11.7 · 4.12.7 · 4.13.0 – 4.13.6 |
| Provider (SolarFactories/dependencytrack) | >= 1.18.0 |
Note: Tags (`dependencytrack_tag`) and project collection logic require API v4.13+.