backport of commit 09de8ff (#5906)

hc-github-team-secure-boundary · stellarsquall · web-flow · commit 9e1d3d4450dd · 2025-07-08T15:49:09.000-06:00
Co-authored-by: stellarsquall &lt;stellarsquall@protonmail.ch&gt;
diff --git a/website/content/docs/configuration/target-aliases/create-target-alias.mdx b/website/content/docs/configuration/target-aliases/create-target-alias.mdx
@@ -75,6 +75,22 @@ Complete the following steps to create a new alias and associate it with a targe
    The alias `value` can be a hostname or a DNS-like string.
    - `-authorize-session-host-id=<string>` - Optionally indicates the host ID to use when you use the alias to authorize a session.
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+Apply the following Terraform policy to create target alias `example.bar.foo.boundary` for an existing target `foo_target` and host `bar_host`:
+
+```hcl
+resource "boundary_alias_target" "example_alias_target" {
+  name                      = "example_alias_target"
+  description               = "Example alias to target foo using host boundary_host_static.bar_host"
+  scope_id                  = "global"
+  value                     = "example.bar.foo.boundary"
+  destination_id            = boundary_target.foo_target.id
+  authorize_session_host_id = boundary_host_static.bar_host.id
+}
+```
+
 </Tab>
 </Tabs>
 
@@ -158,6 +174,67 @@ A value of `-1` means the connections are unlimited.
      Note that you can create SSH or TCP [target types](/boundary/docs/concepts/domain-model/targets#target-types).
      The example command in this section creates an SSH target.
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+Apply the following Terraform policy to create the following:
+
+- A static host catalog `test_catalog` in `boundary_scope.project` (not shown) containing static host set `test_set`.
+- A host `foo` belonging to `test_set`.
+- A host `bar` belonging to `test_set`.
+- A target `foo_target` using `foo_set` as its host source.
+- A target alias `example.bar.foo.boundary` for `foo_target` that always uses `bar_host` to connect.
+
+```hcl
+resource "boundary_host_catalog_static" "foo_catalog" {
+  name        = "foo_catalog"
+  description = "test catalog"
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_host_static" "foo_host" {
+  name            = "foo_host"
+  host_catalog_id = boundary_host_catalog_static.foo.id
+  address         = "10.0.0.1"
+}
+
+resource "boundary_host_static" "bar_host" {
+  name            = "bar_host"
+  host_catalog_id = boundary_host_catalog_static.foo.id
+  address         = "127.0.0.1"
+}
+
+resource "boundary_host_set_static" "foo_set" {
+  name            = "foo_set"
+  host_catalog_id = boundary_host_catalog_static.foo_catalog.id
+
+  host_ids = [
+    boundary_host_static.foo_host.id,
+    boundary_host_static.bar_host.id,
+  ]
+}
+
+resource "boundary_target" "foo_target" {
+  name         = "foo"
+  description  = "Foo target"
+  type         = "tcp"
+  default_port = "22"
+  scope_id     = boundary_scope.project.id
+  host_source_ids = [
+    boundary_host_set_static.foo_set.id,
+  ]
+}
+
+resource "boundary_alias_target" "example_alias_target" {
+  name                      = "example_alias_target"
+  description               = "Example alias to target foo using host boundary_host_static.bar_host"
+  scope_id                  = "global"
+  value                     = "example.bar.foo.boundary"
+  destination_id            = boundary_target.foo_target.id
+  authorize_session_host_id = boundary_host_static.bar_host.id
+}
+```
+
 </Tab>
 </Tabs>
 
@@ -210,6 +287,22 @@ If you [created an alias](#create-an-alias-for-an-existing-target) without assoc
    The alias `value` must comply with DNS naming rules.
    - `-authorize-session-host-id=<string>` - Optionally indicates the host ID to use when you use the alias to authorize a session.
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+If you created a `boundary_alias_target` resource without setting a `destination_id` attribute, update the `destination_id` and reapply the following policy:
+
+```hcl
+resource "boundary_alias_target" "example_alias_target" {
+  name                      = "example_alias_target"
+  description               = "Example alias to target foo using host boundary_host_static.bar_host"
+  scope_id                  = "global"
+  value                     = "example.bar.foo.boundary"
+  destination_id            = boundary_target.foo_target.id
+  authorize_session_host_id = boundary_host_static.bar_host.id
+}
+```
+
 </Tab>
 </Tabs>
 
@@ -252,7 +345,7 @@ And the following host set and hosts exist:
 - Host: `dev-040`, ID `hst_7wGXkF8e0Q`
 - Host: `dev-041`, ID `hst_zlRwMMPKwp`
 
-Because the `linux-dev-servers` hosts are functionally equivalent, you can create a single target for the  host set, and create an alias for the target.
+Because the `linux-dev-servers` hosts are functionally equivalent, you can create a single target for the host set, and create an alias for the target.
 
 We recommend creating DNS-like aliases to ensure consistent naming conventions. In this example, an alias pattern might be:
 
@@ -362,6 +455,30 @@ Then add the `linux-dev-servers` host set (ID `hsst_56oiL0WaKu`) to the new `lin
 $ boundary targets add-host-sources -id tssh_lhH5pa425G -host-sourchsst_56oiL0WaKu
 ```
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+<Note>
+
+  In the following examples, Terraform resources are named with underscores instead of dashes, such as `linux_dev_servers`. The target alias values use dashes, such as `dev-041.linux-dev.app-servers.eng`. You do not need to follow these naming conventions. 
+
+</Note>
+
+Create the `linux_dev_servers` SSH target, with `scope_id` set to `app_servers` and the host source `linux_dev_servers` (these resources are not shown):
+
+```hcl
+resource "boundary_target" "linux_dev_servers" {
+  name         = "linux_dev_servers"
+  description  = "linux_dev_servers target"
+  type         = "ssh"
+  default_port = "22"
+  scope_id     = boundary_scope.app_servers.id
+  host_source_ids = [
+    boundary_host_set_static.linux_dev_servers.id,
+  ]
+}
+```
+
 </Tab>
 </Tabs>
 
@@ -444,6 +561,20 @@ Create the `dev-040.linux-dev.app-servers.eng` alias for the host `dev-040`:
 
   </CodeBlockConfig>
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+```hcl
+resource "boundary_alias_target" "dev_040" {
+  name                      = "dev_040"
+  description               = "Example alias for target linux_dev_servers using host dev_040"
+  scope_id                  = "global"
+  value                     = "dev-040.linux-dev.app-servers.eng"
+  destination_id            = boundary_target.linux_dev_servers.id
+  authorize_session_host_id = boundary_host_static.dev_040.id
+}
+```
+
 </Tab>
 </Tabs>
 
@@ -524,6 +655,20 @@ Then create the `dev-041.linux-dev.app-servers.eng` alias for the host `dev-041`
 
   </CodeBlockConfig>
 
+</Tab>
+<Tab heading="Terraform" group="terraform">
+
+```hcl
+resource "boundary_alias_target" "dev_041" {
+  name                      = "dev_040"
+  description               = "Example alias for target linux_dev_servers using host dev_040"
+  scope_id                  = "global"
+  value                     = "dev-041.linux-dev.app-servers.eng"
+  destination_id            = boundary_target.linux_dev_servers.id
+  authorize_session_host_id = boundary_host_static.dev_041.id
+}
+```
+
 </Tab>
 </Tabs>
 
