
Salesforce Provider for HashiCorp Terraform Now in Tech Preview

Manage Salesforce users, roles, and profiles with HashiCorp Terraform using the new Salesforce provider — now in tech preview.

Salesforce built the most popular CRM in the world, making it a common tool to manage all of an organization’s interactions with its customers and prospects. The new Salesforce provider for HashiCorp Terraform allows you to create and manage Salesforce users, roles, and profiles programmatically using the Terraform workflow. This provider is currently a technical preview, which means it's a community-supported project that requires incremental testing and polishing to mature into an officially supported HashiCorp project.

This post will cover use cases, requirements, configuration, and examples for the Salesforce provider for Terraform and show how to create your first user, role, and profile. We welcome your feedback, so please detail your experience while using the provider and file your issues on the Salesforce provider GitHub page.

»Salesforce Provider for Terraform Use Cases

The Salesforce provider was built with administrators in mind. It allows the creation and management of a core set of fields for users, profiles, and roles. You can use Terraform's resource references to associate users with newly created or existing profiles. You can also create role hierarchies and assign them to users. Full examples with instructions are available in the provider repository.

»Requirements

In order to use the Salesforce provider, you will need:

  • A Salesforce organization
  • A Salesforce user account with a system administrator profile
  • A connected app created for Terraform

»Configuring the Provider

The provider requires system administrator-level permissions in a Salesforce organization. This is accomplished by creating a connected app within your organization and having Terraform authenticate as a user with a system administrator profile. You can find instructions in the Provider Configuration Reference.

Once you have created the app and know its Client ID, the provider can be configured as follows:

provider "salesforce" {
  client_id      = "ABCDEFG"
  private_key    = "/Users/mscott/priv.pem"
  api_version    = "53.0"
  username       = "user@example.com"
}

The private_key value can be either the path to the key file or the contents of the file. The API version must be >= 53.0. If the organization is a sandbox organization, set the optional field login_url = "https://test.salesforce.com".
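
As an added example (not from the original post or the provider's documentation), the same provider block can take its values from input variables: the key is marked sensitive so Terraform redacts it in plan output, the API version floor is checked at plan time, and a flag switches on the sandbox login URL. The variable names are assumptions.

```hcl
# Added example; all variable names are assumptions, not provider settings.
variable "sf_client_id" {
  type = string
}

variable "sf_username" {
  type = string
}

variable "sf_private_key" {
  description = "Path to the private key file, or the key contents"
  type        = string
  sensitive   = true # redacted in plan and apply output
}

variable "sf_api_version" {
  type    = string
  default = "53.0"

  validation {
    # Reject non-numeric values and anything below the provider's minimum.
    condition     = can(tonumber(var.sf_api_version)) && tonumber(var.sf_api_version) >= 53
    error_message = "The Salesforce provider requires api_version >= 53.0."
  }
}

variable "sf_is_sandbox" {
  type    = bool
  default = false
}

provider "salesforce" {
  client_id   = var.sf_client_id
  private_key = var.sf_private_key
  api_version = var.sf_api_version
  username    = var.sf_username

  # null leaves the optional argument unset for non-sandbox organizations.
  login_url = var.sf_is_sandbox ? "https://test.salesforce.com" : null
}
```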

»Creating Role Hierarchies

You can create role hierarchies with the role resource. The developer_name is the unique name of the role, and the name represents the label in the web user interface:

resource "salesforce_user_role" "ceo" {
  name           = "CEO"
  developer_name = "ceo"
}

resource "salesforce_user_role" "vp" {
  name           = "Vice President"
  developer_name = "vp"
  parent_role_id = salesforce_user_role.ceo.id
}

»Creating Your First Profile

In addition to the predefined profiles provided by Salesforce, new profiles can be created using the profile resource. Use the user license data source to specify which license to base the profile on. A list of license definition keys can be found in the Salesforce User License documentation. Permissions can be manually enabled or disabled using the permissions map:

data "salesforce_user_license" "sf-platform" {
  license_definition_key = "AUL"
}

resource "salesforce_profile" "standard" {
  name            = "standard"
  user_license_id = data.salesforce_user_license.sf-platform.id
  description     = "standard profile"
  permissions = {
    EmailSingle = true
    EditTask    = true
  }
}

»Create Your First User

Users can be created using the user resource. You must assign the user a profile, which can be a custom one or a pre-existing Salesforce profile (look them up using the profile data source). You may also assign a role to the user. Note that users cannot be deleted from Salesforce after creation: their unique username is taken forever, and running a destroy command only deactivates the user and drops it from Terraform state. Set reset_password = true to have the reset password email sent to the new user:

data "salesforce_profile" "standard" {
  name = "Standard User"
}

resource "salesforce_user_role" "ceo" {
  name           = "ceo"
  developer_name = "ceo"
}

resource "salesforce_user" "michael" {
  alias               = "michael"
  email               = "michael.scott@example.com"
  last_name           = "scott"
  username            = "michael.scott@example.com"
  profile_id          = data.salesforce_profile.standard.id
  user_role_id        = salesforce_user_role.ceo.id
  email_encoding_key  = "UTF-8"
  language_locale_key = "en_US"
  time_zone_sid_key   = "America/Chicago"
  locale_sid_key      = "en_US"
  reset_password      = true
}
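
An added example, not from the original post, that ties the three resources together: a custom profile with only the permissions shown earlier, a two-level role hierarchy, and several users created with for_each. The user entries, role names, and profile name are constructed; prevent_destroy is a standard Terraform lifecycle setting, used here because destroying a user only deactivates it.

```hcl
locals {
  # Constructed sample users; the map key becomes the alias.
  staff = {
    alice = { last_name = "example", email = "alice@example.com", role = "manager" }
    bob   = { last_name = "sample", email = "bob@example.com", role = "agent" }
  }
}

data "salesforce_user_license" "platform" {
  license_definition_key = "AUL"
}

resource "salesforce_profile" "support" {
  name            = "support-minimal"
  user_license_id = data.salesforce_user_license.platform.id
  description     = "minimal profile for support staff"
  permissions     = { EmailSingle = true, EditTask = true }
}

resource "salesforce_user_role" "manager" {
  name           = "Support Manager"
  developer_name = "support_manager"
}

resource "salesforce_user_role" "agent" {
  name           = "Support Agent"
  developer_name = "support_agent"
  parent_role_id = salesforce_user_role.manager.id
}

resource "salesforce_user" "staff" {
  for_each = local.staff

  alias               = each.key
  email               = each.value.email
  username            = each.value.email
  last_name           = each.value.last_name
  profile_id          = salesforce_profile.support.id
  user_role_id        = each.value.role == "manager" ? salesforce_user_role.manager.id : salesforce_user_role.agent.id
  email_encoding_key  = "UTF-8"
  language_locale_key = "en_US"
  time_zone_sid_key   = "America/Chicago"
  locale_sid_key      = "en_US"
  reset_password      = true

  lifecycle {
    prevent_destroy = true # destroy would only deactivate; the username stays taken
  }
}
```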

»Please Share Your Feedback

We would love to hear your feedback on this project! The Salesforce provider for Terraform was built with a small initial scope in mind and we would love your help shaping its future. You can post bugs and feature requests for the Salesforce provider by opening an issue on GitHub. You can also engage with us and the community on HashiCorp Discuss.
