Skip to main content

Terraform provider resources

Supported resources:

Provider configuration

Ensure your Terraform version is v1.0.0 or higher.

Add the following configuration section to your terraform configuration block:

terraform {
required_providers {
teleport = {
version = "~> 15.0"
source = "terraform.releases.teleport.dev/gravitational/teleport"
}
}
}

The provider supports the following options:

NameTypeDescriptionEnvironment Variable
addrstringTeleport auth or proxy address in "host:port" format.TF_TELEPORT_ADDR
cert_pathstringPath to Teleport certificate file.TF_TELEPORT_CERT
cert_base64stringTeleport certificate as base64.TF_TELEPORT_CERT_BASE64
identity_file_pathstringPath to Teleport identity file.TF_TELEPORT_IDENTITY_FILE_PATH
identity_file_base64stringTeleport identity file as base64.TF_TELEPORT_IDENTITY_FILE_BASE64
key_pathstringPath to Teleport key file.TF_TELEPORT_KEY
key_base64stringTeleport key as base64.TF_TELEPORT_KEY_BASE64
profile_dirstringTeleport profile path.TF_TELEPORT_PROFILE_PATH
profile_namestringTeleport profile name.TF_TELEPORT_PROFILE_NAME
root_ca_pathstringPath to Teleport CA file.TF_TELEPORT_ROOT_CA
root_ca_base64stringTeleport CA as base64.TF_TELEPORT_ROOT_CA_BASE64
retry_base_durationstringBase duration between retries. FormatTF_TELEPORT_RETRY_BASE_DURATION
retry_cap_durationstringMax duration between retries. FormatTF_TELEPORT_RETRY_CAP_DURATION
retry_max_triesstringMax number of retries.TF_TELEPORT_RETRY_MAX_TRIES

You need to specify at least one of:

  • cert_path, key_path,root_ca_path and addr to connect using key files.
  • cert_base64, key_base64,root_ca_base64 and addr to connect using a base64-encoded key.
  • identity_file_path or identity_file_base64 and addr to connect using an identity file.
  • profile_name, profile_dir (both can be empty) and addr to connect using current profile from ~/.tsh

The retry_* values are used to retry the API calls to Teleport when the cache is stale.

If more than one are provided, they will be tried in the order above until one succeeds.

Example:

provider "teleport" {
addr = "localhost:3025"
cert_path = "tf.crt"
key_path = "tf.key"
root_ca_path = "tf.ca"
}

Provider resource versioning

Since Teleport 15, you must set the version on each resource, and version cannot be changed in-place. Terraform will delete the resource and create a new one if a version change is required.

This is not enforced on previous Teleport provider versions, but we recommend doing so. When the version is not specified, Terraform will pick the latest one by default. However, version upgrades don't re-apply the resource defaults. This could lead to different results if you create a new resource or upgrade an existing one. To mitigate this, you should explicitly set the resource version.

warning

Upgrading the Terraform Provider to a new version with teleport_role resources without a specified version can change the role behavior and access rules. You must set the role version before upgrading to ensure the role access rules don't change.

The default role version is the highest supported:

  • v12 default role version is v5
  • v13 default role version is v6
  • v14 default role version is v7

For example, before upgrading from v12 to v13, edit every unversioned role to pin the v5 version:

resource "teleport_role" "test" {
version = "v5"
metadata = {
name = "my-role"
}
// ...
}

teleport_access_list

NameTypeRequiredDescription
headerobjectheader is the header for the resource.
specobjectspec is the specification for the access list.

header is the header for the resource.

NameTypeRequiredDescription
kindstringkind is a resource kind.
metadataobjectmetadata is resource metadata.
sub_kindstringsub_kind is an optional resource sub kind, used in some resources.
versionstring*Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

header.metadata

metadata is resource metadata.

NameTypeRequiredDescription
descriptionstringdescription is object description.
expiresRFC3339 time
labelsmap of stringslabels is a set of labels.
namestring*name is an object name.
namespacestringnamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringrevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

spec is the specification for the access list.

NameTypeRequiredDescription
auditobject*audit describes the frequency that this access list must be audited.
descriptionstringdescription is an optional plaintext description of the access list.
grantsobject*grants describes the access granted by membership to this access list.
membershipstringmembership defines how list membership is applied. There are two possible values: explicit (default): To be considered ag member of the access list, a user must both meet the membership_requires conditions AND be explicitly added to the list. implicit: Any user meeting the membership_requires conditions will automatically be considered a member of this list.
membership_requiresobjectmembership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.
owner_grantsobjectowner_grants describes the access granted by owners to this access list.
ownersobject*owners is a list of owners of the access list.
ownershipstringownership defines how list ownership of this list is determined. There are two possible values: explicit (default): To be considered an owner of the access list, a user must both meet the ownership_requires conditions AND be explicitly added to the list. implicit: Any user meeting the ownership_requires conditions will automatically be considered an owner of this list.
ownership_requiresobjectownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.
titlestringtitle is a plaintext short description of the access list.

spec.audit

audit describes the frequency that this access list must be audited.

NameTypeRequiredDescription
next_audit_dateRFC3339 time
notificationsobjectnotifications is the configuration for notifying users.
recurrenceobject*recurrence is the recurrence definition
spec.audit.notifications

notifications is the configuration for notifying users.

NameTypeRequiredDescription
startduration
spec.audit.recurrence

recurrence is the recurrence definition

NameTypeRequiredDescription
day_of_monthnumberday_of_month is the day of month that reviews will be scheduled on. Supported values are 0, 1, 15, and 31.
frequencynumber*frequency is the frequency of reviews. This represents the period in months between two reviews. Supported values are 0, 1, 3, 6, and 12.

spec.grants

grants describes the access granted by membership to this access list.

NameTypeRequiredDescription
rolesarray of stringsroles are the roles that are granted to users who are members of the access list.
traitsobjecttraits are the traits that are granted to users who are members of the access list.
spec.grants.traits

traits are the traits that are granted to users who are members of the access list.

NameTypeRequiredDescription
keystringkey is the name of the trait.
valuesarray of stringsvalues is the list of trait values.

spec.membership_requires

membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.

NameTypeRequiredDescription
rolesarray of stringsroles are the user roles that must be present for the user to obtain access.
traitsobjecttraits are the traits that must be present for the user to obtain access.
spec.membership_requires.traits

traits are the traits that must be present for the user to obtain access.

NameTypeRequiredDescription
keystringkey is the name of the trait.
valuesarray of stringsvalues is the list of trait values.

spec.owner_grants

owner_grants describes the access granted by owners to this access list.

NameTypeRequiredDescription
rolesarray of stringsroles are the roles that are granted to users who are members of the access list.
traitsobjecttraits are the traits that are granted to users who are members of the access list.
spec.owner_grants.traits

traits are the traits that are granted to users who are members of the access list.

NameTypeRequiredDescription
keystringkey is the name of the trait.
valuesarray of stringsvalues is the list of trait values.

spec.owners

owners is a list of owners of the access list.

NameTypeRequiredDescription
descriptionstringdescription is the plaintext description of the owner and why they are an owner.
namestringname is the username of the owner.

spec.ownership_requires

ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.

NameTypeRequiredDescription
rolesarray of stringsroles are the user roles that must be present for the user to obtain access.
traitsobjecttraits are the traits that must be present for the user to obtain access.
spec.ownership_requires.traits

traits are the traits that must be present for the user to obtain access.

NameTypeRequiredDescription
keystringkey is the name of the trait.
valuesarray of stringsvalues is the list of trait values.

Example:

resource "teleport_access_list" "crane-operation" {
header = {
metadata = {
name = "crane-operation"
labels = {
example = "yes"
}
}
}
spec = {
description = "Used to grant access to the crane."
owners = [
{
name = "gru"
description = "The supervillain."
}
]
membership_requires = {
roles = ["minion"]
}
ownership_requires = {
roles = ["supervillain"]
}
grants = {
roles = ["crane-operator"]
traits = [{
key = "allowed-machines"
values = ["crane", "forklift"]
}]
}
title = "Crane operation"
audit = {
recurrence = {
frequency = 3 # audit every 3 months
day_of_month = 15 # audit happen 15's day of the month. Possible values are 1, 15, and 31.
}
}
}
}

teleport_app

NameTypeRequiredDescription
metadataobjectMetadata is the app resource metadata.
specobjectSpec is the app resource spec.
sub_kindstringSubKind is an optional resource subkind.
versionstring*Version is the resource version. It must be specified. Supported values are:v3.

metadata

Metadata is the app resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the app resource spec.

NameTypeRequiredDescription
awsobjectAWS contains additional options for AWS applications.
cloudstringCloud identifies the cloud instance the app represents.
dynamic_labelsobjectDynamicLabels are the app's command labels.
insecure_skip_verifyboolInsecureSkipVerify disables app's TLS certificate verification.
public_addrstringPublicAddr is the public address the application is accessible at.
rewriteobjectRewrite is a list of rewriting rules to apply to requests and responses.
uristringURI is the web app endpoint.
user_groupsarray of stringsUserGroups are a list of user group IDs that this app is associated with.

spec.aws

AWS contains additional options for AWS applications.

NameTypeRequiredDescription
external_idstringExternalID is the AWS External ID used when assuming roles in this app.

spec.dynamic_labels

DynamicLabels are the app's command labels.

NameTypeRequiredDescription
commandarray of stringsCommand is a command to run
perioddurationPeriod is a time between command runs
resultstringResult captures standard output

spec.rewrite

Rewrite is a list of rewriting rules to apply to requests and responses.

NameTypeRequiredDescription
headersobjectHeaders is a list of headers to inject when passing the request over to the application.
jwt_claimsstringJWTClaims configures whether roles/traits are included in the JWT token.
redirectarray of stringsRedirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header.
spec.rewrite.headers

Headers is a list of headers to inject when passing the request over to the application.

NameTypeRequiredDescription
namestringName is the http header name.
valuestringValue is the http header value.

Example:

# Teleport App

resource "teleport_app" "example" {
metadata = {
name = "example"
description = "Test app"
labels = {
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
uri = "localhost:3000"
}
}

teleport_auth_preference

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobject*Spec is an AuthPreference specification
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an AuthPreference specification

NameTypeRequiredDescription
allow_headlessbool
allow_local_authbool
allow_passwordlessbool
connector_namestringConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used.
default_session_ttldurationDefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested.
device_trustobjectDeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.
disconnect_expired_certbool
hardware_keyobjectHardwareKey are the settings for hardware key support.
idpobjectIDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
locking_modestringLockingMode is the cluster-wide locking mode default.
message_of_the_daystring
oktaobjectOkta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.
piv_slotstringDeprecated, replaced by HardwareKey settings.
require_session_mfanumberRequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
second_factorstringSecondFactor is the type of second factor.
typestringType is the type of authentication.
u2fobjectU2F are the settings for the U2F device.
webauthnobjectWebauthn are the settings for server-side Web Authentication support.

spec.device_trust

DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.

NameTypeRequiredDescription
auto_enrollboolEnable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. tsh takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off".
ekcert_allowed_casarray of stringsAllow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment, this allows any device to enroll.
modestringMode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise.

spec.hardware_key

HardwareKey are the settings for hardware key support.

NameTypeRequiredDescription
piv_slotstringPIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e".
serial_number_validationobjectSerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.
spec.hardware_key.serial_number_validation

SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.

NameTypeRequiredDescription
enabledboolEnabled indicates whether hardware key serial number validation is enabled.
serial_number_trait_namestringSerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: Values for this user trait should be a comma-separated list of serial numbers, or a list of comm-separated lists. e.g ["123", "345,678"]

spec.idp

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

NameTypeRequiredDescription
samlobjectSAML are options related to the Teleport SAML IdP.
spec.idp.saml

SAML are options related to the Teleport SAML IdP.

NameTypeRequiredDescription
enabledbool

spec.okta

Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.

NameTypeRequiredDescription
sync_perioddurationSyncPeriod is the duration between synchronization calls in nanoseconds.

spec.u2f

U2F are the settings for the U2F device.

NameTypeRequiredDescription
app_idstringAppID returns the application ID for universal second factor.
device_attestation_casarray of stringsDeviceAttestationCAs contains the trusted attestation CAs for U2F devices.
facetsarray of stringsFacets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation.

spec.webauthn

Webauthn are the settings for server-side Web Authentication support.

NameTypeRequiredDescription
attestation_allowed_casarray of stringsAllow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed.
attestation_denied_casarray of stringsDeny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied.
rp_idstringRPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register.

Example:

# AuthPreference resource

resource "teleport_auth_preference" "example" {
metadata = {
description = "Auth preference"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
disconnect_expired_cert = true
}
}

teleport_bot

NameTypeRequiredDescription
namestring*The name of the bot, i.e. the unprefixed User name
role_namestringThe name of the generated bot role
rolesarray of strings*A list of roles the created bot should be allowed to assume via role impersonation.
token_idstring*The bot joining token. If unset, a new random token is created and its name returned, otherwise a preexisting Bot token may be provided for IAM/OIDC joining.
token_ttlstringThe desired TTL for the token if one is created. If unset, a server default is used
traitsmap of string arrays
user_namestringThe name of the generated bot user

Example:

# Teleport Machine ID Bot creation example

locals {
bot_name = "example"
}

resource "random_password" "bot_token" {
length = 32
special = false
}

resource "time_offset" "bot_example_token_expiry" {
offset_hours = 1
}

resource "teleport_provision_token" "bot_example" {
metadata = {
expires = time_offset.bot_example_token_expiry.rfc3339
description = "Bot join token for ${local.bot_name} generated by Terraform"

name = random_password.bot_token.result
}

spec = {
roles = ["Bot"]
bot_name = local.bot_name
join_method = "token"
}
}

resource "teleport_bot" "example" {
name = local.bot_name
token_id = teleport_provision_token.bot_example.metadata.name
roles = ["access"]
}

teleport_cluster_maintenance_config

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
noncenumberNonce is used to protect against concurrent modification of the maintenance window. Clients should treat nonces as opaque.
specobject
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

NameTypeRequiredDescription
agent_upgradesobjectAgentUpgrades encodes the agent upgrade window.

spec.agent_upgrades

AgentUpgrades encodes the agent upgrade window.

NameTypeRequiredDescription
utc_start_hournumberUTCStartHour is the start hour of the maintenance window in UTC.
weekdaysarray of stringsWeekdays is an optional list of weekdays. If not specified, an agent upgrade window occurs every day.

Example:

# Teleport Cluster Networking config

resource "teleport_cluster_maintenance_config" "example" {
metadata = {
description = "Maintenance config"
}

spec = {
agent_upgrades = {
utc_start_hour = 1
weekdays = [ "monday" ]
}
}
}

teleport_cluster_networking_config

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobjectSpec is a ClusterNetworkingConfig specification
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstringVersion is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a ClusterNetworkingConfig specification

NameTypeRequiredDescription
assist_command_execution_workersnumberAssistCommandExecutionWorkers determines the number of workers that will execute arbitrary Assist commands on servers in parallel
case_insensitive_routingboolCaseInsensitiveRouting causes proxies to use case-insensitive hostname matching.
client_idle_timeoutdurationClientIdleTimeout sets global cluster default setting for client idle timeouts.
idle_timeout_messagestringClientIdleTimeoutMessage is the message sent to the user when a connection times out.
keep_alive_count_maxnumberKeepAliveCountMax is the number of keep-alive messages that can be missed before the server disconnects the connection to the client.
keep_alive_intervaldurationKeepAliveInterval is the interval at which the server sends keep-alive messages to the client.
proxy_listener_modenumberProxyListenerMode is proxy listener mode used by Teleport Proxies. 0 is "separate"; 1 is "multiplex".
proxy_ping_intervaldurationProxyPingInterval defines in which interval the TLS routing ping message should be sent. This is applicable only when using ping-wrapped connections, regular TLS routing connections are not affected.
routing_strategynumberRoutingStrategy determines the strategy used to route to nodes. 0 is "unambiguous_match"; 1 is "most_recent".
session_control_timeoutdurationSessionControlTimeout is the session control lease expiry and defines the upper limit of how long a node may be out of contact with the auth server before it begins terminating controlled sessions.
tunnel_strategyobjectTunnelStrategyV1 determines the tunnel strategy used in the cluster.
web_idle_timeoutdurationWebIdleTimeout sets global cluster default setting for the web UI idle timeouts.

spec.tunnel_strategy

TunnelStrategyV1 determines the tunnel strategy used in the cluster.

NameTypeRequiredDescription
agent_meshobject
proxy_peeringobject
spec.tunnel_strategy.agent_mesh
NameTypeRequiredDescription
activeboolAutomatically generated field preventing empty message errors
spec.tunnel_strategy.proxy_peering
NameTypeRequiredDescription
agent_connection_countnumber

Example:

# Teleport Cluster Networking config

resource "teleport_cluster_networking_config" "example" {
metadata = {
description = "Networking config"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
client_idle_timeout = "1h"
}
}

teleport_database

NameTypeRequiredDescription
metadataobjectMetadata is the database metadata.
specobjectSpec is the database spec.
sub_kindstringSubKind is an optional resource subkind.
versionstring*Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata is the database metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the database spec.

NameTypeRequiredDescription
adobjectAD is the Active Directory configuration for the database.
admin_userobjectAdminUser is the database admin user for automatic user provisioning.
awsobjectAWS contains AWS specific settings for RDS/Aurora/Redshift databases.
azureobjectAzure contains Azure specific database metadata.
ca_certstringCACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
dynamic_labelsobjectDynamicLabels is the database dynamic labels.
gcpobjectGCP contains parameters specific to GCP Cloud SQL databases.
mongo_atlasobjectMongoAtlas contains Atlas metadata about the database.
mysqlobjectMySQL is an additional section with MySQL database options.
oracleobjectOracle is an additional Oracle configuration options.
protocolstring*Protocol is the database protocol: postgres, mysql, mongodb, etc.
tlsobjectTLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.
uristring*URI is the database connection endpoint.

spec.ad

AD is the Active Directory configuration for the database.

NameTypeRequiredDescription
domainstringDomain is the Active Directory domain the database resides in.
kdc_host_namestringKDCHostName is the host name for a KDC for x509 Authentication.
keytab_filestringKeytabFile is the path to the Kerberos keytab file.
krb5_filestringKrb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
ldap_certstringLDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
spnstringSPN is the service principal name for the database.

spec.admin_user

AdminUser is the database admin user for automatic user provisioning.

NameTypeRequiredDescription
default_databasestringDefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users.
namestringName is the username of the privileged database user.

spec.aws

AWS contains AWS specific settings for RDS/Aurora/Redshift databases.

NameTypeRequiredDescription
account_idstringAccountID is the AWS account ID this database belongs to.
assume_role_arnstringAssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts.
elasticacheobjectElastiCache contains AWS ElastiCache Redis specific metadata.
external_idstringExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
iam_policy_statusnumberIAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the Database. Eg for an RDS Database: the underlying AWS profile allows for rds-db:connect for the Database.
memorydbobjectMemoryDB contains AWS MemoryDB specific metadata.
opensearchobjectOpenSearch contains AWS OpenSearch specific metadata.
rdsobjectRDS contains RDS specific metadata.
rdsproxyobjectRDSProxy contains AWS Proxy specific metadata.
redshiftobjectRedshift contains Redshift specific metadata.
redshift_serverlessobjectRedshiftServerless contains AWS Redshift Serverless specific metadata.
regionstringRegion is a AWS cloud region.
secret_storeobjectSecretStore contains secret store configurations.
session_tagsmap of stringsSessionTags is a list of AWS STS session tags.
spec.aws.elasticache

ElastiCache contains AWS ElastiCache Redis specific metadata.

NameTypeRequiredDescription
endpoint_typestringEndpointType is the type of the endpoint.
replication_group_idstringReplicationGroupID is the Redis replication group ID.
transit_encryption_enabledboolTransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
user_group_idsarray of stringsUserGroupIDs is a list of user group IDs.
spec.aws.memorydb

MemoryDB contains AWS MemoryDB specific metadata.

NameTypeRequiredDescription
acl_namestringACLName is the name of the ACL associated with the cluster.
cluster_namestringClusterName is the name of the MemoryDB cluster.
endpoint_typestringEndpointType is the type of the endpoint.
tls_enabledboolTLSEnabled indicates whether in-transit encryption (TLS) is enabled.
spec.aws.opensearch

OpenSearch contains AWS OpenSearch specific metadata.

NameTypeRequiredDescription
domain_idstringDomainID is the ID of the domain.
domain_namestringDomainName is the name of the domain.
endpoint_typestringEndpointType is the type of the endpoint.
spec.aws.rds

RDS contains RDS specific metadata.

NameTypeRequiredDescription
cluster_idstringClusterID is the RDS cluster (Aurora) identifier.
iam_authboolIAMAuth indicates whether database IAM authentication is enabled.
instance_idstringInstanceID is the RDS instance identifier.
resource_idstringResourceID is the RDS instance resource identifier (db-xxx).
subnetsarray of stringsSubnets is a list of subnets for the RDS instance.
vpc_idstringVPCID is the VPC where the RDS is running.
spec.aws.rdsproxy

RDSProxy contains AWS Proxy specific metadata.

NameTypeRequiredDescription
custom_endpoint_namestringCustomEndpointName is the identifier of an RDS Proxy custom endpoint.
namestringName is the identifier of an RDS Proxy.
resource_idstringResourceID is the RDS instance resource identifier (prx-xxx).
spec.aws.redshift

Redshift contains Redshift specific metadata.

NameTypeRequiredDescription
cluster_idstringClusterID is the Redshift cluster identifier.
spec.aws.redshift_serverless

RedshiftServerless contains AWS Redshift Serverless specific metadata.

NameTypeRequiredDescription
endpoint_namestringEndpointName is the VPC endpoint name.
workgroup_idstringWorkgroupID is the workgroup ID.
workgroup_namestringWorkgroupName is the workgroup name.
spec.aws.secret_store

SecretStore contains secret store configurations.

NameTypeRequiredDescription
key_prefixstringKeyPrefix specifies the secret key prefix.
kms_key_idstringKMSKeyID specifies the AWS KMS key for encryption.

spec.azure

Azure contains Azure specific database metadata.

NameTypeRequiredDescription
is_flexi_serverboolIsFlexiServer is true if the database is an Azure Flexible server.
namestringName is the Azure database server name.
redisobjectRedis contains Azure Cache for Redis specific database metadata.
resource_idstringResourceID is the Azure fully qualified ID for the resource.
spec.azure.redis

Redis contains Azure Cache for Redis specific database metadata.

NameTypeRequiredDescription
clustering_policystringClusteringPolicy is the clustering policy for Redis Enterprise.

spec.dynamic_labels

DynamicLabels is the database dynamic labels.

NameTypeRequiredDescription
commandarray of stringsCommand is a command to run
perioddurationPeriod is a time between command runs
resultstringResult captures standard output

spec.gcp

GCP contains parameters specific to GCP Cloud SQL databases.

NameTypeRequiredDescription
instance_idstringInstanceID is the Cloud SQL instance ID.
project_idstringProjectID is the GCP project ID the Cloud SQL instance resides in.

spec.mongo_atlas

MongoAtlas contains Atlas metadata about the database.

NameTypeRequiredDescription
namestringName is the Atlas database instance name.

spec.mysql

MySQL is an additional section with MySQL database options.

NameTypeRequiredDescription
server_versionstringServerVersion is the server version reported by DB proxy if the runtime information is not available.

spec.oracle

Oracle is an additional Oracle configuration options.

NameTypeRequiredDescription
audit_userstringAuditUser is the Oracle database user privilege to access internal Oracle audit trail.

spec.tls

TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.

NameTypeRequiredDescription
ca_certstringCACert is an optional user provided CA certificate used for verifying database TLS connection.
modenumberMode is a TLS connection mode. 0 is "verify-full"; 1 is "verify-ca", 2 is "insecure".
server_namestringServerName allows to provide custom hostname. This value will override the servername/hostname on a certificate during validation.

Example:

# Teleport Database

resource "teleport_database" "example" {
metadata = {
name = "example"
description = "Test database"
labels = {
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
protocol = "postgres"
uri = "localhost"
}
}

teleport_github_connector

NameTypeRequiredDescription
metadataobjectMetadata holds resource metadata.
specobject*Spec is an Github connector specification.
sub_kindstringSubKind is an optional resource sub kind, used in some resources.
versionstring*Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata holds resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an Github connector specification.

NameTypeRequiredDescription
api_endpoint_urlstringAPIEndpointURL is the URL of the API endpoint of the Github instance this connector is for.
client_idstring*ClientID is the Github OAuth app client ID.
client_secretstring*ClientSecret is the Github OAuth app client secret.
displaystringDisplay is the connector display name.
endpoint_urlstringEndpointURL is the URL of the GitHub instance this connector is for.
redirect_urlstringRedirectURL is the authorization callback URL.
teams_to_loginsobjectTeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.
teams_to_rolesobjectTeamsToRoles maps Github team memberships onto allowed roles.

spec.teams_to_logins

TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.

NameTypeRequiredDescription
kubernetes_groupsarray of stringsKubeGroups is a list of allowed kubernetes groups for this org/team.
kubernetes_usersarray of stringsKubeUsers is a list of allowed kubernetes users to impersonate for this org/team.
loginsarray of stringsLogins is a list of allowed logins for this org/team.
organizationstringOrganization is a Github organization a user belongs to.
teamstringTeam is a team within the organization a user belongs to.

spec.teams_to_roles

TeamsToRoles maps Github team memberships onto allowed roles.

NameTypeRequiredDescription
organizationstringOrganization is a Github organization a user belongs to.
rolesarray of stringsRoles is a list of allowed logins for this org/team.
teamstringTeam is a team within the organization a user belongs to.

Example:

# Terraform Github connector

variable "github_secret" {}

resource "teleport_github_connector" "github" {
# This section tells Terraform that role example must be created before the GitHub connector
depends_on = [
teleport_role.example
]

metadata = {
name = "example"
labels = {
example = "yes"
}
}

spec = {
client_id = "client"
client_secret = var.github_secret

teams_to_roles = [{
organization = "gravitational"
team = "devs"
roles = ["example"]
}]
}
}

teleport_login_rule

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata.
prioritynumber*Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first.
traits_expressionstringTraitsExpression is a predicate expression which should return the desired traits for the user upon login.
traits_mapobjectTraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.
versionstring*Version is the resource version.

metadata

Metadata is resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

traits_map

TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.

NameTypeRequiredDescription
valuesarray of strings

Example:

# Teleport Login Rule resource

resource "teleport_login_rule" "example" {
metadata = {
description = "Example Login Rule"
labels = {
"example" = "yes"
}
}

version = "v1"
priority = 0
traits_map = {
"logins" = {
values = [
"external.logins",
"external.username",
]
}
"groups" = {
values = [
"external.groups",
]
}
}
}

teleport_oidc_connector

NameTypeRequiredDescription
metadataobjectMetadata holds resource metadata.
specobject*Spec is an OIDC connector specification.
sub_kindstringSubKind is an optional resource sub kind, used in some resources.
versionstring*Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata holds resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an OIDC connector specification.

NameTypeRequiredDescription
acr_valuesstringACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
allow_unverified_emailboolAllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
claims_to_rolesobjectClaimsToRoles specifies a dynamic mapping from claims to roles.
client_idstringClientID is the id of the authentication client (Teleport Auth server).
client_secretstringClientSecret is used to authenticate the client.
displaystringDisplay is the friendly name for this provider.
google_admin_emailstringGoogleAdminEmail is the email of a google admin to impersonate.
google_service_accountstringGoogleServiceAccount is a string containing google service account credentials.
google_service_account_uristringGoogleServiceAccountURI is a path to a google service account uri.
issuer_urlstringIssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_ageduration
promptstringPrompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
providerstringProvider is the external identity provider.
redirect_urlarray of strings
scopearray of stringsScope specifies additional scopes set by provider.
username_claimstringUsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

spec.claims_to_roles

ClaimsToRoles specifies a dynamic mapping from claims to roles.

NameTypeRequiredDescription
claimstringClaim is a claim name.
rolesarray of stringsRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.

Example:

# Teleport OIDC connector
#
# Please note that OIDC connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/oidc/

variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
metadata = {
name = "example"
labels = {
test = "yes"
}
}

spec = {
client_id = "client"
client_secret = var.oidc_secret

claims_to_roles = [{
claim = "test"
roles = ["terraform"]
}]

redirect_url = ["https://example.com/redirect"]
}
}

teleport_okta_import_rule

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobject*Spec is the specification for the Okta import rule.
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the specification for the Okta import rule.

NameTypeRequiredDescription
mappingsobjectMappings is a list of matches that will map match conditions to labels.
prioritynumberPriority represents the priority of the rule application. Lower numbered rules will be applied first.

spec.mappings

Mappings is a list of matches that will map match conditions to labels.

NameTypeRequiredDescription
add_labelsmap of stringsAddLabels specifies which labels to add if any of the previous matches match.
matchobjectMatch is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.
spec.mappings.match

Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.

NameTypeRequiredDescription
app_idsarray of stringsAppIDs is a list of app IDs to match against.
app_name_regexesarray of stringsAppNameRegexes is a list of regexes to match against app names.
group_idsarray of stringsGroupIDs is a list of group IDs to match against.
group_name_regexesarray of stringsGroupNameRegexes is a list of regexes to match against group names.

Example:

# Teleport Okta Import Rule resource

resource "teleport_okta_import_rule" "example" {
metadata = {
description = "Example Okta Import Rule"
labels = {
"example" = "yes"
}
}

version = "v1"

spec = {
priority = 100
mappings = [
{
add_labels = {
"label1": "value1"
}
match = [
{
app_ids = ["1", "2", "3"]
},
],
},
{
add_labels = {
"label2": "value2"
}
match = [
{
group_ids = ["1", "2", "3"]
},
],
},
{
add_labels = {
"label3" : "value3",
}
match = [
{
group_name_regexes = ["^.*$"]
},
],
},
{
add_labels = {
"label4" : "value4",
}
match = [
{
app_name_regexes = ["^.*$"]
},
],
}
]
}
}

teleport_provision_token

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobject*Spec is a provisioning token V2 spec
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestringName is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a provisioning token V2 spec

NameTypeRequiredDescription
allowobjectAllow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
aws_iid_ttldurationAWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
azureobjectAzure allows the configuration of options specific to the "azure" join method.
bot_namestringBotName is the name of the bot this token grants access to, if any
circleciobjectCircleCI allows the configuration of options specific to the "circleci" join method.
gcpobjectGCP allows the configuration of options specific to the "gcp" join method.
githubobjectGitHub allows the configuration of options specific to the "github" join method.
gitlabobjectGitLab allows the configuration of options specific to the "gitlab" join method.
join_methodstringJoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam".
kubernetesobjectKubernetes allows the configuration of options specific to the "kubernetes" join method.
rolesarray of strings*Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token
spaceliftobjectSpacelift allows the configuration of options specific to the "spacelift" join method.
suggested_agent_matcher_labelsmap of string arrays
suggested_labelsmap of string arrays

spec.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
aws_accountstringAWSAccount is the AWS account ID.
aws_arnstringAWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_regionsarray of stringsAWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_rolestringAWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API.

spec.azure

Azure allows the configuration of options specific to the "azure" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of Rules, nodes using this token must match one allow rule to use this token.
spec.azure.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
resource_groupsarray of stringsResourceGroups is a list of Azure resource groups the node is allowed to join from.
subscriptionstringSubscription is the Azure subscription.

spec.circleci

CircleCI allows the configuration of options specific to the "circleci" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
organization_idstring
spec.circleci.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
context_idstring
project_idstring

spec.gcp

GCP allows the configuration of options specific to the "gcp" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of Rules, nodes using this token must match one allow rule to use this token.
spec.gcp.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
locationsarray of stringsLocations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
project_idsarray of stringsProjectIDs is a list of project IDs (e.g. "<example-id-123456>").
service_accountsarray of stringsServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com").

spec.github

GitHub allows the configuration of options specific to the "github" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
enterprise_server_hoststringEnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server.
enterprise_slugstringEnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
spec.github.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
actorstringThe personal account that initiated the workflow run.
environmentstringThe name of the environment used by the job.
refstringThe git ref that triggered the workflow run.
ref_typestringThe type of ref, for example: "branch".
repositorystringThe repository from where the workflow is running. This includes the name of the owner e.g gravitational/teleport
repository_ownerstringThe name of the organization in which the repository is stored.
substringSub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run.
workflowstringThe name of the workflow.

spec.gitlab

GitLab allows the configuration of options specific to the "gitlab" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
domainstringDomain is the domain of your GitLab instance. This will default to gitlab.com - but can be set to the domain of your self-hosted GitLab e.g gitlab.example.com.
spec.gitlab.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
ci_config_ref_uristringCIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main.
ci_config_shastringCIConfigSHA is the git commit SHA for the ci_config_ref_uri.
deployment_tierstringDeploymentTier is the deployment tier of the environment the job specifies
environmentstringEnvironment limits access by the environment the job deploys to (if one is associated)
environment_protectedbool
namespace_pathstringNamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
pipeline_sourcestringPipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: web
project_pathstringProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
project_visibilitystringProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public.
refstringRef allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
ref_protectedbool
ref_typestringRefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag
substringSub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
user_emailstringUserEmail is the email of the user executing the job
user_idstringUserID is the ID of the user executing the job
user_loginstringUserLogin is the username of the user executing the job

spec.kubernetes

Kubernetes allows the configuration of options specific to the "kubernetes" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of Rules, nodes using this token must match one allow rule to use this token.
static_jwksobjectStaticJWKS is the configuration specific to the static_jwks type.
typestringType controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - in_cluster - static_jwks If unset, this defaults to in_cluster.
spec.kubernetes.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
service_accountstringServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account".
spec.kubernetes.static_jwks

StaticJWKS is the configuration specific to the static_jwks type.

NameTypeRequiredDescription
jwksstringJWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server.

spec.spacelift

Spacelift allows the configuration of options specific to the "spacelift" join method.

NameTypeRequiredDescription
allowobjectAllow is a list of Rules, nodes using this token must match one allow rule to use this token.
hostnamestringHostname is the hostname of the Spacelift tenant that tokens will originate from. E.g example.app.spacelift.io
spec.spacelift.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

NameTypeRequiredDescription
caller_idstringCallerID is the ID of the caller, ie. the stack or module that generated the run.
caller_typestringCallerType is the type of the caller, ie. the entity that owns the run - either stack or module.
scopestringScope is the scope of the token - either read or write. See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
space_idstringSpaceID is the ID of the space in which the run that owns the token was executed.

Example:

# Teleport Provision Token resource

resource "teleport_provision_token" "example" {
metadata = {
expires = "2022-10-12T07:20:51Z"
description = "Example token"

labels = {
example = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
roles = ["Node", "Auth"]
}
}

resource "teleport_provision_token" "iam-token" {
metadata = {
name = "iam-token"
}
spec = {
roles = ["Bot"]
bot_name = "mybot"
join_method = "iam"
allow = [{
aws_account = "123456789012"
}]
}
}

teleport_role

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobjectSpec is a role specification
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the resource version. It must be specified. Supported values are: v3, v4, v5, v6, v7.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a role specification

NameTypeRequiredDescription
allowobjectAllow is the set of conditions evaluated to grant access.
denyobjectDeny is the set of conditions evaluated to deny access. Deny takes priority over allow.
optionsobjectOptions is for OpenSSH options like agent forwarding.

spec.allow

Allow is the set of conditions evaluated to grant access.

NameTypeRequiredDescription
app_labelsmap of string arrays
app_labels_expressionstringAppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arnsarray of stringsAWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identitiesarray of stringsAzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labelsmap of string arrays
cluster_labels_expressionstringClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labelsmap of string arrays
db_labels_expressionstringDatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_namesarray of stringsDatabaseNames is a list of database names this role is allowed to connect to.
db_permissionsobjectDatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_rolesarray of stringsDatabaseRoles is a list of databases roles for automatic user creation.
db_service_labelsmap of string arrays
db_service_labels_expressionstringDatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_usersarray of stringsDatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groupsarray of stringsDesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accountsarray of stringsGCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
group_labelsmap of string arrays
group_labels_expressionstringGroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groupsarray of stringsHostGroups is a list of groups for created users to be added to
host_sudoersarray of stringsHostSudoers is a list of entries to include in a users sudoer file
impersonateobjectImpersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessionsobjectJoinSessions specifies policies to allow users to join other sessions.
kubernetes_groupsarray of stringsKubeGroups is a list of kubernetes groups
kubernetes_labelsmap of string arrays
kubernetes_labels_expressionstringKubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resourcesobjectKubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_usersarray of stringsKubeUsers is an optional kubernetes users to impersonate
loginsarray of stringsLogins is a list of *nix system logins.
node_labelsmap of string arrays
node_labels_expressionstringNodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
requestobject
require_session_joinobjectRequireSessionJoin specifies policies for required users to start a session.
review_requestsobjectReviewRequests defines conditions for submitting access reviews.
rulesobjectRules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffeobjectSPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labelsmap of string arrays
windows_desktop_labels_expressionstringWindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_loginsarray of stringsWindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
spec.allow.db_permissions

DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.

NameTypeRequiredDescription
matchmap of string arrays
permissionsarray of stringsPermission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...
spec.allow.impersonate

Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.

NameTypeRequiredDescription
rolesarray of stringsRoles is a list of resources this role is allowed to impersonate
usersarray of stringsUsers is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
wherestringWhere specifies optional advanced matcher
spec.allow.join_sessions

JoinSessions specifies policies to allow users to join other sessions.

NameTypeRequiredDescription
kindsarray of stringsKinds are the session kinds this policy applies to.
modesarray of stringsModes is a list of permitted participant modes for this policy.
namestringName is the name of the policy.
rolesarray of stringsRoles is a list of roles that you can join the session of.
spec.allow.kubernetes_resources

KubernetesResources is the Kubernetes Resources this Role grants access to.

NameTypeRequiredDescription
kindstringKind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
namestringName is the resource name. It supports wildcards.
namespacestringNamespace is the resource namespace. It supports wildcards.
verbsarray of stringsVerbs are the allowed Kubernetes verbs for the following resource.
spec.allow.request
NameTypeRequiredDescription
annotationsmap of string arrays
claims_to_rolesobjectClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
max_durationdurationMaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
rolesarray of stringsRoles is the name of roles which will match the request rule.
search_as_rolesarray of stringsSearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewersarray of stringsSuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholdsobjectThresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
spec.allow.request.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

NameTypeRequiredDescription
claimstringClaim is a claim name.
rolesarray of stringsRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.
spec.allow.request.thresholds

Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

NameTypeRequiredDescription
approvenumberApprove is the number of matching approvals needed for state-transition.
denynumberDeny is the number of denials needed for state-transition.
filterstringFilter is an optional predicate used to determine which reviews count toward this threshold.
namestringName is the optional human-readable name of the threshold.
spec.allow.require_session_join

RequireSessionJoin specifies policies for required users to start a session.

NameTypeRequiredDescription
countnumberCount is the amount of people that need to be matched for this policy to be fulfilled.
filterstringFilter is a predicate that determines what users count towards this policy.
kindsarray of stringsKinds are the session kinds this policy applies to.
modesarray of stringsModes is the list of modes that may be used to fulfill this policy.
namestringName is the name of the policy.
on_leavestringOnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.
spec.allow.review_requests

ReviewRequests defines conditions for submitting access reviews.

NameTypeRequiredDescription
claims_to_rolesobjectClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_rolesarray of stringsPreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
rolesarray of stringsRoles is the name of roles which may be reviewed.
wherestringWhere is an optional predicate which further limits which requests are reviewable.
spec.allow.review_requests.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

NameTypeRequiredDescription
claimstringClaim is a claim name.
rolesarray of stringsRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.
spec.allow.rules

Rules is a list of rules and their access levels. Rules are a high level construct used for access control.

NameTypeRequiredDescription
actionsarray of stringsActions specifies optional actions taken when this rule matches
resourcesarray of stringsResources is a list of resources
verbsarray of stringsVerbs is a list of verbs
wherestringWhere specifies optional advanced matcher
spec.allow.spiffe

SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.

NameTypeRequiredDescription
dns_sansarray of stringsDNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sansarray of stringsIPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
pathstringPath specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.deny

Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.

NameTypeRequiredDescription
app_labelsmap of string arrays
app_labels_expressionstringAppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arnsarray of stringsAWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identitiesarray of stringsAzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labelsmap of string arrays
cluster_labels_expressionstringClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labelsmap of string arrays
db_labels_expressionstringDatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_namesarray of stringsDatabaseNames is a list of database names this role is allowed to connect to.
db_permissionsobjectDatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_rolesarray of stringsDatabaseRoles is a list of databases roles for automatic user creation.
db_service_labelsmap of string arrays
db_service_labels_expressionstringDatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_usersarray of stringsDatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groupsarray of stringsDesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accountsarray of stringsGCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
group_labelsmap of string arrays
group_labels_expressionstringGroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groupsarray of stringsHostGroups is a list of groups for created users to be added to
host_sudoersarray of stringsHostSudoers is a list of entries to include in a users sudoer file
impersonateobjectImpersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessionsobjectJoinSessions specifies policies to allow users to join other sessions.
kubernetes_groupsarray of stringsKubeGroups is a list of kubernetes groups
kubernetes_labelsmap of string arrays
kubernetes_labels_expressionstringKubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resourcesobjectKubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_usersarray of stringsKubeUsers is an optional kubernetes users to impersonate
loginsarray of stringsLogins is a list of *nix system logins.
node_labelsmap of string arrays
node_labels_expressionstringNodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
requestobject
require_session_joinobjectRequireSessionJoin specifies policies for required users to start a session.
review_requestsobjectReviewRequests defines conditions for submitting access reviews.
rulesobjectRules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffeobjectSPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labelsmap of string arrays
windows_desktop_labels_expressionstringWindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_loginsarray of stringsWindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
spec.deny.db_permissions

DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.

NameTypeRequiredDescription
matchmap of string arrays
permissionsarray of stringsPermission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...
spec.deny.impersonate

Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.

NameTypeRequiredDescription
rolesarray of stringsRoles is a list of resources this role is allowed to impersonate
usersarray of stringsUsers is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
wherestringWhere specifies optional advanced matcher
spec.deny.join_sessions

JoinSessions specifies policies to allow users to join other sessions.

NameTypeRequiredDescription
kindsarray of stringsKinds are the session kinds this policy applies to.
modesarray of stringsModes is a list of permitted participant modes for this policy.
namestringName is the name of the policy.
rolesarray of stringsRoles is a list of roles that you can join the session of.
spec.deny.kubernetes_resources

KubernetesResources is the Kubernetes Resources this Role grants access to.

NameTypeRequiredDescription
kindstringKind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
namestringName is the resource name. It supports wildcards.
namespacestringNamespace is the resource namespace. It supports wildcards.
verbsarray of stringsVerbs are the allowed Kubernetes verbs for the following resource.
spec.deny.request
NameTypeRequiredDescription
annotationsmap of string arrays
claims_to_rolesobjectClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
max_durationdurationMaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
rolesarray of stringsRoles is the name of roles which will match the request rule.
search_as_rolesarray of stringsSearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewersarray of stringsSuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholdsobjectThresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
spec.deny.request.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

NameTypeRequiredDescription
claimstringClaim is a claim name.
rolesarray of stringsRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.
spec.deny.request.thresholds

Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

NameTypeRequiredDescription
approvenumberApprove is the number of matching approvals needed for state-transition.
denynumberDeny is the number of denials needed for state-transition.
filterstringFilter is an optional predicate used to determine which reviews count toward this threshold.
namestringName is the optional human-readable name of the threshold.
spec.deny.require_session_join

RequireSessionJoin specifies policies for required users to start a session.

NameTypeRequiredDescription
countnumberCount is the amount of people that need to be matched for this policy to be fulfilled.
filterstringFilter is a predicate that determines what users count towards this policy.
kindsarray of stringsKinds are the session kinds this policy applies to.
modesarray of stringsModes is the list of modes that may be used to fulfill this policy.
namestringName is the name of the policy.
on_leavestringOnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.
spec.deny.review_requests

ReviewRequests defines conditions for submitting access reviews.

NameTypeRequiredDescription
claims_to_rolesobjectClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_rolesarray of stringsPreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
rolesarray of stringsRoles is the name of roles which may be reviewed.
wherestringWhere is an optional predicate which further limits which requests are reviewable.
spec.deny.review_requests.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

NameTypeRequiredDescription
claimstringClaim is a claim name.
rolesarray of stringsRoles is a list of static teleport roles to match.
valuestringValue is a claim value to match.
spec.deny.rules

Rules is a list of rules and their access levels. Rules are a high level construct used for access control.

NameTypeRequiredDescription
actionsarray of stringsActions specifies optional actions taken when this rule matches
resourcesarray of stringsResources is a list of resources
verbsarray of stringsVerbs is a list of verbs
wherestringWhere specifies optional advanced matcher
spec.deny.spiffe

SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.

NameTypeRequiredDescription
dns_sansarray of stringsDNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sansarray of stringsIPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
pathstringPath specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.options

Options is for OpenSSH options like agent forwarding.

NameTypeRequiredDescription
cert_extensionsobjectCertExtensions specifies the key/values
cert_formatstringCertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH.
client_idle_timeoutdurationClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration.
create_db_userbool
create_db_user_modenumberCreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
create_desktop_userbool
create_host_userbool
create_host_user_modenumberCreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
desktop_clipboardbool
desktop_directory_sharingbool
device_trust_modestringDeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport.
disconnect_expired_certboolDisconnectExpiredCert sets disconnect clients on expired certificates.
enhanced_recordingarray of stringsBPF defines what events to record for the BPF-based session recorder.
forward_agentboolForwardAgent is SSH agent forwarding.
idpobjectIDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
lockstringLock specifies the locking mode (strict
max_connectionsnumberMaxConnections defines the maximum number of concurrent connections a user may hold.
max_kubernetes_connectionsnumberMaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold.
max_session_ttldurationMaxSessionTTL defines how long a SSH session can last for.
max_sessionsnumberMaxSessions defines the maximum number of concurrent sessions per connection.
permit_x11_forwardingboolPermitX11Forwarding authorizes use of X11 forwarding.
pin_source_ipboolPinSourceIP forces the same client IP for certificate generation and usage
port_forwardingbool
record_sessionobjectRecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
request_accessstringRequestAccess defines the access request strategy (optional
request_promptstringRequestPrompt is an optional message which tells users what they aught to request.
require_session_mfanumberRequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
ssh_file_copybool
spec.options.cert_extensions

CertExtensions specifies the key/values

NameTypeRequiredDescription
modenumberMode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension".
namestringName specifies the key to be used in the cert extension.
typenumberType represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh".
valuestringValue specifies the value to be used in the cert extension.
spec.options.idp

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

NameTypeRequiredDescription
samlobjectSAML are options related to the Teleport SAML IdP.
spec.options.idp.saml

SAML are options related to the Teleport SAML IdP.

NameTypeRequiredDescription
enabledbool
spec.options.record_session

RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.

NameTypeRequiredDescription
defaultstringDefault indicates the default value for the services.
desktopbool
sshstringSSH indicates the session mode used on SSH sessions.

Example:

# Teleport Role resource

resource "teleport_role" "example" {
metadata = {
name = "example"
description = "Example Teleport Role"
expires = "2022-10-12T07:20:51Z"
labels = {
example = "yes"
}
}

spec = {
options = {
forward_agent = false
max_session_ttl = "7m"
port_forwarding = false
client_idle_timeout = "1h"
disconnect_expired_cert = true
permit_x11_forwarding = false
request_access = "denied"
}

allow = {
logins = ["example"]

rules = [{
resources = ["user", "role"]
verbs = ["list"]
}]

request = {
roles = ["example"]
claims_to_roles = [{
claim = "example"
value = "example"
roles = ["example"]
}]
}

node_labels = {
example = ["yes"]
}
}

deny = {
logins = ["anonymous"]
}
}
}

teleport_saml_connector

NameTypeRequiredDescription
metadataobjectMetadata holds resource metadata.
specobject*Spec is an SAML connector specification.
sub_kindstringSubKind is an optional resource sub kind, used in some resources.
versionstring*Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata holds resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an SAML connector specification.

NameTypeRequiredDescription
acsstring*AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).
allow_idp_initiatedboolAllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
assertion_key_pairobjectEncryptionKeyPair is a key pair used for decrypting SAML assertions.
attributes_to_rolesobject*AttributesToRoles is a list of mappings of attribute statements to roles.
audiencestringAudience uniquely identifies our service provider.
certstringCert is the identity provider certificate PEM. IDP signs <Response> responses using this certificate.
displaystringDisplay controls how this connector is displayed.
entity_descriptorstringEntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
entity_descriptor_urlstringEntityDescriptorURL is a URL that supplies a configuration XML.
issuerstringIssuer is the identity provider issuer.
providerstringProvider is the external identity provider.
service_provider_issuerstringServiceProviderIssuer is the issuer of the service provider (Teleport).
signing_key_pairobjectSigningKeyPair is an x509 key pair used to sign AuthnRequest.
ssostringSSO is the URL of the identity provider's SSO service.

spec.assertion_key_pair

EncryptionKeyPair is a key pair used for decrypting SAML assertions.

NameTypeRequiredDescription
certstringCert is a PEM-encoded x509 certificate.
private_keystringPrivateKey is a PEM encoded x509 private key.

spec.attributes_to_roles

AttributesToRoles is a list of mappings of attribute statements to roles.

NameTypeRequiredDescription
namestringName is an attribute statement name.
rolesarray of stringsRoles is a list of static teleport roles to map to.
valuestringValue is an attribute statement value to match.

spec.signing_key_pair

SigningKeyPair is an x509 key pair used to sign AuthnRequest.

NameTypeRequiredDescription
certstringCert is a PEM-encoded x509 certificate.
private_keystringPrivateKey is a PEM encoded x509 private key.

Example:

# Teleport SAML connector
#
# Please note that SAML connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/okta/

resource "teleport_saml_connector" "example" {
# This block will tell Terraform to never update private key from our side if a keys are managed
# from an outside of Terraform.

# lifecycle {
# ignore_changes = [
# spec[0].signing_key_pair[0].cert,
# spec[0].signing_key_pair[0].private_key,
# spec[0].assertion_key_pair[0].cert,
# spec[0].assertion_key_pair[0].private_key,
# ]
# }

# This section tells Terraform that role example must be created before the SAML connector
depends_on = [
teleport_role.example
]

metadata = {
name = "example"
}

spec = {
attributes_to_roles = [{
name = "groups"
roles = ["example"]
value = "okta-admin"
},
{
name = "groups"
roles = ["example"]
value = "okta-dev"
}]

acs = "https://localhost:3025/v1/webapi/saml/acs"
entity_descriptor = ""
}
}

teleport_session_recording_config

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobjectSpec is a SessionRecordingConfig specification
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a SessionRecordingConfig specification

NameTypeRequiredDescription
modestringMode controls where (or if) the session is recorded.
proxy_checks_host_keysbool

Example:

# Teleport session recording config

resource "teleport_session_recording_config" "example" {
metadata = {
description = "Session recording config"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}

spec = {
proxy_checks_host_keys = true
}
}

teleport_trusted_cluster

NameTypeRequiredDescription
metadataobjectMetadata holds resource metadata.
specobject*Spec is a Trusted Cluster specification.
sub_kindstringSubKind is an optional resource sub kind, used in some resources.
versionstring*Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata holds resource metadata.

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a Trusted Cluster specification.

NameTypeRequiredDescription
enabledboolEnabled is a bool that indicates if the TrustedCluster is enabled or disabled. Setting Enabled to false has a side effect of deleting the user and host certificate authority (CA).
role_mapobjectRoleMap specifies role mappings to remote roles.
rolesarray of stringsRoles is a list of roles that users will be assuming when connecting to this cluster.
tokenstringToken is the authorization token provided by another cluster needed by this cluster to join.
tunnel_addrstringReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default reverse tunnel port>.
web_proxy_addrstringProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default web proxy server port>.

spec.role_map

RoleMap specifies role mappings to remote roles.

NameTypeRequiredDescription
localarray of stringsLocal specifies local roles to map to
remotestringRemote specifies remote role name to map from

Example:

# Teleport trusted cluster
#
# https://goteleport.com/docs/setup/admin/trustedclusters/

resource "teleport_trusted_cluster" "cluster" {
metadata = {
name = "primary"
labels = {
test = "yes"
}
}

spec = {
enabled = false
role_map = [{
remote = "test"
local = ["admin"]
}]
proxy_addr = "localhost:3080"
token = "salami"
}
}

teleport_trusted_device

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobjectSpecification of the device.
versionstring*Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

NameTypeRequiredDescription
labelsmap of stringsLabels is a set of labels
namestringName is an object name
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Specification of the device.

NameTypeRequiredDescription
asset_tagstring*
enroll_statusstring
os_typestring*
ownerstring
sourceobject

spec.source

NameTypeRequiredDescription
namestring
originstring

Example:

# Trusted device resource

resource "teleport_trusted_device" "TESTDEVICE1" {
spec = {
asset_tag = "TESTDEVICE1"
os_type = "macos"
}
}

teleport_user

NameTypeRequiredDescription
metadataobjectMetadata is resource metadata
specobjectSpec is a user specification
sub_kindstringSubKind is an optional resource sub kind, used in some resources
versionstring*Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata is resource metadata

NameTypeRequiredDescription
descriptionstringDescription is object description
expiresRFC3339 timeExpires is a global expiry time header can be set on any resource in the system.
labelsmap of stringsLabels is a set of labels
namestring*Name is an object name
namespacestringNamespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revisionstringRevision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a user specification

NameTypeRequiredDescription
github_identitiesobjectGithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity
oidc_identitiesobjectOIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity
rolesarray of stringsRoles is a list of roles assigned to user
saml_identitiesobjectSAMLIdentities lists associated SAML identities that let user log in using externally verified identity
traitsmap of string arrays
trusted_device_idsarray of stringsTrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.

spec.github_identities

GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity

NameTypeRequiredDescription
connector_idstringConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
usernamestringUsername is username supplied by external identity provider

spec.oidc_identities

OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity

NameTypeRequiredDescription
connector_idstringConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
usernamestringUsername is username supplied by external identity provider

spec.saml_identities

SAMLIdentities lists associated SAML identities that let user log in using externally verified identity

NameTypeRequiredDescription
connector_idstringConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
usernamestringUsername is username supplied by external identity provider

Example:

# Teleport User resource

resource "teleport_user" "example" {
# Tells Terraform that the role could not be destroyed while this user exists
depends_on = [
teleport_role.example
]

metadata = {
name = "example"
description = "Example Teleport User"

expires = "2022-10-12T07:20:50Z"

labels = {
example = "yes"
}
}

spec = {
roles = ["example"]

oidc_identities = [{
connector_id = "oidc1"
username = "example"
}]

traits = {
"logins1" = ["example"]
"logins2" = ["example"]
}

github_identities = [{
connector_id = "github"
username = "example"
}]

saml_identities = [{
connector_id = "example-saml"
username = "example"
}]
}
}