Terraform provider resources
Supported resources:
- teleport_access_list
- teleport_app
- teleport_auth_preference
- teleport_bot
- teleport_cluster_maintenance_config
- teleport_cluster_networking_config
- teleport_database
- teleport_github_connector
- teleport_login_rule
- teleport_oidc_connector
- teleport_okta_import_rule
- teleport_provision_token
- teleport_role
- teleport_saml_connector
- teleport_session_recording_config
- teleport_trusted_cluster
- teleport_trusted_device
- teleport_user
Provider configuration
Ensure your Terraform version is v1.0.0 or higher.
Add the following configuration section to your terraform
configuration block:
terraform {
required_providers {
teleport = {
version = "~> 15.0"
source = "terraform.releases.teleport.dev/gravitational/teleport"
}
}
}
The provider supports the following options:
Name | Type | Description | Environment Variable |
---|---|---|---|
addr | string | Teleport auth or proxy address in "host:port" format. | TF_TELEPORT_ADDR |
cert_path | string | Path to Teleport certificate file. | TF_TELEPORT_CERT |
cert_base64 | string | Teleport certificate as base64. | TF_TELEPORT_CERT_BASE64 |
identity_file_path | string | Path to Teleport identity file. | TF_TELEPORT_IDENTITY_FILE_PATH |
identity_file_base64 | string | Teleport identity file as base64. | TF_TELEPORT_IDENTITY_FILE_BASE64 |
key_path | string | Path to Teleport key file. | TF_TELEPORT_KEY |
key_base64 | string | Teleport key as base64. | TF_TELEPORT_KEY_BASE64 |
profile_dir | string | Teleport profile path. | TF_TELEPORT_PROFILE_PATH |
profile_name | string | Teleport profile name. | TF_TELEPORT_PROFILE_NAME |
root_ca_path | string | Path to Teleport CA file. | TF_TELEPORT_ROOT_CA |
root_ca_base64 | string | Teleport CA as base64. | TF_TELEPORT_ROOT_CA_BASE64 |
retry_base_duration | string | Base duration between retries. Format | TF_TELEPORT_RETRY_BASE_DURATION |
retry_cap_duration | string | Max duration between retries. Format | TF_TELEPORT_RETRY_CAP_DURATION |
retry_max_tries | string | Max number of retries. | TF_TELEPORT_RETRY_MAX_TRIES |
You need to specify at least one of:
cert_path
,key_path
,root_ca_path
andaddr
to connect using key files.cert_base64
,key_base64
,root_ca_base64
andaddr
to connect using a base64-encoded key.identity_file_path
oridentity_file_base64
andaddr
to connect using an identity file.profile_name
,profile_dir
(both can be empty) andaddr
to connect using current profile from~/.tsh
The retry_*
values are used to retry the API calls to Teleport when the cache is stale.
If more than one are provided, they will be tried in the order above until one succeeds.
Example:
provider "teleport" {
addr = "localhost:3025"
cert_path = "tf.crt"
key_path = "tf.key"
root_ca_path = "tf.ca"
}
Provider resource versioning
Since Teleport 15, you must set the version on each resource, and version cannot be changed in-place. Terraform will delete the resource and create a new one if a version change is required.
This is not enforced on previous Teleport provider versions, but we recommend doing so. When the version is not specified, Terraform will pick the latest one by default. However, version upgrades don't re-apply the resource defaults. This could lead to different results if you create a new resource or upgrade an existing one. To mitigate this, you should explicitly set the resource version.
Upgrading the Terraform Provider to a new version with teleport_role
resources without a specified version can change the role behavior and access
rules. You must set the role version before upgrading to ensure the role
access rules don't change.
The default role version is the highest supported:
- v12 default role version is
v5
- v13 default role version is
v6
- v14 default role version is
v7
For example, before upgrading from v12 to v13, edit every unversioned role
to pin the v5
version:
resource "teleport_role" "test" {
version = "v5"
metadata = {
name = "my-role"
}
// ...
}
teleport_access_list
Name | Type | Required | Description |
---|---|---|---|
header | object | header is the header for the resource. | |
spec | object | spec is the specification for the access list. |
header
header is the header for the resource.
Name | Type | Required | Description |
---|---|---|---|
kind | string | kind is a resource kind. | |
metadata | object | metadata is resource metadata. | |
sub_kind | string | sub_kind is an optional resource sub kind, used in some resources. | |
version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |
header.metadata
metadata is resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | description is object description. | |
expires | RFC3339 time | ||
labels | map of strings | labels is a set of labels. | |
name | string | * | name is an object name. |
namespace | string | namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
spec is the specification for the access list.
Name | Type | Required | Description |
---|---|---|---|
audit | object | * | audit describes the frequency that this access list must be audited. |
description | string | description is an optional plaintext description of the access list. | |
grants | object | * | grants describes the access granted by membership to this access list. |
membership | string | membership defines how list membership is applied. There are two possible values: explicit (default): To be considered ag member of the access list, a user must both meet the membership_requires conditions AND be explicitly added to the list. implicit : Any user meeting the membership_requires conditions will automatically be considered a member of this list. | |
membership_requires | object | membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list. | |
owner_grants | object | owner_grants describes the access granted by owners to this access list. | |
owners | object | * | owners is a list of owners of the access list. |
ownership | string | ownership defines how list ownership of this list is determined. There are two possible values: explicit (default): To be considered an owner of the access list, a user must both meet the ownership_requires conditions AND be explicitly added to the list. implicit : Any user meeting the ownership_requires conditions will automatically be considered an owner of this list. | |
ownership_requires | object | ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. | |
title | string | title is a plaintext short description of the access list. |
spec.audit
audit describes the frequency that this access list must be audited.
Name | Type | Required | Description |
---|---|---|---|
next_audit_date | RFC3339 time | ||
notifications | object | notifications is the configuration for notifying users. | |
recurrence | object | * | recurrence is the recurrence definition |
spec.audit.notifications
notifications is the configuration for notifying users.
Name | Type | Required | Description |
---|---|---|---|
start | duration |
spec.audit.recurrence
recurrence is the recurrence definition
Name | Type | Required | Description |
---|---|---|---|
day_of_month | number | day_of_month is the day of month that reviews will be scheduled on. Supported values are 0, 1, 15, and 31. | |
frequency | number | * | frequency is the frequency of reviews. This represents the period in months between two reviews. Supported values are 0, 1, 3, 6, and 12. |
spec.grants
grants describes the access granted by membership to this access list.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | roles are the roles that are granted to users who are members of the access list. | |
traits | object | traits are the traits that are granted to users who are members of the access list. |
spec.grants.traits
traits are the traits that are granted to users who are members of the access list.
Name | Type | Required | Description |
---|---|---|---|
key | string | key is the name of the trait. | |
values | array of strings | values is the list of trait values. |
spec.membership_requires
membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | roles are the user roles that must be present for the user to obtain access. | |
traits | object | traits are the traits that must be present for the user to obtain access. |
spec.membership_requires.traits
traits are the traits that must be present for the user to obtain access.
Name | Type | Required | Description |
---|---|---|---|
key | string | key is the name of the trait. | |
values | array of strings | values is the list of trait values. |
spec.owner_grants
owner_grants describes the access granted by owners to this access list.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | roles are the roles that are granted to users who are members of the access list. | |
traits | object | traits are the traits that are granted to users who are members of the access list. |
spec.owner_grants.traits
traits are the traits that are granted to users who are members of the access list.
Name | Type | Required | Description |
---|---|---|---|
key | string | key is the name of the trait. | |
values | array of strings | values is the list of trait values. |
spec.owners
owners is a list of owners of the access list.
Name | Type | Required | Description |
---|---|---|---|
description | string | description is the plaintext description of the owner and why they are an owner. | |
name | string | name is the username of the owner. |
spec.ownership_requires
ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | roles are the user roles that must be present for the user to obtain access. | |
traits | object | traits are the traits that must be present for the user to obtain access. |
spec.ownership_requires.traits
traits are the traits that must be present for the user to obtain access.
Name | Type | Required | Description |
---|---|---|---|
key | string | key is the name of the trait. | |
values | array of strings | values is the list of trait values. |
Example:
resource "teleport_access_list" "crane-operation" {
header = {
metadata = {
name = "crane-operation"
labels = {
example = "yes"
}
}
}
spec = {
description = "Used to grant access to the crane."
owners = [
{
name = "gru"
description = "The supervillain."
}
]
membership_requires = {
roles = ["minion"]
}
ownership_requires = {
roles = ["supervillain"]
}
grants = {
roles = ["crane-operator"]
traits = [{
key = "allowed-machines"
values = ["crane", "forklift"]
}]
}
title = "Crane operation"
audit = {
recurrence = {
frequency = 3 # audit every 3 months
day_of_month = 15 # audit happen 15's day of the month. Possible values are 1, 15, and 31.
}
}
}
}
teleport_app
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is the app resource metadata. | |
spec | object | Spec is the app resource spec. | |
sub_kind | string | SubKind is an optional resource subkind. | |
version | string | * | Version is the resource version. It must be specified. Supported values are:v3 . |
metadata
Metadata is the app resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is the app resource spec.
Name | Type | Required | Description |
---|---|---|---|
aws | object | AWS contains additional options for AWS applications. | |
cloud | string | Cloud identifies the cloud instance the app represents. | |
dynamic_labels | object | DynamicLabels are the app's command labels. | |
insecure_skip_verify | bool | InsecureSkipVerify disables app's TLS certificate verification. | |
public_addr | string | PublicAddr is the public address the application is accessible at. | |
rewrite | object | Rewrite is a list of rewriting rules to apply to requests and responses. | |
uri | string | URI is the web app endpoint. | |
user_groups | array of strings | UserGroups are a list of user group IDs that this app is associated with. |
spec.aws
AWS contains additional options for AWS applications.
Name | Type | Required | Description |
---|---|---|---|
external_id | string | ExternalID is the AWS External ID used when assuming roles in this app. |
spec.dynamic_labels
DynamicLabels are the app's command labels.
Name | Type | Required | Description |
---|---|---|---|
command | array of strings | Command is a command to run | |
period | duration | Period is a time between command runs | |
result | string | Result captures standard output |
spec.rewrite
Rewrite is a list of rewriting rules to apply to requests and responses.
Name | Type | Required | Description |
---|---|---|---|
headers | object | Headers is a list of headers to inject when passing the request over to the application. | |
jwt_claims | string | JWTClaims configures whether roles/traits are included in the JWT token. | |
redirect | array of strings | Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. |
spec.rewrite.headers
Headers is a list of headers to inject when passing the request over to the application.
Name | Type | Required | Description |
---|---|---|---|
name | string | Name is the http header name. | |
value | string | Value is the http header value. |
Example:
# Teleport App
resource "teleport_app" "example" {
metadata = {
name = "example"
description = "Test app"
labels = {
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
uri = "localhost:3000"
}
}
teleport_auth_preference
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | * | Spec is an AuthPreference specification |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v2 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is an AuthPreference specification
Name | Type | Required | Description |
---|---|---|---|
allow_headless | bool | ||
allow_local_auth | bool | ||
allow_passwordless | bool | ||
connector_name | string | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. | |
default_session_ttl | duration | DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested. | |
device_trust | object | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. | |
disconnect_expired_cert | bool | ||
hardware_key | object | HardwareKey are the settings for hardware key support. | |
idp | object | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | |
locking_mode | string | LockingMode is the cluster-wide locking mode default. | |
message_of_the_day | string | ||
okta | object | Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. | |
piv_slot | string | Deprecated, replaced by HardwareKey settings. | |
require_session_mfa | number | RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". | |
second_factor | string | SecondFactor is the type of second factor. | |
type | string | Type is the type of authentication. | |
u2f | object | U2F are the settings for the U2F device. | |
webauthn | object | Webauthn are the settings for server-side Web Authentication support. |
spec.device_trust
DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.
Name | Type | Required | Description |
---|---|---|---|
auto_enroll | bool | Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. tsh takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off". | |
ekcert_allowed_cas | array of strings | Allow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment, this allows any device to enroll. | |
mode | string | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. |
spec.hardware_key
HardwareKey are the settings for hardware key support.
Name | Type | Required | Description |
---|---|---|---|
piv_slot | string | PIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e". | |
serial_number_validation | object | SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled. |
spec.hardware_key.serial_number_validation
SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.
Name | Type | Required | Description |
---|---|---|---|
enabled | bool | Enabled indicates whether hardware key serial number validation is enabled. | |
serial_number_trait_name | string | SerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: Values for this user trait should be a comma-separated list of serial numbers, or a list of comm-separated lists. e.g ["123", "345,678"] |
spec.idp
IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
Name | Type | Required | Description |
---|---|---|---|
saml | object | SAML are options related to the Teleport SAML IdP. |
spec.idp.saml
SAML are options related to the Teleport SAML IdP.
Name | Type | Required | Description |
---|---|---|---|
enabled | bool |
spec.okta
Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.
Name | Type | Required | Description |
---|---|---|---|
sync_period | duration | SyncPeriod is the duration between synchronization calls in nanoseconds. |
spec.u2f
U2F are the settings for the U2F device.
Name | Type | Required | Description |
---|---|---|---|
app_id | string | AppID returns the application ID for universal second factor. | |
device_attestation_cas | array of strings | DeviceAttestationCAs contains the trusted attestation CAs for U2F devices. | |
facets | array of strings | Facets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation. |
spec.webauthn
Webauthn are the settings for server-side Web Authentication support.
Name | Type | Required | Description |
---|---|---|---|
attestation_allowed_cas | array of strings | Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed. | |
attestation_denied_cas | array of strings | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. | |
rp_id | string | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. |
Example:
# AuthPreference resource
resource "teleport_auth_preference" "example" {
metadata = {
description = "Auth preference"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
disconnect_expired_cert = true
}
}
teleport_bot
Name | Type | Required | Description |
---|---|---|---|
name | string | * | The name of the bot, i.e. the unprefixed User name |
role_name | string | The name of the generated bot role | |
roles | array of strings | * | A list of roles the created bot should be allowed to assume via role impersonation. |
token_id | string | * | The bot joining token. If unset, a new random token is created and its name returned, otherwise a preexisting Bot token may be provided for IAM/OIDC joining. |
token_ttl | string | The desired TTL for the token if one is created. If unset, a server default is used | |
traits | map of string arrays | ||
user_name | string | The name of the generated bot user |
Example:
# Teleport Machine ID Bot creation example
locals {
bot_name = "example"
}
resource "random_password" "bot_token" {
length = 32
special = false
}
resource "time_offset" "bot_example_token_expiry" {
offset_hours = 1
}
resource "teleport_provision_token" "bot_example" {
metadata = {
expires = time_offset.bot_example_token_expiry.rfc3339
description = "Bot join token for ${local.bot_name} generated by Terraform"
name = random_password.bot_token.result
}
spec = {
roles = ["Bot"]
bot_name = local.bot_name
join_method = "token"
}
}
resource "teleport_bot" "example" {
name = local.bot_name
token_id = teleport_provision_token.bot_example.metadata.name
roles = ["access"]
}
teleport_cluster_maintenance_config
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
nonce | number | Nonce is used to protect against concurrent modification of the maintenance window. Clients should treat nonces as opaque. | |
spec | object | ||
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Name | Type | Required | Description |
---|---|---|---|
agent_upgrades | object | AgentUpgrades encodes the agent upgrade window. |
spec.agent_upgrades
AgentUpgrades encodes the agent upgrade window.
Name | Type | Required | Description |
---|---|---|---|
utc_start_hour | number | UTCStartHour is the start hour of the maintenance window in UTC. | |
weekdays | array of strings | Weekdays is an optional list of weekdays. If not specified, an agent upgrade window occurs every day. |
Example:
# Teleport Cluster Networking config
resource "teleport_cluster_maintenance_config" "example" {
metadata = {
description = "Maintenance config"
}
spec = {
agent_upgrades = {
utc_start_hour = 1
weekdays = [ "monday" ]
}
}
}
teleport_cluster_networking_config
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | Spec is a ClusterNetworkingConfig specification | |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | Version is the resource version. It must be specified. Supported values are:v2 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a ClusterNetworkingConfig specification
Name | Type | Required | Description |
---|---|---|---|
assist_command_execution_workers | number | AssistCommandExecutionWorkers determines the number of workers that will execute arbitrary Assist commands on servers in parallel | |
case_insensitive_routing | bool | CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching. | |
client_idle_timeout | duration | ClientIdleTimeout sets global cluster default setting for client idle timeouts. | |
idle_timeout_message | string | ClientIdleTimeoutMessage is the message sent to the user when a connection times out. | |
keep_alive_count_max | number | KeepAliveCountMax is the number of keep-alive messages that can be missed before the server disconnects the connection to the client. | |
keep_alive_interval | duration | KeepAliveInterval is the interval at which the server sends keep-alive messages to the client. | |
proxy_listener_mode | number | ProxyListenerMode is proxy listener mode used by Teleport Proxies. 0 is "separate"; 1 is "multiplex". | |
proxy_ping_interval | duration | ProxyPingInterval defines in which interval the TLS routing ping message should be sent. This is applicable only when using ping-wrapped connections, regular TLS routing connections are not affected. | |
routing_strategy | number | RoutingStrategy determines the strategy used to route to nodes. 0 is "unambiguous_match"; 1 is "most_recent". | |
session_control_timeout | duration | SessionControlTimeout is the session control lease expiry and defines the upper limit of how long a node may be out of contact with the auth server before it begins terminating controlled sessions. | |
tunnel_strategy | object | TunnelStrategyV1 determines the tunnel strategy used in the cluster. | |
web_idle_timeout | duration | WebIdleTimeout sets global cluster default setting for the web UI idle timeouts. |
spec.tunnel_strategy
TunnelStrategyV1 determines the tunnel strategy used in the cluster.
Name | Type | Required | Description |
---|---|---|---|
agent_mesh | object | ||
proxy_peering | object |
spec.tunnel_strategy.agent_mesh
Name | Type | Required | Description |
---|---|---|---|
active | bool | Automatically generated field preventing empty message errors |
spec.tunnel_strategy.proxy_peering
Name | Type | Required | Description |
---|---|---|---|
agent_connection_count | number |
Example:
# Teleport Cluster Networking config
resource "teleport_cluster_networking_config" "example" {
metadata = {
description = "Networking config"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
client_idle_timeout = "1h"
}
}
teleport_database
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is the database metadata. | |
spec | object | Spec is the database spec. | |
sub_kind | string | SubKind is an optional resource subkind. | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v3 . |
metadata
Metadata is the database metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is the database spec.
Name | Type | Required | Description |
---|---|---|---|
ad | object | AD is the Active Directory configuration for the database. | |
admin_user | object | AdminUser is the database admin user for automatic user provisioning. | |
aws | object | AWS contains AWS specific settings for RDS/Aurora/Redshift databases. | |
azure | object | Azure contains Azure specific database metadata. | |
ca_cert | string | CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0. | |
dynamic_labels | object | DynamicLabels is the database dynamic labels. | |
gcp | object | GCP contains parameters specific to GCP Cloud SQL databases. | |
mongo_atlas | object | MongoAtlas contains Atlas metadata about the database. | |
mysql | object | MySQL is an additional section with MySQL database options. | |
oracle | object | Oracle is an additional Oracle configuration options. | |
protocol | string | * | Protocol is the database protocol: postgres, mysql, mongodb, etc. |
tls | object | TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name. | |
uri | string | * | URI is the database connection endpoint. |
spec.ad
AD is the Active Directory configuration for the database.
Name | Type | Required | Description |
---|---|---|---|
domain | string | Domain is the Active Directory domain the database resides in. | |
kdc_host_name | string | KDCHostName is the host name for a KDC for x509 Authentication. | |
keytab_file | string | KeytabFile is the path to the Kerberos keytab file. | |
krb5_file | string | Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf. | |
ldap_cert | string | LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication. | |
spn | string | SPN is the service principal name for the database. |
spec.admin_user
AdminUser is the database admin user for automatic user provisioning.
Name | Type | Required | Description |
---|---|---|---|
default_database | string | DefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users. | |
name | string | Name is the username of the privileged database user. |
spec.aws
AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
Name | Type | Required | Description |
---|---|---|---|
account_id | string | AccountID is the AWS account ID this database belongs to. | |
assume_role_arn | string | AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts. | |
elasticache | object | ElastiCache contains AWS ElastiCache Redis specific metadata. | |
external_id | string | ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts. | |
iam_policy_status | number | IAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the Database. Eg for an RDS Database: the underlying AWS profile allows for rds-db:connect for the Database. | |
memorydb | object | MemoryDB contains AWS MemoryDB specific metadata. | |
opensearch | object | OpenSearch contains AWS OpenSearch specific metadata. | |
rds | object | RDS contains RDS specific metadata. | |
rdsproxy | object | RDSProxy contains AWS Proxy specific metadata. | |
redshift | object | Redshift contains Redshift specific metadata. | |
redshift_serverless | object | RedshiftServerless contains AWS Redshift Serverless specific metadata. | |
region | string | Region is a AWS cloud region. | |
secret_store | object | SecretStore contains secret store configurations. | |
session_tags | map of strings | SessionTags is a list of AWS STS session tags. |
spec.aws.elasticache
ElastiCache contains AWS ElastiCache Redis specific metadata.
Name | Type | Required | Description |
---|---|---|---|
endpoint_type | string | EndpointType is the type of the endpoint. | |
replication_group_id | string | ReplicationGroupID is the Redis replication group ID. | |
transit_encryption_enabled | bool | TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled. | |
user_group_ids | array of strings | UserGroupIDs is a list of user group IDs. |
spec.aws.memorydb
MemoryDB contains AWS MemoryDB specific metadata.
Name | Type | Required | Description |
---|---|---|---|
acl_name | string | ACLName is the name of the ACL associated with the cluster. | |
cluster_name | string | ClusterName is the name of the MemoryDB cluster. | |
endpoint_type | string | EndpointType is the type of the endpoint. | |
tls_enabled | bool | TLSEnabled indicates whether in-transit encryption (TLS) is enabled. |
spec.aws.opensearch
OpenSearch contains AWS OpenSearch specific metadata.
Name | Type | Required | Description |
---|---|---|---|
domain_id | string | DomainID is the ID of the domain. | |
domain_name | string | DomainName is the name of the domain. | |
endpoint_type | string | EndpointType is the type of the endpoint. |
spec.aws.rds
RDS contains RDS specific metadata.
Name | Type | Required | Description |
---|---|---|---|
cluster_id | string | ClusterID is the RDS cluster (Aurora) identifier. | |
iam_auth | bool | IAMAuth indicates whether database IAM authentication is enabled. | |
instance_id | string | InstanceID is the RDS instance identifier. | |
resource_id | string | ResourceID is the RDS instance resource identifier (db-xxx). | |
subnets | array of strings | Subnets is a list of subnets for the RDS instance. | |
vpc_id | string | VPCID is the VPC where the RDS is running. |
spec.aws.rdsproxy
RDSProxy contains AWS Proxy specific metadata.
Name | Type | Required | Description |
---|---|---|---|
custom_endpoint_name | string | CustomEndpointName is the identifier of an RDS Proxy custom endpoint. | |
name | string | Name is the identifier of an RDS Proxy. | |
resource_id | string | ResourceID is the RDS instance resource identifier (prx-xxx). |
spec.aws.redshift
Redshift contains Redshift specific metadata.
Name | Type | Required | Description |
---|---|---|---|
cluster_id | string | ClusterID is the Redshift cluster identifier. |
spec.aws.redshift_serverless
RedshiftServerless contains AWS Redshift Serverless specific metadata.
Name | Type | Required | Description |
---|---|---|---|
endpoint_name | string | EndpointName is the VPC endpoint name. | |
workgroup_id | string | WorkgroupID is the workgroup ID. | |
workgroup_name | string | WorkgroupName is the workgroup name. |
spec.aws.secret_store
SecretStore contains secret store configurations.
Name | Type | Required | Description |
---|---|---|---|
key_prefix | string | KeyPrefix specifies the secret key prefix. | |
kms_key_id | string | KMSKeyID specifies the AWS KMS key for encryption. |
spec.azure
Azure contains Azure specific database metadata.
Name | Type | Required | Description |
---|---|---|---|
is_flexi_server | bool | IsFlexiServer is true if the database is an Azure Flexible server. | |
name | string | Name is the Azure database server name. | |
redis | object | Redis contains Azure Cache for Redis specific database metadata. | |
resource_id | string | ResourceID is the Azure fully qualified ID for the resource. |
spec.azure.redis
Redis contains Azure Cache for Redis specific database metadata.
Name | Type | Required | Description |
---|---|---|---|
clustering_policy | string | ClusteringPolicy is the clustering policy for Redis Enterprise. |
spec.dynamic_labels
DynamicLabels is the database dynamic labels.
Name | Type | Required | Description |
---|---|---|---|
command | array of strings | Command is a command to run | |
period | duration | Period is a time between command runs | |
result | string | Result captures standard output |
spec.gcp
GCP contains parameters specific to GCP Cloud SQL databases.
Name | Type | Required | Description |
---|---|---|---|
instance_id | string | InstanceID is the Cloud SQL instance ID. | |
project_id | string | ProjectID is the GCP project ID the Cloud SQL instance resides in. |
spec.mongo_atlas
MongoAtlas contains Atlas metadata about the database.
Name | Type | Required | Description |
---|---|---|---|
name | string | Name is the Atlas database instance name. |
spec.mysql
MySQL is an additional section with MySQL database options.
Name | Type | Required | Description |
---|---|---|---|
server_version | string | ServerVersion is the server version reported by DB proxy if the runtime information is not available. |
spec.oracle
Oracle is an additional Oracle configuration options.
Name | Type | Required | Description |
---|---|---|---|
audit_user | string | AuditUser is the Oracle database user privilege to access internal Oracle audit trail. |
spec.tls
TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.
Name | Type | Required | Description |
---|---|---|---|
ca_cert | string | CACert is an optional user provided CA certificate used for verifying database TLS connection. | |
mode | number | Mode is a TLS connection mode. 0 is "verify-full"; 1 is "verify-ca", 2 is "insecure". | |
server_name | string | ServerName allows to provide custom hostname. This value will override the servername/hostname on a certificate during validation. |
Example:
# Teleport Database
resource "teleport_database" "example" {
metadata = {
name = "example"
description = "Test database"
labels = {
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
protocol = "postgres"
uri = "localhost"
}
}
teleport_github_connector
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata holds resource metadata. | |
spec | object | * | Spec is an Github connector specification. |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources. | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v3 . |
metadata
Metadata holds resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is an Github connector specification.
Name | Type | Required | Description |
---|---|---|---|
api_endpoint_url | string | APIEndpointURL is the URL of the API endpoint of the Github instance this connector is for. | |
client_id | string | * | ClientID is the Github OAuth app client ID. |
client_secret | string | * | ClientSecret is the Github OAuth app client secret. |
display | string | Display is the connector display name. | |
endpoint_url | string | EndpointURL is the URL of the GitHub instance this connector is for. | |
redirect_url | string | RedirectURL is the authorization callback URL. | |
teams_to_logins | object | TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead. | |
teams_to_roles | object | TeamsToRoles maps Github team memberships onto allowed roles. |
spec.teams_to_logins
TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.
Name | Type | Required | Description |
---|---|---|---|
kubernetes_groups | array of strings | KubeGroups is a list of allowed kubernetes groups for this org/team. | |
kubernetes_users | array of strings | KubeUsers is a list of allowed kubernetes users to impersonate for this org/team. | |
logins | array of strings | Logins is a list of allowed logins for this org/team. | |
organization | string | Organization is a Github organization a user belongs to. | |
team | string | Team is a team within the organization a user belongs to. |
spec.teams_to_roles
TeamsToRoles maps Github team memberships onto allowed roles.
Name | Type | Required | Description |
---|---|---|---|
organization | string | Organization is a Github organization a user belongs to. | |
roles | array of strings | Roles is a list of allowed logins for this org/team. | |
team | string | Team is a team within the organization a user belongs to. |
Example:
# Terraform Github connector
variable "github_secret" {}
resource "teleport_github_connector" "github" {
# This section tells Terraform that role example must be created before the GitHub connector
depends_on = [
teleport_role.example
]
metadata = {
name = "example"
labels = {
example = "yes"
}
}
spec = {
client_id = "client"
client_secret = var.github_secret
teams_to_roles = [{
organization = "gravitational"
team = "devs"
roles = ["example"]
}]
}
}
teleport_login_rule
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata. | |
priority | number | * | Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first. |
traits_expression | string | TraitsExpression is a predicate expression which should return the desired traits for the user upon login. | |
traits_map | object | TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait. | |
version | string | * | Version is the resource version. |
metadata
Metadata is resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
traits_map
TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.
Name | Type | Required | Description |
---|---|---|---|
values | array of strings |
Example:
# Teleport Login Rule resource
resource "teleport_login_rule" "example" {
metadata = {
description = "Example Login Rule"
labels = {
"example" = "yes"
}
}
version = "v1"
priority = 0
traits_map = {
"logins" = {
values = [
"external.logins",
"external.username",
]
}
"groups" = {
values = [
"external.groups",
]
}
}
}
teleport_oidc_connector
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata holds resource metadata. | |
spec | object | * | Spec is an OIDC connector specification. |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources. | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v3 . |
metadata
Metadata holds resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is an OIDC connector specification.
Name | Type | Required | Description |
---|---|---|---|
acr_values | string | ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers. | |
allow_unverified_email | bool | AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails. | |
claims_to_roles | object | ClaimsToRoles specifies a dynamic mapping from claims to roles. | |
client_id | string | ClientID is the id of the authentication client (Teleport Auth server). | |
client_secret | string | ClientSecret is used to authenticate the client. | |
display | string | Display is the friendly name for this provider. | |
google_admin_email | string | GoogleAdminEmail is the email of a google admin to impersonate. | |
google_service_account | string | GoogleServiceAccount is a string containing google service account credentials. | |
google_service_account_uri | string | GoogleServiceAccountURI is a path to a google service account uri. | |
issuer_url | string | IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com. | |
max_age | duration | ||
prompt | string | Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. | |
provider | string | Provider is the external identity provider. | |
redirect_url | array of strings | ||
scope | array of strings | Scope specifies additional scopes set by provider. | |
username_claim | string | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. |
spec.claims_to_roles
ClaimsToRoles specifies a dynamic mapping from claims to roles.
Name | Type | Required | Description |
---|---|---|---|
claim | string | Claim is a claim name. | |
roles | array of strings | Roles is a list of static teleport roles to match. | |
value | string | Value is a claim value to match. |
Example:
# Teleport OIDC connector
#
# Please note that OIDC connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/oidc/
variable "oidc_secret" {}
resource "teleport_oidc_connector" "example" {
metadata = {
name = "example"
labels = {
test = "yes"
}
}
spec = {
client_id = "client"
client_secret = var.oidc_secret
claims_to_roles = [{
claim = "test"
roles = ["terraform"]
}]
redirect_url = ["https://example.com/redirect"]
}
}
teleport_okta_import_rule
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | * | Spec is the specification for the Okta import rule. |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is the specification for the Okta import rule.
Name | Type | Required | Description |
---|---|---|---|
mappings | object | Mappings is a list of matches that will map match conditions to labels. | |
priority | number | Priority represents the priority of the rule application. Lower numbered rules will be applied first. |
spec.mappings
Mappings is a list of matches that will map match conditions to labels.
Name | Type | Required | Description |
---|---|---|---|
add_labels | map of strings | AddLabels specifies which labels to add if any of the previous matches match. | |
match | object | Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied. |
spec.mappings.match
Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.
Name | Type | Required | Description |
---|---|---|---|
app_ids | array of strings | AppIDs is a list of app IDs to match against. | |
app_name_regexes | array of strings | AppNameRegexes is a list of regexes to match against app names. | |
group_ids | array of strings | GroupIDs is a list of group IDs to match against. | |
group_name_regexes | array of strings | GroupNameRegexes is a list of regexes to match against group names. |
Example:
# Teleport Okta Import Rule resource
resource "teleport_okta_import_rule" "example" {
metadata = {
description = "Example Okta Import Rule"
labels = {
"example" = "yes"
}
}
version = "v1"
spec = {
priority = 100
mappings = [
{
add_labels = {
"label1": "value1"
}
match = [
{
app_ids = ["1", "2", "3"]
},
],
},
{
add_labels = {
"label2": "value2"
}
match = [
{
group_ids = ["1", "2", "3"]
},
],
},
{
add_labels = {
"label3" : "value3",
}
match = [
{
group_name_regexes = ["^.*$"]
},
],
},
{
add_labels = {
"label4" : "value4",
}
match = [
{
app_name_regexes = ["^.*$"]
},
],
}
]
}
}
teleport_provision_token
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | * | Spec is a provisioning token V2 spec |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the resource version. It must be specified. Supported values are:v2 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | Name is an object name | |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a provisioning token V2 spec
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | |
aws_iid_ttl | duration | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. | |
azure | object | Azure allows the configuration of options specific to the "azure" join method. | |
bot_name | string | BotName is the name of the bot this token grants access to, if any | |
circleci | object | CircleCI allows the configuration of options specific to the "circleci" join method. | |
gcp | object | GCP allows the configuration of options specific to the "gcp" join method. | |
github | object | GitHub allows the configuration of options specific to the "github" join method. | |
gitlab | object | GitLab allows the configuration of options specific to the "gitlab" join method. | |
join_method | string | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | |
kubernetes | object | Kubernetes allows the configuration of options specific to the "kubernetes" join method. | |
roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token |
spacelift | object | Spacelift allows the configuration of options specific to the "spacelift" join method. | |
suggested_agent_matcher_labels | map of string arrays | ||
suggested_labels | map of string arrays |
spec.allow
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
aws_account | string | AWSAccount is the AWS account ID. | |
aws_arn | string | AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". | |
aws_regions | array of strings | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. | |
aws_role | string | AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API. |
spec.azure
Azure allows the configuration of options specific to the "azure" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. |
spec.azure.allow
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
resource_groups | array of strings | ResourceGroups is a list of Azure resource groups the node is allowed to join from. | |
subscription | string | Subscription is the Azure subscription. |
spec.circleci
CircleCI allows the configuration of options specific to the "circleci" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | |
organization_id | string |
spec.circleci.allow
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
context_id | string | ||
project_id | string |
spec.gcp
GCP allows the configuration of options specific to the "gcp" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. |
spec.gcp.allow
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
locations | array of strings | Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b"). | |
project_ids | array of strings | ProjectIDs is a list of project IDs (e.g. "<example-id-123456>"). | |
service_accounts | array of strings | ServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com"). |
spec.github
GitHub allows the configuration of options specific to the "github" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | |
enterprise_server_host | string | EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server. | |
enterprise_slug | string | EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. |
spec.github.allow
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
actor | string | The personal account that initiated the workflow run. | |
environment | string | The name of the environment used by the job. | |
ref | string | The git ref that triggered the workflow run. | |
ref_type | string | The type of ref, for example: "branch". | |
repository | string | The repository from where the workflow is running. This includes the name of the owner e.g gravitational/teleport | |
repository_owner | string | The name of the organization in which the repository is stored. | |
sub | string | Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run. | |
workflow | string | The name of the workflow. |
spec.gitlab
GitLab allows the configuration of options specific to the "gitlab" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | |
domain | string | Domain is the domain of your GitLab instance. This will default to gitlab.com - but can be set to the domain of your self-hosted GitLab e.g gitlab.example.com . |
spec.gitlab.allow
Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
ci_config_ref_uri | string | CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main. | |
ci_config_sha | string | CIConfigSHA is the git commit SHA for the ci_config_ref_uri. | |
deployment_tier | string | DeploymentTier is the deployment tier of the environment the job specifies | |
environment | string | Environment limits access by the environment the job deploys to (if one is associated) | |
environment_protected | bool | ||
namespace_path | string | NamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | |
pipeline_source | string | PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: web | |
project_path | string | ProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | |
project_visibility | string | ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public. | |
ref | string | Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | |
ref_protected | bool | ||
ref_type | string | RefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag | |
sub | string | Sub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | |
user_email | string | UserEmail is the email of the user executing the job | |
user_id | string | UserID is the ID of the user executing the job | |
user_login | string | UserLogin is the username of the user executing the job |
spec.kubernetes
Kubernetes allows the configuration of options specific to the "kubernetes" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. | |
static_jwks | object | StaticJWKS is the configuration specific to the static_jwks type. | |
type | string | Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - in_cluster - static_jwks If unset, this defaults to in_cluster . |
spec.kubernetes.allow
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
service_account | string | ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account". |
spec.kubernetes.static_jwks
StaticJWKS is the configuration specific to the static_jwks
type.
Name | Type | Required | Description |
---|---|---|---|
jwks | string | JWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server. |
spec.spacelift
Spacelift allows the configuration of options specific to the "spacelift" join method.
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. | |
hostname | string | Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g example.app.spacelift.io |
spec.spacelift.allow
Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
Name | Type | Required | Description |
---|---|---|---|
caller_id | string | CallerID is the ID of the caller, ie. the stack or module that generated the run. | |
caller_type | string | CallerType is the type of the caller, ie. the entity that owns the run - either stack or module . | |
scope | string | Scope is the scope of the token - either read or write . See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes | |
space_id | string | SpaceID is the ID of the space in which the run that owns the token was executed. |
Example:
# Teleport Provision Token resource
resource "teleport_provision_token" "example" {
metadata = {
expires = "2022-10-12T07:20:51Z"
description = "Example token"
labels = {
example = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
roles = ["Node", "Auth"]
}
}
resource "teleport_provision_token" "iam-token" {
metadata = {
name = "iam-token"
}
spec = {
roles = ["Bot"]
bot_name = "mybot"
join_method = "iam"
allow = [{
aws_account = "123456789012"
}]
}
}
teleport_role
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | Spec is a role specification | |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v3 , v4 , v5 , v6 , v7 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a role specification
Name | Type | Required | Description |
---|---|---|---|
allow | object | Allow is the set of conditions evaluated to grant access. | |
deny | object | Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. | |
options | object | Options is for OpenSSH options like agent forwarding. |
spec.allow
Allow is the set of conditions evaluated to grant access.
Name | Type | Required | Description |
---|---|---|---|
app_labels | map of string arrays | ||
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. | |
aws_role_arns | array of strings | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. | |
azure_identities | array of strings | AzureIdentities is a list of Azure identities this role is allowed to assume. | |
cluster_labels | map of string arrays | ||
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. | |
db_labels | map of string arrays | ||
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. | |
db_names | array of strings | DatabaseNames is a list of database names this role is allowed to connect to. | |
db_permissions | object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. | |
db_roles | array of strings | DatabaseRoles is a list of databases roles for automatic user creation. | |
db_service_labels | map of string arrays | ||
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. | |
db_users | array of strings | DatabaseUsers is a list of databases users this role is allowed to connect as. | |
desktop_groups | array of strings | DesktopGroups is a list of groups for created desktop users to be added to | |
gcp_service_accounts | array of strings | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. | |
group_labels | map of string arrays | ||
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. | |
host_groups | array of strings | HostGroups is a list of groups for created users to be added to | |
host_sudoers | array of strings | HostSudoers is a list of entries to include in a users sudoer file | |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. | |
join_sessions | object | JoinSessions specifies policies to allow users to join other sessions. | |
kubernetes_groups | array of strings | KubeGroups is a list of kubernetes groups | |
kubernetes_labels | map of string arrays | ||
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. | |
kubernetes_resources | object | KubernetesResources is the Kubernetes Resources this Role grants access to. | |
kubernetes_users | array of strings | KubeUsers is an optional kubernetes users to impersonate | |
logins | array of strings | Logins is a list of *nix system logins. | |
node_labels | map of string arrays | ||
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. | |
request | object | ||
require_session_join | object | RequireSessionJoin specifies policies for required users to start a session. | |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. | |
rules | object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. | |
spiffe | object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. | |
windows_desktop_labels | map of string arrays | ||
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. | |
windows_desktop_logins | array of strings | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.allow.db_permissions
DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
Name | Type | Required | Description |
---|---|---|---|
match | map of string arrays | ||
permissions | array of strings | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.allow.impersonate
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | Roles is a list of resources this role is allowed to impersonate | |
users | array of strings | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern | |
where | string | Where specifies optional advanced matcher |
spec.allow.join_sessions
JoinSessions specifies policies to allow users to join other sessions.
Name | Type | Required | Description |
---|---|---|---|
kinds | array of strings | Kinds are the session kinds this policy applies to. | |
modes | array of strings | Modes is a list of permitted participant modes for this policy. | |
name | string | Name is the name of the policy. | |
roles | array of strings | Roles is a list of roles that you can join the session of. |
spec.allow.kubernetes_resources
KubernetesResources is the Kubernetes Resources this Role grants access to.
Name | Type | Required | Description |
---|---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | |
name | string | Name is the resource name. It supports wildcards. | |
namespace | string | Namespace is the resource namespace. It supports wildcards. | |
verbs | array of strings | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.allow.request
Name | Type | Required | Description |
---|---|---|---|
annotations | map of string arrays | ||
claims_to_roles | object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. | |
max_duration | duration | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. | |
roles | array of strings | Roles is the name of roles which will match the request rule. | |
search_as_roles | array of strings | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. | |
suggested_reviewers | array of strings | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. | |
thresholds | object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.allow.request.claims_to_roles
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
Name | Type | Required | Description |
---|---|---|---|
claim | string | Claim is a claim name. | |
roles | array of strings | Roles is a list of static teleport roles to match. | |
value | string | Value is a claim value to match. |
spec.allow.request.thresholds
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
Name | Type | Required | Description |
---|---|---|---|
approve | number | Approve is the number of matching approvals needed for state-transition. | |
deny | number | Deny is the number of denials needed for state-transition. | |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. | |
name | string | Name is the optional human-readable name of the threshold. |
spec.allow.require_session_join
RequireSessionJoin specifies policies for required users to start a session.
Name | Type | Required | Description |
---|---|---|---|
count | number | Count is the amount of people that need to be matched for this policy to be fulfilled. | |
filter | string | Filter is a predicate that determines what users count towards this policy. | |
kinds | array of strings | Kinds are the session kinds this policy applies to. | |
modes | array of strings | Modes is the list of modes that may be used to fulfill this policy. | |
name | string | Name is the name of the policy. | |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.allow.review_requests
ReviewRequests defines conditions for submitting access reviews.
Name | Type | Required | Description |
---|---|---|---|
claims_to_roles | object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. | |
preview_as_roles | array of strings | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. | |
roles | array of strings | Roles is the name of roles which may be reviewed. | |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.allow.review_requests.claims_to_roles
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
Name | Type | Required | Description |
---|---|---|---|
claim | string | Claim is a claim name. | |
roles | array of strings | Roles is a list of static teleport roles to match. | |
value | string | Value is a claim value to match. |
spec.allow.rules
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
Name | Type | Required | Description |
---|---|---|---|
actions | array of strings | Actions specifies optional actions taken when this rule matches | |
resources | array of strings | Resources is a list of resources | |
verbs | array of strings | Verbs is a list of verbs | |
where | string | Where specifies optional advanced matcher |
spec.allow.spiffe
SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
Name | Type | Required | Description |
---|---|---|---|
dns_sans | array of strings | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com | |
ip_sans | array of strings | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 | |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.deny
Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
Name | Type | Required | Description |
---|---|---|---|
app_labels | map of string arrays | ||
app_labels_expression | string | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. | |
aws_role_arns | array of strings | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. | |
azure_identities | array of strings | AzureIdentities is a list of Azure identities this role is allowed to assume. | |
cluster_labels | map of string arrays | ||
cluster_labels_expression | string | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. | |
db_labels | map of string arrays | ||
db_labels_expression | string | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. | |
db_names | array of strings | DatabaseNames is a list of database names this role is allowed to connect to. | |
db_permissions | object | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. | |
db_roles | array of strings | DatabaseRoles is a list of databases roles for automatic user creation. | |
db_service_labels | map of string arrays | ||
db_service_labels_expression | string | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. | |
db_users | array of strings | DatabaseUsers is a list of databases users this role is allowed to connect as. | |
desktop_groups | array of strings | DesktopGroups is a list of groups for created desktop users to be added to | |
gcp_service_accounts | array of strings | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. | |
group_labels | map of string arrays | ||
group_labels_expression | string | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. | |
host_groups | array of strings | HostGroups is a list of groups for created users to be added to | |
host_sudoers | array of strings | HostSudoers is a list of entries to include in a users sudoer file | |
impersonate | object | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. | |
join_sessions | object | JoinSessions specifies policies to allow users to join other sessions. | |
kubernetes_groups | array of strings | KubeGroups is a list of kubernetes groups | |
kubernetes_labels | map of string arrays | ||
kubernetes_labels_expression | string | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. | |
kubernetes_resources | object | KubernetesResources is the Kubernetes Resources this Role grants access to. | |
kubernetes_users | array of strings | KubeUsers is an optional kubernetes users to impersonate | |
logins | array of strings | Logins is a list of *nix system logins. | |
node_labels | map of string arrays | ||
node_labels_expression | string | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. | |
request | object | ||
require_session_join | object | RequireSessionJoin specifies policies for required users to start a session. | |
review_requests | object | ReviewRequests defines conditions for submitting access reviews. | |
rules | object | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. | |
spiffe | object | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. | |
windows_desktop_labels | map of string arrays | ||
windows_desktop_labels_expression | string | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. | |
windows_desktop_logins | array of strings | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
spec.deny.db_permissions
DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
Name | Type | Required | Description |
---|---|---|---|
match | map of string arrays | ||
permissions | array of strings | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
spec.deny.impersonate
Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
Name | Type | Required | Description |
---|---|---|---|
roles | array of strings | Roles is a list of resources this role is allowed to impersonate | |
users | array of strings | Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern | |
where | string | Where specifies optional advanced matcher |
spec.deny.join_sessions
JoinSessions specifies policies to allow users to join other sessions.
Name | Type | Required | Description |
---|---|---|---|
kinds | array of strings | Kinds are the session kinds this policy applies to. | |
modes | array of strings | Modes is a list of permitted participant modes for this policy. | |
name | string | Name is the name of the policy. | |
roles | array of strings | Roles is a list of roles that you can join the session of. |
spec.deny.kubernetes_resources
KubernetesResources is the Kubernetes Resources this Role grants access to.
Name | Type | Required | Description |
---|---|---|---|
kind | string | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | |
name | string | Name is the resource name. It supports wildcards. | |
namespace | string | Namespace is the resource namespace. It supports wildcards. | |
verbs | array of strings | Verbs are the allowed Kubernetes verbs for the following resource. |
spec.deny.request
Name | Type | Required | Description |
---|---|---|---|
annotations | map of string arrays | ||
claims_to_roles | object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. | |
max_duration | duration | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. | |
roles | array of strings | Roles is the name of roles which will match the request rule. | |
search_as_roles | array of strings | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. | |
suggested_reviewers | array of strings | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. | |
thresholds | object | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
spec.deny.request.claims_to_roles
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
Name | Type | Required | Description |
---|---|---|---|
claim | string | Claim is a claim name. | |
roles | array of strings | Roles is a list of static teleport roles to match. | |
value | string | Value is a claim value to match. |
spec.deny.request.thresholds
Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.
Name | Type | Required | Description |
---|---|---|---|
approve | number | Approve is the number of matching approvals needed for state-transition. | |
deny | number | Deny is the number of denials needed for state-transition. | |
filter | string | Filter is an optional predicate used to determine which reviews count toward this threshold. | |
name | string | Name is the optional human-readable name of the threshold. |
spec.deny.require_session_join
RequireSessionJoin specifies policies for required users to start a session.
Name | Type | Required | Description |
---|---|---|---|
count | number | Count is the amount of people that need to be matched for this policy to be fulfilled. | |
filter | string | Filter is a predicate that determines what users count towards this policy. | |
kinds | array of strings | Kinds are the session kinds this policy applies to. | |
modes | array of strings | Modes is the list of modes that may be used to fulfill this policy. | |
name | string | Name is the name of the policy. | |
on_leave | string | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. |
spec.deny.review_requests
ReviewRequests defines conditions for submitting access reviews.
Name | Type | Required | Description |
---|---|---|---|
claims_to_roles | object | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. | |
preview_as_roles | array of strings | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. | |
roles | array of strings | Roles is the name of roles which may be reviewed. | |
where | string | Where is an optional predicate which further limits which requests are reviewable. |
spec.deny.review_requests.claims_to_roles
ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
Name | Type | Required | Description |
---|---|---|---|
claim | string | Claim is a claim name. | |
roles | array of strings | Roles is a list of static teleport roles to match. | |
value | string | Value is a claim value to match. |
spec.deny.rules
Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
Name | Type | Required | Description |
---|---|---|---|
actions | array of strings | Actions specifies optional actions taken when this rule matches | |
resources | array of strings | Resources is a list of resources | |
verbs | array of strings | Verbs is a list of verbs | |
where | string | Where specifies optional advanced matcher |
spec.deny.spiffe
SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
Name | Type | Required | Description |
---|---|---|---|
dns_sans | array of strings | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com | |
ip_sans | array of strings | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42 | |
path | string | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar |
spec.options
Options is for OpenSSH options like agent forwarding.
Name | Type | Required | Description |
---|---|---|---|
cert_extensions | object | CertExtensions specifies the key/values | |
cert_format | string | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. | |
client_idle_timeout | duration | ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration. | |
create_db_user | bool | ||
create_db_user_mode | number | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". | |
create_desktop_user | bool | ||
create_host_user | bool | ||
create_host_user_mode | number | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". | |
desktop_clipboard | bool | ||
desktop_directory_sharing | bool | ||
device_trust_mode | string | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport. | |
disconnect_expired_cert | bool | DisconnectExpiredCert sets disconnect clients on expired certificates. | |
enhanced_recording | array of strings | BPF defines what events to record for the BPF-based session recorder. | |
forward_agent | bool | ForwardAgent is SSH agent forwarding. | |
idp | object | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | |
lock | string | Lock specifies the locking mode (strict | |
max_connections | number | MaxConnections defines the maximum number of concurrent connections a user may hold. | |
max_kubernetes_connections | number | MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold. | |
max_session_ttl | duration | MaxSessionTTL defines how long a SSH session can last for. | |
max_sessions | number | MaxSessions defines the maximum number of concurrent sessions per connection. | |
permit_x11_forwarding | bool | PermitX11Forwarding authorizes use of X11 forwarding. | |
pin_source_ip | bool | PinSourceIP forces the same client IP for certificate generation and usage | |
port_forwarding | bool | ||
record_session | object | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. | |
request_access | string | RequestAccess defines the access request strategy (optional | |
request_prompt | string | RequestPrompt is an optional message which tells users what they aught to request. | |
require_session_mfa | number | RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". | |
ssh_file_copy | bool |
spec.options.cert_extensions
CertExtensions specifies the key/values
Name | Type | Required | Description |
---|---|---|---|
mode | number | Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension". | |
name | string | Name specifies the key to be used in the cert extension. | |
type | number | Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh". | |
value | string | Value specifies the value to be used in the cert extension. |
spec.options.idp
IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
Name | Type | Required | Description |
---|---|---|---|
saml | object | SAML are options related to the Teleport SAML IdP. |
spec.options.idp.saml
SAML are options related to the Teleport SAML IdP.
Name | Type | Required | Description |
---|---|---|---|
enabled | bool |
spec.options.record_session
RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
Name | Type | Required | Description |
---|---|---|---|
default | string | Default indicates the default value for the services. | |
desktop | bool | ||
ssh | string | SSH indicates the session mode used on SSH sessions. |
Example:
# Teleport Role resource
resource "teleport_role" "example" {
metadata = {
name = "example"
description = "Example Teleport Role"
expires = "2022-10-12T07:20:51Z"
labels = {
example = "yes"
}
}
spec = {
options = {
forward_agent = false
max_session_ttl = "7m"
port_forwarding = false
client_idle_timeout = "1h"
disconnect_expired_cert = true
permit_x11_forwarding = false
request_access = "denied"
}
allow = {
logins = ["example"]
rules = [{
resources = ["user", "role"]
verbs = ["list"]
}]
request = {
roles = ["example"]
claims_to_roles = [{
claim = "example"
value = "example"
roles = ["example"]
}]
}
node_labels = {
example = ["yes"]
}
}
deny = {
logins = ["anonymous"]
}
}
}
teleport_saml_connector
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata holds resource metadata. | |
spec | object | * | Spec is an SAML connector specification. |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources. | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v2 . |
metadata
Metadata holds resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is an SAML connector specification.
Name | Type | Required | Description |
---|---|---|---|
acs | string | * | AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side). |
allow_idp_initiated | bool | AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins. | |
assertion_key_pair | object | EncryptionKeyPair is a key pair used for decrypting SAML assertions. | |
attributes_to_roles | object | * | AttributesToRoles is a list of mappings of attribute statements to roles. |
audience | string | Audience uniquely identifies our service provider. | |
cert | string | Cert is the identity provider certificate PEM. IDP signs <Response> responses using this certificate. | |
display | string | Display controls how this connector is displayed. | |
entity_descriptor | string | EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. | |
entity_descriptor_url | string | EntityDescriptorURL is a URL that supplies a configuration XML. | |
issuer | string | Issuer is the identity provider issuer. | |
provider | string | Provider is the external identity provider. | |
service_provider_issuer | string | ServiceProviderIssuer is the issuer of the service provider (Teleport). | |
signing_key_pair | object | SigningKeyPair is an x509 key pair used to sign AuthnRequest. | |
sso | string | SSO is the URL of the identity provider's SSO service. |
spec.assertion_key_pair
EncryptionKeyPair is a key pair used for decrypting SAML assertions.
Name | Type | Required | Description |
---|---|---|---|
cert | string | Cert is a PEM-encoded x509 certificate. | |
private_key | string | PrivateKey is a PEM encoded x509 private key. |
spec.attributes_to_roles
AttributesToRoles is a list of mappings of attribute statements to roles.
Name | Type | Required | Description |
---|---|---|---|
name | string | Name is an attribute statement name. | |
roles | array of strings | Roles is a list of static teleport roles to map to. | |
value | string | Value is an attribute statement value to match. |
spec.signing_key_pair
SigningKeyPair is an x509 key pair used to sign AuthnRequest.
Name | Type | Required | Description |
---|---|---|---|
cert | string | Cert is a PEM-encoded x509 certificate. | |
private_key | string | PrivateKey is a PEM encoded x509 private key. |
Example:
# Teleport SAML connector
#
# Please note that SAML connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/okta/
resource "teleport_saml_connector" "example" {
# This block will tell Terraform to never update private key from our side if a keys are managed
# from an outside of Terraform.
# lifecycle {
# ignore_changes = [
# spec[0].signing_key_pair[0].cert,
# spec[0].signing_key_pair[0].private_key,
# spec[0].assertion_key_pair[0].cert,
# spec[0].assertion_key_pair[0].private_key,
# ]
# }
# This section tells Terraform that role example must be created before the SAML connector
depends_on = [
teleport_role.example
]
metadata = {
name = "example"
}
spec = {
attributes_to_roles = [{
name = "groups"
roles = ["example"]
value = "okta-admin"
},
{
name = "groups"
roles = ["example"]
value = "okta-dev"
}]
acs = "https://localhost:3025/v1/webapi/saml/acs"
entity_descriptor = ""
}
}
teleport_session_recording_config
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | Spec is a SessionRecordingConfig specification | |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the resource version. It must be specified. Supported values are:v2 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a SessionRecordingConfig specification
Name | Type | Required | Description |
---|---|---|---|
mode | string | Mode controls where (or if) the session is recorded. | |
proxy_checks_host_keys | bool |
Example:
# Teleport session recording config
resource "teleport_session_recording_config" "example" {
metadata = {
description = "Session recording config"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
proxy_checks_host_keys = true
}
}
teleport_trusted_cluster
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata holds resource metadata. | |
spec | object | * | Spec is a Trusted Cluster specification. |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources. | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v2 . |
metadata
Metadata holds resource metadata.
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a Trusted Cluster specification.
Name | Type | Required | Description |
---|---|---|---|
enabled | bool | Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. Setting Enabled to false has a side effect of deleting the user and host certificate authority (CA). | |
role_map | object | RoleMap specifies role mappings to remote roles. | |
roles | array of strings | Roles is a list of roles that users will be assuming when connecting to this cluster. | |
token | string | Token is the authorization token provided by another cluster needed by this cluster to join. | |
tunnel_addr | string | ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default reverse tunnel port>. | |
web_proxy_addr | string | ProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default web proxy server port>. |
spec.role_map
RoleMap specifies role mappings to remote roles.
Name | Type | Required | Description |
---|---|---|---|
local | array of strings | Local specifies local roles to map to | |
remote | string | Remote specifies remote role name to map from |
Example:
# Teleport trusted cluster
#
# https://goteleport.com/docs/setup/admin/trustedclusters/
resource "teleport_trusted_cluster" "cluster" {
metadata = {
name = "primary"
labels = {
test = "yes"
}
}
spec = {
enabled = false
role_map = [{
remote = "test"
local = ["admin"]
}]
proxy_addr = "localhost:3080"
token = "salami"
}
}
teleport_trusted_device
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | Specification of the device. | |
version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
labels | map of strings | Labels is a set of labels | |
name | string | Name is an object name | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Specification of the device.
Name | Type | Required | Description |
---|---|---|---|
asset_tag | string | * | |
enroll_status | string | ||
os_type | string | * | |
owner | string | ||
source | object |
spec.source
Name | Type | Required | Description |
---|---|---|---|
name | string | ||
origin | string |
Example:
# Trusted device resource
resource "teleport_trusted_device" "TESTDEVICE1" {
spec = {
asset_tag = "TESTDEVICE1"
os_type = "macos"
}
}
teleport_user
Name | Type | Required | Description |
---|---|---|---|
metadata | object | Metadata is resource metadata | |
spec | object | Spec is a user specification | |
sub_kind | string | SubKind is an optional resource sub kind, used in some resources | |
version | string | * | Version is the resource version. It must be specified. Supported values are: v2 . |
metadata
Metadata is resource metadata
Name | Type | Required | Description |
---|---|---|---|
description | string | Description is object description | |
expires | RFC3339 time | Expires is a global expiry time header can be set on any resource in the system. | |
labels | map of strings | Labels is a set of labels | |
name | string | * | Name is an object name |
namespace | string | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | |
revision | string | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |
spec
Spec is a user specification
Name | Type | Required | Description |
---|---|---|---|
github_identities | object | GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity | |
oidc_identities | object | OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity | |
roles | array of strings | Roles is a list of roles assigned to user | |
saml_identities | object | SAMLIdentities lists associated SAML identities that let user log in using externally verified identity | |
traits | map of string arrays | ||
trusted_device_ids | array of strings | TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits. |
spec.github_identities
GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity
Name | Type | Required | Description |
---|---|---|---|
connector_id | string | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | |
username | string | Username is username supplied by external identity provider |
spec.oidc_identities
OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity
Name | Type | Required | Description |
---|---|---|---|
connector_id | string | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | |
username | string | Username is username supplied by external identity provider |
spec.saml_identities
SAMLIdentities lists associated SAML identities that let user log in using externally verified identity
Name | Type | Required | Description |
---|---|---|---|
connector_id | string | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | |
username | string | Username is username supplied by external identity provider |
Example:
# Teleport User resource
resource "teleport_user" "example" {
# Tells Terraform that the role could not be destroyed while this user exists
depends_on = [
teleport_role.example
]
metadata = {
name = "example"
description = "Example Teleport User"
expires = "2022-10-12T07:20:50Z"
labels = {
example = "yes"
}
}
spec = {
roles = ["example"]
oidc_identities = [{
connector_id = "oidc1"
username = "example"
}]
traits = {
"logins1" = ["example"]
"logins2" = ["example"]
}
github_identities = [{
connector_id = "github"
username = "example"
}]
saml_identities = [{
connector_id = "example-saml"
username = "example"
}]
}
}