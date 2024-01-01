Version: 18.x

# Discovery Config Reference

## Discovery Config

Kind: discovery_config

Version: v1

Describes extra discovery matchers that are added to DiscoveryServices that share the same Discovery Group.

Example:

```yaml
kind: "string"
sub_kind: "string"
version: "string"
metadata:
spec:
status:
```

| Field Name | Description | Type |
|---|---|---|
| kind | A resource kind. | string |
| metadata | Metadata for the resource. | Metadata |
| spec | The specification for the discovery config. | Spec |
| status | The status for the discovery config. | Status |
| sub_kind | An optional resource sub kind, used in some resources. | string |
| version | The resource version. | string |

## AWS Matcher

Matches AWS EC2 instances and AWS databases.

Example:

```yaml
types:
  - "string"
  - "string"
  - "string"
regions:
  - "string"
  - "string"
  - "string"
assume_role:
tags:
install:
ssm:
integration: "string"
kube_app_discovery: true
setup_access_for_arn: "string"
organization:
```

| Field Name | Description | Type |
|---|---|---|
| assume_role | The ARN of the AWS role to assume for database discovery. | Assume Role |
| install | Sets the join method when installing on discovered EC2 nodes. | Installer Params |
| integration | The integration name used to generate credentials to interact with AWS APIs. Environment credentials will not be used when this value is set. | string |
| kube_app_discovery | Controls whether Kubernetes App Discovery will be enabled for agents running on discovered clusters. Currently only affects AWS EKS discovery in integration mode. | Boolean |
| organization | An AWS Organization matcher for discovering resources across multiple accounts under an Organization. | AWS Organization Matcher |
| regions | AWS regions to query for databases. | []string |
| setup_access_for_arn | The role that the Discovery Service should create EKS Access Entries for. This value should match the IAM identity that the Teleport Kubernetes Service uses. If this value is empty, the Discovery Service will attempt to set up access for its own identity (self). | string |
| ssm | Provides options to use when sending a document command to an EC2 node. | AWSSSM |
| tags | AWS resource tags to match. | Labels |
| types | AWS database types to match: "ec2", "rds", "redshift", "elasticache", or "memorydb". | []string |

## AWS Organization Matcher

Specifies an Organization and the rules for discovering accounts under that Organization.

Example:

```yaml
organization_id: "string"
organizational_units:
```

| Field Name | Description | Type |
|---|---|---|
| organization_id | The AWS Organization ID to match against. Required. | string |
| organizational_units | Contains rules for matching AWS accounts based on their Organizational Units. | AWS Organization Units Matcher |

## AWS Organization Units Matcher

Contains rules for matching accounts under an Organization. Accounts that belong to an excluded Organizational Unit, or to any of its children, are excluded even if they were also included.

Example:

```yaml
include:
  - "string"
  - "string"
  - "string"
exclude:
  - "string"
  - "string"
  - "string"
```

| Field Name | Description | Type |
|---|---|---|
| exclude | A list of AWS Organizational Unit IDs to exclude. Only exact matches or the wildcard (*) are supported. If empty, no Organizational Units are excluded by default. | []string |
| include | A list of AWS Organizational Unit IDs to match. Only exact matches or the wildcard (*) are supported. If empty, all Organizational Units are included by default. | []string |
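The include/exclude precedence described above, worked through as an added example (not Teleport's own code). The OU tree and account IDs are constructed sample data; it assumes that an account belongs to every OU on its path from the root, so an include rule on a parent OU also admits accounts in child OUs, and that "*" is the only wildcard form.

```python
"""Evaluate organizational_units include/exclude rules against a constructed OU tree."""
from __future__ import annotations

# Constructed sample OU tree: child OU id -> parent OU id (root has no parent).
OU_PARENTS: dict[str, str | None] = {
    "ou-root-1": None,
    "ou-prod-1": "ou-root-1",
    "ou-prod-pci-1": "ou-prod-1",
    "ou-dev-1": "ou-root-1",
}

# Constructed sample accounts: account id -> the OU the account is placed in.
ACCOUNT_OU: dict[str, str] = {
    "111111111111": "ou-prod-1",
    "222222222222": "ou-prod-pci-1",
    "333333333333": "ou-dev-1",
}


def ou_path(ou_id: str | None) -> list[str]:
    """Return the OU and all of its ancestors, nearest first (assumption: membership is inherited)."""
    path: list[str] = []
    while ou_id is not None:
        path.append(ou_id)
        ou_id = OU_PARENTS[ou_id]
    return path


def rule_matches(rule_ids: list[str], path: list[str]) -> bool:
    """Only exact OU id matches or the bare "*" wildcard count; no glob patterns."""
    return "*" in rule_ids or any(ou in rule_ids for ou in path)


def account_selected(account_id: str, include: list[str], exclude: list[str]) -> bool:
    """Exclude wins: a matching exclude on any OU in the path rejects the account
    even when an include also matches. An empty include list admits everything."""
    path = ou_path(ACCOUNT_OU[account_id])
    if exclude and rule_matches(exclude, path):
        return False
    return not include or rule_matches(include, path)


def select_accounts(include: list[str], exclude: list[str]) -> list[str]:
    """Return the sorted account ids that the matcher would discover."""
    return sorted(a for a in ACCOUNT_OU if account_selected(a, include, exclude))
```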

## AWSSSM

Provides options to use when executing SSM documents.

Example:

```yaml
document_name: "string"
```

| Field Name | Description | Type |
|---|---|---|
| document_name | The name of the document to use when executing an SSM command. | string |

## Access Graph AWS Sync

A configuration for the AWS Access Graph poll service.

Example:

```yaml
regions:
  - "string"
  - "string"
  - "string"
assume_role:
integration: "string"
cloud_trail_logs:
eks_audit_logs:
```

| Field Name | Description | Type |
|---|---|---|
| assume_role | The ARN of the AWS role to assume for database discovery. | Assume Role |
| cloud_trail_logs | Configuration settings for collecting AWS CloudTrail logs via an SQS queue. | Access Graph AWS Sync Cloud Trail Logs |
| eks_audit_logs | Settings for ingesting Kubernetes apiserver audit logs from EKS clusters. | Access Graph AWS Sync EKS Audit Logs |
| integration | The integration name used to generate credentials to interact with AWS APIs. | string |
| regions | AWS regions to import resources from. | []string |

## Access Graph AWS Sync Cloud Trail Logs

Defines settings for ingesting AWS CloudTrail logs by polling an SQS queue that receives notifications about new log files.

Example:

```yaml
region: "string"
sqs_queue: "string"
```

| Field Name | Description | Type |
|---|---|---|
| region | The AWS region of the SQS queue for CloudTrail notifications, e.g. "us-east-2". | string |
| sqs_queue | The name or URL of the SQS queue that receives CloudTrail log events, e.g. "demo-cloudtrail-queue". | string |

## Access Graph AWS Sync EKS Audit Logs

Defines the settings for ingesting Kubernetes apiserver audit logs from EKS clusters.

Example:

```yaml
tags:
```

| Field Name | Description | Type |
|---|---|---|
| tags | The tags of EKS clusters for which apiserver audit logs should be fetched. | Labels |

## Access Graph Azure Sync

A configuration for the Azure Access Graph poll service.

Example:

```yaml
subscription_id: "string"
integration: "string"
```

| Field Name | Description | Type |
|---|---|---|
| integration | The integration name used to generate credentials to interact with AWS APIs. | string |
| subscription_id | The ID of the Azure subscription to sync resources from. | string |

## Access Graph Sync

A configuration for the Access Graph service.

Example:

```yaml
aws:
  -
  -
  -
poll_interval:
azure:
  -
  -
  -
```

| Field Name | Description | Type |
|---|---|---|
| aws | A configuration for the AWS Access Graph poll service. | []Access Graph AWS Sync |
| azure | A configuration for the Azure Access Graph poll service. | []Access Graph Azure Sync |
| poll_interval | The frequency at which to poll for resources. | |

## Assume Role

Provides a role ARN and ExternalID to assume an AWS role when interacting with AWS resources.

Example:

```yaml
role_arn: "string"
external_id: "string"
```

| Field Name | Description | Type |
|---|---|---|
| external_id | The external ID used to assume a role in another account. | string |
| role_arn | The fully specified AWS IAM role ARN. | string |

## Azure Installer Params

The set of Azure-specific installation parameters.

Example:

```yaml
client_id: "string"
```

| Field Name | Description | Type |
|---|---|---|
| client_id | The client ID of the managed identity that discovered nodes should use to join the cluster. | string |

## Azure Matcher

Matches Azure resources. It defines which resource types to match, the filters to apply, and some configuration parameters.

Example:

```yaml
subscriptions:
  - "string"
  - "string"
  - "string"
resource_groups:
  - "string"
  - "string"
  - "string"
types:
  - "string"
  - "string"
  - "string"
regions:
  - "string"
  - "string"
  - "string"
tags:
install_params:
integration: "string"
```

| Field Name | Description | Type |
|---|---|---|
| install_params | Sets the join method when installing on discovered Azure nodes. | Installer Params |
| integration | The integration name used to generate credentials to interact with Azure APIs. Environment credentials will not be used when this value is set. | string |
| regions | Azure locations to match for databases. | []string |
| resource_groups | Azure resource groups to query for resources. | []string |
| subscriptions | Azure subscriptions to query for resources. | []string |
| tags | Azure tags on resources to match. | Labels |
| types | Azure types to match: "mysql", "postgres", "aks", "vm". | []string |

## GCP Matcher

Matches GCP resources.

Example:

```yaml
types:
  - "string"
  - "string"
  - "string"
locations:
  - "string"
  - "string"
  - "string"
tags:
project_ids:
  - "string"
  - "string"
  - "string"
service_accounts:
  - "string"
  - "string"
  - "string"
install_params:
labels:
```

| Field Name | Description | Type |
|---|---|---|
| install_params | Sets the join method when installing on discovered GCP nodes. | Installer Params |
| labels | GCP labels to match. | Labels |
| locations | GKE locations to search resources for. | []string |
| project_ids | The GCP project IDs where the resources are deployed. | []string |
| service_accounts | The emails of service accounts attached to VMs. | []string |
| tags | Obsolete and only exists for backwards compatibility. Use labels instead. | Labels |
| types | GKE resource types to match: "gke", "vm". | []string |

## HTTP Proxy Settings

Defines HTTP proxy settings for making HTTP and HTTPS requests.

Example:

```yaml
http_proxy: "string"
https_proxy: "string"
no_proxy: "string"
```

| Field Name | Description | Type |
|---|---|---|
| http_proxy | The URL of the HTTP proxy to use when making requests. When applied, this will set the HTTP_PROXY environment variable. | string |
| https_proxy | The URL of the HTTPS proxy to use when making requests. When applied, this will set the HTTPS_PROXY environment variable. | string |
| no_proxy | A comma-separated list of URLs that will be excluded from proxying. When applied, this will set the NO_PROXY environment variable. | string |

## Install Param Enroll Mode

The mode used to enroll the node into the cluster.

## Installer Params

InstallParams sets the join method to use on discovered nodes.

Example:

```yaml
join_method:
join_token: "string"
script_name: "string"
install_teleport: true
sshd_config: "string"
proxy_addr: "string"
azure:
enroll_mode:
suffix: "string"
update_group: "string"
http_proxy_settings:
```

| Field Name | Description | Type |
|---|---|---|
| azure | The set of Azure-specific installation parameters. | Azure Installer Params |
| enroll_mode | Indicates the enrollment mode to be used when adding a node. Valid values: 0 uses eice for EC2 matchers which use an integration, and script for all the other methods; 1 uses script mode; 2 uses eice mode. | Install Param Enroll Mode |
| http_proxy_settings | Defines HTTP proxy settings for making HTTP requests. When set, this will set the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables before running the installation. | HTTP Proxy Settings |
| install_teleport | Disables agentless discovery. | Boolean |
| join_method | The method to use when joining the cluster. | Join Method |
| join_token | The token to use when joining the cluster. | string |
| proxy_addr | The address of the proxy the discovered node should use to connect to the cluster. | string |
| script_name | The name of the teleport installer script resource for the cloud instance to execute. | string |
| sshd_config | Provides the path to write sshd configuration changes. | string |
| suffix | Indicates the installation suffix for the teleport installation. Set this value if you want multiple installations of Teleport. See the --install-suffix flag in the teleport-update program. Note: only supported for Amazon EC2. The suffix name can only contain alphanumeric characters and hyphens. | string |
| update_group | Indicates the update group for the teleport installation. This value is used to group installations in order to update them in batches. See the --group flag in the teleport-update program. Note: only supported for Amazon EC2. The group name can only contain alphanumeric characters and hyphens. | string |

## Join Method

The method used for new nodes to join the cluster.

## Kubernetes Matcher

Matches Kubernetes services.

Example:

```yaml
types:
  - "string"
  - "string"
  - "string"
namespaces:
  - "string"
  - "string"
  - "string"
labels:
```

| Field Name | Description | Type |
|---|---|---|
| labels | Kubernetes service labels to match. | Labels |
| namespaces | Kubernetes namespaces in which to discover services. | []string |
| types | Kubernetes service types to match. Currently only 'app' is supported. | []string |

## Labels

A wrapper around a map that can marshal and unmarshal itself from scalar and list values.

## Metadata

Resource metadata.

Example:

```yaml
name: "string"
description: "string"
labels:
  "string": "string"
  "string": "string"
  "string": "string"
expires:
revision: "string"
```

| Field Name | Description | Type |
|---|---|---|
| description | Object description. | string |
| expires | A global expiry time header that can be set on any resource in the system. | |
| labels | A set of labels. | map[string]string |
| name | An object name. | string |
| revision | An opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. | string |

## Spec

The specification for a discovery config.

Example:

```yaml
discovery_group: "string"
aws:
  -
  -
  -
azure:
  -
  -
  -
gcp:
  -
  -
  -
kube:
  -
  -
  -
access_graph:
```

| Field Name | Description | Type |
|---|---|---|
| access_graph | The configuration for the Access Graph Cloud sync. | Access Graph Sync |
| aws | A list of matchers for the supported resources in AWS. | []AWS Matcher |
| azure | A list of matchers for the supported resources in Azure. | []Azure Matcher |
| discovery_group | The Discovery Group for the current DiscoveryConfig. DiscoveryServices should include all the matchers if the DiscoveryGroup matches their own group. | string |
| gcp | A list of matchers for the supported resources in GCP. | []GCP Matcher |
| kube | A list of matchers for the supported resources in Kubernetes. | []Kubernetes Matcher |

## Status

Holds dynamic information about the running status of the discovery configuration, such as errors, state, and the count of discovered resources.

Example:

```yaml
state: "string"
error_message: "string"
discovered_resources: 1
last_sync_time:
integration_discovered_resources:
  "string":
  "string":
  "string":
```