Hardening Infrastructure Security Against SSO Identity Provider Compromise
Jul 11
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Fork me on GitHub

Teleport

Reference for the teleport_role Terraform data-source

Version 16.x

Schema

Required

  • version (String) Version is the resource version. It must be specified. Supported values are: v3, v4, v5, v6, v7.

Optional

  • metadata (Attributes) Metadata is resource metadata (see below for nested schema)
  • spec (Attributes) Spec is a role specification (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources

Nested Schema for metadata

Required:

  • name (String) Name is an object name

Optional:

  • description (String) Description is object description
  • expires (String) Expires is a global expiry time header can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels

Nested Schema for spec

Optional:

  • allow (Attributes) Allow is the set of conditions evaluated to grant access. (see below for nested schema)
  • deny (Attributes) Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. (see below for nested schema)
  • options (Attributes) Options is for OpenSSH options like agent forwarding. (see below for nested schema)

Nested Schema for spec.allow

Optional:

  • app_labels (Map of List of String)
  • app_labels_expression (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
  • aws_role_arns (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
  • azure_identities (List of String) AzureIdentities is a list of Azure identities this role is allowed to assume.
  • cluster_labels (Map of List of String)
  • cluster_labels_expression (String) ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
  • db_labels (Map of List of String)
  • db_labels_expression (String) DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
  • db_names (List of String) DatabaseNames is a list of database names this role is allowed to connect to.
  • db_permissions (Attributes List) DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. (see below for nested schema)
  • db_roles (List of String) DatabaseRoles is a list of databases roles for automatic user creation.
  • db_service_labels (Map of List of String)
  • db_service_labels_expression (String) DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
  • db_users (List of String) DatabaseUsers is a list of databases users this role is allowed to connect as.
  • desktop_groups (List of String) DesktopGroups is a list of groups for created desktop users to be added to
  • gcp_service_accounts (List of String) GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
  • group_labels (Map of List of String)
  • group_labels_expression (String) GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
  • host_groups (List of String) HostGroups is a list of groups for created users to be added to
  • host_sudoers (List of String) HostSudoers is a list of entries to include in a users sudoer file
  • impersonate (Attributes) Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. (see below for nested schema)
  • join_sessions (Attributes List) JoinSessions specifies policies to allow users to join other sessions. (see below for nested schema)
  • kubernetes_groups (List of String) KubeGroups is a list of kubernetes groups
  • kubernetes_labels (Map of List of String)
  • kubernetes_labels_expression (String) KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
  • kubernetes_resources (Attributes List) KubernetesResources is the Kubernetes Resources this Role grants access to. (see below for nested schema)
  • kubernetes_users (List of String) KubeUsers is an optional kubernetes users to impersonate
  • logins (List of String) Logins is a list of *nix system logins.
  • node_labels (Map of List of String)
  • node_labels_expression (String) NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
  • request (Attributes) (see below for nested schema)
  • require_session_join (Attributes List) RequireSessionJoin specifies policies for required users to start a session. (see below for nested schema)
  • review_requests (Attributes) ReviewRequests defines conditions for submitting access reviews. (see below for nested schema)
  • rules (Attributes List) Rules is a list of rules and their access levels. Rules are a high level construct used for access control. (see below for nested schema)
  • spiffe (Attributes List) SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. (see below for nested schema)
  • windows_desktop_labels (Map of List of String)
  • windows_desktop_labels_expression (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
  • windows_desktop_logins (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.

Nested Schema for spec.allow.db_permissions

Optional:

  • match (Map of List of String)
  • permissions (List of String) Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

Nested Schema for spec.allow.impersonate

Optional:

  • roles (List of String) Roles is a list of resources this role is allowed to impersonate
  • users (List of String) Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
  • where (String) Where specifies optional advanced matcher

Nested Schema for spec.allow.join_sessions

Optional:

  • kinds (List of String) Kinds are the session kinds this policy applies to.
  • modes (List of String) Modes is a list of permitted participant modes for this policy.
  • name (String) Name is the name of the policy.
  • roles (List of String) Roles is a list of roles that you can join the session of.

Nested Schema for spec.allow.kubernetes_resources

Optional:

  • kind (String) Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
  • name (String) Name is the resource name. It supports wildcards.
  • namespace (String) Namespace is the resource namespace. It supports wildcards.
  • verbs (List of String) Verbs are the allowed Kubernetes verbs for the following resource.

Nested Schema for spec.allow.request

Optional:

  • annotations (Map of List of String)
  • claims_to_roles (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see below for nested schema)
  • max_duration (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
  • roles (List of String) Roles is the name of roles which will match the request rule.
  • search_as_roles (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
  • suggested_reviewers (List of String) SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
  • thresholds (Attributes List) Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. (see below for nested schema)

Nested Schema for spec.allow.request.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.allow.request.thresholds

Optional:

  • approve (Number) Approve is the number of matching approvals needed for state-transition.
  • deny (Number) Deny is the number of denials needed for state-transition.
  • filter (String) Filter is an optional predicate used to determine which reviews count toward this threshold.
  • name (String) Name is the optional human-readable name of the threshold.

Nested Schema for spec.allow.require_session_join

Optional:

  • count (Number) Count is the amount of people that need to be matched for this policy to be fulfilled.
  • filter (String) Filter is a predicate that determines what users count towards this policy.
  • kinds (List of String) Kinds are the session kinds this policy applies to.
  • modes (List of String) Modes is the list of modes that may be used to fulfill this policy.
  • name (String) Name is the name of the policy.
  • on_leave (String) OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

Nested Schema for spec.allow.review_requests

Optional:

  • claims_to_roles (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see below for nested schema)
  • preview_as_roles (List of String) PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
  • roles (List of String) Roles is the name of roles which may be reviewed.
  • where (String) Where is an optional predicate which further limits which requests are reviewable.

Nested Schema for spec.allow.review_requests.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.allow.rules

Optional:

  • actions (List of String) Actions specifies optional actions taken when this rule matches
  • resources (List of String) Resources is a list of resources
  • verbs (List of String) Verbs is a list of verbs
  • where (String) Where specifies optional advanced matcher

Nested Schema for spec.allow.spiffe

Optional:

  • dns_sans (List of String) DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
  • ip_sans (List of String) IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
  • path (String) Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

Nested Schema for spec.deny

Optional:

  • app_labels (Map of List of String)
  • app_labels_expression (String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
  • aws_role_arns (List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
  • azure_identities (List of String) AzureIdentities is a list of Azure identities this role is allowed to assume.
  • cluster_labels (Map of List of String)
  • cluster_labels_expression (String) ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
  • db_labels (Map of List of String)
  • db_labels_expression (String) DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
  • db_names (List of String) DatabaseNames is a list of database names this role is allowed to connect to.
  • db_permissions (Attributes List) DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. (see below for nested schema)
  • db_roles (List of String) DatabaseRoles is a list of databases roles for automatic user creation.
  • db_service_labels (Map of List of String)
  • db_service_labels_expression (String) DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
  • db_users (List of String) DatabaseUsers is a list of databases users this role is allowed to connect as.
  • desktop_groups (List of String) DesktopGroups is a list of groups for created desktop users to be added to
  • gcp_service_accounts (List of String) GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
  • group_labels (Map of List of String)
  • group_labels_expression (String) GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
  • host_groups (List of String) HostGroups is a list of groups for created users to be added to
  • host_sudoers (List of String) HostSudoers is a list of entries to include in a users sudoer file
  • impersonate (Attributes) Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. (see below for nested schema)
  • join_sessions (Attributes List) JoinSessions specifies policies to allow users to join other sessions. (see below for nested schema)
  • kubernetes_groups (List of String) KubeGroups is a list of kubernetes groups
  • kubernetes_labels (Map of List of String)
  • kubernetes_labels_expression (String) KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
  • kubernetes_resources (Attributes List) KubernetesResources is the Kubernetes Resources this Role grants access to. (see below for nested schema)
  • kubernetes_users (List of String) KubeUsers is an optional kubernetes users to impersonate
  • logins (List of String) Logins is a list of *nix system logins.
  • node_labels (Map of List of String)
  • node_labels_expression (String) NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
  • request (Attributes) (see below for nested schema)
  • require_session_join (Attributes List) RequireSessionJoin specifies policies for required users to start a session. (see below for nested schema)
  • review_requests (Attributes) ReviewRequests defines conditions for submitting access reviews. (see below for nested schema)
  • rules (Attributes List) Rules is a list of rules and their access levels. Rules are a high level construct used for access control. (see below for nested schema)
  • spiffe (Attributes List) SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. (see below for nested schema)
  • windows_desktop_labels (Map of List of String)
  • windows_desktop_labels_expression (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
  • windows_desktop_logins (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.

Nested Schema for spec.deny.db_permissions

Optional:

  • match (Map of List of String)
  • permissions (List of String) Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

Nested Schema for spec.deny.impersonate

Optional:

  • roles (List of String) Roles is a list of resources this role is allowed to impersonate
  • users (List of String) Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
  • where (String) Where specifies optional advanced matcher

Nested Schema for spec.deny.join_sessions

Optional:

  • kinds (List of String) Kinds are the session kinds this policy applies to.
  • modes (List of String) Modes is a list of permitted participant modes for this policy.
  • name (String) Name is the name of the policy.
  • roles (List of String) Roles is a list of roles that you can join the session of.

Nested Schema for spec.deny.kubernetes_resources

Optional:

  • kind (String) Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
  • name (String) Name is the resource name. It supports wildcards.
  • namespace (String) Namespace is the resource namespace. It supports wildcards.
  • verbs (List of String) Verbs are the allowed Kubernetes verbs for the following resource.

Nested Schema for spec.deny.request

Optional:

  • annotations (Map of List of String)
  • claims_to_roles (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see below for nested schema)
  • max_duration (String) MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
  • roles (List of String) Roles is the name of roles which will match the request rule.
  • search_as_roles (List of String) SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
  • suggested_reviewers (List of String) SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
  • thresholds (Attributes List) Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. (see below for nested schema)

Nested Schema for spec.deny.request.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.deny.request.thresholds

Optional:

  • approve (Number) Approve is the number of matching approvals needed for state-transition.
  • deny (Number) Deny is the number of denials needed for state-transition.
  • filter (String) Filter is an optional predicate used to determine which reviews count toward this threshold.
  • name (String) Name is the optional human-readable name of the threshold.

Nested Schema for spec.deny.require_session_join

Optional:

  • count (Number) Count is the amount of people that need to be matched for this policy to be fulfilled.
  • filter (String) Filter is a predicate that determines what users count towards this policy.
  • kinds (List of String) Kinds are the session kinds this policy applies to.
  • modes (List of String) Modes is the list of modes that may be used to fulfill this policy.
  • name (String) Name is the name of the policy.
  • on_leave (String) OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

Nested Schema for spec.deny.review_requests

Optional:

  • claims_to_roles (Attributes List) ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. (see below for nested schema)
  • preview_as_roles (List of String) PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
  • roles (List of String) Roles is the name of roles which may be reviewed.
  • where (String) Where is an optional predicate which further limits which requests are reviewable.

Nested Schema for spec.deny.review_requests.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.deny.rules

Optional:

  • actions (List of String) Actions specifies optional actions taken when this rule matches
  • resources (List of String) Resources is a list of resources
  • verbs (List of String) Verbs is a list of verbs
  • where (String) Where specifies optional advanced matcher

Nested Schema for spec.deny.spiffe

Optional:

  • dns_sans (List of String) DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
  • ip_sans (List of String) IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
  • path (String) Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

Nested Schema for spec.options

Optional:

  • cert_extensions (Attributes List) CertExtensions specifies the key/values (see below for nested schema)
  • cert_format (String) CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH.
  • client_idle_timeout (String) ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration.
  • create_db_user (Boolean)
  • create_db_user_mode (Number) CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
  • create_desktop_user (Boolean)
  • create_host_user (Boolean)
  • create_host_user_mode (Number) CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
  • desktop_clipboard (Boolean)
  • desktop_directory_sharing (Boolean)
  • device_trust_mode (String) DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport.
  • disconnect_expired_cert (Boolean) DisconnectExpiredCert sets disconnect clients on expired certificates.
  • enhanced_recording (List of String) BPF defines what events to record for the BPF-based session recorder.
  • forward_agent (Boolean) ForwardAgent is SSH agent forwarding.
  • idp (Attributes) IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. (see below for nested schema)
  • lock (String) Lock specifies the locking mode (strict|best_effort) to be applied with the role.
  • max_connections (Number) MaxConnections defines the maximum number of concurrent connections a user may hold.
  • max_kubernetes_connections (Number) MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold.
  • max_session_ttl (String) MaxSessionTTL defines how long a SSH session can last for.
  • max_sessions (Number) MaxSessions defines the maximum number of concurrent sessions per connection.
  • permit_x11_forwarding (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
  • pin_source_ip (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
  • port_forwarding (Boolean)
  • record_session (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see below for nested schema)
  • request_access (String) RequestAccess defines the access request strategy (optional|note|always) where optional is the default.
  • request_prompt (String) RequestPrompt is an optional message which tells users what they aught to request.
  • require_session_mfa (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
  • ssh_file_copy (Boolean)

Nested Schema for spec.options.cert_extensions

Optional:

  • mode (Number) Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension".
  • name (String) Name specifies the key to be used in the cert extension.
  • type (Number) Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh".
  • value (String) Value specifies the value to be used in the cert extension.

Nested Schema for spec.options.idp

Optional:

Nested Schema for spec.options.idp.saml

Optional:

  • enabled (Boolean)

Nested Schema for spec.options.record_session

Optional:

  • default (String) Default indicates the default value for the services.
  • desktop (Boolean)
  • ssh (String) SSH indicates the session mode used on SSH sessions.