Reference for the teleport_auth_preference Terraform resource

Example Usage

# AuthPreference resource

resource "teleport_auth_preference" "example" {
  # version is a required attribute (see Schema below); the only supported value is v2.
  version = "v2"

  metadata = {
    description = "Auth preference"
    labels = {
      "example"             = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    # Drop client sessions as soon as their certificate expires.
    disconnect_expired_cert = true
  }
}

Schema

Required

  • spec (Attributes) Spec is an AuthPreference specification (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are: v2.

Optional

  • metadata (Attributes) Metadata is resource metadata (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources

Nested Schema for spec

Optional:

  • allow_headless (Boolean) AllowHeadless enables headless authentication, in which a login started from a machine without a browser or authenticator is approved from another of the user's already authenticated sessions.
  • allow_local_auth (Boolean) AllowLocalAuth allows local authentication (username, password and second factor) even when Type selects an SSO connector. Defaults to true.
  • allow_passwordless (Boolean) AllowPasswordless enables passwordless WebAuthn login and the registration of passwordless devices. Requires a WebAuthn configuration.
  • connector_name (String) ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used.
  • default_session_ttl (String) DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested.
  • device_trust (Attributes) DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. (see below for nested schema)
  • disconnect_expired_cert (Boolean) DisconnectExpiredCert, when true, disconnects client sessions as soon as their certificate expires instead of letting established sessions continue.
  • hardware_key (Attributes) HardwareKey are the settings for hardware key support. (see below for nested schema)
  • idp (Attributes) IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. (see below for nested schema)
  • locking_mode (String) LockingMode is the cluster-wide locking mode default.
  • message_of_the_day (String) MessageOfTheDay is a message shown to users at login.
  • okta (Attributes) Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. (see below for nested schema)
  • piv_slot (String) Deprecated and scheduled for removal in Teleport 17.0.0; use hardware_key.piv_slot instead.
  • require_session_mfa (Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
  • second_factor (String) SecondFactor is the type of second factor.
  • type (String) Type is the type of authentication.
  • u2f (Attributes) U2F are the settings for the U2F device. (see below for nested schema)
  • webauthn (Attributes) Webauthn are the settings for server-side Web Authentication support. (see below for nested schema)

Nested Schema for spec.device_trust

Optional:

  • auto_enroll (Boolean) Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. tsh takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off".
  • ekcert_allowed_cas (List of String) Allow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment, this allows any device to enroll.
  • mode (String) Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise.

Nested Schema for spec.hardware_key

Optional:

  • piv_slot (String) PIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e".
  • serial_number_validation (Attributes) SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled. (see below for nested schema)

Nested Schema for spec.hardware_key.serial_number_validation

Optional:

  • enabled (Boolean) Enabled indicates whether hardware key serial number validation is enabled.
  • serial_number_trait_name (String) SerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: Values for this user trait should be a comma-separated list of serial numbers, or a list of comma-separated lists, e.g. ["123", "345,678"].

Nested Schema for spec.idp

Optional:

  • saml (Attributes) SAML holds settings for the SAML IdP (see below for nested schema)

Nested Schema for spec.idp.saml

Optional:

  • enabled (Boolean)

Nested Schema for spec.okta

Optional:

  • sync_period (String) SyncPeriod is the duration between synchronization calls in nanoseconds.

Nested Schema for spec.u2f

Optional:

  • app_id (String) AppID is the application ID for universal second factor.
  • device_attestation_cas (List of String) DeviceAttestationCAs contains the trusted attestation CAs for U2F devices.
  • facets (List of String) Facets are the facets for universal second factor. Deprecated: kept for backwards compatibility, but Facets have had no effect since Teleport v10, when WebAuthn replaced the U2F implementation.

Nested Schema for spec.webauthn

Optional:

  • attestation_allowed_cas (List of String) Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed.
  • attestation_denied_cas (List of String) Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied.
  • rp_id (String) RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register.
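The spec, device_trust, hardware_key and webauthn schemas above are easier to reason about as one concrete configuration. The following is an added example, not taken from the Teleport documentation or the provider repository, of an Enterprise cluster auth preference hardened for phishing-resistant login, per-session MFA and device trust; the comments name the weaker setting each line replaces. The resource name "hardened", the cluster hostname teleport.example.com, the connector name "okta" and the PEM files read with file() are assumptions.

```hcl
# Added example (not Teleport's own code). Assumed: resource name "hardened",
# hostname teleport.example.com, connector "okta", and the PEM file paths.
resource "teleport_auth_preference" "hardened" {
  version = "v2"

  metadata = {
    description = "Hardened auth preference: WebAuthn, per-session MFA, device trust"
    labels = {
      "teleport.dev/origin" = "dynamic" # added by Teleport; declare it to avoid drift
    }
  }

  spec = {
    # Log in through SSO; keep local accounts only as a break-glass path.
    type             = "saml"
    connector_name   = "okta" # assumed connector name
    allow_local_auth = true

    # Weak: second_factor = "otp" (phishable) or "off" (none at all).
    # WebAuthn is phishing-resistant and is what passwordless login needs.
    second_factor      = "webauthn"
    allow_passwordless = true
    allow_headless     = false

    # Weak: require_session_mfa = 0 (OFF) lets a stolen user certificate open
    # sessions unchallenged. 1 = SESSION: every session needs a fresh WebAuthn
    # assertion. 2-5 additionally require a PIV hardware key (touch and/or PIN).
    require_session_mfa = 1

    # Weak: the 12h default. Short-lived certs plus disconnect-on-expiry bound
    # how long a leaked certificate stays useful.
    default_session_ttl     = "8h"
    disconnect_expired_cert = true

    # Weak: "best_effort" keeps sessions alive if the lock service is unreachable;
    # "strict" fails closed.
    locking_mode = "strict"

    webauthn = {
      # Permanent once users register authenticators: pick the final hostname.
      rp_id = "teleport.example.com"
      # Only authenticators whose attestation chains to these CAs may register.
      attestation_allowed_cas = [file("${path.module}/fido-vendor-ca.pem")] # assumed path
    }

    # Requires Teleport Enterprise. "required" rejects access from unenrolled
    # devices; roll out with "optional" until every device is enrolled.
    device_trust = {
      mode        = "required"
      auto_enroll = true
      # Only TPMs with an EK certificate signed by one of these CAs may enroll.
      ekcert_allowed_cas = [file("${path.module}/tpm-ek-ca.pem")] # assumed path
    }

    hardware_key = {
      # Bind each user to the YubiKey serial numbers listed in their
      # hardware_key_serial_numbers trait (the default trait name).
      serial_number_validation = {
        enabled = true
      }
    }
  }
}
```

Things to check before applying: Teleport rejects a require_session_mfa value other than 0 when second_factor is "off", so change the two together; device_trust.mode = "required" locks out every user whose device is not yet enrolled, so stage it through "optional" first; and because rp_id is recorded in every WebAuthn registration, set it to the final public hostname before the first user registers an authenticator.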

Nested Schema for metadata

Optional:

  • description (String) Description is object description
  • expires (String) Expires is a global expiry time that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels