Reference for the teleport_database Terraform resource

Example Usage

# Teleport Database

resource "teleport_database" "example" {
  version = "v3" // Required: v3 is the only supported resource version (see Schema below)

  metadata = {
    name        = "example"
    description = "Test database"
    labels = {
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    protocol = "postgres"
    uri      = "localhost"
  }
}

Schema

Required

  • version (String) Version is the resource version. It must be specified. Supported values are: v3.

Optional

  • metadata (Attributes) Metadata is the resource metadata. (see below for nested schema)
  • spec (Attributes) Spec is the database spec. (see below for nested schema)

Nested Schema for metadata

Required:

  • name (String) Name is the object name.

Optional:

  • description (String) Description is the object description.
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels.

Nested Schema for spec

Required:

  • protocol (String) Protocol is the database protocol: postgres, mysql, mongodb, etc.
  • uri (String) URI is the database connection endpoint.

Optional:

  • ad (Attributes) AD is the Active Directory configuration for the database. (see below for nested schema)
  • admin_user (Attributes) AdminUser is the database admin user for automatic user provisioning. (see below for nested schema)
  • aws (Attributes) AWS contains AWS specific settings for RDS/Aurora/Redshift databases. (see below for nested schema)
  • azure (Attributes) Azure contains Azure specific database metadata. (see below for nested schema)
  • ca_cert (String) CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
  • dynamic_labels (Attributes Map) DynamicLabels is the database dynamic labels. (see below for nested schema)
  • gcp (Attributes) GCP contains parameters specific to GCP Cloud SQL databases. (see below for nested schema)
  • mongo_atlas (Attributes) MongoAtlas contains Atlas metadata about the database. (see below for nested schema)
  • mysql (Attributes) MySQL is an additional section with MySQL database options. (see below for nested schema)
  • oracle (Attributes) Oracle is an additional section with Oracle configuration options. (see below for nested schema)
  • tls (Attributes) TLS is the TLS configuration used when establishing a connection to the target database. It allows providing a custom CA certificate or overriding the server name. (see below for nested schema)

Nested Schema for spec.ad

Optional:

  • domain (String) Domain is the Active Directory domain the database resides in.
  • kdc_host_name (String) KDCHostName is the host name for a KDC for x509 Authentication.
  • keytab_file (String) KeytabFile is the path to the Kerberos keytab file.
  • krb5_file (String) Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
  • ldap_cert (String) LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
  • spn (String) SPN is the service principal name for the database.

Nested Schema for spec.admin_user

Optional:

  • default_database (String) DefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users.
  • name (String) Name is the username of the privileged database user.

Nested Schema for spec.aws

Optional:

  • account_id (String) AccountID is the AWS account ID this database belongs to.
  • assume_role_arn (String) AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts.
  • elasticache (Attributes) ElastiCache contains AWS ElastiCache Redis specific metadata. (see below for nested schema)
  • external_id (String) ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
  • iam_policy_status (Number) IAMPolicyStatus indicates whether the IAM policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the database. E.g., for an RDS database, the underlying AWS profile must allow rds-db:connect for the database.
  • memorydb (Attributes) MemoryDB contains AWS MemoryDB specific metadata. (see below for nested schema)
  • opensearch (Attributes) OpenSearch contains AWS OpenSearch specific metadata. (see below for nested schema)
  • rds (Attributes) RDS contains RDS specific metadata. (see below for nested schema)
  • rdsproxy (Attributes) RDSProxy contains AWS Proxy specific metadata. (see below for nested schema)
  • redshift (Attributes) Redshift contains Redshift specific metadata. (see below for nested schema)
  • redshift_serverless (Attributes) RedshiftServerless contains AWS Redshift Serverless specific metadata. (see below for nested schema)
  • region (String) Region is an AWS cloud region.
  • secret_store (Attributes) SecretStore contains secret store configurations. (see below for nested schema)
  • session_tags (Map of String) SessionTags is a list of AWS STS session tags.

Nested Schema for spec.aws.elasticache

Optional:

  • endpoint_type (String) EndpointType is the type of the endpoint.
  • replication_group_id (String) ReplicationGroupID is the Redis replication group ID.
  • transit_encryption_enabled (Boolean) TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
  • user_group_ids (List of String) UserGroupIDs is a list of user group IDs.

Nested Schema for spec.aws.memorydb

Optional:

  • acl_name (String) ACLName is the name of the ACL associated with the cluster.
  • cluster_name (String) ClusterName is the name of the MemoryDB cluster.
  • endpoint_type (String) EndpointType is the type of the endpoint.
  • tls_enabled (Boolean) TLSEnabled indicates whether in-transit encryption (TLS) is enabled.

Nested Schema for spec.aws.opensearch

Optional:

  • domain_id (String) DomainID is the ID of the domain.
  • domain_name (String) DomainName is the name of the domain.
  • endpoint_type (String) EndpointType is the type of the endpoint.

Nested Schema for spec.aws.rds

Optional:

  • cluster_id (String) ClusterID is the RDS cluster (Aurora) identifier.
  • iam_auth (Boolean) IAMAuth indicates whether database IAM authentication is enabled.
  • instance_id (String) InstanceID is the RDS instance identifier.
  • resource_id (String) ResourceID is the RDS instance resource identifier (db-xxx).
  • subnets (List of String) Subnets is a list of subnets for the RDS instance.
  • vpc_id (String) VPCID is the VPC where the RDS is running.

Nested Schema for spec.aws.rdsproxy

Optional:

  • custom_endpoint_name (String) CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
  • name (String) Name is the identifier of an RDS Proxy.
  • resource_id (String) ResourceID is the RDS instance resource identifier (prx-xxx).

Nested Schema for spec.aws.redshift

Optional:

  • cluster_id (String) ClusterID is the Redshift cluster identifier.

Nested Schema for spec.aws.redshift_serverless

Optional:

  • endpoint_name (String) EndpointName is the VPC endpoint name.
  • workgroup_id (String) WorkgroupID is the workgroup ID.
  • workgroup_name (String) WorkgroupName is the workgroup name.

Nested Schema for spec.aws.secret_store

Optional:

  • key_prefix (String) KeyPrefix specifies the secret key prefix.
  • kms_key_id (String) KMSKeyID specifies the AWS KMS key for encryption.
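The spec.aws, spec.aws.rds and spec.admin_user attributes above are easiest to read together in one resource. The following is an added example, not from the Teleport documentation, of an RDS PostgreSQL instance that lives in a second AWS account and is reached by assuming a role there. Every identifier in it (account ID, role ARN, external ID, hostname, instance name) is a constructed placeholder.

```hcl
# Added example (not Teleport's own): RDS PostgreSQL in another AWS account,
# reached via AssumeRole with an external ID and IAM database authentication.
# All account IDs, ARNs and hostnames below are constructed placeholders.
resource "teleport_database" "rds_cross_account" {
  version = "v3"

  metadata = {
    name        = "orders-rds"
    description = "Orders PostgreSQL on RDS, reached cross-account via AssumeRole"
    labels = {
      env  = "prod"
      tier = "data"
    }
  }

  spec = {
    protocol = "postgres"
    # Placeholder RDS endpoint; Teleport connects to this host:port.
    uri = "orders-db.abc123.us-east-1.rds.amazonaws.com:5432"

    aws = {
      account_id = "222222222222" # placeholder: the account that owns the RDS instance
      region     = "us-east-1"

      # Cross-account access: the Database Service assumes this role and
      # presents the external ID. The external ID is what stops a role that
      # is assumable from outside the account being used by callers that
      # do not know it (the confused-deputy case).
      assume_role_arn = "arn:aws:iam::222222222222:role/TeleportDatabaseAccess" # placeholder
      external_id     = "teleport-orders-prod"                                   # placeholder

      # STS session tags travel with the assumed-role session, so the
      # owning account can scope its IAM policies to them (aws:PrincipalTag)
      # and attribute the session to Teleport in its audit trail.
      session_tags = {
        source = "teleport-database-service"
      }

      rds = {
        instance_id = "orders-db" # placeholder
        # Authenticate to the engine with IAM (rds-db:connect) instead of a
        # static password; iam_policy_status above reports whether the
        # policy actually grants it.
        iam_auth = true
      }
    }
  }
}
```

Note that no tls block is needed here: per the spec.tls.trust_system_cert_pool description, Teleport downloads the required CAs for cloud-hosted databases itself.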

Nested Schema for spec.azure

Optional:

  • is_flexi_server (Boolean) IsFlexiServer is true if the database is an Azure Flexible server.
  • name (String) Name is the Azure database server name.
  • redis (Attributes) Redis contains Azure Cache for Redis specific database metadata. (see below for nested schema)
  • resource_id (String) ResourceID is the Azure fully qualified ID for the resource.

Nested Schema for spec.azure.redis

Optional:

  • clustering_policy (String) ClusteringPolicy is the clustering policy for Redis Enterprise.

Nested Schema for spec.dynamic_labels

Optional:

  • command (List of String) Command is a command to run.
  • period (String) Period is the time between command runs.
  • result (String) Result captures the command's standard output.

Nested Schema for spec.gcp

Optional:

  • instance_id (String) InstanceID is the Cloud SQL instance ID.
  • project_id (String) ProjectID is the GCP project ID the Cloud SQL instance resides in.

Nested Schema for spec.mongo_atlas

Optional:

  • name (String) Name is the Atlas database instance name.

Nested Schema for spec.mysql

Optional:

  • server_version (String) ServerVersion is the server version reported by DB proxy if the runtime information is not available.

Nested Schema for spec.oracle

Optional:

  • audit_user (String) AuditUser is the Oracle database user with the privilege to access the internal Oracle audit trail.

Nested Schema for spec.tls

Optional:

  • ca_cert (String) CACert is an optional user-provided CA certificate used for verifying the database TLS connection.
  • mode (Number) Mode is the TLS connection mode: 0 is "verify-full", 1 is "verify-ca", 2 is "insecure".
  • server_name (String) ServerName allows providing a custom hostname. This value overrides the server name/hostname on the certificate during validation.
  • trust_system_cert_pool (Boolean) TrustSystemCertPool allows Teleport to trust certificate authorities available on the host system. If not set (the default), Teleport only trusts databases with TLS certificates signed by Teleport's Database Server CA or by the ca_cert specified in this TLS setting. For cloud-hosted databases, Teleport downloads the corresponding required CAs for validation.
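The mode numbers and the CA settings above are the security-relevant part of a self-hosted database definition, so here is an added example, not from the Teleport documentation, of a PostgreSQL database with a private CA and full verification, with the weaker modes described in comments for comparison. The hostname and file path are constructed placeholders.

```hcl
# Added example (not Teleport's own): self-hosted PostgreSQL whose server
# certificate is issued by a private CA. Hostname and path are placeholders.
resource "teleport_database" "pg_selfhosted" {
  version = "v3"

  metadata = {
    name        = "billing-pg"
    description = "Self-hosted PostgreSQL with a private CA"
  }

  spec = {
    protocol = "postgres"
    uri      = "billing-pg.internal.example.com:5432" # placeholder hostname

    tls = {
      # 0 = verify-full: check the chain AND that the certificate matches the
      # hostname. This is the only mode that rejects a machine in the middle
      # presenting a different certificate issued by the same CA.
      mode = 0

      # The private CA that signed the server certificate. Without this (and
      # with trust_system_cert_pool unset) Teleport only trusts certificates
      # issued by its own Database Server CA, so the connection would fail.
      ca_cert = file("${path.module}/certs/billing-pg-ca.pem") # placeholder path

      # Only needed when the name in uri differs from the name in the server
      # certificate (for example, connecting through an IP or a load balancer).
      server_name = "billing-pg.internal.example.com"

      # Keep the trust anchor to the CA above; the host's system pool is not
      # consulted unless this is true.
      trust_system_cert_pool = false
    }
  }
}

# Weaker settings, listed only to make the trade-off explicit:
#   mode = 1  verify-ca: the chain is checked but the hostname is not, so any
#             certificate issued by the trusted CA is accepted for this host.
#   mode = 2  insecure: no certificate verification at all; credentials and
#             query data are exposed to anyone who can redirect the connection.
```

With verify-full and an explicit ca_cert, the Database Service has a single, auditable trust anchor for this database; the deprecated top-level spec.ca_cert should not be combined with it.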