Reference for the teleport_oidc_connector Terraform resource
Example Usage

    # Teleport OIDC connector
    #
    # Please note that the OIDC connector will work in Teleport Enterprise only.
    # The client secret is passed in as a variable so it never appears in the configuration file.
    variable "oidc_secret" {}

    resource "teleport_oidc_connector" "example" {
      # version is a required attribute of this resource; "v3" is the only supported value (see Schema below)
      version = "v3"

      metadata = {
        name = "example"
        labels = {
          test = "yes"
        }
      }

      spec = {
        client_id     = "client"
        client_secret = var.oidc_secret

        # Every user presenting the "test" claim is granted the "terraform" role
        claims_to_roles = [{
          claim = "test"
          roles = ["terraform"]
        }]

        redirect_url = ["https://example.com/redirect"]
      }
    }
Schema

Required:
- spec (Attributes) Spec is an OIDC connector specification. (see below for nested schema)
- version (String) Version is the resource version. It must be specified. Supported values are: v3.

Optional:
- metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
- sub_kind (String) SubKind is an optional resource sub kind, used in some resources.
Nested Schema for spec

Optional:
- acr_values (String) ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies between identity providers.
- allow_unverified_email (Boolean) AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
- claims_to_roles (Attributes List) ClaimsToRoles specifies a dynamic mapping from claims to roles. (see below for nested schema)
- client_id (String) ClientID is the id of the authentication client (Teleport Auth server).
- client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
- client_secret (String, Sensitive) ClientSecret is used to authenticate the client.
- display (String) Display is the friendly name for this provider.
- google_admin_email (String) GoogleAdminEmail is the email of a Google admin to impersonate.
- google_service_account (String, Sensitive) GoogleServiceAccount is a string containing Google service account credentials.
- google_service_account_uri (String) GoogleServiceAccountURI is a path to a Google service account URI.
- issuer_url (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
- max_age (String)
- prompt (String) Prompt is an optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility.
- provider (String) Provider is the external identity provider.
- redirect_url (List of String)
- scope (List of String) Scope specifies additional scopes set by the provider.
- username_claim (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.
Nested Schema for spec.claims_to_roles

Optional:
- claim (String) Claim is a claim name.
- roles (List of String) Roles is a list of static Teleport roles to match.
- value (String) Value is a claim value to match.
Nested Schema for spec.client_redirect_settings

Optional:
- allowed_https_hostnames (List of String) A list of hostnames allowed for HTTPS client redirect URLs.
- insecure_allowed_cidr_ranges (List of String) A list of CIDRs allowed for HTTP or HTTPS client redirect URLs.
Nested Schema for metadata

Required:
- name (String) Name is an object name.

Optional:
- description (String) Description is the object description.
- expires (String) Expires is a global expiry time header that can be set on any resource in the system.
- labels (Map of String) Labels is a set of labels.
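The following is an added example, not part of the Teleport reference or the provider's own documentation. It puts the spec and spec.client_redirect_settings attributes above into one complete connector that maps specific claim values to roles, keeps the client secret out of plan output, leaves unverified-email acceptance off, and restricts non-browser redirect targets to HTTPS hostnames rather than CIDR ranges. The issuer, hostnames, group names and role names are placeholders; the redirect_url path is assumed to be the Teleport proxy's OIDC callback.

```hcl
# Added example (not from the Teleport docs). All hostnames, group names and
# the issuer URL below are placeholders for illustration.

variable "oidc_client_secret" {
  type      = string
  sensitive = true # marked sensitive so Terraform redacts it in plan/apply output
}

resource "teleport_oidc_connector" "corp" {
  version = "v3" # required; v3 is the only supported value per the schema

  metadata = {
    name        = "corp-idp"
    description = "Corporate identity provider (example)"
    labels = {
      env = "prod"
    }
  }

  spec = {
    issuer_url    = "https://idp.example.com" # placeholder issuer
    client_id     = "teleport-proxy"
    client_secret = var.oidc_client_secret

    # Assumed callback path on the Teleport proxy; adjust to your deployment.
    redirect_url = ["https://teleport.example.com:443/v1/webapi/oidc/callback"]

    # Request the groups claim so claims_to_roles below has something to match.
    scope          = ["groups"]
    prompt         = "select_account"
    username_claim = "email"

    # Leave this false: with true, the connector would accept users whose
    # email the IdP has not verified.
    allow_unverified_email = false

    # Match on claim *and* value. An entry with only `claim` set matches any
    # value of that claim, which is usually broader than intended.
    claims_to_roles = [
      {
        claim = "groups"
        value = "teleport-admins"
        roles = ["editor"]
      },
      {
        claim = "groups"
        value = "teleport-users"
        roles = ["access"]
      },
    ]

    # Allow only named HTTPS hosts as non-browser SSO redirect targets.
    # insecure_allowed_cidr_ranges is omitted on purpose: it would also
    # permit plain-HTTP callbacks to any address in the listed ranges.
    client_redirect_settings = {
      allowed_https_hostnames = ["sso-helper.corp.example.com"]
    }
  }
}
```

When reviewing a connector like this, the attributes worth a second look are the ones that widen acceptance: allow_unverified_email set to true, claims_to_roles entries with no value, and any insecure_allowed_cidr_ranges entry, since each of them enlarges the set of identities or callback targets the connector will trust.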