Reference for the teleport_oidc_connector Terraform resource

Example Usage

# Teleport OIDC connector
#
# Please note that the OIDC connector works in the Enterprise edition only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/oidc/

variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
  # version is required by the schema; v3 is the only supported value.
  version = "v3"

  metadata = {
    name = "example"
    labels = {
      test = "yes"
    }
  }

  spec = {
    client_id     = "client"
    client_secret = var.oidc_secret

    # Users whose token carries a "test" claim are granted the "terraform" role.
    claims_to_roles = [{
      claim = "test"
      roles = ["terraform"]
    }]

    redirect_url = ["https://example.com/redirect"]
  }
}

Schema

Required

  • spec (Attributes) Spec is an OIDC connector specification. (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are: v3.

Optional

  • metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources.

Nested Schema for spec

Optional:

  • acr_values (String) ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
  • allow_unverified_email (Boolean) AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
  • claims_to_roles (Attributes List) ClaimsToRoles specifies a dynamic mapping from claims to roles. (see below for nested schema)
  • client_id (String) ClientID is the id of the authentication client (Teleport Auth server).
  • client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
  • client_secret (String, Sensitive) ClientSecret is used to authenticate the client.
  • display (String) Display is the friendly name for this provider.
  • google_admin_email (String) GoogleAdminEmail is the email of a Google admin to impersonate.
  • google_service_account (String, Sensitive) GoogleServiceAccount is a string containing Google service account credentials.
  • google_service_account_uri (String) GoogleServiceAccountURI is a path to a Google service account URI.
  • issuer_url (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
  • max_age (String)
  • prompt (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
  • provider (String) Provider is the external identity provider.
  • redirect_url (List of String)
  • scope (List of String) Scope specifies additional scopes set by provider.
  • username_claim (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

Nested Schema for spec.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.client_redirect_settings

Optional:

  • allowed_https_hostnames (List of String) A list of hostnames allowed for HTTPS client redirect URLs.

Nested Schema for metadata

Required:

  • name (String) Name is an object name.

Optional:

  • description (String) Description is an object description.
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels.
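The following configuration is an added example, not taken from the provider's own documentation, that exercises the spec, spec.claims_to_roles and spec.client_redirect_settings attributes listed above together: role mapping is restricted to specific claim values rather than the mere presence of a claim, unverified e-mail addresses are rejected, and non-browser logins may only redirect to an allow-listed hostname. The issuer URL, client ID, hostnames, group names, the preferred_username claim and the editor and access role names are assumptions made for illustration; the Teleport proxy callback path is also assumed here and should be checked against your proxy's address.

```hcl
# Assumed: the secret is supplied out of band (TF_VAR_oidc_client_secret or a secret store).
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "teleport_oidc_connector" "corp" {
  # Required by the schema; v3 is the only supported value.
  version = "v3"

  metadata = {
    name        = "corp"
    description = "Corporate OIDC login (constructed example)"
    labels = {
      env = "prod"
    }
  }

  spec = {
    display        = "Corporate SSO"
    issuer_url     = "https://sso.example.com"          # hypothetical identity provider
    client_id      = "PLACEHOLDER-CLIENT-ID"            # placeholder; value comes from the IdP
    client_secret  = var.oidc_client_secret
    redirect_url   = ["https://teleport.example.com:443/v1/webapi/oidc/callback"] # assumed proxy address
    scope          = ["groups"]                         # ask the IdP to include group membership
    username_claim = "preferred_username"               # standard OIDC claim, assumed to be issued
    prompt         = "select_account"

    # Weak setting would be `allow_unverified_email = true`; the default of false is kept explicit
    # so that an IdP account with an unconfirmed address cannot be mapped to a role.
    allow_unverified_email = false

    # Map by claim *value*, not claim presence: only members of the named groups get a role.
    # A mapping with only `claim` set (no `value`) would match any user carrying a groups claim.
    claims_to_roles = [
      { claim = "groups", value = "teleport-admins", roles = ["editor"] },
      { claim = "groups", value = "teleport-engineers", roles = ["access"] },
    ]

    # Limit where `tsh login` style (non-browser) flows may be redirected, beyond localhost.
    client_redirect_settings = {
      allowed_https_hostnames = ["workstation-gateway.example.com"]
    }
  }
}
```

When reviewing a connector like this, the two settings worth checking are that every claims_to_roles entry carries a value (so a broad claim such as groups cannot grant a role to everyone who has it) and that allowed_https_hostnames is as short as possible, since every hostname on it is a place an authorization response may be sent.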