Skip to main content

Reference for the teleport_provision_token Terraform resource

Example Usage

# Teleport Provision Token resource

resource "teleport_provision_token" "example" {
  metadata = {
    expires     = "2022-10-12T07:20:51Z"
    description = "Example token"

    labels = {
      example               = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    roles = ["Node", "Auth"]
  }
}

resource "teleport_provision_token" "iam-token" {
  metadata = {
    name = "iam-token"
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = "mybot"
    join_method = "iam"
    allow = [{
      aws_account = "123456789012"
    }]
  }
}

Schema

Required

  • spec (Attributes) Spec is a provisioning token V2 spec (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are:v2.

Optional

  • metadata (Attributes) Metadata is resource metadata (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources

Nested Schema for spec

Required:

  • roles (List of String) Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token

Optional:

  • allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • aws_iid_ttl (String) AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
  • azure (Attributes) Azure allows the configuration of options specific to the "azure" join method. (see below for nested schema)
  • bitbucket (Attributes) Bitbucket allows the configuration of options specific to the "bitbucket" join method. (see below for nested schema)
  • bot_name (String) BotName is the name of the bot this token grants access to, if any
  • circleci (Attributes) CircleCI allows the configuration of options specific to the "circleci" join method. (see below for nested schema)
  • gcp (Attributes) GCP allows the configuration of options specific to the "gcp" join method. (see below for nested schema)
  • github (Attributes) GitHub allows the configuration of options specific to the "github" join method. (see below for nested schema)
  • gitlab (Attributes) GitLab allows the configuration of options specific to the "gitlab" join method. (see below for nested schema)
  • join_method (String) JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm
  • kubernetes (Attributes) Kubernetes allows the configuration of options specific to the "kubernetes" join method. (see below for nested schema)
  • spacelift (Attributes) Spacelift allows the configuration of options specific to the "spacelift" join method. (see below for nested schema)
  • suggested_agent_matcher_labels (Map of List of String) SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to db_service.resources.labels. Currently, only node-join scripts create a configuration according to the suggestion.
  • suggested_labels (Map of List of String) SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
  • terraform_cloud (Attributes) TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method. (see below for nested schema)
  • tpm (Attributes) TPM allows the configuration of options specific to the "tpm" join method. (see below for nested schema)

Nested Schema for spec.allow

Optional:

  • aws_account (String) AWSAccount is the AWS account ID.
  • aws_arn (String) AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
  • aws_regions (List of String) AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
  • aws_role (String) AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.

Nested Schema for spec.azure

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)

Nested Schema for spec.azure.allow

Optional:

  • resource_groups (List of String) ResourceGroups is a list of Azure resource groups the node is allowed to join from.
  • subscription (String) Subscription is the Azure subscription.

Nested Schema for spec.bitbucket

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • audience (String) Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
  • identity_provider_url (String) IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.

Nested Schema for spec.bitbucket.allow

Optional:

  • branch_name (String) BranchName is the name of the branch on which this pipeline executed.
  • deployment_environment_uuid (String) DeploymentEnvironmentUUID is the UUID of the deployment environment targeted by this pipelines run, if any. These values may be found in the "Pipelines -> OpenID Connect -> Deployment environments" section of the repository settings.
  • repository_uuid (String) RepositoryUUID is the UUID of the repository for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. {...}. This value may be found in the Pipelines -> OpenID Connect section of the repository settings.
  • workspace_uuid (String) WorkspaceUUID is the UUID of the workspace for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. {...}. This value may be found in the Pipelines -> OpenID Connect section of the repository settings.

Nested Schema for spec.circleci

Optional:

  • allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • organization_id (String)

Nested Schema for spec.circleci.allow

Optional:

  • context_id (String)
  • project_id (String)

Nested Schema for spec.gcp

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)

Nested Schema for spec.gcp.allow

Optional:

  • locations (List of String) Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
  • project_ids (List of String) ProjectIDs is a list of project IDs (e.g. <example-id-123456>).
  • service_accounts (List of String) ServiceAccounts is a list of service account emails (e.g. <project-number>[email protected]).

Nested Schema for spec.github

Optional:

  • allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • enterprise_server_host (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
  • enterprise_slug (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
  • static_jwks (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.

Nested Schema for spec.github.allow

Optional:

  • actor (String) The personal account that initiated the workflow run.
  • environment (String) The name of the environment used by the job.
  • ref (String) The git ref that triggered the workflow run.
  • ref_type (String) The type of ref, for example: "branch".
  • repository (String) The repository from where the workflow is running. This includes the name of the owner e.g gravitational/teleport
  • repository_owner (String) The name of the organization in which the repository is stored.
  • sub (String) Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run.
  • workflow (String) The name of the workflow.

Nested Schema for spec.gitlab

Optional:

  • allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • domain (String) Domain is the domain of your GitLab instance. This will default to gitlab.com - but can be set to the domain of your self-hosted GitLab e.g gitlab.example.com.

Nested Schema for spec.gitlab.allow

Optional:

  • ci_config_ref_uri (String) CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main.
  • ci_config_sha (String) CIConfigSHA is the git commit SHA for the ci_config_ref_uri.
  • deployment_tier (String) DeploymentTier is the deployment tier of the environment the job specifies
  • environment (String) Environment limits access by the environment the job deploys to (if one is associated)
  • environment_protected (Boolean) EnvironmentProtected is true if the Git ref is protected, false otherwise.
  • namespace_path (String) NamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
  • pipeline_source (String) PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: web
  • project_path (String) ProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
  • project_visibility (String) ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public.
  • ref (String) Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
  • ref_protected (Boolean) RefProtected is true if the Git ref is protected, false otherwise.
  • ref_type (String) RefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag
  • sub (String) Sub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main project_path:GROUP/PROJECT:ref_type:TYPE:ref:BRANCH_NAME This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
  • user_email (String) UserEmail is the email of the user executing the job
  • user_id (String) UserID is the ID of the user executing the job
  • user_login (String) UserLogin is the username of the user executing the job

Nested Schema for spec.kubernetes

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • static_jwks (Attributes) StaticJWKS is the configuration specific to the static_jwks type. (see below for nested schema)
  • type (String) Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - in_cluster - static_jwks If unset, this defaults to in_cluster.

Nested Schema for spec.kubernetes.allow

Optional:

  • service_account (String) ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account".

Nested Schema for spec.kubernetes.static_jwks

Optional:

  • jwks (String) JWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server.

Nested Schema for spec.spacelift

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • hostname (String) Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g example.app.spacelift.io

Nested Schema for spec.spacelift.allow

Optional:

  • caller_id (String) CallerID is the ID of the caller, ie. the stack or module that generated the run.
  • caller_type (String) CallerType is the type of the caller, ie. the entity that owns the run - either stack or module.
  • scope (String) Scope is the scope of the token - either read or write. See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
  • space_id (String) SpaceID is the ID of the space in which the run that owns the token was executed.

Nested Schema for spec.terraform_cloud

Optional:

  • allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
  • audience (String) Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo is set in Terraform Cloud, this value should be foo. If the variable is set to match the cluster name, it does not need to be set here.
  • hostname (String) Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be app.terraform.io. Otherwise, it must both match the iss (issuer) field included in JWTs, and provide standard JWKS endpoints.

Nested Schema for spec.terraform_cloud.allow

Optional:

  • organization_id (String) OrganizationID is the ID of the HCP Terraform organization. At least one organization value is required, either ID or name.
  • organization_name (String) OrganizationName is the human-readable name of the HCP Terraform organization. At least one organization value is required, either ID or name.
  • project_id (String) ProjectID is the ID of the HCP Terraform project. At least one project or workspace value is required, either ID or name.
  • project_name (String) ProjectName is the human-readable name for the HCP Terraform project. At least one project or workspace value is required, either ID or name.
  • run_phase (String) RunPhase is the phase of the run the token was issued for, e.g. plan or apply
  • workspace_id (String) WorkspaceID is the ID of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name.
  • workspace_name (String) WorkspaceName is the human-readable name of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name.

Nested Schema for spec.tpm

Optional:

  • allow (Attributes List) Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining. (see below for nested schema)
  • ekcert_allowed_cas (List of String) EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.

Nested Schema for spec.tpm.allow

Optional:

  • description (String) Description is a human-readable description of the rule. It has no bearing on whether or not a TPM is allowed to join, but can be used to associate a rule with a specific host (e.g the asset tag of the server in which the TPM resides). Example: "build-server-100"
  • ek_certificate_serial (String) EKCertificateSerial is the serial number of the EKCert in hexadecimal with colon separated nibbles. This value will not be checked when a TPM does not have an EKCert configured. Example: 73:df:dc:bd:af:ef:8a:d8:15:2e:96:71:7a:3e:7f:a4
  • ek_public_hash (String) EKPublicHash is the SHA256 hash of the EKPub marshaled in PKIX format and encoded in hexadecimal. This value will also be checked when a TPM has submitted an EKCert, and the public key in the EKCert will be used for this check. Example: d4b45864d9d6fabfc568d74f26c35ababde2105337d7af9a6605e1c56c891aa6

Nested Schema for metadata

Optional:

  • description (String) Description is object description
  • expires (String) Expires is a global expiry time header can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels
  • name (String, Sensitive) Name is an object name