Reference for the teleport_server Terraform resource

Example Usage

resource "teleport_server" "ssh_agentless" {
  version  = "v2"
  sub_kind = "openssh"
  // Name is not required for servers, this is a special case.
  // When a name is not set, a UUID will be generated by Teleport and
  // imported back into Terraform.
  // Giving unique IDs to servers allows UUID-based dialing (as opposed to
  // host-based dialing and IP-based dialing), which is more robust than its
  // counterparts as it can point to a specific server if multiple servers
  // share the same hostname/IP.
  spec = {
    addr     = "127.0.0.1:22"
    hostname = "test.local"
  }
}

resource "teleport_server" "ssh_agentless_eice" {
  version  = "v2"
  sub_kind = "openssh-ec2-ice"
  metadata = {
    // It is recommended to use the account and instance ID as the name for EC2 Instance Connect.
    // When dialing to this instance, Teleport will detect that this is an
    // AWS instance ID and will contact this specific instance. This is more
    // robust than host-based and IP-based dialing (because several servers
    // can have similar hostnames).
    name = "123456789012-i-0123456789abcdef"
  }
  spec = {
    addr     = "127.0.0.1:22"
    hostname = "test.local"

    cloud_metadata = {
      aws = {
        account_id  = "123"
        instance_id = "123"
        region      = "us-east-1"
        vpc_id      = "123"
        integration = "foo"
        subnet_id   = "123"
      }
    }
  }
}
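
A consistency check for teleport_server definitions, added here as an example; it is not code from Teleport or its Terraform provider. It assumes the resources have already been decoded into Python dicts mirroring the HCL above (for instance from terraform show -json), treats the naming recommendation in the comments above as a hard rule, and flags the page's placeholder account_id/instance_id values, which do not match the metadata name in the second example.

```python
import re
from typing import Dict, List

# Sub-kinds shown in this page's examples; Teleport defines others too.
KNOWN_SUB_KINDS = {"openssh", "openssh-ec2-ice"}
ADDR_RE = re.compile(r"^(?:[^:\s\[\]]+|\[[0-9a-fA-F:.]+\]):(\d{1,5})$")
AWS_ACCOUNT_RE = re.compile(r"^\d{12}$")              # AWS account IDs are 12 digits
EC2_INSTANCE_RE = re.compile(r"^i-[0-9a-f]{8,17}$")   # "i-" plus 8 to 17 hex chars


def example_server(account_id: str, instance_id: str) -> Dict:
    """Constructed openssh-ec2-ice server in the shape of the page's second example."""
    aws = {"account_id": account_id, "instance_id": instance_id, "region": "us-east-1",
           "vpc_id": "123", "integration": "foo", "subnet_id": "123"}
    return {"version": "v2", "sub_kind": "openssh-ec2-ice",
            "metadata": {"name": "123456789012-i-0123456789abcdef"},
            "spec": {"addr": "127.0.0.1:22", "hostname": "test.local",
                     "cloud_metadata": {"aws": aws}}}


def lint_server(server: Dict) -> List[str]:
    """Return findings for one teleport_server definition; an empty list means clean."""
    findings: List[str] = []
    sub_kind = server.get("sub_kind")
    if sub_kind not in KNOWN_SUB_KINDS:
        findings.append(f"unknown sub_kind {sub_kind!r}")
    spec = server.get("spec", {})
    addr = spec.get("addr", "")
    m = ADDR_RE.match(addr)
    if not m or not 1 <= int(m.group(1)) <= 65535:
        findings.append(f"spec.addr {addr!r} is not a valid host:port")
    if sub_kind != "openssh-ec2-ice":
        return findings
    aws = spec.get("cloud_metadata", {}).get("aws")
    if aws is None:
        findings.append("openssh-ec2-ice server has no spec.cloud_metadata.aws")
        return findings
    account, instance = aws.get("account_id", ""), aws.get("instance_id", "")
    if not AWS_ACCOUNT_RE.match(account):
        findings.append(f"account_id {account!r} is not a 12-digit AWS account ID")
    if not EC2_INSTANCE_RE.match(instance):
        findings.append(f"instance_id {instance!r} is not an EC2 instance ID")
    if not aws.get("integration"):
        findings.append("integration is empty; EC2 Instance Connect dialing needs one")
    # The page recommends naming the server "<account_id>-<instance_id>".
    expected = f"{account}-{instance}"
    if server.get("metadata", {}).get("name") != expected:
        findings.append(f"metadata.name should be {expected!r} to match cloud_metadata.aws")
    return findings
```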

Schema

Required

  • sub_kind (String) SubKind is the resource sub kind; for servers it selects the server type (the examples above use "openssh" and "openssh-ec2-ice").
  • version (String) Version is the resource version (the examples above use "v2").

Optional

  • metadata (Attributes) (see below for nested schema)
  • spec (Attributes) (see below for nested schema)

Nested Schema for metadata

Optional:

  • description (String) Description is the object description.
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels attached to the object.
  • name (String) Name is the object name. For servers it may be left unset, in which case Teleport generates a UUID and imports it back into Terraform.

Nested Schema for spec

Optional:

  • addr (String) Addr is the host:port address where this server can be reached.
  • cloud_metadata (Attributes) CloudMetadata contains information about the cloud instance the server is running on, if any. (see below for nested schema)
  • hostname (String) Hostname is the server hostname.
  • peer_addr (String) PeerAddr is the address at which a proxy server is reachable by its peer proxies.
  • proxy_ids (List of String) ProxyIDs is a list of proxy IDs this server is expected to be connected to.
  • public_addrs (List of String) PublicAddrs is a list of public addresses where this server can be reached.
  • rotation (Attributes) Rotation specifies the server's CA rotation state. (see below for nested schema)
  • use_tunnel (Boolean) UseTunnel indicates that connections to this server should occur over a reverse tunnel.
  • version (String) TeleportVersion is the Teleport version the server is running.

Nested Schema for spec.cloud_metadata

Optional:

  • aws (Attributes) (see below for nested schema)

Nested Schema for spec.cloud_metadata.aws

Optional:

  • account_id (String) AccountID is an AWS account ID.
  • instance_id (String) InstanceID is an EC2 instance ID.
  • integration (String) Integration is the integration name that added this Node. When connecting to it, it will use this integration to issue AWS API calls in order to set up the connection. This includes sending an SSH Key and then opening a tunnel (EC2 Instance Connect Endpoint) so Teleport can connect to it.
  • region (String) Region is the AWS EC2 Instance Region.
  • subnet_id (String) SubnetID is the Subnet ID in use by the instance.
  • vpc_id (String) VPCID is the AWS VPC ID where the Instance is running.

Nested Schema for spec.rotation

Optional:

  • current_id (String) CurrentID is the ID of the rotation operation, used to differentiate between rotation attempts.
  • grace_period (String) GracePeriod is a period during which both the old and the new CA are valid for verification purposes, but only the new CA issues certificates.
  • last_rotated (String) LastRotated specifies the time of the last completed rotation.
  • mode (String) Mode sets manual or automatic rotation mode.
  • phase (String) Phase is the current rotation phase.
  • schedule (Attributes) Schedule is a rotation schedule, used in automatic mode to switch between phases. (see below for nested schema)
  • started (String) Started is the time at which the rotation was started; it is set when the rotation state is "in_progress".
  • state (String) State is one of "init" or "in_progress".

Nested Schema for spec.rotation.schedule

Optional:

  • standby (String) Standby specifies the time to switch to the "Standby" phase.
  • update_clients (String) UpdateClients specifies the time to switch to the "Update clients" phase.
  • update_servers (String) UpdateServers specifies the time to switch to the "Update servers" phase.