Reference for the teleport_user Terraform resource

Example Usage

# Teleport User resource

resource "teleport_user" "example" {
  version = "v2"
  # Tells Terraform that the role cannot be destroyed while this user exists
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name        = "example"
    description = "Example Teleport User"

    expires = "2022-10-12T07:20:50Z"

    labels = {
      example = "yes"
    }
  }

  spec = {
    roles = ["example"]

    oidc_identities = [{
      connector_id = "oidc1"
      username     = "example"
    }]

    traits = {
      "logins1" = ["example"]
      "logins2" = ["example"]
    }

    github_identities = [{
      connector_id = "github"
      username     = "example"
    }]

    saml_identities = [{
      connector_id = "example-saml"
      username     = "example"
    }]
  }
}

Schema

Required

  • version (String) Version is the resource version. It must be specified. Supported values are: v2.

Optional

Nested Schema for metadata

Required:

  • name (String) Name is an object name

Optional:

  • description (String) Description is the object description
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels

Nested Schema for spec

Optional:

  • github_identities (Attributes List) GithubIdentities lists associated GitHub OAuth2 identities that let the user log in using an externally verified identity (see below for nested schema)
  • oidc_identities (Attributes List) OIDCIdentities lists associated OpenID Connect identities that let the user log in using an externally verified identity (see below for nested schema)
  • roles (List of String) Roles is the list of roles assigned to the user
  • saml_identities (Attributes List) SAMLIdentities lists associated SAML identities that let the user log in using an externally verified identity (see below for nested schema)
  • traits (Map of List of String) Traits are key/value pairs received from an identity provider (through OIDC claims or SAML assertions) or from a system administrator for local accounts. Traits are used to populate role variables.
  • trusted_device_ids (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may have an empty TrustedDeviceIDs field, even though the user-to-device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership; it exists for legacy/informative purposes only. It is managed by the Device Trust subsystem, so avoid manual edits.
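The traits bullet above says traits populate role variables, but the page's example never shows the role side. The following is an added example, not code from the page or from the Teleport project: a role whose allowed logins are taken from the user's `logins` trait, and a local user that supplies that trait. The role version "v7", the `node_labels` filter, the expiry date and all names are assumptions for illustration.

```hcl
# Constructed example (not from the page): a role that consumes the
# "logins" trait and a local user that provides it.
resource "teleport_role" "trait_demo" {
  version = "v7"  # assumed role resource version
  metadata = {
    name        = "trait-demo"
    description = "SSH logins are taken from the user's logins trait"
  }
  spec = {
    allow = {
      # {{internal.logins}} expands to the local user's "logins" trait,
      # so the permitted OS logins are managed per user, not per role.
      logins      = ["{{internal.logins}}"]
      node_labels = { "env" = ["staging"] }  # assumed label filter
    }
  }
}

resource "teleport_user" "trait_demo" {
  version = "v2"
  # The role must exist before the user references it and cannot be
  # destroyed while this user still lists it.
  depends_on = [teleport_role.trait_demo]

  metadata = {
    name = "alice"
    # Constructed expiry: Teleport removes the user after this time.
    expires = "2030-01-01T00:00:00Z"
  }

  spec = {
    roles = [teleport_role.trait_demo.metadata.name]
    traits = {
      # Only these OS logins are granted through the role above.
      "logins" = ["alice", "deploy"]
    }
  }
}
```

Changing the user's `logins` trait is enough to widen or narrow that user's SSH access without touching the role, which keeps the role reviewable as a stable policy object.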

Nested Schema for spec.github_identities

Optional:

  • connector_id (String) ConnectorID is the ID of a registered OIDC connector, e.g. 'google-example.com'
  • samlSingleLogoutUrl (String) SAMLSingleLogoutURL is the SAML Single Logout URL used to initiate SAML SLO (single logout), if applicable.
  • username (String) Username is the username supplied by the external identity provider

Nested Schema for spec.oidc_identities

Optional:

  • connector_id (String) ConnectorID is the ID of a registered OIDC connector, e.g. 'google-example.com'
  • samlSingleLogoutUrl (String) SAMLSingleLogoutURL is the SAML Single Logout URL used to initiate SAML SLO (single logout), if applicable.
  • username (String) Username is the username supplied by the external identity provider

Nested Schema for spec.saml_identities

Optional:

  • connector_id (String) ConnectorID is the ID of a registered OIDC connector, e.g. 'google-example.com'
  • samlSingleLogoutUrl (String) SAMLSingleLogoutURL is the SAML Single Logout URL used to initiate SAML SLO (single logout), if applicable.
  • username (String) Username is the username supplied by the external identity provider

Nested Schema for status

Optional:

  • mfa_weakest_device (Number) mfa_weakest_device reflects what the system knows about the user's weakest MFA device. Note that this is a "best effort" property, in that it can be UNSPECIFIED.
  • password_state (Number) password_state reflects what the system knows about the user's password. Note that this is a "best effort" property, in that it can be UNSPECIFIED for users who were created before this property was introduced and have not performed any password-related activity since then. See RFD 0159 for details. Do NOT use this value for authentication purposes!