Reference for the teleport_workload_identity Terraform resource

Example Usage

resource "teleport_workload_identity" "example" {
  version = "v1"
  metadata = {
    name = "example"
  }
  spec = {
    rules = {
      allow = [
        {
          conditions = [{
            attribute = "user.name"
            equals    = "noah"
          }]
        }
      ]
    }
    spiffe = {
      id   = "/my/spiffe/id/path"
      hint = "my-hint"
    }
  }
}

Schema

Optional

  • metadata (Attributes) Common metadata that all resources share. (see below for nested schema)
  • spec (Attributes) The configured properties of the WorkloadIdentity (see below for nested schema)
  • sub_kind (String) Differentiates variations of the same kind. All resources should contain one, even if it is never populated.
  • version (String) The version of the resource being represented.

Nested Schema for metadata

Optional:

  • description (String) description is the object description.
  • expires (String) expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) labels is a set of labels.
  • name (String) name is the object name.

Nested Schema for spec

Optional:

  • rules (Attributes) The rules which are evaluated before the WorkloadIdentity can be issued. (see below for nested schema)
  • spiffe (Attributes) Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials. (see below for nested schema)

Nested Schema for spec.rules

Optional:

  • allow (Attributes List) A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed. (see below for nested schema)

Nested Schema for spec.rules.allow

Optional:

  • conditions (Attributes List) The conditions that must be met for this rule to be considered passed. (see below for nested schema)

Nested Schema for spec.rules.allow.conditions

Optional:

  • attribute (String) The name of the attribute to evaluate the condition against.
  • equals (String) An exact string that the attribute must match.
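The evaluation semantics spelled out across spec.rules, spec.rules.allow and spec.rules.allow.conditions (no allow rules means pass; otherwise at least one allow rule must pass; a rule passes only when every one of its conditions holds; a condition is an exact string match on a named attribute) are easier to reason about as code. The following Go program is an added illustration written for this page, not the Teleport provider's or server's own implementation. It assumes attributes arrive as a flat string map keyed by the dotted attribute name (as in "user.name"), treats an attribute that is absent as not matching, and treats a rule with zero conditions as vacuously satisfied; the page states none of these three details, so they are assumptions. The "user.team" attribute used in the demonstration is constructed for the example.

```go
package main

import "fmt"

// Condition mirrors one entry of spec.rules.allow[*].conditions:
// the named attribute must equal the given string exactly.
type Condition struct {
	Attribute string
	Equals    string
}

// Rule mirrors one entry of spec.rules.allow: every condition must hold.
type Rule struct {
	Conditions []Condition
}

// Rules mirrors spec.rules.
type Rules struct {
	Allow []Rule
}

// conditionMet reports whether a single condition holds against the
// supplied attributes. An absent attribute never matches (assumption:
// the page does not say how a missing attribute is treated).
func conditionMet(c Condition, attrs map[string]string) bool {
	v, ok := attrs[c.Attribute]
	return ok && v == c.Equals
}

// ruleMet reports whether all conditions of one allow rule hold.
// A rule with no conditions is vacuously satisfied here (assumption),
// which is worth noticing when reviewing a configuration: such a rule
// makes the whole allow list pass for every workload.
func ruleMet(r Rule, attrs map[string]string) bool {
	for _, c := range r.Conditions {
		if !conditionMet(c, attrs) {
			return false
		}
	}
	return true
}

// Evaluate applies the documented semantics: no allow rules means the
// rules are considered passed; otherwise at least one allow rule must
// pass. It returns whether issuance is permitted and the index of the
// first matching allow rule (-1 when no rule was needed or none matched).
func Evaluate(rules Rules, attrs map[string]string) (bool, int) {
	if len(rules.Allow) == 0 {
		return true, -1
	}
	for i, r := range rules.Allow {
		if ruleMet(r, attrs) {
			return true, i
		}
	}
	return false, -1
}

func main() {
	// Same policy as the Terraform example at the top of the page:
	// a single allow rule requiring user.name == "noah".
	pageExample := Rules{Allow: []Rule{
		{Conditions: []Condition{{Attribute: "user.name", Equals: "noah"}}},
	}}

	// Two-rule policy: rule 0 needs both user.name and the constructed
	// user.team attribute; rule 1 needs only a different user.name.
	twoRules := Rules{Allow: []Rule{
		{Conditions: []Condition{
			{Attribute: "user.name", Equals: "noah"},
			{Attribute: "user.team", Equals: "platform"},
		}},
		{Conditions: []Condition{{Attribute: "user.name", Equals: "alice"}}},
	}}

	for _, attrs := range []map[string]string{
		{"user.name": "noah"},
		{"user.name": "noah", "user.team": "platform"},
		{"user.name": "alice"},
		{"user.name": "mallory"},
	} {
		ok1, idx1 := Evaluate(pageExample, attrs)
		ok2, idx2 := Evaluate(twoRules, attrs)
		fmt.Printf("attrs=%v pageExample=(%v,%d) twoRules=(%v,%d)\n",
			attrs, ok1, idx1, ok2, idx2)
	}
}
```

The second policy shows the conjunction-inside-disjunction shape: the workload with only user.name set to "noah" is denied because rule 0 also requires user.team and rule 1 wants a different name, while adding user.team satisfies rule 0.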

Nested Schema for spec.spiffe

Optional:

  • hint (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
  • id (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash ("/"). This field supports templating using attributes.