Teleport

Terraform provider resources

Supported resources:

  • teleport_user
  • teleport_role
  • teleport_provision_token
  • teleport_github_connector
  • teleport_oidc_connector
  • teleport_saml_connector
  • teleport_trusted_cluster
  • teleport_auth_preference

Provider configuration

Add the following configuration section to your terraform configuration block:

terraform {
  required_providers {
    teleport = {
      version = ">= 7.1.3"
      source  = "gravitational.com/teleport/teleport"
    }
  }
}

The provider supports the following options:

| Name | Type | Description |
| --- | --- | --- |
| addr | string | Teleport auth or proxy host:port |
| cert_path | string | Path to Teleport certificate file |
| identity_file_path | string | Path to Teleport identity file |
| key_path | string | Path to Teleport key file |
| profile_dir | string | Teleport profile path |
| profile_name | string | Teleport profile name |
| root_ca_path | string | Path to Teleport CA file |

You need to specify one of the following:

  • cert_path, key_path, root_ca_path and addr to connect using key files.
  • identity_file_path and addr to connect using an identity file.
  • profile_name and profile_dir (both may be empty), in which case Teleport tries to connect using the current profile from ~/.tsh.

Whichever option you choose, the certificate, key or identity file carries the full privileges of the Teleport user it was issued to. Keep it out of version control, issue it to a dedicated non-interactive user with only the roles the provider needs, and give it the shortest TTL your pipeline can work with.

Example:

provider "teleport" {
  addr         = "localhost:3025"
  cert_path    = "tf.crt"
  key_path     = "tf.key"
  root_ca_path = "tf.ca"
}

teleport_user

The user resource allows you to manage local non-interactive Teleport users such as CI/CD bots and plugins.

metadata

Metadata specifies the resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | User name |
| description | string |  | User description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format (for example 2022-10-12T07:20:50.3Z) |

Example:

resource "teleport_user" "example" {
  metadata {
    name        = "example"
    description = "Example Teleport User"
    expires     = "2022-10-12T07:20:50.3Z"
    labels      = {
      example = "yes"
    }
  }
}

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | User role names |
| traits | set | User traits |
| traits.key | string | Trait name |
| traits.value | string list | Trait values |
| github_identities | object list | List of associated GitHub OAuth2 identities |
| github_identities.connector_id | string | ID of a registered GitHub connector, e.g. 'github.com' |
| github_identities.username | string | GitHub username |
| oidc_identities | object list | List of OpenID Connect identities |
| oidc_identities.connector_id | string | ID of a registered OIDC connector, e.g. 'google-example.com' |
| oidc_identities.username | string | OIDC username |
| saml_identities | object list | List of SAML identities |
| saml_identities.connector_id | string | ID of a registered SAML connector, e.g. 'google-example.com' |
| saml_identities.username | string | SAML username |

Example:

resource "teleport_user" "example" {
  spec {
    roles = ["example"]

    oidc_identities {
      connector_id = "oidc1.example.com"
      username     = "example"
    }

    oidc_identities {
      connector_id = "oidc2.example.com"
      username     = "example"
    }

    traits {
      key   = "trait1"
      value = ["example", "test"]
    }

    traits {
      key   = "trait2"
      value = ["foo", "bar"]
    }

    github_identities {
      connector_id = "github.com"
      username     = "example"
    }

    saml_identities {
      connector_id = "saml.example.com"
      username     = "example"
    }
  }
}

teleport_role

The role resource specifies a set of permissions assigned to local and SSO users.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Role name |
| description | string |  | Role description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

The role specification consists of two sections, allow and deny. They have identical structure and contain the following fields. A deny entry always takes precedence over an allow entry, including allow entries granted by another of the user's roles.

spec.allow and spec.deny

| Name | Type | Description |
| --- | --- | --- |
| database_names | string list | List of database names this role is allowed to connect to |
| database_users | string list | List of database users this role is allowed to connect as |
| kube_groups | string list | List of Kubernetes groups |
| kube_users | string list | List of Kubernetes users to impersonate |
| logins | string list | List of *nix system logins |
| app_labels | set | Application labels |
| app_labels.name | string | Label name (key) |
| app_labels.values | string list | Label values to match |
| cluster_labels | set | Cluster labels |
| cluster_labels.name | string | Label name (key) |
| cluster_labels.values | string list | Label values to match |
| database_labels | set | Database labels |
| database_labels.name | string | Label name (key) |
| database_labels.values | string list | Label values to match |
| kubernetes_labels | set | Kubernetes cluster labels |
| kubernetes_labels.name | string | Label name (key) |
| kubernetes_labels.values | string list | Label values to match |
| node_labels | set | Node labels |
| node_labels.name | string | Label name (key) |
| node_labels.values | string list | Label values to match |
| impersonate | object | Specifies whether users are allowed to issue certificates for other users or groups |
| impersonate.roles | string list | List of roles this role is allowed to impersonate |
| impersonate.users | string list | List of users this role is allowed to impersonate |
| impersonate.where | string | Optional advanced matcher |
| rules | set | List of rules and their access levels. Rules are a high-level construct used for access control |
| rules.actions | string list | Optional actions taken when this rule matches |
| rules.resources | string list | List of resources |
| rules.verbs | string list | List of verbs |
| rules.where | string | Additional advanced matcher |

spec.allow.request and spec.deny.request

The request matcher defines allow/deny restrictions on access requests: which roles a holder of this role may request, who is suggested as a reviewer, and how many approvals or denials move a request to its next state.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | Names of roles which match the request rule |
| suggested_reviewers | string list | List of reviewer suggestions. These can be Teleport usernames, but that is not a requirement |
| annotations | set | Annotations |
| annotations.key | string | Annotation name |
| annotations.value | string list | Annotation values |
| claims_to_roles | set | Specifies a mapping from claims (traits) to Teleport roles |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |
| thresholds | set | List of thresholds, one of which must be met in order for reviews to trigger a state transition. If no thresholds are provided, a default threshold of 1 for approval and 1 for denial is used |
| thresholds.name | string | Threshold name |
| thresholds.approve | number | Number of matching approvals needed for a state transition |
| thresholds.deny | number | Number of denials needed for a state transition |
| thresholds.filter | string | Optional predicate used to determine which reviews count toward this threshold |

spec.allow.review_requests and spec.deny.review_requests

Allow or deny the holder of this role to review access requests matching the criteria.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | Names of roles whose requests may be reviewed |
| where | string | Optional predicate which further limits which requests are reviewable |
| claims_to_roles | set | Specifies a mapping from claims (traits) to Teleport roles |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |

spec.options

Options specify the session, connection and auditing behaviour of the role.

| Name | Type | Description |
| --- | --- | --- |
| bpf | string list | Events to record for the BPF-based session recorder |
| certificate_format | string | The format of the user certificate, to allow compatibility with older versions of OpenSSH |
| client_idle_timeout | duration | Disconnect clients that have been idle for this long; 0 means never disconnect on idle |
| disconnect_expired_cert | bool | Disconnect clients whose certificate has expired |
| forward_agent | bool | Allow SSH agent forwarding |
| max_connections | number | The maximum number of concurrent connections a user may hold |
| max_session_ttl | number | How long an SSH session can last |
| max_sessions | number | Maximum number of concurrent sessions per connection |
| permit_x11forwarding | bool | Allow X11 forwarding |
| port_forwarding | bool | Allow port forwarding |
| request_access | string | Access request strategy (optional) |
| request_prompt | string | An optional message which tells users what they ought to |
| require_session_mfa | bool | Require an MFA check for every session |
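
The following is an added example, not taken from the Teleport docs or the provider's own code, that puts the allow, deny, request, review_requests and options sections of a role together in one resource. It assumes the nested-block syntax that the teleport_user example earlier on this page uses for sets and objects; the role names (staging-ssh, dba), reviewer names (alice, bob) and the env label are made up.

```hcl
resource "teleport_role" "staging_ssh" {
  metadata {
    name        = "staging-ssh"
    description = "SSH to staging nodes as ubuntu; no root, no forwarding"
    labels = {
      managed-by = "terraform"
    }
  }

  spec {
    allow {
      logins = ["ubuntu"]

      # Only nodes labelled env=staging are reachable with this role.
      node_labels {
        name   = "env"
        values = ["staging"]
      }

      # Read-only access to session recordings; no write verbs.
      rules {
        resources = ["session"]
        verbs     = ["list", "read"]
      }

      # Holders may request the (hypothetical) dba role. Two approvals are
      # needed to grant it and a single denial rejects it.
      request {
        roles               = ["dba"]
        suggested_reviewers = ["alice", "bob"]

        thresholds {
          name    = "two-approvals"
          approve = 2
          deny    = 1
        }
      }

      # Holders may also review other people's requests for dba.
      review_requests {
        roles = ["dba"]
      }
    }

    # Deny wins over allow, so root login and prod nodes stay blocked even if
    # another role assigned to the same user allows them.
    deny {
      logins = ["root"]

      node_labels {
        name   = "env"
        values = ["prod"]
      }
    }

    options {
      require_session_mfa     = true
      forward_agent           = false
      port_forwarding         = false
      disconnect_expired_cert = true
      client_idle_timeout     = "30m"
    }
  }
}
```

The deny block is the part worth copying: because deny is evaluated before allow across all of a user's roles, it is the only way to guarantee that a later, more permissive role cannot reopen root login or production access.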

teleport_provision_token

Provision tokens authenticate teleport nodes and proxies when they first join the cluster.

metadata

Metadata specifies a resource name, description, labels and expiry date and time. Unlike the other resources, expires is required here: a join token should always be short-lived.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Token name. This is the secret value that joining nodes present, so treat it like a password |
| description | string |  | Token description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string | * | Expiry time in RFC 3339 format |

spec

Spec contains the parameters of the resource. It has a single field, roles: the list of Teleport system roles (for example Node) that a service joining with this token receives. The roles are embedded as metadata in the SSH and X.509 certificates issued to the holder of the token, so list only the roles the joining service actually needs.
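
An added example of a provision token, not from the Teleport docs or the provider: the token value is generated rather than typed into the configuration, and it expires within hours. It assumes the hashicorp/random provider is declared alongside the Teleport provider; the expiry timestamp is a made-up value and should be set relative to when the nodes will actually join.

```hcl
# Generate the secret token value instead of hard-coding it. It still ends
# up in Terraform state, so protect the state backend accordingly.
resource "random_password" "node_join" {
  length  = 32
  special = false
}

resource "teleport_provision_token" "staging_nodes" {
  metadata {
    # metadata.name is the token itself.
    name        = random_password.node_join.result
    description = "Short-lived join token for staging SSH nodes"
    # Required for this resource: the token is invalid after this instant.
    expires     = "2022-10-12T09:00:00Z"
    labels = {
      env = "staging"
    }
  }

  spec {
    # Only the Node role: a leaked token cannot be used to join a proxy
    # or auth server.
    roles = ["Node"]
  }
}

# Hand the value to whatever bootstraps the nodes; mark it sensitive so
# it is not echoed in plan and apply output.
output "node_join_token" {
  value     = teleport_provision_token.staging_nodes.metadata[0].name
  sensitive = true
}
```

The output indexing assumes metadata is exposed as a single-element block list, which is how Terraform represents nested blocks; adjust if the provider version you use exposes it as an attribute instead.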

teleport_github_connector

A GitHub connector resource specifies GitHub as an SSO identity provider for Teleport and maps GitHub organization teams onto Teleport logins and roles.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string |  | Connector description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| client_id | string | GitHub OAuth app client ID |
| client_secret | string | GitHub OAuth app client secret |
| display | string | Connector display name |
| redirect_url | string | Authorization callback URL |
| teams_to_logins | set | Maps GitHub team memberships onto allowed logins/roles |
| teams_to_logins.kube_groups | string list | List of allowed Kubernetes groups for this org/team |
| teams_to_logins.kube_users | string list | List of allowed Kubernetes users to impersonate for this org/team |
| teams_to_logins.logins | string list | List of allowed logins for this org/team |
| teams_to_logins.organization | string | GitHub organization a user belongs to |
| teams_to_logins.team | string | Team within the organization a user belongs to |
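
An added example of a GitHub connector, not from the Teleport docs or the provider, showing how two teams in one organization map onto different Teleport roles. The OAuth credentials come in through sensitive variables (which need Terraform 0.14 or later); the organization, team and role names and the cluster hostname are made up. The callback path /v1/webapi/github/callback is the one Teleport serves for GitHub SSO.

```hcl
variable "github_client_id" {
  type = string
}

variable "github_client_secret" {
  type      = string
  sensitive = true
}

resource "teleport_github_connector" "github" {
  metadata {
    name        = "github"
    description = "GitHub SSO for example-org"
  }

  spec {
    client_id     = var.github_client_id
    client_secret = var.github_client_secret
    display       = "GitHub"
    # Must match the callback URL registered on the GitHub OAuth app.
    redirect_url  = "https://teleport.example.com:3080/v1/webapi/github/callback"

    # Values in logins are Teleport role names. Each block is an
    # independent mapping; a user in both teams gets the union.
    teams_to_logins {
      organization = "example-org"
      team         = "sre"
      logins       = ["staging-ssh"]
      kube_groups  = ["developers"]
    }

    teams_to_logins {
      organization = "example-org"
      team         = "dba"
      logins       = ["dba"]
    }
  }
}
```

Marking the variable sensitive keeps the secret out of plan output only; the connector spec, including client_secret, is still written to Terraform state, so the state backend must be treated as holding a credential.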

teleport_oidc_connector

An OIDC connector resource specifies an OpenID Connect identity provider for Teleport.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string |  | Connector description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| acr | string | Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies between identity providers |
| client_id | string | The ID of the authentication client (the Teleport auth server) |
| client_secret | string | Used to authenticate the client |
| display | string | Connector display name |
| google_admin_email | string | The email of a Google admin to impersonate |
| google_service_account | string | String containing Google service account credentials |
| google_service_account_uri | string | Path to a Google service account URI |
| issuer_url | string | The endpoint of the provider, e.g. https://accounts.google.com |
| prompt | string | An optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility |
| provider | string | The external identity provider |
| redirect_url | string | A URL that will redirect the client's browser back to Teleport after successful authentication. This should match the URL registered on the provider's side |
| scope | string list | Specifies additional scopes requested from the provider |
| claims_to_roles | set | Specifies a mapping from claims (traits) to Teleport roles |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |
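
An added example of an OIDC connector, not from the Teleport docs or the provider, that maps a group claim onto Teleport roles. It assumes an identity provider that returns group membership in a groups claim when the groups scope is requested; the issuer URL, group names, role names and hostname are made up, and the credentials arrive through sensitive variables (Terraform 0.14 or later). The callback path /v1/webapi/oidc/callback is the one Teleport serves for OIDC.

```hcl
variable "oidc_client_id" {
  type = string
}

variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "teleport_oidc_connector" "corp_idp" {
  metadata {
    name        = "corp-idp"
    description = "Corporate OpenID Connect provider"
  }

  spec {
    issuer_url    = "https://idp.example.com"
    client_id     = var.oidc_client_id
    client_secret = var.oidc_client_secret
    display       = "Corporate SSO"
    redirect_url  = "https://teleport.example.com:3080/v1/webapi/oidc/callback"
    # Request the groups claim in addition to the default openid scopes.
    scope         = ["groups"]
    # Empty string: do not force an account chooser on every login.
    prompt        = ""

    # Each mapping matches one claim value; a user whose groups claim
    # contains both values receives both role sets.
    claims_to_roles {
      claim = "groups"
      value = "sre"
      roles = ["staging-ssh"]
    }

    claims_to_roles {
      claim = "groups"
      value = "dba"
      roles = ["dba"]
    }
  }
}
```

A user whose groups claim matches none of the mappings gets no roles and therefore cannot log in, which is the intended failure mode: never add a catch-all mapping to a broad role to make logins "just work".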

teleport_saml_connector

A SAML connector resource specifies a SAML identity provider for Teleport.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string |  | Connector description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| assertion_consumer_service | string | URL of the assertion consumer service on the service provider (Teleport's side) |
| audience | string | Audience that uniquely identifies our service provider |
| cert | string | The identity provider certificate in PEM form. The IdP signs its responses with this certificate, and Teleport uses it to verify them |
| display | string | Connector display name |
| entity_descriptor | string | XML entity descriptor. It can be used to supply the configuration parameters in one XML document rather than in the individual fields |
| entity_descriptor_url | string | URL that supplies the configuration XML |
| issuer | string | Identity provider issuer |
| provider | string | External identity provider |
| service_provider_issuer | string | The issuer of the service provider (Teleport) |
| sso | string | The URL of the identity provider's SSO service |
| attributes_to_roles | set | List of mappings of attribute statements to roles |
| attributes_to_roles.name | string | Attribute statement name |
| attributes_to_roles.roles | string list | List of static Teleport roles to map to |
| attributes_to_roles.value | string | Attribute statement value to match |
| encryption_key_pair | object | Public and private key used for encryption |
| encryption_key_pair.cert | string | PEM-encoded X.509 certificate |
| encryption_key_pair.private_key | string | PEM-encoded private key |
| signing_key_pair | object | Public and private key used for signing |
| signing_key_pair.cert | string | PEM-encoded X.509 certificate |
| signing_key_pair.private_key | string | PEM-encoded private key |

teleport_trusted_cluster

A trusted cluster resource dials and connects this (leaf) cluster to another, root cluster.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Trusted cluster name (the name of the root cluster) |
| description | string |  | Trusted cluster description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| enabled | bool | Whether the trusted cluster is enabled. Setting enabled to false has the side effect of deleting the remote cluster's user and host certificate authorities (CAs) |
| proxy_address | string | The address of the web proxy server of the cluster to join. If not set, it is derived from metadata.name and the default web proxy port |
| reverse_tunnel_address | string | The address of the SSH proxy server of the cluster to join. If not set, it is derived from metadata.name and the default reverse tunnel port |
| roles | string list | List of roles that users will assume when connecting to this cluster |
| token | string | The authorization token provided by the other cluster, needed by this cluster to join |
| role_map | set | Mappings from remote roles to local roles |
| role_map.local | string list | Local roles to map to |
| role_map.remote | string | Remote role name to map from |
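
An added example of a trusted cluster resource, not from the Teleport docs or the provider, run in the leaf cluster to join a root cluster. The root cluster name, addresses and role names are made up; the join token arrives through a sensitive variable (Terraform 0.14 or later). Ports 3080 and 3024 are Teleport's default web proxy and reverse tunnel ports.

```hcl
variable "root_cluster_join_token" {
  type      = string
  sensitive = true
}

resource "teleport_trusted_cluster" "root" {
  metadata {
    # metadata.name must be the root cluster's name.
    name        = "root.example.com"
    description = "Root cluster for the platform team"
  }

  spec {
    enabled = true
    token   = var.root_cluster_join_token

    # Explicit addresses; otherwise derived from metadata.name and the
    # default ports.
    proxy_address          = "root.example.com:3080"
    reverse_tunnel_address = "root.example.com:3024"

    # Map root-cluster roles onto roles that exist in this leaf cluster.
    # Root "admin" becomes read-only "auditor" here: root-cluster
    # administrators do not automatically administer the leaf.
    role_map {
      remote = "admin"
      local  = ["auditor"]
    }

    role_map {
      remote = "dev"
      local  = ["staging-ssh"]
    }
  }
}
```

Each local role named in role_map must already exist in the leaf cluster, and a remote role with no mapping grants nothing, so the mapping doubles as the leaf cluster's trust boundary. Remember that flipping enabled to false removes the root cluster's CAs from this cluster.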

teleport_auth_preference

The auth preference resource defines the cluster authentication preference for the Teleport cluster. This resource is a singleton: it has no name, and deleting it resets the cluster to the default preference.

metadata

Metadata specifies a resource description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| description | string |  | Resource description |
| labels | string map |  | Resource labels |
| namespace | string |  | Resource namespace ("default" by default) |
| expires | string |  | Expiry time in RFC 3339 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| type | string | The type of authentication |
| second_factor | string | The type of second factor |
| connector_name | string | The name of the OIDC or SAML connector. If this value is not set, the first connector in the backend is used |
| u2f | set | Settings for U2F devices |
| u2f.app_id | string | The application ID for universal second factor |
| u2f.facets | string list | The facets for universal second factor |
| u2f.device_attestation_cas | string list | Trusted attestation CAs for U2F devices |
| require_session_mfa | bool | Require an MFA check for every session in this cluster |
| disconnect_expired_cert | bool | If true, connections with expired client certificates are disconnected |
| allow_local_auth | bool | If true, local authentication is enabled |
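
An added example of the auth preference singleton, not from the Teleport docs or the provider, configuring local authentication with a hardware second factor and per-session MFA. The hostname is made up; u2f.facets lists the origins the browser may present the device from, so it must match the addresses users actually type.

```hcl
resource "teleport_auth_preference" "cluster" {
  metadata {
    description = "Local users with U2F second factor, MFA on every session"
  }

  spec {
    type          = "local"
    second_factor = "u2f"

    u2f {
      app_id = "https://teleport.example.com"
      facets = [
        "https://teleport.example.com",
        "https://teleport.example.com:3080",
      ]
    }

    # A certificate alone is not enough: every new session re-checks MFA,
    # which limits what a stolen identity file can do.
    require_session_mfa     = true
    disconnect_expired_cert = true
    allow_local_auth        = true
  }
}
```

Because this resource is a singleton, removing it from the configuration (or running terraform destroy) does not leave the last applied settings in place; it resets the cluster to its default auth preference, so the MFA requirement disappears with it.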