Terraform provider resources

Supported resources:

  • teleport_user
  • teleport_role
  • teleport_provision_token
  • teleport_github_connector
  • teleport_oidc_connector
  • teleport_saml_connector
  • teleport_trusted_cluster
  • teleport_auth_preference

Provider configuration

Add the following configuration section to your terraform configuration block:

terraform {
  required_providers {
    teleport = {
      version = ">= 9.3.7"
      source  = "terraform.releases.teleport.dev/gravitational/teleport"
    }
  }
}

The provider supports the following options:

| Name | Type | Description | Environment Variable |
| --- | --- | --- | --- |
| addr | string | Teleport auth or proxy address in "host:port" format. | TF_TELEPORT_ADDR |
| cert_path | string | Path to Teleport certificate file. | TF_TELEPORT_CERT |
| cert_base64 | string | Teleport certificate as base64. | TF_TELEPORT_CERT_BASE64 |
| identity_file_path | string | Path to Teleport identity file. | TF_TELEPORT_IDENTITY_FILE_PATH |
| key_path | string | Path to Teleport key file. | TF_TELEPORT_KEY |
| key_base64 | string | Teleport key as base64. | TF_TELEPORT_KEY_BASE64 |
| profile_dir | string | Teleport profile path. | TF_TELEPORT_PROFILE_PATH |
| profile_name | string | Teleport profile name. | TF_TELEPORT_PROFILE_NAME |
| root_ca_path | string | Path to Teleport CA file. | TF_TELEPORT_ROOT_CA |
| root_ca_base64 | string | Teleport CA as base64. | TF_TELEPORT_ROOT_CA_BASE64 |
| retry_base_duration | string | Base duration between retries. Format | TF_TELEPORT_RETRY_BASE_DURATION |
| retry_cap_duration | string | Max duration between retries. Format | TF_TELEPORT_RETRY_CAP_DURATION |
| retry_max_tries | string | Max number of retries. | TF_TELEPORT_RETRY_MAX_TRIES |

You need to specify at least one of:

  • cert_path, key_path, root_ca_path and addr to connect using key files.
  • cert_base64, key_base64, root_ca_base64 and addr to connect using a base64-encoded key.
  • identity_file_path and addr to connect using an identity file.
  • profile_name and profile_dir (both can be empty) to connect using the current profile from ~/.tsh.

The retry_* values are used to retry the API calls to Teleport when the cache is stale.

If more than one is provided, they are tried in the order above until one succeeds.

Example:

provider "teleport" {
  addr         = "localhost:3025"
  cert_path    = "tf.crt"
  key_path     = "tf.key"
  root_ca_path = "tf.ca"
}

teleport_user

The user resource manages local non-interactive Teleport users: CI/CD bots and plugins.

metadata

Metadata specifies the resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | User name |
| description | string | | User description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

Example:

resource "teleport_user" "example" {
  metadata = {
    name        = "example"
    description = "Example Teleport User"
    expires     = "2022-10-12T07:20:50.3Z"
    labels      = {
      example = "yes"
    }
  }
}

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | User role names |
| traits | set | User traits |
| traits.key | string | Trait name |
| traits.value | string list | Trait values |
| github_identities | object list | List of associated GitHub OAuth2 identities |
| github_identities.connector_id | string | ID of a registered GitHub connector, e.g. 'github.com' |
| github_identities.username | string | GitHub username |
| oidc_identities | object list | List of OpenID Connect identities |
| oidc_identities.connector_id | string | ID of a registered OIDC connector, e.g. 'google-example.com' |
| oidc_identities.username | string | OIDC username |
| saml_identities | object list | List of SAML identities |
| saml_identities.connector_id | string | ID of a registered SAML connector, e.g. 'google-example.com' |
| saml_identities.username | string | SAML username |

Example:

resource "teleport_user" "example" {
  metadata = {
    name = "example"
  }
  spec = {
    roles = ["example"]

    oidc_identities = [
      {
        connector_id = "oidc1.example.com"
        username     = "example"
      },
      {
        connector_id = "oidc2.example.com"
        username     = "example"
      }
    ]

    # traits is a set of {key, value} objects (see the spec table above):
    # key is a single trait name, value is the list of trait values.
    # Assigning the traits attribute twice is invalid HCL, so all traits go in one list.
    traits = [
      {
        key   = "trait1"
        value = ["example", "test"]
      },
      {
        key   = "trait2"
        value = ["foo", "bar"]
      }
    ]

    github_identities = [
      {
        connector_id = "github.com"
        username     = "example"
      }
    ]

    saml_identities = [
      {
        connector_id = "saml.example.com"
        username     = "example"
      }
    ]
  }
}

teleport_role

The role resource specifies a set of permissions assigned to local and SSO users.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Role name |
| description | string | | Role description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

version

version is an optional string that specifies the role version (default v3).

spec

Role specification consists of two sections: allow and deny. They are identical and contain the following fields:

spec.allow and spec.deny

| Name | Type | Description |
| --- | --- | --- |
| db_names | string list | List of database names this role is allowed to connect to |
| db_users | string list | List of database users this role is allowed to connect as |
| kubernetes_groups | string list | List of Kubernetes groups |
| kubernetes_users | string list | List of Kubernetes users to impersonate |
| logins | string list | List of *nix system logins |
| app_labels | set | Application labels |
| app_labels.key | string | Application name |
| app_labels.values | string list | List of labels |
| cluster_labels | set | Cluster labels |
| cluster_labels.key | string | Cluster name |
| cluster_labels.values | string list | List of labels |
| db_labels | set | Database labels |
| db_labels.key | string | Database name |
| db_labels.values | string list | List of labels |
| kubernetes_labels | set | Kubernetes labels |
| kubernetes_labels.key | string | Kubernetes cluster name |
| kubernetes_labels.values | string list | List of labels |
| node_labels | set | Node labels |
| node_labels.key | string | Node name |
| node_labels.values | string list | List of labels |
| impersonate | object | Specifies whether users are allowed to issue certificates for other users or groups |
| impersonate.roles | string list | List of roles this role is allowed to impersonate |
| impersonate.users | string list | List of users this role is allowed to impersonate |
| impersonate.where | string | Optional advanced matcher |
| rules | set | List of rules and their access levels. Rules are a high-level construct used for access control |
| rules.actions | string list | Optional actions taken when this rule matches |
| rules.resources | string list | List of resources |
| rules.verbs | string list | List of verbs |
| rules.where | string | Additional advanced matcher |

spec.allow.request and spec.deny.request

The request matcher specifies allow/deny restrictions on access requests.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | Names of roles which will match the request rule |
| suggested_reviewers | string list | List of reviewer suggestions. These can be Teleport usernames, but that is not a requirement. |
| annotations | set | Annotations |
| annotations.key | string | Annotation name |
| annotations.value | string list | Annotation values |
| claims_to_roles | set | Specifies a mapping from claims (traits) to Teleport roles |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |
| thresholds | set | List of thresholds, one of which must be met in order for reviews to trigger a state transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
| thresholds.name | string | Threshold name |
| thresholds.approve | number | Number of matching approvals needed for a state transition |
| thresholds.deny | number | Number of denials needed for a state transition |
| thresholds.filter | string | Optional predicate used to determine which reviews count toward this threshold. |

spec.allow.review_requests and spec.deny.review_requests

Allow or deny access reviews matching the criteria.

| Name | Type | Description |
| --- | --- | --- |
| roles | string list | Names of roles which may be reviewed |
| where | string | Optional predicate which further limits which requests are reviewable |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |

spec.options

Options specify session, connection and auditing permissions of the role.

| Name | Type | Description |
| --- | --- | --- |
| cert_format | string | The format of the user certificate, to allow compatibility with older versions of OpenSSH |
| client_idle_timeout | duration | Disconnect clients after this idle duration; 0 means do not disconnect |
| disconnect_expired_cert | bool | Disconnect clients whose certificates have expired |
| enhanced_recording | string list | Events to record for the BPF-based session recorder |
| forward_agent | bool | SSH agent forwarding |
| max_connections | number | The maximum number of concurrent connections a user may hold |
| max_session_ttl | number | How long an SSH session can last |
| max_sessions | number | Maximum number of concurrent sessions per connection |
| permit_x11_forwarding | bool | Authorizes use of X11 forwarding |
| port_forwarding | bool | Port forwarding |
| request_access | string | Access request strategy (optional\|note\|always) |
| request_prompt | string | An optional message which tells users what they ought to |
| require_session_mfa | bool | Specifies whether a user is required to do an MFA check for every session |
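The page gives no worked teleport_role, so here is one that exercises the spec.allow, spec.deny, spec.allow.request and spec.options fields from the tables above as a least-privilege role for a CI deploy bot. It is an added example, not the provider's own documentation: the role, login, label and reviewer names are constructed, and the nesting of the set-typed fields as lists of key/values objects is assumed from the tables rather than confirmed by the page.

```hcl
# Added example (not from the provider docs). Field names follow the role tables
# above; names, labels and the object nesting of set fields are assumptions.
resource "teleport_role" "ci_deployer" {
  metadata = {
    name        = "ci-deployer"
    description = "Deploy bot: staging nodes only, no agent or port forwarding"
  }

  spec = {
    options = {
      forward_agent           = false  # no SSH agent forwarding from the bot's sessions
      port_forwarding         = false
      permit_x11_forwarding   = false
      disconnect_expired_cert = true   # drop sessions whose client cert has expired
      require_session_mfa     = true   # MFA check on every session (see options table)
      max_connections         = 2
      request_access          = "optional"
    }

    allow = {
      logins = ["deploy"]
      # Only nodes carrying both labels; keys and values are constructed.
      node_labels = [
        { key = "env", values = ["staging"] },
        { key = "team", values = ["platform"] },
      ]
      # Read-only visibility into sessions: no create/update/delete verbs.
      rules = [
        { resources = ["session"], verbs = ["list", "read"] },
      ]
      # Production access must be requested and needs two approvals.
      request = {
        roles               = ["prod-deployer"]
        suggested_reviewers = ["alice", "bob"]
        thresholds = [
          { name = "two-approvals", approve = 2, deny = 1 },
        ]
      }
    }

    # Deny entries take precedence over allow entries in Teleport, so these
    # hold even if another role assigned to the same user grants them.
    deny = {
      logins = ["root"]
      node_labels = [
        { key = "env", values = ["production"] },
      ]
    }
  }
}
```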

teleport_provision_token

Provision tokens authenticate Teleport nodes and proxies when they first join the cluster.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Token name |
| description | string | | Token description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | * | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource. It has a single field: roles, a list of roles associated with the token. This list is converted to metadata in the SSH and X509 certificates issued to the user of the token.

teleport_github_connector

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string | | Connector description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| client_id | string | GitHub OAuth app client ID |
| client_secret | string | GitHub OAuth app client secret |
| display | string | Connector display name |
| redirect_url | string | Authorization callback URL |
| teams_to_logins | set | Maps GitHub team memberships onto allowed logins/roles. |
| teams_to_logins.kubernetes_groups | string list | List of allowed Kubernetes groups for this org/team |
| teams_to_logins.kubernetes_users | string list | List of allowed Kubernetes users to impersonate for this org/team |
| teams_to_logins.logins | string list | List of allowed logins for this org/team |
| teams_to_logins.organization | string | GitHub organization a user belongs to |
| teams_to_logins.team | string | Team within the organization a user belongs to |

teleport_oidc_connector

An OIDC connector resource specifies an OpenID Connect identity provider for Teleport.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string | | Connector description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| acr_values | string | Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies between identity providers |
| client_id | string | The ID of the authentication client (Teleport Auth server) |
| client_secret | string | Used to authenticate the client |
| display | string | Connector display name |
| google_admin_email | string | The email of a Google admin to impersonate |
| google_service_account | string | String containing Google service account credentials |
| google_service_account_uri | string | Path to a Google service account URI |
| issuer_url | string | The endpoint of the provider, e.g. https://accounts.google.com |
| prompt | string | An optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility |
| provider | string | The external identity provider |
| redirect_url | string | A URL that will redirect the client's browser back to the identity provider after successful authentication. This should match the URL on the provider's side |
| scope | string list | Specifies additional scopes set by the provider |
| claims_to_roles | set | Specifies a mapping from claims (traits) to Teleport roles |
| claims_to_roles.claim | string | Claim name |
| claims_to_roles.roles | string list | List of static Teleport roles to match |
| claims_to_roles.value | string | Claim value to match |

teleport_saml_connector

A SAML connector resource specifies a SAML identity provider for Teleport.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string | | Connector description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| acs | string | URL for the assertion consumer service on the service provider (Teleport's side) |
| audience | string | Audience that uniquely identifies the service provider (Teleport) |
| cert | string | The identity provider certificate in PEM. The IdP signs its responses using this certificate |
| display | string | Connector display name |
| entity_descriptor | string | XML with the descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. |
| entity_descriptor_url | string | URL that supplies the configuration XML |
| issuer | string | Identity provider issuer |
| provider | string | External identity provider |
| service_provider_issuer | string | The issuer of the service provider (Teleport) |
| sso | string | The URL of the identity provider's SSO service |
| attributes_to_roles | set | List of mappings of attribute statements to roles |
| attributes_to_roles.name | string | Attribute statement name |
| attributes_to_roles.roles | string list | List of static Teleport roles to map to |
| attributes_to_roles.value | string | Attribute statement value to match |
| assertion_key_pair | object | Public and private key used for encryption |
| assertion_key_pair.cert | string | PEM-encoded x509 certificate |
| assertion_key_pair.private_key | string | PEM-encoded x509 private key |
| signing_key_pair | object | Public and private key used for signing |
| signing_key_pair.cert | string | PEM-encoded x509 certificate |
| signing_key_pair.private_key | string | PEM-encoded x509 private key |

teleport_trusted_cluster

A trusted cluster resource dials and connects this cluster to another, root cluster.

metadata

Metadata specifies a resource name, description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | * | Connector name |
| description | string | | Connector description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| enabled | bool | Indicates if the trusted cluster is enabled or disabled. Setting enabled to false has the side effect of deleting the user and host certificate authority (CA). |
| web_proxy_addr | string | The address of the web proxy server of the cluster to join. If not set, it is derived from metadata.name plus the default web proxy server port. |
| tunnel_address | string | The address of the SSH proxy server of the cluster to join. If not set, it is derived from metadata.name plus the default reverse tunnel port. |
| roles | string list | List of roles that users will assume when connecting to this cluster |
| token | string | The authorization token provided by the other cluster, needed by this cluster to join |
| role_map | set | Role mappings to remote roles |
| role_map.local | string list | Local roles to map to |
| role_map.remote | string | Remote role name to map from |
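The following is an added example of the trusted cluster resource described above; it is not the provider's own documentation. The root cluster name, the local role names and the trusted_cluster_token variable are constructed, and the role_map object shape is assumed from the spec table.

```hcl
# Added example (not from the provider docs): join this cluster to a root
# cluster with explicit role mappings. Names and the variable are assumptions.
variable "trusted_cluster_token" {
  description = "Join token issued by the root cluster; pass it via TF_VAR_trusted_cluster_token rather than committing it"
  type        = string
  sensitive   = true
}

resource "teleport_trusted_cluster" "root" {
  metadata = {
    # With web_proxy_addr and tunnel_address unset, both are derived from this
    # name plus the default ports (see the spec table above).
    name = "root.example.com"
  }

  spec = {
    # Note: flipping enabled to false deletes the root cluster's user and host
    # CAs on this side (see the spec table), so toggling it is not free.
    enabled = true
    token   = var.trusted_cluster_token

    # Map each remote role to a specific local role. A catch-all remote match
    # onto a privileged local role would make every root-cluster user an
    # administrator here, so keep the mappings explicit and narrow.
    role_map = [
      { remote = "auditor", local = ["auditor"] },
      { remote = "dev", local = ["dev-ssh"] },
    ]
  }
}
```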

teleport_auth_preference

The auth preference resource defines the cluster auth preference for the Teleport cluster. This resource is a singleton. It gets reset on deletion.

metadata

Metadata specifies a resource description, labels and optional expiry date and time.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| description | string | | Connector description |
| labels | string map | | Resource labels |
| namespace | string | | Resource namespace ("default" by default) |
| expires | string | | Expiry time in RFC8829 format |

spec

Spec contains parameters of a resource.

| Name | Type | Description |
| --- | --- | --- |
| type | string | The type of authentication |
| second_factor | string | The type of second factor |
| connector_name | string | The name of the OIDC or SAML connector. If this value is not set, the first connector in the backend will be used |
| u2f | set | Settings for U2F devices |
| u2f.app_id | string | The application ID for universal second factor |
| u2f.facets | string list | The facets for universal second factor |
| u2f.device_attestation_cas | string list | Trusted attestation CAs for U2F devices |
| require_session_mfa | bool | Causes all sessions in this cluster to require MFA checks |
| disconnect_expired_cert | bool | If true, connections with expired client certificates will get disconnected |
| allow_local_auth | bool | If true, local authentication is enabled |