Ensure your Terraform version is v1.0.0 or higher.

Add the following configuration section to your terraform configuration block:

```hcl
terraform {
  required_providers {
    teleport = {
      version = "~> 15.0"
      source  = "terraform.releases.teleport.dev/gravitational/teleport"
    }
  }
}
```

The provider supports the following options:

| Name | Type | Description | Environment Variable |
|---|---|---|---|
| addr | string | Teleport auth or proxy address in "host:port" format. | TF_TELEPORT_ADDR |
| cert_path | string | Path to Teleport certificate file. | TF_TELEPORT_CERT |
| cert_base64 | string | Teleport certificate as base64. | TF_TELEPORT_CERT_BASE64 |
| identity_file_path | string | Path to Teleport identity file. | TF_TELEPORT_IDENTITY_FILE_PATH |
| identity_file_base64 | string | Teleport identity file as base64. | TF_TELEPORT_IDENTITY_FILE_BASE64 |
| key_path | string | Path to Teleport key file. | TF_TELEPORT_KEY |
| key_base64 | string | Teleport key as base64. | TF_TELEPORT_KEY_BASE64 |
| profile_dir | string | Teleport profile path. | TF_TELEPORT_PROFILE_PATH |
| profile_name | string | Teleport profile name. | TF_TELEPORT_PROFILE_NAME |
| root_ca_path | string | Path to Teleport CA file. | TF_TELEPORT_ROOT_CA |
| root_ca_base64 | string | Teleport CA as base64. | TF_TELEPORT_ROOT_CA_BASE64 |
| retry_base_duration | string | Base duration between retries (duration format). | TF_TELEPORT_RETRY_BASE_DURATION |
| retry_cap_duration | string | Max duration between retries (duration format). | TF_TELEPORT_RETRY_CAP_DURATION |
| retry_max_tries | string | Max number of retries. | TF_TELEPORT_RETRY_MAX_TRIES |

You need to specify at least one of:

- cert_path, key_path, root_ca_path and addr to connect using key files.
- cert_base64, key_base64, root_ca_base64 and addr to connect using a base64-encoded key.
- identity_file_path or identity_file_base64 and addr to connect using an identity file.
- profile_name, profile_dir (both can be empty) and addr to connect using the current profile from ~/.tsh

The retry_* values are used to retry the API calls to Teleport when the cache is stale.

If more than one is provided, they are tried in the order above until one succeeds.

Example:

```hcl
provider "teleport" {
  addr         = "localhost:3025"
  cert_path    = "tf.crt"
  key_path     = "tf.key"
  root_ca_path = "tf.ca"
}
```
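The same provider configured with an identity file and explicit retry tuning, as an added example that is not part of the provider documentation. The address, the identity file path and the retry values are placeholders, not provider defaults; only option names from the table above are used.

```hcl
# Added example: identity-file authentication with retry tuning.
# All values are placeholders to be replaced for a real cluster.
provider "teleport" {
  addr               = "teleport.example.com:443"       # placeholder proxy address
  identity_file_path = "/var/lib/teleport/bot/identity" # placeholder path to an identity file

  # Retry API calls while the Auth Service cache is stale instead of
  # failing the whole apply. Durations use the duration format.
  retry_base_duration = "1s"
  retry_cap_duration  = "5s"
  retry_max_tries     = "10"
}
```

Because every option has an environment variable counterpart (TF_TELEPORT_ADDR, TF_TELEPORT_IDENTITY_FILE_PATH, and so on), the identity file location can be supplied by the CI job that runs Terraform rather than committed alongside the configuration.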

Since Teleport 15, you must set the version on each resource, and version cannot be changed in-place. Terraform will delete the resource and create a new one if a version change is required.

This is not enforced on previous Teleport provider versions, but we recommend doing so. When the version is not specified, Terraform will pick the latest one by default. However, version upgrades don't re-apply the resource defaults. This could lead to different results if you create a new resource or upgrade an existing one. To mitigate this, you should explicitly set the resource version.

Warning: Upgrading the Terraform Provider to a new version with teleport_role resources without a specified version can change the role behavior and access rules. You must set the role version before upgrading to ensure the role access rules don't change. The default role version is the highest supported:

- v12 default role version is v5
- v13 default role version is v6
- v14 default role version is v7

For example, before upgrading from v12 to v13, edit every unversioned role to pin the v5 version:

```hcl
resource "teleport_role" "test" {
  version = "v5"
  metadata = {
    name = "my-role"
  }
  // ...
}
```

| Name | Type | Required | Description |
|---|---|---|---|
| header | object | | header is the header for the resource. |
| spec | object | | spec is the specification for the access list. |

header is the header for the resource.

| Name | Type | Required | Description |
|---|---|---|---|
| kind | string | | kind is a resource kind. |
| metadata | object | | metadata is resource metadata. |
| sub_kind | string | | sub_kind is an optional resource sub kind, used in some resources. |
| version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |

metadata is resource metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | description is object description. |
| expires | RFC3339 time | | |
| labels | map of strings | | labels is a set of labels. |
| name | string | * | name is an object name. |
| namespace | string | | namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

spec is the specification for the access list.

| Name | Type | Required | Description |
|---|---|---|---|
| audit | object | * | audit describes the frequency that this access list must be audited. |
| description | string | | description is an optional plaintext description of the access list. |
| grants | object | * | grants describes the access granted by membership to this access list. |
| membership | string | | membership defines how list membership is applied. There are two possible values: explicit (default): to be considered a member of the access list, a user must both meet the membership_requires conditions AND be explicitly added to the list. implicit: any user meeting the membership_requires conditions will automatically be considered a member of this list. |
| membership_requires | object | | membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of membership_requires and must be in the members list. |
| owner_grants | object | | owner_grants describes the access granted by owners to this access list. |
| owners | object | * | owners is a list of owners of the access list. |
| ownership | string | | ownership defines how list ownership of this list is determined. There are two possible values: explicit (default): to be considered an owner of the access list, a user must both meet the ownership_requires conditions AND be explicitly added to the list. implicit: any user meeting the ownership_requires conditions will automatically be considered an owner of this list. |
| ownership_requires | object | | ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. |
| title | string | | title is a plaintext short description of the access list. |

audit describes the frequency that this access list must be audited.

| Name | Type | Required | Description |
|---|---|---|---|
| next_audit_date | RFC3339 time | | |
| notifications | object | | notifications is the configuration for notifying users. |
| recurrence | object | * | recurrence is the recurrence definition. |

notifications is the configuration for notifying users.

| Name | Type | Required | Description |
|---|---|---|---|
| start | duration | | |

recurrence is the recurrence definition

| Name | Type | Required | Description |
|---|---|---|---|
| day_of_month | number | | day_of_month is the day of month that reviews will be scheduled on. Supported values are 0, 1, 15, and 31. |
| frequency | number | * | frequency is the frequency of reviews. This represents the period in months between two reviews. Supported values are 0, 1, 3, 6, and 12. |

grants describes the access granted by membership to this access list.

| Name | Type | Required | Description |
|---|---|---|---|
| roles | array of strings | | roles are the roles that are granted to users who are members of the access list. |
| traits | object | | traits are the traits that are granted to users who are members of the access list. |

traits are the traits that are granted to users who are members of the access list.

| Name | Type | Required | Description |
|---|---|---|---|
| key | string | | key is the name of the trait. |
| values | array of strings | | values is the list of trait values. |

membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of membership_requires and must be in the members list.

| Name | Type | Required | Description |
|---|---|---|---|
| roles | array of strings | | roles are the user roles that must be present for the user to obtain access. |
| traits | object | | traits are the traits that must be present for the user to obtain access. |

traits are the traits that must be present for the user to obtain access.

| Name | Type | Required | Description |
|---|---|---|---|
| key | string | | key is the name of the trait. |
| values | array of strings | | values is the list of trait values. |

owner_grants describes the access granted by owners to this access list.

| Name | Type | Required | Description |
|---|---|---|---|
| roles | array of strings | | roles are the roles that are granted to users who are members of the access list. |
| traits | object | | traits are the traits that are granted to users who are members of the access list. |

traits are the traits that are granted to users who are members of the access list.

| Name | Type | Required | Description |
|---|---|---|---|
| key | string | | key is the name of the trait. |
| values | array of strings | | values is the list of trait values. |

owners is a list of owners of the access list.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | description is the plaintext description of the owner and why they are an owner. |
| name | string | | name is the username of the owner. |

ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.

| Name | Type | Required | Description |
|---|---|---|---|
| roles | array of strings | | roles are the user roles that must be present for the user to obtain access. |
| traits | object | | traits are the traits that must be present for the user to obtain access. |

traits are the traits that must be present for the user to obtain access.

| Name | Type | Required | Description |
|---|---|---|---|
| key | string | | key is the name of the trait. |
| values | array of strings | | values is the list of trait values. |

Example:

```hcl
resource "teleport_access_list" "crane-operation" {
  header = {
    metadata = {
      name = "crane-operation"
      labels = {
        example = "yes"
      }
    }
  }
  spec = {
    description = "Used to grant access to the crane."
    owners = [
      {
        name        = "gru"
        description = "The supervillain."
      }
    ]
    membership_requires = {
      roles = ["minion"]
    }
    ownership_requires = {
      roles = ["supervillain"]
    }
    grants = {
      roles = ["crane-operator"]
      traits = [{
        key    = "allowed-machines"
        values = ["crane", "forklift"]
      }]
    }
    title = "Crane operation"
    audit = {
      recurrence = {
        frequency    = 3  # audit every 3 months
        day_of_month = 15 # audit happens on the 15th day of the month. Possible values are 1, 15, and 31.
      }
    }
  }
}
```
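A second access list, added here as an example that is not part of the provider documentation, which pins the header version and states the membership and ownership modes from the spec table explicitly, and adds owner_grants and review notifications. The header version value v1, the notification lead time, and every role, user and label name are assumptions or placeholders.

```hcl
# Added example: access list with a pinned version and explicit membership.
resource "teleport_access_list" "prod_db_readers" {
  header = {
    version = "v1" # assumed supported version; pin it so provider upgrades do not re-apply defaults
    metadata = {
      name = "prod-db-readers"
      labels = {
        team = "data-platform" # placeholder label
      }
    }
  }
  spec = {
    title       = "Production database read access"
    description = "Grants read-only access to production databases to named engineers."

    # explicit (the default): a user must match membership_requires AND be added to the list.
    # implicit would make every user matching membership_requires a member automatically.
    membership = "explicit"
    membership_requires = {
      roles = ["engineer"] # placeholder role
    }

    # Ownership works the same way; owners approve membership changes.
    ownership = "explicit"
    ownership_requires = {
      roles = ["team-lead"] # placeholder role
    }
    owners = [
      {
        name        = "alice" # placeholder username
        description = "Data platform team lead; approves membership."
      }
    ]

    # What members receive while they are on the list.
    grants = {
      roles = ["prod-db-reader"] # placeholder role
      traits = [{
        key    = "db_users"
        values = ["readonly"]
      }]
    }

    # Owners are not members by default; owner_grants is what they receive.
    owner_grants = {
      roles = ["prod-db-reader"]
    }

    audit = {
      recurrence = {
        frequency    = 1 # review every month
        day_of_month = 1
      }
      notifications = {
        start = "336h" # assumed: start notifying owners 14 days before the review date
      }
    }
  }
}
```

Keeping membership explicit means a user who acquires the "engineer" role is not silently granted the production database role; an owner still has to add them, and the monthly review catches entries that should have been removed.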

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is the app resource metadata. |
| spec | object | | Spec is the app resource spec. |
| sub_kind | string | | SubKind is an optional resource subkind. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v3. |

Metadata is the app resource metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is object description |
| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels |
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is the app resource spec.

| Name | Type | Required | Description |
|---|---|---|---|
| aws | object | | AWS contains additional options for AWS applications. |
| cloud | string | | Cloud identifies the cloud instance the app represents. |
| dynamic_labels | object | | DynamicLabels are the app's command labels. |
| insecure_skip_verify | bool | | InsecureSkipVerify disables app's TLS certificate verification. |
| public_addr | string | | PublicAddr is the public address the application is accessible at. |
| rewrite | object | | Rewrite is a list of rewriting rules to apply to requests and responses. |
| uri | string | | URI is the web app endpoint. |
| user_groups | array of strings | | UserGroups are a list of user group IDs that this app is associated with. |

AWS contains additional options for AWS applications.

| Name | Type | Required | Description |
|---|---|---|---|
| external_id | string | | ExternalID is the AWS External ID used when assuming roles in this app. |

DynamicLabels are the app's command labels.

| Name | Type | Required | Description |
|---|---|---|---|
| command | array of strings | | Command is a command to run |
| period | duration | | Period is a time between command runs |
| result | string | | Result captures standard output |

Rewrite is a list of rewriting rules to apply to requests and responses.

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | | Headers is a list of headers to inject when passing the request over to the application. |
| jwt_claims | string | | JWTClaims configures whether roles/traits are included in the JWT token. |
| redirect | array of strings | | Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. |

Headers is a list of headers to inject when passing the request over to the application.

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | | Name is the http header name. |
| value | string | | Value is the http header value. |

Example:

```hcl
# Teleport App
resource "teleport_app" "example" {
  metadata = {
    name        = "example"
    description = "Test app"
    labels = {
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }
  spec = {
    uri = "localhost:3000"
  }
}
```

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata |
| spec | object | * | Spec is an AuthPreference specification |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is object description |
| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is an AuthPreference specification

| Name | Type | Required | Description |
|---|---|---|---|
| allow_headless | bool | | |
| allow_local_auth | bool | | |
| allow_passwordless | bool | | |
| connector_name | string | | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. |
| default_session_ttl | duration | | DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested. |
| device_trust | object | | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. |
| disconnect_expired_cert | bool | | |
| hardware_key | object | | HardwareKey are the settings for hardware key support. |
| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. |
| locking_mode | string | | LockingMode is the cluster-wide locking mode default. |
| message_of_the_day | string | | |
| okta | object | | Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. |
| piv_slot | string | | Deprecated, replaced by HardwareKey settings. |
| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". |
| second_factor | string | | SecondFactor is the type of second factor. |
| type | string | | Type is the type of authentication. |
| u2f | object | | U2F are the settings for the U2F device. |
| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. |

DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.

| Name | Type | Required | Description |
|---|---|---|---|
| auto_enroll | bool | | Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. tsh takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off". |
| ekcert_allowed_cas | array of strings | | Allow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment; this allows any device to enroll. |
| mode | string | | Mode of verification for trusted devices. The following modes are supported: "off": disables both device authentication and authorization. "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. |

HardwareKey are the settings for hardware key support.

| Name | Type | Required | Description |
|---|---|---|---|
| piv_slot | string | | PIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e". |
| serial_number_validation | object | | SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled. |

SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.

| Name | Type | Required | Description |
|---|---|---|---|
| enabled | bool | | Enabled indicates whether hardware key serial number validation is enabled. |
| serial_number_trait_name | string | | SerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: values for this user trait should be a comma-separated list of serial numbers, or a list of comma-separated lists, e.g. ["123", "345,678"]. |

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

| Name | Type | Required | Description |
|---|---|---|---|
| saml | object | | SAML are options related to the Teleport SAML IdP. |

SAML are options related to the Teleport SAML IdP.

| Name | Type | Required | Description |
|---|---|---|---|
| enabled | bool | | |

Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.

| Name | Type | Required | Description |
|---|---|---|---|
| sync_period | duration | | SyncPeriod is the duration between synchronization calls in nanoseconds. |

U2F are the settings for the U2F device.

| Name | Type | Required | Description |
|---|---|---|---|
| app_id | string | | AppID returns the application ID for universal second factor. |
| device_attestation_cas | array of strings | | DeviceAttestationCAs contains the trusted attestation CAs for U2F devices. |
| facets | array of strings | | Facets returns the facets for universal second factor. Deprecated: kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation. |

Webauthn are the settings for server-side Web Authentication support.

| Name | Type | Required | Description |
|---|---|---|---|
| attestation_allowed_cas | array of strings | | Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed. |
| attestation_denied_cas | array of strings | | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. |
| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. |

Example:

```hcl
# AuthPreference resource
resource "teleport_auth_preference" "example" {
  metadata = {
    description = "Auth preference"
    labels = {
      "example"             = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }
  spec = {
    disconnect_expired_cert = true
  }
}
```
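An auth preference that turns on the controls described in the spec tables above (WebAuthn with attestation allow-listing, per-session MFA, device trust in required mode, strict locking and certificate-expiry disconnects), added here as an example that is not part of the provider documentation. The values for type, second_factor and locking_mode are assumed to be valid, since this page does not enumerate them; the rp_id, the CA files, the session TTL and the label values are placeholders.

```hcl
# Added example: hardened cluster auth preference.
resource "teleport_auth_preference" "hardened" {
  metadata = {
    description = "Hardened auth preference"
    labels = {
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }
  spec = {
    type          = "local"    # assumed value: local users with a second factor
    second_factor = "webauthn" # assumed value: WebAuthn only, no OTP fallback

    webauthn = {
      # rp_id must never change once users have registered devices (see table above).
      rp_id = "teleport.example.com" # placeholder: the cluster's domain name
      # Only devices whose attestation certificate chains to this CA may register.
      attestation_allowed_cas = [
        file("${path.module}/attestation-ca.pem") # placeholder file
      ]
    }

    # 1 is "SESSION" in the require_session_mfa table: an MFA check for every
    # new session, not only at login.
    require_session_mfa = 1

    # Requires Teleport Enterprise. "required" enforces device extensions on
    # sensitive endpoints; only TPMs with an EKCert from this CA may enroll.
    device_trust = {
      mode               = "required"
      auto_enroll        = false
      ekcert_allowed_cas = [file("${path.module}/tpm-ek-ca.pem")] # placeholder file
    }

    locking_mode = "strict" # assumed value: the fail-closed locking mode

    # Terminate sessions whose certificate has expired and cap cert lifetime.
    disconnect_expired_cert = true
    default_session_ttl     = "8h" # placeholder
  }
}
```

Because this resource is cluster-wide, review the plan output before applying: changing rp_id on an existing cluster invalidates every registered WebAuthn device, and switching device_trust to "required" blocks users whose devices are not yet enrolled.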

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | * | The name of the bot, i.e. the unprefixed User name |
| role_name | string | | The name of the generated bot role |
| roles | array of strings | * | A list of roles the created bot should be allowed to assume via role impersonation. |
| token_id | string | * | The bot joining token. If unset, a new random token is created and its name returned, otherwise a preexisting Bot token may be provided for IAM/OIDC joining. |
| token_ttl | string | | The desired TTL for the token if one is created. If unset, a server default is used |
| traits | map of string arrays | | |
| user_name | string | | The name of the generated bot user |

Example:

```hcl
# Teleport Machine ID Bot creation example
locals {
  bot_name = "example"
}

resource "random_password" "bot_token" {
  length  = 32
  special = false
}

resource "time_offset" "bot_example_token_expiry" {
  offset_hours = 1
}

resource "teleport_provision_token" "bot_example" {
  metadata = {
    expires     = time_offset.bot_example_token_expiry.rfc3339
    description = "Bot join token for ${local.bot_name} generated by Terraform"
    name        = random_password.bot_token.result
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = local.bot_name
    join_method = "token"
  }
}

resource "teleport_bot" "example" {
  name     = local.bot_name
  token_id = teleport_provision_token.bot_example.metadata.name
  roles    = ["access"]
}
```

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata |
| nonce | number | | Nonce is used to protect against concurrent modification of the maintenance window. Clients should treat nonces as opaque. |
| spec | object | | |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1 |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is object description |
| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

| Name | Type | Required | Description |
|---|---|---|---|
| agent_upgrades | object | | AgentUpgrades encodes the agent upgrade window. |

AgentUpgrades encodes the agent upgrade window.

| Name | Type | Required | Description |
|---|---|---|---|
| utc_start_hour | number | | UTCStartHour is the start hour of the maintenance window in UTC. |
| weekdays | array of strings | | Weekdays is an optional list of weekdays. If not specified, an agent upgrade window occurs every day. |

Example:

```hcl
# Teleport Cluster Maintenance config
resource "teleport_cluster_maintenance_config" "example" {
  metadata = {
    description = "Maintenance config"
  }
  spec = {
    agent_upgrades = {
      utc_start_hour = 1
      weekdays       = ["monday"]
    }
  }
}
```

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata |
| spec | object | | Spec is a ClusterNetworkingConfig specification |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources |
| version | string | | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is object description |
| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is a ClusterNetworkingConfig specification

| Name | Type | Required | Description |
|---|---|---|---|
| assist_command_execution_workers | number | | AssistCommandExecutionWorkers determines the number of workers that will execute arbitrary Assist commands on servers in parallel |
| case_insensitive_routing | bool | | CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching. |
| client_idle_timeout | duration | | ClientIdleTimeout sets global cluster default setting for client idle timeouts. |
| idle_timeout_message | string | | ClientIdleTimeoutMessage is the message sent to the user when a connection times out. |
| keep_alive_count_max | number | | KeepAliveCountMax is the number of keep-alive messages that can be missed before the server disconnects the connection to the client. |
| keep_alive_interval | duration | | KeepAliveInterval is the interval at which the server sends keep-alive messages to the client. |
| proxy_listener_mode | number | | ProxyListenerMode is proxy listener mode used by Teleport Proxies. 0 is "separate"; 1 is "multiplex". |
| proxy_ping_interval | duration | | ProxyPingInterval defines in which interval the TLS routing ping message should be sent. This is applicable only when using ping-wrapped connections; regular TLS routing connections are not affected. |
| routing_strategy | number | | RoutingStrategy determines the strategy used to route to nodes. 0 is "unambiguous_match"; 1 is "most_recent". |
| session_control_timeout | duration | | SessionControlTimeout is the session control lease expiry and defines the upper limit of how long a node may be out of contact with the auth server before it begins terminating controlled sessions. |
| tunnel_strategy | object | | TunnelStrategyV1 determines the tunnel strategy used in the cluster. |
| web_idle_timeout | duration | | WebIdleTimeout sets global cluster default setting for the web UI idle timeouts. |

TunnelStrategyV1 determines the tunnel strategy used in the cluster.

| Name | Type | Required | Description |
|---|---|---|---|
| agent_mesh | object | | |
| proxy_peering | object | | |

| Name | Type | Required | Description |
|---|---|---|---|
| active | bool | | Automatically generated field preventing empty message errors |

| Name | Type | Required | Description |
|---|---|---|---|
| agent_connection_count | number | | |

Example:

```hcl
# Teleport Cluster Networking config
resource "teleport_cluster_networking_config" "example" {
  metadata = {
    description = "Networking config"
    labels = {
      "example"             = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }
  spec = {
    client_idle_timeout = "1h"
  }
}
```

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is the database metadata. |
| spec | object | | Spec is the database spec. |
| sub_kind | string | | SubKind is an optional resource subkind. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v3. |

Metadata is the database metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is object description |
| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels |
| name | string | * | Name is an object name |
| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is the database spec.

| Name | Type | Required | Description |
|---|---|---|---|
| ad | object | | AD is the Active Directory configuration for the database. |
| admin_user | object | | AdminUser is the database admin user for automatic user provisioning. |
| aws | object | | AWS contains AWS specific settings for RDS/Aurora/Redshift databases. |
| azure | object | | Azure contains Azure specific database metadata. |
| ca_cert | string | | CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0. |
| dynamic_labels | object | | DynamicLabels is the database dynamic labels. |
| gcp | object | | GCP contains parameters specific to GCP Cloud SQL databases. |
| mongo_atlas | object | | MongoAtlas contains Atlas metadata about the database. |
| mysql | object | | MySQL is an additional section with MySQL database options. |
| oracle | object | | Oracle is an additional section with Oracle configuration options. |
| protocol | string | * | Protocol is the database protocol: postgres, mysql, mongodb, etc. |
| tls | object | | TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name. |
| uri | string | * | URI is the database connection endpoint. |

AD is the Active Directory configuration for the database.

| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | | Domain is the Active Directory domain the database resides in. |
| kdc_host_name | string | | KDCHostName is the host name for a KDC for x509 Authentication. |
| keytab_file | string | | KeytabFile is the path to the Kerberos keytab file. |
| krb5_file | string | | Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf. |
| ldap_cert | string | | LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication. |
| spn | string | | SPN is the service principal name for the database. |

AdminUser is the database admin user for automatic user provisioning.

| Name | Type | Required | Description |
|---|---|---|---|
| default_database | string | | DefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users. |
| name | string | | Name is the username of the privileged database user. |

AWS contains AWS specific settings for RDS/Aurora/Redshift databases.

| Name | Type | Required | Description |
|---|---|---|---|
| account_id | string | | AccountID is the AWS account ID this database belongs to. |
| assume_role_arn | string | | AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts. |
| elasticache | object | | ElastiCache contains AWS ElastiCache Redis specific metadata. |
| external_id | string | | ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts. |
| iam_policy_status | number | | IAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the Database. E.g. for an RDS Database: the underlying AWS profile allows rds-db:connect for the Database. |
| memorydb | object | | MemoryDB contains AWS MemoryDB specific metadata. |
| opensearch | object | | OpenSearch contains AWS OpenSearch specific metadata. |
| rds | object | | RDS contains RDS specific metadata. |
| rdsproxy | object | | RDSProxy contains AWS Proxy specific metadata. |
| redshift | object | | Redshift contains Redshift specific metadata. |
| redshift_serverless | object | | RedshiftServerless contains AWS Redshift Serverless specific metadata. |
| region | string | | Region is an AWS cloud region. |
| secret_store | object | | SecretStore contains secret store configurations. |
| session_tags | map of strings | | SessionTags is a list of AWS STS session tags. |

ElastiCache contains AWS ElastiCache Redis specific metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| endpoint_type | string | | EndpointType is the type of the endpoint. |
| replication_group_id | string | | ReplicationGroupID is the Redis replication group ID. |
| transit_encryption_enabled | bool | | TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled. |
| user_group_ids | array of strings | | UserGroupIDs is a list of user group IDs. |

MemoryDB contains AWS MemoryDB specific metadata.

acl_name (string): ACLName is the name of the ACL associated with the cluster.
cluster_name (string): ClusterName is the name of the MemoryDB cluster.
endpoint_type (string): EndpointType is the type of the endpoint.
tls_enabled (bool): TLSEnabled indicates whether in-transit encryption (TLS) is enabled.

OpenSearch contains AWS OpenSearch specific metadata.

domain_id (string): DomainID is the ID of the domain.
domain_name (string): DomainName is the name of the domain.
endpoint_type (string): EndpointType is the type of the endpoint.

RDS contains RDS specific metadata.

cluster_id (string): ClusterID is the RDS cluster (Aurora) identifier.
iam_auth (bool): IAMAuth indicates whether database IAM authentication is enabled.
instance_id (string): InstanceID is the RDS instance identifier.
resource_id (string): ResourceID is the RDS instance resource identifier (db-xxx).
subnets (array of strings): Subnets is a list of subnets for the RDS instance.
vpc_id (string): VPCID is the VPC where the RDS instance is running.

RDSProxy contains AWS RDS Proxy specific metadata.

custom_endpoint_name (string): CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
name (string): Name is the identifier of an RDS Proxy.
resource_id (string): ResourceID is the RDS Proxy resource identifier (prx-xxx).

Redshift contains Redshift specific metadata.

cluster_id (string): ClusterID is the Redshift cluster identifier.

RedshiftServerless contains AWS Redshift Serverless specific metadata.

endpoint_name (string): EndpointName is the VPC endpoint name.
workgroup_id (string): WorkgroupID is the workgroup ID.
workgroup_name (string): WorkgroupName is the workgroup name.

SecretStore contains secret store configurations.

key_prefix (string): KeyPrefix specifies the secret key prefix.
kms_key_id (string): KMSKeyID specifies the AWS KMS key used for encryption.

Azure contains Azure specific database metadata.

is_flexi_server (bool): IsFlexiServer is true if the database is an Azure Flexible Server.
name (string): Name is the Azure database server name.
redis (object): Redis contains Azure Cache for Redis specific database metadata.
resource_id (string): ResourceID is the Azure fully qualified ID for the resource.

Redis contains Azure Cache for Redis specific database metadata.

clustering_policy (string): ClusteringPolicy is the clustering policy for Redis Enterprise.

DynamicLabels are the database's dynamic labels, each computed by periodically running a command.

command (array of strings): Command is the command to run.
period (duration): Period is the time between command runs.
result (string): Result captures the command's standard output.

GCP contains parameters specific to GCP Cloud SQL databases.

instance_id (string): InstanceID is the Cloud SQL instance ID.
project_id (string): ProjectID is the GCP project ID the Cloud SQL instance resides in.

MongoAtlas contains Atlas metadata about the database.

name (string): Name is the Atlas database instance name.

MySQL contains additional MySQL database options.

server_version (string): ServerVersion is the server version reported by the DB proxy if the runtime information is not available.

Oracle contains additional Oracle configuration options.

audit_user (string): AuditUser is the Oracle database user with the privilege to access the internal Oracle audit trail.

TLS is the TLS configuration used when establishing the connection to the target database. It allows providing a custom CA certificate or overriding the server name.

ca_cert (string): CACert is an optional user-provided CA certificate used for verifying the database TLS connection.
mode (number): Mode is the TLS connection mode: 0 is "verify-full", 1 is "verify-ca", 2 is "insecure". Only "verify-full" checks both the certificate chain and the server name; "insecure" disables certificate verification entirely and exposes the connection to an on-path attacker.
server_name (string): ServerName allows providing a custom hostname. This value overrides the server name/hostname checked on the certificate during validation.

Example:

# Teleport Database
resource "teleport_database" "example" {
  metadata = {
    name        = "example"
    description = "Test database"
    labels = {
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    protocol = "postgres"
    uri      = "localhost"
  }
}
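A second, added example (not from the provider docs or the Teleport project) showing the AWS and TLS sections above used together: an RDS PostgreSQL instance registered with IAM authentication and strict certificate verification. The endpoint, account ID, region, instance ID and the `rds_ca_cert` variable are placeholders for this illustration.

```terraform
# Added example: RDS PostgreSQL with IAM auth and verify-full TLS.
# All identifiers below are hypothetical; replace them with your own.
variable "rds_ca_cert" {
  description = "PEM CA bundle used to verify the RDS endpoint certificate (hypothetical input)"
  type        = string
}

resource "teleport_database" "rds_example" {
  metadata = {
    name        = "rds-example"
    description = "Example RDS PostgreSQL database (hypothetical)"
    labels = {
      "teleport.dev/origin" = "dynamic"
      env                   = "prod"
    }
  }

  spec = {
    protocol = "postgres"
    # Database URIs are host:port; a bare hostname is not enough for RDS.
    uri = "db-example.abcdefghijkl.us-east-1.rds.amazonaws.com:5432"

    aws = {
      account_id = "123456789012"
      region     = "us-east-1"
      rds = {
        instance_id = "db-example"
        # With IAM auth Teleport obtains short-lived auth tokens via rds-db:connect
        # instead of handling a static database password.
        iam_auth = true
      }
    }

    tls = {
      # 0 = verify-full: verify the chain AND that the certificate matches the host.
      # 1 (verify-ca) skips the hostname check; 2 (insecure) disables verification
      # and must not be used for a production database.
      mode    = 0
      ca_cert = var.rds_ca_cert
    }
  }
}
```

Check the effect with `tsh db ls` after `terraform apply`: the database should show up with the `env=prod` label, and a role must still grant `db_labels`, `db_users` and `db_names` before anyone can connect.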

teleport_github_connector

metadata (object): Metadata holds resource metadata.
spec (object, required): Spec is a GitHub connector specification.
sub_kind (string): SubKind is an optional resource sub kind, used in some resources.
version (string, required): Version is the resource version. It must be specified. Supported values are: v3.

Metadata holds resource metadata.

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string, required): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

Spec is a GitHub connector specification.

api_endpoint_url (string): APIEndpointURL is the URL of the API endpoint of the GitHub instance this connector is for.
client_id (string, required): ClientID is the GitHub OAuth app client ID.
client_secret (string, required): ClientSecret is the GitHub OAuth app client secret.
display (string): Display is the connector display name.
endpoint_url (string): EndpointURL is the URL of the GitHub instance this connector is for.
redirect_url (string): RedirectURL is the authorization callback URL.
teams_to_logins (object): TeamsToLogins maps GitHub team memberships onto allowed logins/roles. Deprecated: use teams_to_roles instead (scheduled for removal in 11.0.0).
teams_to_roles (object): TeamsToRoles maps GitHub team memberships onto allowed roles.

TeamsToLogins maps GitHub team memberships onto allowed logins/roles. Deprecated: use teams_to_roles instead (scheduled for removal in 11.0.0).

kubernetes_groups (array of strings): KubeGroups is a list of allowed Kubernetes groups for this org/team.
kubernetes_users (array of strings): KubeUsers is a list of allowed Kubernetes users to impersonate for this org/team.
logins (array of strings): Logins is a list of allowed logins for this org/team.
organization (string): Organization is a GitHub organization a user belongs to.
team (string): Team is a team within the organization a user belongs to.

TeamsToRoles maps GitHub team memberships onto allowed roles.

organization (string): Organization is a GitHub organization a user belongs to.
roles (array of strings): Roles is a list of Teleport roles granted to members of this org/team.
team (string): Team is a team within the organization a user belongs to.

Example:

# Terraform Github connector
variable "github_secret" {}

resource "teleport_github_connector" "github" {
  # This section tells Terraform that role example must be created before the GitHub connector
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name = "example"
    labels = {
      example = "yes"
    }
  }

  spec = {
    client_id     = "client"
    client_secret = var.github_secret

    teams_to_roles = [{
      organization = "gravitational"
      team         = "devs"
      roles        = ["example"]
    }]
  }
}

teleport_login_rule

metadata (object): Metadata is resource metadata.
priority (number, required): Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first.
traits_expression (string): TraitsExpression is a predicate expression which should return the desired traits for the user upon login.
traits_map (object): TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.
version (string, required): Version is the resource version.

Metadata is resource metadata.

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string, required): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.

values (array of strings): Values is the list of predicate expressions evaluated for this trait key.

Example:

# Teleport Login Rule resource
resource "teleport_login_rule" "example" {
  metadata = {
    description = "Example Login Rule"
    labels = {
      "example" = "yes"
    }
  }

  version  = "v1"
  priority = 0
  traits_map = {
    "logins" = {
      values = [
        "external.logins",
        "external.username",
      ]
    }
    "groups" = {
      values = [
        "external.groups",
      ]
    }
  }
}

teleport_oidc_connector

metadata (object): Metadata holds resource metadata.
spec (object, required): Spec is an OIDC connector specification.
sub_kind (string): SubKind is an optional resource sub kind, used in some resources.
version (string, required): Version is the resource version. It must be specified. Supported values are: v3.

Metadata holds resource metadata.

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string, required): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

Spec is an OIDC connector specification.

acr_values (string): ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies between identity providers.
allow_unverified_email (bool): AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails. Leave this unset unless you trust the provider to vet identities some other way, since an unverified email can be claimed by anyone who can register it.
claims_to_roles (object): ClaimsToRoles specifies a dynamic mapping from claims to roles.
client_id (string): ClientID is the ID of the authentication client (the Teleport Auth Service).
client_secret (string): ClientSecret is used to authenticate the client.
display (string): Display is the friendly name for this provider.
google_admin_email (string): GoogleAdminEmail is the email of a Google admin to impersonate.
google_service_account (string): GoogleServiceAccount is a string containing Google service account credentials.
google_service_account_uri (string): GoogleServiceAccountURI is a path to a Google service account credentials file.
issuer_url (string): IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_age (duration)
prompt (string): Prompt is an optional OIDC prompt. An empty string omits the prompt. If not specified, it defaults to select_account for backwards compatibility.
provider (string): Provider is the external identity provider.
redirect_url (array of strings)
scope (array of strings): Scope specifies additional scopes set by the provider.
username_claim (string): UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

ClaimsToRoles specifies a dynamic mapping from claims to roles.

claim (string): Claim is a claim name.
roles (array of strings): Roles is a list of static Teleport roles to grant on a match.
value (string): Value is a claim value to match.

Example:

# Teleport OIDC connector
#
# Please note that OIDC connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/oidc/
variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
  metadata = {
    name = "example"
    labels = {
      test = "yes"
    }
  }

  spec = {
    client_id     = "client"
    client_secret = var.oidc_secret

    claims_to_roles = [{
      claim = "test"
      roles = ["terraform"]
    }]

    redirect_url = ["https://example.com/redirect"]
  }
}

teleport_okta_import_rule

metadata (object): Metadata is resource metadata.
spec (object, required): Spec is the specification for the Okta import rule.
sub_kind (string): SubKind is an optional resource sub kind, used in some resources.
version (string, required): Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v", for example: v1.

Metadata is resource metadata

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string, required): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

Spec is the specification for the Okta import rule.

mappings (object): Mappings is a list of matches that will map match conditions to labels.
priority (number): Priority represents the priority of the rule application. Lower numbered rules will be applied first.

Mappings is a list of matches that will map match conditions to labels.

add_labels (map of strings): AddLabels specifies which labels to add if any of the matches match.
match (object): Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.

Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.

app_ids (array of strings): AppIDs is a list of app IDs to match against.
app_name_regexes (array of strings): AppNameRegexes is a list of regexes to match against app names.
group_ids (array of strings): GroupIDs is a list of group IDs to match against.
group_name_regexes (array of strings): GroupNameRegexes is a list of regexes to match against group names.

Example:

# Teleport Okta Import Rule resource
resource "teleport_okta_import_rule" "example" {
  metadata = {
    description = "Example Okta Import Rule"
    labels = {
      "example" = "yes"
    }
  }

  version = "v1"
  spec = {
    priority = 100
    mappings = [
      {
        add_labels = {
          "label1" : "value1"
        }
        match = [
          {
            app_ids = ["1", "2", "3"]
          },
        ],
      },
      {
        add_labels = {
          "label2" : "value2"
        }
        match = [
          {
            group_ids = ["1", "2", "3"]
          },
        ],
      },
      {
        add_labels = {
          "label3" : "value3",
        }
        match = [
          {
            group_name_regexes = ["^.*$"]
          },
        ],
      },
      {
        add_labels = {
          "label4" : "value4",
        }
        match = [
          {
            app_name_regexes = ["^.*$"]
          },
        ],
      }
    ]
  }
}

teleport_provision_token

metadata (object): Metadata is resource metadata.
spec (object, required): Spec is a provisioning token V2 spec.
sub_kind (string): SubKind is an optional resource sub kind, used in some resources.
version (string, required): Version is the resource version. It must be specified. Supported values are: v2.

Metadata is resource metadata

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

Spec is a provisioning token V2 spec

allow (object): Allow is a list of TokenRules; nodes using this token must match one allow rule to use this token.
aws_iid_ttl (duration): AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
azure (object): Azure allows the configuration of options specific to the "azure" join method.
bot_name (string): BotName is the name of the bot this token grants access to, if any.
circleci (object): CircleCI allows the configuration of options specific to the "circleci" join method.
gcp (object): GCP allows the configuration of options specific to the "gcp" join method.
github (object): GitHub allows the configuration of options specific to the "github" join method.
gitlab (object): GitLab allows the configuration of options specific to the "gitlab" join method.
join_method (string): JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2" and "iam", as well as the provider-specific methods configured by the sections below: "azure", "circleci", "gcp", "github", "gitlab", "kubernetes" and "spacelift".
kubernetes (object): Kubernetes allows the configuration of options specific to the "kubernetes" join method.
roles (array of strings, required): Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token.
spacelift (object): Spacelift allows the configuration of options specific to the "spacelift" join method.
suggested_agent_matcher_labels (map of string arrays)
suggested_labels (map of string arrays)

Allow is a list of TokenRules; nodes using this token must match one allow rule to use this token.

aws_account (string): AWSAccount is the AWS account ID.
aws_arn (string): AWSARN is used for the IAM join method; the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". Leaving it unset allows any IAM identity in aws_account to join.
aws_regions (array of strings): AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role (string): AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the EC2 API.

Azure allows the configuration of options specific to the "azure" join method.

allow (object): Allow is a list of Rules; nodes using this token must match one allow rule to use this token.

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

resource_groups (array of strings): ResourceGroups is a list of Azure resource groups the node is allowed to join from.
subscription (string): Subscription is the Azure subscription.

CircleCI allows the configuration of options specific to the "circleci" join method.

allow (object): Allow is a list of TokenRules; nodes using this token must match one allow rule to use this token.
organization_id (string)

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

context_id (string)
project_id (string)

GCP allows the configuration of options specific to the "gcp" join method.

allow (object): Allow is a list of Rules; nodes using this token must match one allow rule to use this token.

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

locations (array of strings): Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
project_ids (array of strings): ProjectIDs is a list of project IDs (e.g. "<example-id-123456>").
service_accounts (array of strings): ServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com").

GitHub allows the configuration of options specific to the "github" join method.

allow (object): Allow is a list of TokenRules; nodes using this token must match one allow rule to use this token.
enterprise_server_host (string): EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens are validated against github.com; when set to the host of a GHES instance, tokens are validated against that host. This value should be the hostname of the GHES instance and must not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and its certificate must be trusted by the Auth Service.
enterprise_slug (string): EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. Set this field to the slug of your enterprise if that option is enabled; if it is not enabled, this field must be left empty. This field cannot be specified together with enterprise_server_host. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

actor (string): The personal account that initiated the workflow run.
environment (string): The name of the environment used by the job.
ref (string): The git ref that triggered the workflow run.
ref_type (string): The type of ref, for example "branch".
repository (string): The repository from which the workflow is running. This includes the name of the owner, e.g. gravitational/teleport.
repository_owner (string): The name of the organization in which the repository is stored.
sub (string): Sub, also known as Subject, is a string that roughly uniquely identifies the workload. Its format varies depending on the type of GitHub Actions run.
workflow (string): The name of the workflow.

A rule that only sets repository_owner lets any repository in that organization (including forks and untrusted workflows) join; pin repository and ref as well, and environment where the job uses a protected one.

GitLab allows the configuration of options specific to the "gitlab" join method.

allow (object): Allow is a list of TokenRules; nodes using this token must match one allow rule to use this token.
domain (string): Domain is the domain of your GitLab instance. This defaults to gitlab.com but can be set to the domain of your self-hosted GitLab, e.g. gitlab.example.com.

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

ci_config_ref_uri (string): CIConfigRefURI is the ref path to the top-level pipeline definition, for example gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main.
ci_config_sha (string): CIConfigSHA is the git commit SHA for the ci_config_ref_uri.
deployment_tier (string): DeploymentTier is the deployment tier of the environment the job specifies.
environment (string): Environment limits access by the environment the job deploys to (if one is associated).
environment_protected (bool)
namespace_path (string): NamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup. This field supports simple "glob-style" matching: use '*' to match zero or more characters and '?' to match any single character.
pipeline_source (string): PipelineSource limits access by the job pipeline source type (see https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules). Example: web.
project_path (string): ProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject. This field supports simple "glob-style" matching: use '*' to match zero or more characters and '?' to match any single character.
project_visibility (string): ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public.
ref (string): Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple "glob-style" matching: use '*' to match zero or more characters and '?' to match any single character.
ref_protected (bool)
ref_type (string): RefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag.
sub (string): Sub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main, i.e. project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}. This field supports simple "glob-style" matching: use '*' to match zero or more characters and '?' to match any single character.
user_email (string): UserEmail is the email of the user executing the job.
user_id (string): UserID is the ID of the user executing the job.
user_login (string): UserLogin is the username of the user executing the job.

Kubernetes allows the configuration of options specific to the "kubernetes" join method.

allow (object): Allow is a list of Rules; nodes using this token must match one allow rule to use this token.
static_jwks (object): StaticJWKS is the configuration specific to the static_jwks type.
type (string): Type controls which behavior is used for validating the Kubernetes service account token. Supported values: in_cluster, static_jwks. If unset, this defaults to in_cluster.

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

service_account (string): ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account".

StaticJWKS is the configuration specific to the static_jwks type.

jwks (string): JWKS should be the JSON Web Key Set formatted public keys that the Kubernetes cluster uses to sign service account tokens. It can be fetched from /openid/v1/jwks on the Kubernetes API server. Because the Auth Service trusts whatever keys are pasted here, fetch them over an authenticated connection to the API server and rotate this value when the cluster's signing keys change.

Spacelift allows the configuration of options specific to the "spacelift" join method.

allow (object): Allow is a list of Rules; nodes using this token must match one allow rule to use this token.
hostname (string): Hostname is the hostname of the Spacelift tenant that tokens will originate from, e.g. example.app.spacelift.io.

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

caller_id (string): CallerID is the ID of the caller, i.e. the stack or module that generated the run.
caller_type (string): CallerType is the type of the caller, i.e. the entity that owns the run: either stack or module.
scope (string): Scope is the scope of the token, either read or write. See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
space_id (string): SpaceID is the ID of the space in which the run that owns the token was executed.

Example:

# Teleport Provision Token resource
resource "teleport_provision_token" "example" {
  metadata = {
    # A static "token" join secret should always carry an expiry; keep the window short.
    expires     = "2022-10-12T07:20:51Z"
    description = "Example token"
    labels = {
      example               = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    roles = ["Node", "Auth"]
  }
}

resource "teleport_provision_token" "iam-token" {
  metadata = {
    name = "iam-token"
  }

  spec = {
    roles       = ["Bot"]
    bot_name    = "mybot"
    join_method = "iam"
    # Only aws_account is matched here, so any IAM identity in the account can join as the bot.
    allow = [{
      aws_account = "123456789012"
    }]
  }
}
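An added example (not from the provider docs or the Teleport project) showing the delegated join methods described above with allow rules scoped as tightly as their fields permit: an IAM token pinned to one role ARN, a GitHub Actions token pinned to one repository, branch and environment, and a Kubernetes static_jwks token pinned to one service account. The account ID, ARN, repository, namespace, bot names and the `kube_jwks` variable are placeholders for this illustration.

```terraform
# Added example: least-privilege join tokens. All identifiers are hypothetical.
variable "kube_jwks" {
  description = "JWKS document fetched from /openid/v1/jwks on the target cluster's API server (hypothetical input)"
  type        = string
}

# IAM join: aws_account alone is too broad; aws_arn restricts joining to one role.
resource "teleport_provision_token" "iam_bot" {
  metadata = {
    name        = "iam-bot-ci"
    description = "Bot join for the CI runner role only"
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = "ci-bot"
    join_method = "iam"
    allow = [{
      aws_account = "123456789012"
      # Session name wildcard; the role itself is fixed.
      aws_arn = "arn:aws:sts::123456789012:assumed-role/ci-runner-role/*"
    }]
  }
}

# GitHub Actions join: repository + ref + environment, not just repository_owner,
# so forks, feature branches and unprotected jobs cannot obtain bot credentials.
resource "teleport_provision_token" "github_deploy" {
  metadata = {
    name        = "github-actions-deploy"
    description = "Bot join for production deploys from main"
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = "deploy-bot"
    join_method = "github"
    github = {
      allow = [{
        repository  = "example-org/example-app"
        ref_type    = "branch"
        ref         = "refs/heads/main"
        environment = "production"
      }]
    }
  }
}

# Kubernetes join with static_jwks: used when the Auth Service cannot reach the
# cluster's TokenReview API and must verify service account tokens offline.
resource "teleport_provision_token" "kube_agent" {
  metadata = {
    name        = "kube-agent"
    description = "Agent join for the teleport-agent service account"
  }
  spec = {
    roles       = ["Kube", "App"]
    join_method = "kubernetes"
    kubernetes = {
      type = "static_jwks"
      static_jwks = {
        jwks = var.kube_jwks
      }
      allow = [{
        # namespace:service-account, as the Allow rule format above requires.
        service_account = "teleport-agent:teleport-kube-agent"
      }]
    }
  }
}
```

After `terraform apply`, `tctl tokens ls` lists the three tokens with their join methods; a join attempt from a principal outside the allow rules is rejected by the Auth Service and shows up in the audit log as a failed join.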

teleport_role

metadata (object): Metadata is resource metadata.
spec (object): Spec is a role specification.
sub_kind (string): SubKind is an optional resource sub kind, used in some resources.
version (string, required): Version is the resource version. It must be specified. Supported values are: v3, v4, v5, v6, v7.

Metadata is resource metadata

description (string): Description is the object description.
expires (RFC3339 time): Expires is a global expiry time header that can be set on any resource in the system.
labels (map of strings): Labels is a set of labels.
name (string, required): Name is the object name.
namespace (string): Namespace is the object namespace.
revision (string): Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

Spec is a role specification

allow (object): Allow is the set of conditions evaluated to grant access.
deny (object): Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
options (object): Options is for OpenSSH options like agent forwarding.

Allow is the set of conditions evaluated to grant access.

app_labels (map of string arrays)
app_labels_expression (string): AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns (array of strings): AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities (array of strings): AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels (map of string arrays)
cluster_labels_expression (string): ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels (map of string arrays)
db_labels_expression (string): DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names (array of strings): DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions (object): DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_roles (array of strings): DatabaseRoles is a list of database roles for automatic user creation.
db_service_labels (map of string arrays)
db_service_labels_expression (string): DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users (array of strings): DatabaseUsers is a list of database users this role is allowed to connect as.
desktop_groups (array of strings): DesktopGroups is a list of groups for created desktop users to be added to.
gcp_service_accounts (array of strings): GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
group_labels (map of string arrays)
group_labels_expression (string): GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups (array of strings): HostGroups is a list of groups for created users to be added to.
host_sudoers (array of strings): HostSudoers is a list of entries to include in a user's sudoers file.
impersonate (object): Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessions (object): JoinSessions specifies policies to allow users to join other sessions.
kubernetes_groups (array of strings): KubeGroups is a list of Kubernetes groups.
kubernetes_labels (map of string arrays)
kubernetes_labels_expression (string): KubernetesLabelsExpression is a predicate expression used to allow/deny access to Kubernetes clusters.
kubernetes_resources (object): KubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_users (array of strings): KubeUsers is an optional list of Kubernetes users to impersonate.
logins (array of strings): Logins is a list of *nix system logins.
node_labels (map of string arrays)
node_labels_expression (string): NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request (object)
require_session_join (object): RequireSessionJoin specifies policies for required users to start a session.
review_requests (object): ReviewRequests defines conditions for submitting access reviews.
rules (object): Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffe (object): SPIFFE is used to allow or deny a role holder generating a SPIFFE SVID.
windows_desktop_labels (map of string arrays)
windows_desktop_labels_expression (string): WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins (array of strings): WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.

DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.

| Name | Type | Required | Description |
|---|---|---|---|
| match | map of string arrays | | |
| permissions | array of strings | | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |

Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.

| Name | Type | Required | Description |
|---|---|---|---|
| roles | array of strings | | Roles is a list of resources this role is allowed to impersonate. |
| users | array of strings | | Users is a list of resources this role is allowed to impersonate; it can be an empty list or a wildcard pattern. |
| where | string | | Where specifies an optional advanced matcher. |

JoinSessions specifies policies to allow users to join other sessions.

| Name | Type | Required | Description |
|---|---|---|---|
| kinds | array of strings | | Kinds are the session kinds this policy applies to. |
| modes | array of strings | | Modes is a list of permitted participant modes for this policy. |
| name | string | | Name is the name of the policy. |
| roles | array of strings | | Roles is a list of roles whose sessions the holder may join. |

KubernetesResources is the Kubernetes Resources this Role grants access to.

| Name | Type | Required | Description |
|---|---|---|---|
| kind | string | | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. |
| name | string | | Name is the resource name. It supports wildcards. |
| namespace | string | | Namespace is the resource namespace. It supports wildcards. |
| verbs | array of strings | | Verbs are the allowed Kubernetes verbs for the resource. |

Request specifies the access request settings for this role (the fields of the request object above).

| Name | Type | Required | Description |
|---|---|---|---|
| annotations | map of string arrays | | |
| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
| max_duration | duration | | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
| roles | array of strings | | Roles is the name of roles which will match the request rule. |
| search_as_roles | array of strings | | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

| Name | Type | Required | Description |
|---|---|---|---|
| claim | string | | Claim is a claim name. |
| roles | array of strings | | Roles is a list of static teleport roles to match. |
| value | string | | Value is a claim value to match. |

Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

| Name | Type | Required | Description |
|---|---|---|---|
| approve | number | | Approve is the number of matching approvals needed for state-transition. |
| deny | number | | Deny is the number of denials needed for state-transition. |
| filter | string | | Filter is an optional predicate used to determine which reviews count toward this threshold. |
| name | string | | Name is the optional human-readable name of the threshold. |

RequireSessionJoin specifies policies for required users to start a session.

| Name | Type | Required | Description |
|---|---|---|---|
| count | number | | Count is the number of participants that need to be matched for this policy to be fulfilled. |
| filter | string | | Filter is a predicate that determines which users count towards this policy. |
| kinds | array of strings | | Kinds are the session kinds this policy applies to. |
| modes | array of strings | | Modes is the list of modes that may be used to fulfill this policy. |
| name | string | | Name is the name of the policy. |
| on_leave | string | | OnLeave is the behaviour that is used when the policy is no longer fulfilled for a live session. |

ReviewRequests defines conditions for submitting access reviews.

| Name | Type | Required | Description |
|---|---|---|---|
| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
| preview_as_roles | array of strings | | PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources. |
| roles | array of strings | | Roles is the name of roles which may be reviewed. |
| where | string | | Where is an optional predicate which further limits which requests are reviewable. |

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

| Name | Type | Required | Description |
|---|---|---|---|
| claim | string | | Claim is a claim name. |
| roles | array of strings | | Roles is a list of static teleport roles to match. |
| value | string | | Value is a claim value to match. |

Rules is a list of rules and their access levels. Rules are a high level construct used for access control.

| Name | Type | Required | Description |
|---|---|---|---|
| actions | array of strings | | Actions specifies optional actions taken when this rule matches. |
| resources | array of strings | | Resources is a list of resources. |
| verbs | array of strings | | Verbs is a list of verbs. |
| where | string | | Where specifies an optional advanced matcher. |

SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.

| Name | Type | Required | Description |
|---|---|---|---|
| dns_sans | array of strings | | DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows `*` to be used to indicate zero or more of any character. Prepend `^` and append `$` to instead switch to matching using the Go regex syntax. Example: `*.example.com` would match `foo.example.com`. |
| ip_sans | array of strings | | IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation; it supports IPv4 and IPv6. Examples: `10.0.0.0/24` would match 10.0.0.0 to 10.255.255.255; `10.0.0.42/32` would match only 10.0.0.42. |
| path | string | | Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows `*` to be used to indicate zero or more of any character. Prepend `^` and append `$` to instead switch to matching using the Go regex syntax. Examples: `/svc/foo/*/bar` would match `/svc/foo/baz/bar`; `^/svc/foo/.*/bar$` would match `/svc/foo/baz/bar`. |

Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.

The deny object accepts exactly the same fields and nested objects (db_permissions, impersonate, join_sessions, kubernetes_resources, request, review_requests, rules, spiffe) as the allow object; see the allow tables above for each field. A condition listed under deny is evaluated first and overrides the same condition under allow.

Options is for OpenSSH options like agent forwarding.

| Name | Type | Required | Description |
|---|---|---|---|
| cert_extensions | object | | CertExtensions specifies the key/values of certificate extensions. |
| cert_format | string | | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. |
| client_idle_timeout | duration | | ClientIdleTimeout controls disconnecting idle clients: 0 means never disconnect, otherwise clients are disconnected after this idle duration. |
| create_db_user | bool | | |
| create_db_user_mode | number | | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". |
| create_desktop_user | bool | | |
| create_host_user | bool | | |
| create_host_user_mode | number | | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above); 3 is "keep"; 4 is "insecure-drop". |
| desktop_clipboard | bool | | |
| desktop_directory_sharing | bool | | |
| device_trust_mode | string | | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport. |
| disconnect_expired_cert | bool | | DisconnectExpiredCert disconnects clients whose certificates have expired. |
| enhanced_recording | array of strings | | BPF defines what events to record for the BPF-based session recorder. |
| forward_agent | bool | | ForwardAgent enables SSH agent forwarding. |
| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. |
| lock | string | | Lock specifies the locking mode (strict or best_effort). |
| max_connections | number | | MaxConnections defines the maximum number of concurrent connections a user may hold. |
| max_kubernetes_connections | number | | MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold. |
| max_session_ttl | duration | | MaxSessionTTL defines how long an SSH session can last. |
| max_sessions | number | | MaxSessions defines the maximum number of concurrent sessions per connection. |
| permit_x11_forwarding | bool | | PermitX11Forwarding authorizes use of X11 forwarding. |
| pin_source_ip | bool | | PinSourceIP forces the same client IP for certificate generation and usage. |
| port_forwarding | bool | | |
| record_session | object | | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
| request_access | string | | RequestAccess defines the access request strategy (optional, note or always). |
| request_prompt | string | | RequestPrompt is an optional message which tells users what they ought to request. |
| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". |
| ssh_file_copy | bool | | |

CertExtensions specifies the key/values

| Name | Type | Required | Description |
|---|---|---|---|
| mode | number | | Mode is the type of extension to be used; currently critical-option is not supported. 0 is "extension". |
| name | string | | Name specifies the key to be used in the cert extension. |
| type | number | | Type represents the certificate type being extended; only ssh is supported at this time. 0 is "ssh". |
| value | string | | Value specifies the value to be used in the cert extension. |

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

| Name | Type | Required | Description |
|---|---|---|---|
| saml | object | | SAML are options related to the Teleport SAML IdP. |

SAML are options related to the Teleport SAML IdP.

| Name | Type | Required | Description |
|---|---|---|---|
| enabled | bool | | |

RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.

| Name | Type | Required | Description |
|---|---|---|---|
| default | string | | Default indicates the default value for the services. |
| desktop | bool | | |
| ssh | string | | SSH indicates the session mode used on SSH sessions. |

Example:

```hcl
# Teleport Role resource
resource "teleport_role" "example" {
  metadata = {
    name        = "example"
    description = "Example Teleport Role"
    expires     = "2022-10-12T07:20:51Z"
    labels = {
      example = "yes"
    }
  }

  spec = {
    options = {
      forward_agent           = false
      max_session_ttl         = "7m"
      port_forwarding         = false
      client_idle_timeout     = "1h"
      disconnect_expired_cert = true
      permit_x11_forwarding   = false
      request_access          = "denied"
    }

    allow = {
      logins = ["example"]

      rules = [{
        resources = ["user", "role"]
        verbs     = ["list"]
      }]

      request = {
        roles = ["example"]
        claims_to_roles = [{
          claim = "example"
          value = "example"
          roles = ["example"]
        }]
      }

      node_labels = {
        example = ["yes"]
      }
    }

    deny = {
      logins = ["anonymous"]
    }
  }
}
```
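A second role example, added here and not taken from the provider's own examples, that exercises fields the example above leaves out: deny overriding allow, request thresholds paired with a reviewer's review_requests, moderated sessions via require_session_join and join_sessions, a SPIFFE condition, and the session-hardening options. Role, login, label, host and username values are assumptions; the threshold filter's predicate vocabulary (reviewer.roles) is taken from Teleport's access-request docs rather than this page.

```hcl
# Added example; role, login, label, host and user names are assumptions.
resource "teleport_role" "prod_requester" {
  metadata = {
    name        = "prod-requester"
    description = "Day-to-day access; production only via an approved, moderated access request"
  }

  spec = {
    options = {
      forward_agent           = false
      permit_x11_forwarding   = false
      port_forwarding         = false
      max_session_ttl         = "8h"
      client_idle_timeout     = "30m"
      disconnect_expired_cert = true
      pin_source_ip           = true
      require_session_mfa     = 1 # 1 = "SESSION" in the require_session_mfa row above
      create_host_user_mode   = 3 # 3 = "keep" in the create_host_user_mode row above
      enhanced_recording      = ["command", "network"]
      record_session = {
        default = "best_effort"
        ssh     = "strict" # refuse SSH sessions that cannot be recorded
      }
    }

    allow = {
      logins      = ["ubuntu"]
      node_labels = { env = ["dev", "staging"] }

      # SVIDs may only be issued for the payments workload path, DNS SAN and subnet.
      spiffe = [{
        path     = "/svc/payments/*"
        dns_sans = ["payments.internal.example.com"]
        ip_sans  = ["10.0.42.0/24"]
      }]

      # Production is never granted directly: the "prod-access" role must be
      # requested, and two approvals (or one denial) from a "prod-reviewer"
      # decide it. Approved access expires after 4h.
      request = {
        roles               = ["prod-access"]
        max_duration        = "4h"
        suggested_reviewers = ["alice", "bob"]
        thresholds = [{
          name    = "two prod reviewers"
          approve = 2
          deny    = 1
          # Predicate vocabulary (reviewer.roles) assumed from Teleport's access-request docs.
          filter = "contains(reviewer.roles, \"prod-reviewer\")"
        }]
      }

      # Every SSH or Kubernetes session this role starts needs one moderator
      # holding "prod-reviewer" present; the session ends if they leave.
      require_session_join = [{
        name     = "prod-reviewer must moderate"
        count    = 1
        kinds    = ["ssh", "k8s"]
        modes    = ["moderator"]
        filter   = "contains(user.spec.roles, \"prod-reviewer\")"
        on_leave = "terminate"
      }]
    }

    # deny is evaluated before allow and wins: no allow rule or approved
    # request on this role can ever yield root or reach the bastion hosts.
    deny = {
      logins      = ["root"]
      node_labels = { role = ["bastion"] }
    }
  }
}

resource "teleport_role" "prod_reviewer" {
  metadata = { name = "prod-reviewer" }

  spec = {
    allow = {
      # May approve/deny requests for "prod-access" and, while reviewing, see
      # the hostnames and labels of the requested resources.
      review_requests = {
        roles            = ["prod-access"]
        preview_as_roles = ["prod-access"]
      }

      # May join sessions started by "prod-requester" holders as a moderator,
      # which is what satisfies the require_session_join policy above.
      join_sessions = [{
        name  = "moderate prod-requester sessions"
        roles = ["prod-requester"]
        kinds = ["ssh", "k8s"]
        modes = ["moderator"]
      }]
    }
  }
}
```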

teleport_saml_connector resource:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata holds resource metadata. |
| spec | object | * | Spec is a SAML connector specification. |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata holds resource metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is the object description. |
| expires | RFC3339 time | | Expires is a global expiry time header that can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels. |
| name | string | * | Name is the object name. |
| namespace | string | | Namespace is the object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is a SAML connector specification.

| Name | Type | Required | Description |
|---|---|---|---|
| acs | string | * | AssertionConsumerService is a URL for the assertion consumer service on the service provider (Teleport's side). |
| allow_idp_initiated | bool | | AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins. |
| assertion_key_pair | object | | EncryptionKeyPair is a key pair used for decrypting SAML assertions. |
| attributes_to_roles | object | * | AttributesToRoles is a list of mappings of attribute statements to roles. |
| audience | string | | Audience uniquely identifies our service provider. |
| cert | string | | Cert is the identity provider certificate PEM. The IdP signs <Response> responses using this certificate. |
| display | string | | Display controls how this connector is displayed. |
| entity_descriptor | string | | EntityDescriptor is XML with the descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. |
| entity_descriptor_url | string | | EntityDescriptorURL is a URL that supplies the configuration XML. |
| issuer | string | | Issuer is the identity provider issuer. |
| provider | string | | Provider is the external identity provider. |
| service_provider_issuer | string | | ServiceProviderIssuer is the issuer of the service provider (Teleport). |
| signing_key_pair | object | | SigningKeyPair is an x509 key pair used to sign AuthnRequest. |
| sso | string | | SSO is the URL of the identity provider's SSO service. |

EncryptionKeyPair is a key pair used for decrypting SAML assertions.

| Name | Type | Required | Description |
|---|---|---|---|
| cert | string | | Cert is a PEM-encoded x509 certificate. |
| private_key | string | | PrivateKey is a PEM-encoded x509 private key. |

AttributesToRoles is a list of mappings of attribute statements to roles.

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | | Name is an attribute statement name. |
| roles | array of strings | | Roles is a list of static teleport roles to map to. |
| value | string | | Value is an attribute statement value to match. |

SigningKeyPair is an x509 key pair used to sign AuthnRequest.

| Name | Type | Required | Description |
|---|---|---|---|
| cert | string | | Cert is a PEM-encoded x509 certificate. |
| private_key | string | | PrivateKey is a PEM-encoded x509 private key. |

Example:

```hcl
# Teleport SAML connector
#
# Please note that the SAML connector will work in the Enterprise version only.
# Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/okta/
resource "teleport_saml_connector" "example" {
  # This block tells Terraform to never update the private key from our side if the keys are
  # managed from outside of Terraform.
  # lifecycle {
  #   ignore_changes = [
  #     spec[0].signing_key_pair[0].cert,
  #     spec[0].signing_key_pair[0].private_key,
  #     spec[0].assertion_key_pair[0].cert,
  #     spec[0].assertion_key_pair[0].private_key,
  #   ]
  # }

  # This section tells Terraform that role "example" must be created before the SAML connector
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name = "example"
  }

  spec = {
    attributes_to_roles = [{
      name  = "groups"
      roles = ["example"]
      value = "okta-admin"
    }, {
      name  = "groups"
      roles = ["example"]
      value = "okta-dev"
    }]

    acs               = "https://localhost:3025/v1/webapi/saml/acs"
    entity_descriptor = ""
  }
}
```

teleport_session_recording_config resource:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata. |
| spec | object | | Spec is a SessionRecordingConfig specification. |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is the object description. |
| expires | RFC3339 time | | Expires is a global expiry time header that can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels. |
| namespace | string | | Namespace is the object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is a SessionRecordingConfig specification

| Name | Type | Required | Description |
|---|---|---|---|
| mode | string | | Mode controls where (or if) the session is recorded. |
| proxy_checks_host_keys | bool | | |

Example:

```hcl
# Teleport session recording config
resource "teleport_session_recording_config" "example" {
  metadata = {
    description = "Session recording config"
    labels = {
      "example"             = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on the Teleport side by default
    }
  }

  spec = {
    proxy_checks_host_keys = true
  }
}
```

teleport_trusted_cluster resource:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata holds resource metadata. |
| spec | object | * | Spec is a Trusted Cluster specification. |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata holds resource metadata.

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is the object description. |
| expires | RFC3339 time | | Expires is a global expiry time header that can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels. |
| name | string | * | Name is the object name. |
| namespace | string | | Namespace is the object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is a Trusted Cluster specification.

| Name | Type | Required | Description |
|---|---|---|---|
| enabled | bool | | Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. Setting Enabled to false has a side effect of deleting the user and host certificate authority (CA). |
| role_map | object | | RoleMap specifies role mappings to remote roles. |
| roles | array of strings | | Roles is a list of roles that users will be assuming when connecting to this cluster. |
| token | string | | Token is the authorization token provided by another cluster needed by this cluster to join. |
| tunnel_addr | string | | ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default reverse tunnel port>. |
| web_proxy_addr | string | | ProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default web proxy server port>. |

RoleMap specifies role mappings to remote roles.

| Name | Type | Required | Description |
|---|---|---|---|
| local | array of strings | | Local specifies the local roles to map to. |
| remote | string | | Remote specifies the remote role name to map from. |

Example:

```hcl
# Teleport trusted cluster
#
# https://goteleport.com/docs/setup/admin/trustedclusters/
resource "teleport_trusted_cluster" "cluster" {
  metadata = {
    name = "primary"
    labels = {
      test = "yes"
    }
  }

  spec = {
    enabled = false
    role_map = [{
      remote = "test"
      local  = ["admin"]
    }]
    # web_proxy_addr is the field name given in the spec table above
    web_proxy_addr = "localhost:3080"
    # The join token is a secret: in real use, read it from a variable or a secret store rather than committing it
    token = "salami"
  }
}
```

teleport_trusted_device resource:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata. |
| spec | object | | Specification of the device. |
| version | string | * | Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1. |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| labels | map of strings | | Labels is a set of labels. |
| name | string | | Name is the object name. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Specification of the device.

| Name | Type | Required | Description |
|---|---|---|---|
| asset_tag | string | * | |
| enroll_status | string | | |
| os_type | string | * | |
| owner | string | | |
| source | object | | |

Fields of the source object:

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | | |
| origin | string | | |

Example:

```hcl
# Trusted device resource
resource "teleport_trusted_device" "TESTDEVICE1" {
  spec = {
    asset_tag = "TESTDEVICE1"
    os_type   = "macos"
  }
}
```

teleport_user resource:

| Name | Type | Required | Description |
|---|---|---|---|
| metadata | object | | Metadata is resource metadata. |
| spec | object | | Spec is a user specification. |
| sub_kind | string | | SubKind is an optional resource sub kind, used in some resources. |
| version | string | * | Version is the resource version. It must be specified. Supported values are: v2. |

Metadata is resource metadata

| Name | Type | Required | Description |
|---|---|---|---|
| description | string | | Description is the object description. |
| expires | RFC3339 time | | Expires is a global expiry time header that can be set on any resource in the system. |
| labels | map of strings | | Labels is a set of labels. |
| name | string | * | Name is the object name. |
| namespace | string | | Namespace is the object namespace. The field should be called "namespace" when it returns in Teleport 2.4. |
| revision | string | | Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource. |

Spec is a user specification

| Name | Type | Required | Description |
|---|---|---|---|
| github_identities | object | | GithubIdentities lists associated GitHub OAuth2 identities that let the user log in using an externally verified identity. |
| oidc_identities | object | | OIDCIdentities lists associated OpenID Connect identities that let the user log in using an externally verified identity. |
| roles | array of strings | | Roles is a list of roles assigned to the user. |
| saml_identities | object | | SAMLIdentities lists associated SAML identities that let the user log in using an externally verified identity. |
| traits | map of string arrays | | |
| trusted_device_ids | array of strings | | TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem; avoid manual edits. |

GithubIdentities lists associated GitHub OAuth2 identities that let the user log in using an externally verified identity.

| Name | Type | Required | Description |
|---|---|---|---|
| connector_id | string | | ConnectorID is the ID of the registered OIDC connector, e.g. 'google-example.com'. |
| username | string | | Username is the username supplied by the external identity provider. |

OIDCIdentities lists associated OpenID Connect identities that let the user log in using an externally verified identity.

| Name | Type | Required | Description |
|---|---|---|---|
| connector_id | string | | ConnectorID is the ID of the registered OIDC connector, e.g. 'google-example.com'. |
| username | string | | Username is the username supplied by the external identity provider. |

SAMLIdentities lists associated SAML identities that let the user log in using an externally verified identity.

| Name | Type | Required | Description |
|---|---|---|---|
| connector_id | string | | ConnectorID is the ID of the registered OIDC connector, e.g. 'google-example.com'. |
| username | string | | Username is the username supplied by the external identity provider. |

Example: