Reference for the teleport_role Terraform data-source
This page describes the supported values of the teleport_role
data source of the
Teleport Terraform provider.
Schema
Required
version
(String) Version is the resource version. It must be specified. Supported values are: v3, v4, v5, v6, v7.
Optional
metadata
(Attributes) Metadata is resource metadata (see below for nested schema)
spec
(Attributes) Spec is a role specification (see below for nested schema)
sub_kind
(String) SubKind is an optional resource sub kind, used in some resources
Nested Schema for metadata
Required:
name
(String) Name is an object name
Optional:
description
(String) Description is the object description
expires
(String) Expires is a global expiry time header that can be set on any resource in the system.
labels
(Map of String) Labels is a set of labels
Nested Schema for spec
Optional:
allow
(Attributes) Allow is the set of conditions evaluated to grant access. (see below for nested schema)
deny
(Attributes) Deny is the set of conditions evaluated to deny access. Deny takes priority over allow. (see below for nested schema)
options
(Attributes) Options is for OpenSSH options like agent forwarding. (see below for nested schema)
Nested Schema for spec.allow
Optional:
account_assignments
(Attributes List) AccountAssignments holds the list of account assignments affected by this condition. (see below for nested schema)
app_labels
(Map of List of String) AppLabels is a map of labels used as part of the RBAC system.
app_labels_expression
(String) AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns
(List of String) AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities
(List of String) AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels
(Map of List of String) ClusterLabels is a map of cluster labels (used to dynamically grant access to clusters).
cluster_labels_expression
(String) ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels
(Map of List of String) DatabaseLabels are used in the RBAC system to allow/deny access to databases.
db_labels_expression
(String) DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names
(List of String) DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions
(Attributes List) DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. (see below for nested schema)
db_roles
(List of String) DatabaseRoles is a list of database roles for automatic user creation.
db_service_labels
(Map of List of String) DatabaseServiceLabels are used in the RBAC system to allow/deny access to Database Services.
db_service_labels_expression
(String) DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users
(List of String) DatabaseUsers is a list of database users this role is allowed to connect as.
desktop_groups
(List of String) DesktopGroups is a list of groups that created desktop users are added to.
gcp_service_accounts
(List of String) GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
github_permissions
(Attributes List) GitHubPermissions defines GitHub integration related permissions. (see below for nested schema)
group_labels
(Map of List of String) GroupLabels is a map of labels used as part of the RBAC system.
group_labels_expression
(String) GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups
(List of String) HostGroups is a list of groups that created users are added to.
host_sudoers
(List of String) HostSudoers is a list of entries to include in a user's sudoers file.
impersonate
(Attributes) Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. (see below for nested schema)
join_sessions
(Attributes List) JoinSessions specifies policies to allow users to join other sessions. (see below for nested schema)
kubernetes_groups
(List of String) KubeGroups is a list of Kubernetes groups.
kubernetes_labels
(Map of List of String) KubernetesLabels is a map of Kubernetes cluster labels used for RBAC.
kubernetes_labels_expression
(String) KubernetesLabelsExpression is a predicate expression used to allow/deny access to Kubernetes clusters.
kubernetes_resources
(Attributes List) KubernetesResources is the Kubernetes Resources this Role grants access to. (see below for nested schema)
kubernetes_users
(List of String) KubeUsers is an optional list of Kubernetes users to impersonate.
logins
(List of String) Logins is a list of *nix system logins.
node_labels
(Map of List of String) NodeLabels is a map of node labels (used to dynamically grant access to nodes).
node_labels_expression
(String) NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request
(Attributes) (see below for nested schema)
require_session_join
(Attributes List) RequireSessionJoin specifies policies for required users to start a session. (see below for nested schema)
review_requests
(Attributes) ReviewRequests defines conditions for submitting access reviews. (see below for nested schema)
rules
(Attributes List) Rules is a list of rules and their access levels. Rules are a high level construct used for access control. (see below for nested schema)
spiffe
(Attributes List) SPIFFE is used to allow or deny a role holder access to generating a SPIFFE SVID. (see below for nested schema)
windows_desktop_labels
(Map of List of String) WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
windows_desktop_labels_expression
(String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins
(List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
workload_identity_labels
(Map of List of String) WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
workload_identity_labels_expression
(String) WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
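Added example (not from the Teleport provider documentation): reading an existing role through this data source and failing the plan if its allow conditions contain wildcards, using only attributes listed on this page. The role name "access" and the Terraform 1.5+ check block are assumptions.

```hcl
# Look up an existing role by name. "version" and "metadata.name" are the
# attributes this page lists as required/used for the lookup.
data "teleport_role" "access" {
  version = "v7"
  metadata = {
    name = "access" # assumed: an existing role in the cluster
  }
}

locals {
  allow_logins      = try(data.teleport_role.access.spec.allow.logins, [])
  allow_node_labels = try(data.teleport_role.access.spec.allow.node_labels, {})
}

# Expose the security-relevant parts of the role for review in plan output.
output "access_role_allow_logins" {
  value = local.allow_logins
}

output "access_role_allow_node_labels" {
  value = local.allow_node_labels
}

# Guardrails (assumption: Terraform >= 1.5 "check" blocks are available).
# A role that allows the "*" login or the "*": ["*"] node label selector
# grants every login on every node; surface that as a plan-time failure.
check "no_wildcard_login" {
  assert {
    condition     = !contains(local.allow_logins, "*")
    error_message = "Role 'access' allows the wildcard '*' login."
  }
}

check "no_wildcard_node_labels" {
  assert {
    condition     = !contains(try(local.allow_node_labels["*"], []), "*")
    error_message = "Role 'access' allows every node via node_labels '*': ['*']."
  }
}
```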
Nested Schema for spec.allow.account_assignments
Optional:
account
(String)
permission_set
(String)
Nested Schema for spec.allow.db_permissions
Optional:
match
(Map of List of String) Match is a list of object labels that must be matched for the permission to be granted.
permissions
(List of String) Permissions is the list of string representations of the permissions to be given, e.g. SELECT, INSERT, UPDATE, ...
Nested Schema for spec.allow.github_permissions
Optional:
orgs
(List of String)
Nested Schema for spec.allow.impersonate
Optional:
roles
(List of String) Roles is a list of resources this role is allowed to impersonate.
users
(List of String) Users is a list of resources this role is allowed to impersonate; it may be an empty list or a wildcard pattern.
where
(String) Where specifies an optional advanced matcher.