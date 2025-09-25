Reference for the teleport_app Terraform data-source
Schema
Required
version(String) Version is the resource version. It must be specified. Supported values are:
v3.
Optional
metadata(Attributes) Metadata is the app resource metadata. (see below for nested schema)
spec(Attributes) Spec is the app resource spec. (see below for nested schema)
sub_kind(String) SubKind is an optional resource subkind.
Nested Schema for
metadata
Required:
name(String) Name is an object name
Optional:
description(String) Description is object description
expires(String) Expires is a global expiry time header can be set on any resource in the system.
labels(Map of String) Labels is a set of labels
Nested Schema for
spec
Optional:
aws(Attributes) AWS contains additional options for AWS applications. (see below for nested schema)
cloud(String) Cloud identifies the cloud instance the app represents.
cors(Attributes) CORSPolicy defines the Cross-Origin Resource Sharing settings for the app. (see below for nested schema)
dynamic_labels(Attributes Map) DynamicLabels are the app's command labels. (see below for nested schema)
identity_center(Attributes) IdentityCenter encasulates AWS identity-center specific information. Only valid for Identity Center account apps. (see below for nested schema)
insecure_skip_verify(Boolean) InsecureSkipVerify disables app's TLS certificate verification.
integration(String) Integration is the integration name that must be used to access this Application. Only applicable to AWS App Access. If present, the Application must use the Integration's credentials instead of ambient credentials to access Cloud APIs.
mcp(Attributes) MCP contains MCP server related configurations. (see below for nested schema)
public_addr(String) PublicAddr is the public address the application is accessible at.
required_app_names(List of String) RequiredAppNames is a list of app names that are required for this app to function. Any app listed here will be part of the authentication redirect flow and authenticate along side this app.
rewrite(Attributes) Rewrite is a list of rewriting rules to apply to requests and responses. (see below for nested schema)
tcp_ports(Attributes List) TCPPorts is a list of ports and port ranges that an app agent can forward connections to. Only applicable to TCP App Access. If this field is not empty, URI is expected to contain no port number and start with the tcp protocol. (see below for nested schema)
uri(String) URI is the web app endpoint.
use_any_proxy_public_addr(Boolean) UseAnyProxyPublicAddr will rebuild this app's fqdn based on the proxy public addr that the request originated from. This should be true if your proxy has multiple proxy public addrs and you want the app to be accessible from any of them. If
public_addris explicitly set in the app spec, setting this value to true will overwrite that public address in the web UI.
user_groups(List of String) UserGroups are a list of user group IDs that this app is associated with.
Nested Schema for
spec.aws
Optional:
external_id(String) ExternalID is the AWS External ID used when assuming roles in this app.
roles_anywhere_profile(Attributes) RolesAnywhereProfile contains the IAM Roles Anywhere fields associated with this Application. These fields are set when performing the synchronization of AWS IAM Roles Anywhere Profiles into Teleport Apps. (see below for nested schema)
Nested Schema for
spec.aws.roles_anywhere_profile
Optional:
accept_role_session_name(Boolean) Whether this Roles Anywhere Profile accepts a custom role session name. When not supported, the AWS Session Name will be the X.509 certificate's serial number. When supported, the AWS Session Name will be the identity's username. This values comes from: https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_ProfileDetail.html / acceptRoleSessionName
profile_arn(String) ProfileARN is the AWS IAM Roles Anywhere Profile ARN that originated this Teleport App.
Nested Schema for
spec.cors
Optional:
allow_credentials(Boolean) allow_credentials indicates whether credentials are allowed.
allowed_headers(List of String) allowed_headers specifies which headers can be used when accessing the app.
allowed_methods(List of String) allowed_methods specifies which methods are allowed when accessing the app.
allowed_origins(List of String) allowed_origins specifies which origins are allowed to access the app.
exposed_headers(List of String) exposed_headers indicates which headers are made available to scripts via the browser.
max_age(Number) max_age indicates how long (in seconds) the results of a preflight request can be cached.
Nested Schema for
spec.dynamic_labels
Optional:
command(List of String) Command is a command to run
period(String) Period is a time between command runs
result(String) Result captures standard output
Nested Schema for
spec.identity_center
Optional:
account_id(String) Account ID is the AWS-assigned ID of the account
permission_sets(Attributes List) PermissionSets lists the available permission sets on the given account (see below for nested schema)
Nested Schema for
spec.identity_center.permission_sets
Optional:
arn(String) ARN is the fully-formed ARN of the Permission Set.
assignment_name(String) AssignmentID is the ID of the Teleport Account Assignment resource that represents this permission being assigned on the enclosing Account.
name(String) Name is the human-readable name of the Permission Set.
Nested Schema for
spec.mcp
Optional:
args(List of String) Args to execute with the command.
command(String) Command to launch stdio-based MCP servers.
run_as_host_user(String) RunAsHostUser is the host user account under which the command will be executed. Required for stdio-based MCP servers.
Nested Schema for
spec.rewrite
Optional:
headers(Attributes List) Headers is a list of headers to inject when passing the request over to the application. (see below for nested schema)
jwt_claims(String) JWTClaims configures whether roles/traits are included in the JWT token.
redirect(List of String) Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header.
Nested Schema for
spec.rewrite.headers
Optional:
name(String) Name is the http header name.
value(String) Value is the http header value.
Nested Schema for
spec.tcp_ports
Optional:
end_port(Number) EndPort describes the end of the range, inclusive. If set, it must be between 2 and 65535 and be greater than Port when describing a port range. When omitted or set to zero, it signifies that the port range defines a single port.
port(Number) Port describes the start of the range. It must be between 1 and 65535.