
Reference for the teleport_scoped_role Terraform data-source


This page describes the supported values of the teleport_scoped_role data source of the Teleport Terraform provider.

Schema

Required

  • metadata (Attributes) Metadata contains the resource metadata. (see below for nested schema)
  • scope (String) Scope is the scope of the role resource.
  • spec (Attributes) Spec is the role specification. (see below for nested schema)
  • version (String) Version is the resource version.

Optional

  • sub_kind (String) SubKind is the resource sub-kind.

Nested Schema for metadata

Required:

  • name (String) name is an object name.

Optional:

  • description (String) description is the object description.
  • expires (String) expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) labels is a set of labels.

Nested Schema for spec

Required:

  • assignable_scopes (List of String) AssignableScopes is a list of scopes to which this role can be assigned.

Optional:

  • defaults (Attributes) Defaults specifies default values for controls common across multiple protocols. If the same control specified in defaults is also specified in a protocol block, the value in the protocol block takes precedence. (see below for nested schema)
  • kube (Attributes) The kubernetes specific configuration for a scoped role. (see below for nested schema)
  • rules (Attributes List) Rules describe basic resource:verb permissions (e.g. scoped_role:read). (see below for nested schema)
  • ssh (Attributes) Ssh specifies controls that govern SSH access. (see below for nested schema)

Nested Schema for spec.defaults

Optional:

  • client_idle_timeout (String) ClientIdleTimeout sets the default idle timeout for access sessions across all protocols that do not specify their own value. Must be a valid Go duration string (e.g. "30m", "1h").
  • disconnect_expired_cert (Boolean) DisconnectExpiredCert defines the default behavior of all protocols when certs expire for a session. If unset, cluster wide defaults are used.
  • lock (Attributes) Lock specifies the default locking mode for access sessions across all protocols that do not specify their own value. If unset, cluster wide defaults are used. (see below for nested schema)
  • session_recording (Attributes) SessionRecording configures the session recording strategy for all protocols that don't explicitly set their session recording mode. (see below for nested schema)

Nested Schema for spec.defaults.lock

Optional:

  • mode (String) Allowed values: strict or best_effort. Defaults to the cluster-wide auth preference value if not set.

Nested Schema for spec.defaults.session_recording

Optional:

  • mode (String) Mode sets the session recording mode. Allowed values: strict or best_effort.

Nested Schema for spec.kube

Optional:

  • client_idle_timeout (String) ClientIdleTimeout overrides the defaults block idle timeout specifically for Kubernetes sessions. Must be a valid Go duration string (e.g. "30m", "1h"). If empty, the defaults block value (or global default) applies.
  • disconnect_expired_cert (Boolean) DisconnectExpiredCert controls whether Kube sessions are disconnected when the user certificate expires.
  • groups (List of String) The list of kubernetes groups this role allows.
  • labels (Attributes List) The map of kubernetes cluster labels used for RBAC. (see below for nested schema)
  • lock (Attributes) Lock configures the role's locking behavior for kubernetes sessions. (see below for nested schema)
  • users (List of String) An optional list of impersonatable kubernetes users this role allows.

Nested Schema for spec.kube.labels

Optional:

  • name (String) The name of the label.
  • values (List of String) The values associated with the label.

Nested Schema for spec.kube.lock

Optional:

  • mode (String) Allowed values: strict or best_effort. Defaults to the cluster-wide auth preference value if not set.

Nested Schema for spec.rules

Optional:

  • resources (List of String) Resources is a list of resource kinds (e.g. 'scoped_token') that the below verbs apply to.
  • verbs (List of String) Verbs is the list of action verbs (e.g. 'read') that apply to the above resources.

Nested Schema for spec.ssh

Optional:

  • client_idle_timeout (String) ClientIdleTimeout overrides the defaults block idle timeout specifically for SSH sessions. Must be a valid Go duration string (e.g. "30m", "1h"). If empty, the defaults block value (or global default) applies.
  • disconnect_expired_cert (Boolean) DisconnectExpiredCert controls whether SSH sessions are disconnected when the user certificate expires. Defaults to the cluster-wide auth preference value if not set.
  • enhanced_recording (Attributes) EnhancedRecording is the set of BPF events to record for enhanced session recording. (see below for nested schema)
  • file_copy (Boolean) FileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. Defaults to allowing the user to download and upload files.
  • forward_agent (Boolean) ForwardAgent enables SSH agent forwarding.
  • host_sudoers (List of String) HostSudoers is a list of entries to include in a user's sudoers file.
  • host_user_creation (Attributes) HostUserCreation configures the creation of host users. (see below for nested schema)
  • labels (Attributes List) Labels is the set of node labels used to dynamically select which nodes this role applies to. (see below for nested schema)
  • lock (Attributes) Lock configures the role's locking behavior for SSH sessions. (see below for nested schema)
  • logins (List of String) Logins is the list of OS logins this role permits on matching nodes.
  • max_sessions (Number) MaxSessions defines the maximum number of concurrent sessions per connection.
  • permit_x11_forwarding (Boolean) PermitX11Forwarding, when true, authorizes use of X11 forwarding over SSH sessions. If not set, X11 forwarding is not permitted.
  • port_forwarding (Attributes) PortForwarding configures what types of SSH port forwarding (local or remote) are allowed by a role. (see below for nested schema)
  • session_recording (Attributes) SessionRecording configures the session recording strategy for SSH sessions. (see below for nested schema)

Nested Schema for spec.ssh.enhanced_recording

Optional:

  • command (Boolean) Command enables session.command events in audit logs.
  • disk (Boolean) Disk enables session.disk events in audit logs.
  • network (Boolean) Network enables session.network events in audit logs.

Nested Schema for spec.ssh.host_user_creation

Optional:

  • groups (List of String) Groups is a list of host groups to add the user to.
  • mode (String) Mode specifies how the host user should be created.
  • shell (String) Shell is the shell to set for the user.

Nested Schema for spec.ssh.labels

Optional:

  • name (String) The name of the label.
  • values (List of String) The values associated with the label.

Nested Schema for spec.ssh.lock

Optional:

  • mode (String) Allowed values: strict or best_effort. Defaults to the cluster-wide auth preference value if not set.

Nested Schema for spec.ssh.port_forwarding

Optional:

  • local (Attributes) Local controls whether local port forwarding is allowed. (see below for nested schema)
  • remote (Attributes) Remote controls whether remote port forwarding is allowed. (see below for nested schema)

Nested Schema for spec.ssh.port_forwarding.local

Optional:

  • enabled (Boolean) Enabled permits local port forwarding when true.

Nested Schema for spec.ssh.port_forwarding.remote

Optional:

  • enabled (Boolean) Enabled permits remote port forwarding when true.

Nested Schema for spec.ssh.session_recording

Optional:

  • mode (String) Mode sets the session recording mode. Allowed values: strict or best_effort.
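Example

The configuration below is an added example; it is not taken from the Teleport documentation or the provider's own code. It reads an existing scoped role with the data source and turns the precedence rule from the schema (a control set in a protocol block such as spec.ssh wins over spec.defaults; if neither is set, the cluster-wide setting applies) into Terraform postconditions that fail the plan when the role is weaker than intended. The role name dev-ssh-read, the /dev scope subtree and the output name are assumptions. The lookup is keyed on metadata.name; the schema above marks scope, spec and version as required, so supply them as well if your provider version insists. Custom conditions need Terraform 1.2 or later and startswith needs 1.3 or later.

```hcl
# Added example, not part of the Teleport docs or provider. Assumed: a scoped
# role named "dev-ssh-read" exists and should only be assignable under /dev.
data "teleport_scoped_role" "dev_ssh" {
  metadata = {
    name = "dev-ssh-read" # assumed role name
  }

  lifecycle {
    # Scope containment: every assignable scope must be /dev or below it.
    postcondition {
      condition = alltrue([
        for s in self.spec.assignable_scopes : s == "/dev" || startswith(s, "/dev/")
      ])
      error_message = "dev-ssh-read must only be assignable within the /dev scope subtree."
    }

    # Effective SSH recording mode: spec.ssh.session_recording.mode beats
    # spec.defaults.session_recording.mode. coalesce() skips null values; the
    # outer try() maps "all arguments null" to the sentinel "cluster", meaning
    # the cluster-wide setting applies and cannot be verified from the role.
    postcondition {
      condition = try(coalesce(
        try(self.spec.ssh.session_recording.mode, null),
        try(self.spec.defaults.session_recording.mode, null)
      ), "cluster") == "strict"
      error_message = "dev-ssh-read must set strict SSH session recording in the role itself."
    }

    # Tunnelling controls: unset means not permitted for X11, so treat a
    # missing attribute as false and fail only on an explicit true.
    postcondition {
      condition = (
        !try(self.spec.ssh.port_forwarding.remote.enabled, false) &&
        !try(self.spec.ssh.permit_x11_forwarding, false)
      )
      error_message = "dev-ssh-read must not allow remote port forwarding or X11 forwarding."
    }
  }
}

# Same precedence rule applied to the other shared controls, for review output.
locals {
  dev_ssh_effective = {
    client_idle_timeout = try(coalesce(
      try(data.teleport_scoped_role.dev_ssh.spec.ssh.client_idle_timeout, null),
      try(data.teleport_scoped_role.dev_ssh.spec.defaults.client_idle_timeout, null)
    ), "cluster")
    lock_mode = try(coalesce(
      try(data.teleport_scoped_role.dev_ssh.spec.ssh.lock.mode, null),
      try(data.teleport_scoped_role.dev_ssh.spec.defaults.lock.mode, null)
    ), "cluster")
    logins = try(data.teleport_scoped_role.dev_ssh.spec.ssh.logins, [])
  }
}

output "dev_ssh_effective_controls" { # assumed output name
  value = local.dev_ssh_effective
}
```

Postconditions were chosen over a check block deliberately: a failed check is reported as a warning and does not stop terraform apply, whereas a failed postcondition on the data source aborts the plan. The "cluster" sentinel is treated as a failure for recording mode because a role that relies on the cluster-wide default can be silently weakened by a change to the auth preference outside this configuration.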