Version: 19.x (unreleased)


Reference for the teleport_workload_identity Terraform resource

This page describes the supported values of the teleport_workload_identity resource of the Teleport Terraform provider.

resource "teleport_workload_identity" "example" {
  version = "v1"
  metadata = {
    name = "example"
  }
  spec = {
    rules = {
      allow = [
        {
          conditions = [{
            attribute = "user.name"
            eq = {
              value = "my-user"
            }
          }]
        }
      ]
    }
    spiffe = {
      id   = "/my/spiffe/id/path"
      hint = "my-hint"
    }
  }
}

Schema:

metadata (Attributes) Common metadata that all resources share. (see below for nested schema)
spec (Attributes) The configured properties of the WorkloadIdentity. (see below for nested schema)
sub_kind (String) Differentiates variations of the same kind. All resources should contain one, even if it is never populated.
version (String) The version of the resource being represented.

Nested schema for metadata

Optional:

description (String) description is the object description.
expires (String) expires is a global expiry time header that can be set on any resource in the system.
labels (Map of String) labels is a set of labels.
name (String) name is the object name.

Nested schema for spec

Optional:

rules (Attributes) The rules which are evaluated before the WorkloadIdentity can be issued. (see below for nested schema)
spiffe (Attributes) Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials. (see below for nested schema)

Nested schema for spec.rules

Optional:

allow (Attributes List) A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed. (see below for nested schema)

Nested schema for spec.rules.allow

Optional:

conditions (Attributes List) The conditions that must be met for this rule to be considered passed. Mutually exclusive with expression. (see below for nested schema)
expression (String) An expression written in Teleport's predicate language that must evaluate to true for this rule to be considered passed. Mutually exclusive with conditions.

Nested schema for spec.rules.allow.conditions

Optional:

attribute (String) The name of the attribute to evaluate the condition against.
eq (Attributes) The attribute cast to a string must be equal to the value. (see below for nested schema)
in (Attributes) The attribute cast to a string must be in the list of values. (see below for nested schema)
not_eq (Attributes) The attribute cast to a string must not be equal to the value. (see below for nested schema)
not_in (Attributes) The attribute cast to a string must not be in the list of values. (see below for nested schema)

Nested schema for spec.rules.allow.conditions.eq

Optional:

value (String) The value to compare the attribute against.

Nested schema for spec.rules.allow.conditions.in

Optional:

values (List of String) The list of values to compare the attribute against.

Nested schema for spec.rules.allow.conditions.not_eq

Optional:

value (String) The value to compare the attribute against.

Nested schema for spec.rules.allow.conditions.not_in

Optional:

values (List of String) The list of values to compare the attribute against.
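An added example, not code from the Teleport documentation or the provider, showing how allow rules compose: the WorkloadIdentity is issued when at least one allow entry passes, every condition inside an entry must hold, and an empty allow list passes unconditionally. Only the attribute user.name appears on this page; the attribute names workload.kubernetes.namespace and workload.kubernetes.service_account and the predicate expression syntax are assumptions.

```hcl
# Added example, not from the Teleport documentation. Attribute names other
# than "user.name" and the expression syntax are assumptions.
resource "teleport_workload_identity" "ci_deployer" {
  version = "v1"
  metadata = {
    name = "ci-deployer"
    labels = {
      team = "platform"
    }
  }
  spec = {
    rules = {
      # Two allow entries: issuance succeeds when at least one of them passes.
      # Within an entry, every listed condition must hold.
      allow = [
        {
          # Entry 1: a named bot user whose workload runs in an approved
          # Kubernetes namespace and not under the default service account.
          conditions = [
            {
              attribute = "user.name"
              eq        = { value = "bot-ci-deployer" }
            },
            {
              attribute = "workload.kubernetes.namespace" # assumed attribute name
              in        = { values = ["ci", "ci-canary"] }
            },
            {
              attribute = "workload.kubernetes.service_account" # assumed attribute name
              not_in    = { values = ["default"] }
            },
          ]
        },
        {
          # Entry 2: two named operators, written in the predicate language.
          # An entry uses either conditions or expression, never both.
          expression = "user.name == \"alice\" || user.name == \"bob\""
        },
      ]
    }
    spiffe = {
      id = "/svc/ci-deployer"
    }
  }
}
```

Leaving allow empty would make the rules a pass for any principal whose Teleport role already permits requesting this identity, so the conditions above are what actually narrows issuance to the intended workload.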

Nested schema for spec.spiffe

Optional:

hint (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
id (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward slash ("/"). This field supports templating using attributes.
jwt (Attributes) Configuration specific to JWT-SVIDs. (see below for nested schema)
x509 (Attributes) Configuration specific to X509-SVIDs. (see below for nested schema)

Nested schema for spec.spiffe.jwt

Optional:

maximum_ttl (String) Controls the maximum TTL of JWT-SVIDs issued using this WorkloadIdentity. If a JWT-SVID is requested with a TTL greater than this value, then the returned JWT-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 24 hours.

Nested schema for spec.spiffe.x509

Optional:

dns_sans (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes.
maximum_ttl (String) Controls the maximum TTL of X509-SVIDs issued using this WorkloadIdentity. If an X509-SVID is requested with a TTL greater than this value, then the returned X509-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 14 days.
subject_template (Attributes) Used to configure the Subject Distinguished Name (DN) of the X509-SVID. In most circumstances, it is recommended to rely on the SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE. If not provided, the X509-SVID will be issued with an empty Subject DN. (see below for nested schema)
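An added example (not the provider's own code) for the spiffe block: a SPIFFE ID path and DNS SAN templated from the requesting user, a JWT-SVID cap below the 24-hour default, and an X509-SVID cap at the 14-day ceiling. The "{{ user.name }}" templating syntax and the Go-style duration strings are assumptions; the field names and limits come from the reference above, and subject_template is left out because its fields are not covered on this page.

```hcl
# Added example, not from the Teleport documentation. The "{{ }}" templating
# syntax and the duration string format are assumptions.
resource "teleport_workload_identity" "web_frontend" {
  version = "v1"
  metadata = {
    name = "web-frontend"
  }
  spec = {
    rules = {
      allow = [
        {
          conditions = [
            {
              attribute = "user.name"
              eq        = { value = "bot-web-frontend" }
            },
          ]
        },
      ]
    }
    spiffe = {
      # The SPIFFE ID path is derived from the requesting user, so the same
      # resource yields a distinct identity per bot user that matches the rules.
      id   = "/svc/web/{{ user.name }}"
      hint = "web-frontend"
      jwt = {
        # Below the 24h default: a request for a longer TTL is capped to 1h.
        maximum_ttl = "1h"
      }
      x509 = {
        # DNS SAN entries support the same attribute templating as id.
        dns_sans = [
          "{{ user.name }}.svc.example.internal",
        ]
        # 336h = 14 days, the upper bound the reference allows for X509-SVIDs.
        maximum_ttl = "336h"
      }
    }
  }
}
```

With user.name equal to "bot-web-frontend", the issued X509-SVID carries the URI SAN path /svc/web/bot-web-frontend and the DNS SAN bot-web-frontend.svc.example.internal; a request for a 48h JWT-SVID returns one valid for 1h.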

Nested schema for spec.spiffe.x509.subject_template

Optional: