Reference for the teleport_auth_preference Terraform resource
Example Usage
# AuthPreference resource
resource "teleport_auth_preference" "example" {
version = "v2"
metadata = {
description = "Auth preference"
labels = {
"example" = "yes"
"teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
}
}
spec = {
disconnect_expired_cert = true
}
}
Schema
Required
spec
(Attributes) Spec is an AuthPreference specification (see below for nested schema)version
(String) Version is the resource version. It must be specified. Supported values are:v2
.
Optional
metadata
(Attributes) Metadata is resource metadata (see below for nested schema)sub_kind
(String) SubKind is an optional resource sub kind, used in some resources
Nested Schema for spec
Optional:
allow_headless
(Boolean) AllowHeadless enables/disables headless support. Headless authentication requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise.allow_local_auth
(Boolean) AllowLocalAuth is true if local authentication is enabled.allow_passwordless
(Boolean) AllowPasswordless enables/disables passwordless support. Passwordless requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise.connector_name
(String) ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used.default_session_ttl
(String) DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested.device_trust
(Attributes) DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. (see below for nested schema)disconnect_expired_cert
(Boolean) DisconnectExpiredCert provides disconnect expired certificate setting - if true, connections with expired client certificates will get disconnectedhardware_key
(Attributes) HardwareKey are the settings for hardware key support. (see below for nested schema)idp
(Attributes) IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. (see below for nested schema)locking_mode
(String) LockingMode is the cluster-wide locking mode default.message_of_the_day
(String)okta
(Attributes) Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. (see below for nested schema)piv_slot
(String) TODO(Joerger): DELETE IN 17.0.0 Deprecated, replaced by HardwareKey settings.require_session_mfa
(Number) RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".second_factor
(String) SecondFactor is the type of mult-factor.type
(String) Type is the type of authentication.u2f
(Attributes) U2F are the settings for the U2F device. (see below for nested schema)webauthn
(Attributes) Webauthn are the settings for server-side Web Authentication support. (see below for nested schema)
Nested Schema for spec.device_trust
Optional:
auto_enroll
(Boolean) Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled.tsh
takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off".ekcert_allowed_cas
(List of String) Allow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment, this allows any device to enroll.mode
(String) Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise.
Nested Schema for spec.hardware_key
Optional:
piv_slot
(String) PIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e".serial_number_validation
(Attributes) SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled. (see below for nested schema)
Nested Schema for spec.hardware_key.serial_number_validation
Optional:
enabled
(Boolean) Enabled indicates whether hardware key serial number validation is enabled.serial_number_trait_name
(String) SerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: Values for this user trait should be a comma-separated list of serial numbers, or a list of comm-separated lists. e.g ["123", "345,678"]
Nested Schema for spec.idp
Optional:
saml
(Attributes) SAML are options related to the Teleport SAML IdP. (see below for nested schema)
Nested Schema for spec.idp.saml
Optional:
enabled
(Boolean) Enabled is set to true if this option allows access to the Teleport SAML IdP.
Nested Schema for spec.okta
Optional:
sync_period
(String) SyncPeriod is the duration between synchronization calls in nanoseconds.
Nested Schema for spec.u2f
Optional:
app_id
(String) AppID returns the application ID for universal mult-factor.device_attestation_cas
(List of String) DeviceAttestationCAs contains the trusted attestation CAs for U2F devices.facets
(List of String) Facets returns the facets for universal mult-factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation.
Nested Schema for spec.webauthn
Optional:
attestation_allowed_cas
(List of String) Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed.attestation_denied_cas
(List of String) Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied.rp_id
(String) RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the multi-factor will need to re-register.
Nested Schema for metadata
Optional:
description
(String) Description is object descriptionexpires
(String) Expires is a global expiry time header can be set on any resource in the system.labels
(Map of String) Labels is a set of labels