Reference for the teleport_user Terraform resource
Example Usage
# Teleport User resource
resource "teleport_user" "example" {
  version = "v2"
  # Tells Terraform that the role cannot be destroyed while this user exists
  depends_on = [
    teleport_role.example
  ]
  metadata = {
    name        = "example"
    description = "Example Teleport User"
    expires     = "2022-10-12T07:20:50Z"
    labels = {
      example = "yes"
    }
  }
  spec = {
    roles = ["example"]
    oidc_identities = [{
      connector_id = "oidc1"
      username     = "example"
    }]
    traits = {
      "logins1" = ["example"]
      "logins2" = ["example"]
    }
    github_identities = [{
      connector_id = "github"
      username     = "example"
    }]
    saml_identities = [{
      connector_id = "example-saml"
      username     = "example"
    }]
  }
}
Schema
Required
version
(String) Version is the resource version. It must be specified. Supported values are: v2.
Optional
metadata
(Attributes) Metadata is resource metadata (see below for nested schema)
spec
(Attributes) Spec is a user specification (see below for nested schema)
status
(Attributes) (see below for nested schema)
sub_kind
(String) SubKind is an optional resource sub kind, used in some resources
Nested Schema for metadata
Required:
name
(String) Name is an object name
Optional:
description
(String) Description is the object description
expires
(String) Expires is a global expiry time header that can be set on any resource in the system.
labels
(Map of String) Labels is a set of labels
Nested Schema for spec
Optional:
github_identities
(Attributes List) GithubIdentities lists associated GitHub OAuth2 identities that let the user log in using an externally verified identity (see below for nested schema)
oidc_identities
(Attributes List) OIDCIdentities lists associated OpenID Connect identities that let the user log in using an externally verified identity (see below for nested schema)
roles
(List of String) Roles is a list of roles assigned to the user
saml_identities
(Attributes List) SAMLIdentities lists associated SAML identities that let the user log in using an externally verified identity (see below for nested schema)
traits
(Map of List of String) Traits are key/value pairs received from an identity provider (through OIDC claims or SAML assertions) or from a system administrator for local accounts. Traits are used to populate role variables.
trusted_device_ids
(List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership; it exists for legacy/informative purposes only. Managed by the Device Trust subsystem; avoid manual edits.
Nested Schema for spec.github_identities
Optional:
connector_id
(String) ConnectorID is the id of a registered OIDC connector, e.g. 'google-example.com'
samlSingleLogoutUrl
(String) SAMLSingleLogoutURL is the SAML Single log-out URL used to initiate SAML SLO (single log-out), if applicable.
username
(String) Username is the username supplied by the external identity provider
Nested Schema for spec.oidc_identities
Optional:
connector_id
(String) ConnectorID is the id of a registered OIDC connector, e.g. 'google-example.com'
samlSingleLogoutUrl
(String) SAMLSingleLogoutURL is the SAML Single log-out URL used to initiate SAML SLO (single log-out), if applicable.
username
(String) Username is the username supplied by the external identity provider
Nested Schema for spec.saml_identities
Optional:
connector_id
(String) ConnectorID is the id of a registered OIDC connector, e.g. 'google-example.com'
samlSingleLogoutUrl
(String) SAMLSingleLogoutURL is the SAML Single log-out URL used to initiate SAML SLO (single log-out), if applicable.
username
(String) Username is the username supplied by the external identity provider
Nested Schema for status
Optional:
mfa_weakest_device
(Number) mfa_weakest_device reflects what the system knows about the user's weakest MFA device. Note that this is a "best effort" property, in that it can be UNSPECIFIED.
password_state
(Number) password_state reflects what the system knows about the user's password. Note that this is a "best effort" property, in that it can be UNSPECIFIED for users who were created before this property was introduced and didn't perform any password-related activity since then. See RFD 0159 for details. Do NOT use this value for authentication purposes!
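An added example, not taken from the provider's own documentation, of a time-bounded local user built from the schema above: the `expires` value is checked to be RFC 3339 at plan time, and the role is referenced through the role resource so the dependency is implicit instead of declared with depends_on. The teleport_role.example resource and the metadata.name attribute path on it are assumptions.

```hcl
# Added example; assumes a teleport_role.example resource exists elsewhere in the configuration.

variable "user_expires" {
  description = "RFC 3339 UTC timestamp after which Teleport removes the user, e.g. 2025-01-31T18:00:00Z"
  type        = string

  validation {
    # timeadd only accepts RFC 3339 timestamps, so a malformed value fails at plan time
    # rather than at apply time.
    condition     = can(timeadd(var.user_expires, "0s"))
    error_message = "user_expires must be an RFC 3339 timestamp such as 2025-01-31T18:00:00Z."
  }
}

resource "teleport_user" "contractor" {
  version = "v2"

  metadata = {
    name        = "contractor-jdoe"
    description = "Time-bounded contractor account"
    # Hard expiry: the user stops existing after this instant, whatever roles it holds.
    expires = var.user_expires
    labels = {
      owner = "platform-team"
    }
  }

  spec = {
    # Referencing the role's name (assumed attribute path) makes the dependency implicit,
    # so Terraform orders role creation before user creation without depends_on.
    roles = [teleport_role.example.metadata.name]

    # Traits populate role variables; keep them to the specific logins this user needs.
    traits = {
      "logins" = ["jdoe"]
    }
  }
}
```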