Terraform provider resources

Supported resources:

• teleport_access_list
• teleport_app
• teleport_auth_preference
• teleport_bot
• teleport_cluster_maintenance_config
• teleport_cluster_networking_config
• teleport_database
• teleport_github_connector
• teleport_login_rule
• teleport_oidc_connector
• teleport_okta_import_rule
• teleport_provision_token
• teleport_role
• teleport_saml_connector
• teleport_session_recording_config
• teleport_trusted_cluster
• teleport_trusted_device
• teleport_user

Provider configuration

Ensure your Terraform version is v1.0.0 or higher.

Add the following configuration section to your terraform configuration block:

terraform {
  required_providers {
    teleport = {
      version = "~> 15.0"
      source  = "terraform.releases.teleport.dev/gravitational/teleport"
    }
  }
}

The provider supports the following options:

Name	Type	Description	Environment Variable
addr	string	Teleport auth or proxy address in "host:port" format.	TF_TELEPORT_ADDR
cert_path	string	Path to Teleport certificate file.	TF_TELEPORT_CERT
cert_base64	string	Teleport certificate as base64.	TF_TELEPORT_CERT_BASE64
identity_file_path	string	Path to Teleport identity file.	TF_TELEPORT_IDENTITY_FILE_PATH
identity_file_base64	string	Teleport identity file as base64.	TF_TELEPORT_IDENTITY_FILE_BASE64
key_path	string	Path to Teleport key file.	TF_TELEPORT_KEY
key_base64	string	Teleport key as base64.	TF_TELEPORT_KEY_BASE64
profile_dir	string	Teleport profile path.	TF_TELEPORT_PROFILE_PATH
profile_name	string	Teleport profile name.	TF_TELEPORT_PROFILE_NAME
root_ca_path	string	Path to Teleport CA file.	TF_TELEPORT_ROOT_CA
root_ca_base64	string	Teleport CA as base64.	TF_TELEPORT_ROOT_CA_BASE64
retry_base_duration	string	Base duration between retries. Format	TF_TELEPORT_RETRY_BASE_DURATION
retry_cap_duration	string	Max duration between retries. Format	TF_TELEPORT_RETRY_CAP_DURATION
retry_max_tries	string	Max number of retries.	TF_TELEPORT_RETRY_MAX_TRIES

You need to specify at least one of:

• cert_path, key_path,root_ca_path and addr to connect using key files.
• cert_base64, key_base64,root_ca_base64 and addr to connect using a base64-encoded key.
• identity_file_path or identity_file_base64 and addr to connect using an identity file.
• profile_name, profile_dir (both can be empty) and addr to connect using current profile from ~/.tsh

The retry_* values are used to retry the API calls to Teleport when the cache is stale.

If more than one are provided, they will be tried in the order above until one succeeds.

Example:

provider "teleport" {
  addr         = "localhost:3025"
  cert_path    = "tf.crt"
  key_path     = "tf.key"
  root_ca_path = "tf.ca"
}

Provider resource versioning

Since Teleport 15, you must set the version on each resource, and version cannot be changed in-place. Terraform will delete the resource and create a new one if a version change is required.

This is not enforced on previous Teleport provider versions, but we recommend doing so. When the version is not specified, Terraform will pick the latest one by default. However, version upgrades don't re-apply the resource defaults. This could lead to different results if you create a new resource or upgrade an existing one. To mitigate this, you should explicitly set the resource version.

warning

Upgrading the Terraform Provider to a new version with teleport_role resources without a specified version can change the role behavior and access rules. You must set the role version before upgrading to ensure the role access rules don't change.

The default role version is the highest supported:

• v12 default role version is v5
• v13 default role version is v6
• v14 default role version is v7

For example, before upgrading from v12 to v13, edit every unversioned role to pin the v5 version:

resource "teleport_role" "test" {
  version = "v5"
  metadata = {
    name = "my-role"
  }
  // ...
}

teleport_access_list

Name	Type	Required	Description
header	object		header is the header for the resource.
spec	object		spec is the specification for the access list.

header

header is the header for the resource.

Name	Type	Required	Description
kind	string		kind is a resource kind.
metadata	object		metadata is resource metadata.
sub_kind	string		sub_kind is an optional resource sub kind, used in some resources.
version	string	*	Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

header.metadata

metadata is resource metadata.

Name	Type	Required	Description
description	string		description is object description.
expires	RFC3339 time
labels	map of strings		labels is a set of labels.
name	string	*	name is an object name.
namespace	string		namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

spec is the specification for the access list.

Name	Type	Required	Description
audit	object	*	audit describes the frequency that this access list must be audited.
description	string		description is an optional plaintext description of the access list.
grants	object	*	grants describes the access granted by membership to this access list.
membership	string		membership defines how list membership is applied. There are two possible values: explicit (default): To be considered ag member of the access list, a user must both meet the membership_requires conditions AND be explicitly added to the list. implicit: Any user meeting the membership_requires conditions will automatically be considered a member of this list.
membership_requires	object		membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.
owner_grants	object		owner_grants describes the access granted by owners to this access list.
owners	object	*	owners is a list of owners of the access list.
ownership	string		ownership defines how list ownership of this list is determined. There are two possible values: explicit (default): To be considered an owner of the access list, a user must both meet the ownership_requires conditions AND be explicitly added to the list. implicit: Any user meeting the ownership_requires conditions will automatically be considered an owner of this list.
ownership_requires	object		ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.
title	string		title is a plaintext short description of the access list.

spec.audit

audit describes the frequency that this access list must be audited.

Name	Type	Required	Description
next_audit_date	RFC3339 time
notifications	object		notifications is the configuration for notifying users.
recurrence	object	*	recurrence is the recurrence definition

spec.audit.notifications

notifications is the configuration for notifying users.

Name	Type	Required	Description
start	duration

spec.audit.recurrence

recurrence is the recurrence definition

Name	Type	Required	Description
day_of_month	number		day_of_month is the day of month that reviews will be scheduled on. Supported values are 0, 1, 15, and 31.
frequency	number	*	frequency is the frequency of reviews. This represents the period in months between two reviews. Supported values are 0, 1, 3, 6, and 12.

spec.grants

grants describes the access granted by membership to this access list.

Name	Type	Required	Description
roles	array of strings		roles are the roles that are granted to users who are members of the access list.
traits	object		traits are the traits that are granted to users who are members of the access list.

spec.grants.traits

traits are the traits that are granted to users who are members of the access list.

Name	Type	Required	Description
key	string		key is the name of the trait.
values	array of strings		values is the list of trait values.

spec.membership_requires

membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.

Name	Type	Required	Description
roles	array of strings		roles are the user roles that must be present for the user to obtain access.
traits	object		traits are the traits that must be present for the user to obtain access.

spec.membership_requires.traits

traits are the traits that must be present for the user to obtain access.

Name	Type	Required	Description
key	string		key is the name of the trait.
values	array of strings		values is the list of trait values.

spec.owner_grants

owner_grants describes the access granted by owners to this access list.

Name	Type	Required	Description
roles	array of strings		roles are the roles that are granted to users who are members of the access list.
traits	object		traits are the traits that are granted to users who are members of the access list.

spec.owner_grants.traits

traits are the traits that are granted to users who are members of the access list.

Name	Type	Required	Description
key	string		key is the name of the trait.
values	array of strings		values is the list of trait values.

spec.owners

owners is a list of owners of the access list.

Name	Type	Required	Description
description	string		description is the plaintext description of the owner and why they are an owner.
name	string		name is the username of the owner.

spec.ownership_requires

ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.

Name	Type	Required	Description
roles	array of strings		roles are the user roles that must be present for the user to obtain access.
traits	object		traits are the traits that must be present for the user to obtain access.

spec.ownership_requires.traits

traits are the traits that must be present for the user to obtain access.

Name	Type	Required	Description
key	string		key is the name of the trait.
values	array of strings		values is the list of trait values.

Example:

resource "teleport_access_list" "crane-operation" {
  header = {
    metadata = {
      name = "crane-operation"
      labels = {
        example = "yes"
      }
    }
  }
  spec = {
    description = "Used to grant access to the crane."
    owners = [
      {
        name = "gru"
        description = "The supervillain."
      }
    ]
    membership_requires = {
      roles = ["minion"]
    }
    ownership_requires = {
      roles = ["supervillain"]
    }
    grants = {
      roles = ["crane-operator"]
      traits = [{
        key = "allowed-machines"
        values = ["crane", "forklift"]
      }]
    }
    title = "Crane operation"
    audit = {
      recurrence = {
        frequency = 3 # audit every 3 months
        day_of_month = 15 # audit happen 15's day of the month. Possible values are 1, 15, and 31.
      }
    }
  }
}

teleport_app

Name	Type	Required	Description
metadata	object		Metadata is the app resource metadata.
spec	object		Spec is the app resource spec.
sub_kind	string		SubKind is an optional resource subkind.
version	string	*	Version is the resource version. It must be specified. Supported values are:v3.

metadata

Metadata is the app resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the app resource spec.

Name	Type	Required	Description
aws	object		AWS contains additional options for AWS applications.
cloud	string		Cloud identifies the cloud instance the app represents.
dynamic_labels	object		DynamicLabels are the app's command labels.
insecure_skip_verify	bool		InsecureSkipVerify disables app's TLS certificate verification.
public_addr	string		PublicAddr is the public address the application is accessible at.
rewrite	object		Rewrite is a list of rewriting rules to apply to requests and responses.
uri	string		URI is the web app endpoint.
user_groups	array of strings		UserGroups are a list of user group IDs that this app is associated with.

spec.aws

AWS contains additional options for AWS applications.

Name	Type	Required	Description
external_id	string		ExternalID is the AWS External ID used when assuming roles in this app.

spec.dynamic_labels

DynamicLabels are the app's command labels.

Name	Type	Required	Description
command	array of strings		Command is a command to run
period	duration		Period is a time between command runs
result	string		Result captures standard output

spec.rewrite

Rewrite is a list of rewriting rules to apply to requests and responses.

Name	Type	Required	Description
headers	object		Headers is a list of headers to inject when passing the request over to the application.
jwt_claims	string		JWTClaims configures whether roles/traits are included in the JWT token.
redirect	array of strings		Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header.

spec.rewrite.headers

Headers is a list of headers to inject when passing the request over to the application.

Name	Type	Required	Description
name	string		Name is the http header name.
value	string		Value is the http header value.

Example:

# Teleport App

resource "teleport_app" "example" {
  metadata = {
    name = "example"
    description = "Test app"
    labels = {
        "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    uri = "localhost:3000"
  }
}

teleport_auth_preference

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object	*	Spec is an AuthPreference specification
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an AuthPreference specification

Name	Type	Required	Description
allow_headless	bool
allow_local_auth	bool
allow_passwordless	bool
connector_name	string		ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used.
default_session_ttl	duration		DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested.
device_trust	object		DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.
disconnect_expired_cert	bool
hardware_key	object		HardwareKey are the settings for hardware key support.
idp	object		IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
locking_mode	string		LockingMode is the cluster-wide locking mode default.
message_of_the_day	string
okta	object		Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.
piv_slot	string		Deprecated, replaced by HardwareKey settings.
require_session_mfa	number		RequireMFAType is the type of MFA requirement enforced for this cluster. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
second_factor	string		SecondFactor is the type of second factor.
type	string		Type is the type of authentication.
u2f	object		U2F are the settings for the U2F device.
webauthn	object		Webauthn are the settings for server-side Web Authentication support.

spec.device_trust

DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.

Name	Type	Required	Description
auto_enroll	bool		Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. tsh takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off".
ekcert_allowed_cas	array of strings		Allow list of EKCert CAs in PEM format. If present, only TPM devices that present an EKCert that is signed by a CA specified here may be enrolled (existing enrollments are unchanged). If not present, then the CA of TPM EKCerts will not be checked during enrollment, this allows any device to enroll.
mode	string		Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise.

spec.hardware_key

HardwareKey are the settings for hardware key support.

Name	Type	Required	Description
piv_slot	string		PIVSlot is a PIV slot that Teleport clients should use instead of the default based on private key policy. For example, "9a" or "9e".
serial_number_validation	object		SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.

spec.hardware_key.serial_number_validation

SerialNumberValidation holds settings for hardware key serial number validation. By default, serial number validation is disabled.

Name	Type	Required	Description
enabled	bool		Enabled indicates whether hardware key serial number validation is enabled.
serial_number_trait_name	string		SerialNumberTraitName is an optional custom user trait name for hardware key serial numbers to replace the default: "hardware_key_serial_numbers". Note: Values for this user trait should be a comma-separated list of serial numbers, or a list of comm-separated lists. e.g ["123", "345,678"]

spec.idp

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

Name	Type	Required	Description
saml	object		SAML are options related to the Teleport SAML IdP.

spec.idp.saml

SAML are options related to the Teleport SAML IdP.

Name	Type	Required	Description
enabled	bool

spec.okta

Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise.

Name	Type	Required	Description
sync_period	duration		SyncPeriod is the duration between synchronization calls in nanoseconds.

spec.u2f

U2F are the settings for the U2F device.

Name	Type	Required	Description
app_id	string		AppID returns the application ID for universal second factor.
device_attestation_cas	array of strings		DeviceAttestationCAs contains the trusted attestation CAs for U2F devices.
facets	array of strings		Facets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation.

spec.webauthn

Webauthn are the settings for server-side Web Authentication support.

Name	Type	Required	Description
attestation_allowed_cas	array of strings		Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed.
attestation_denied_cas	array of strings		Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied.
rp_id	string		RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register.

Example:

# AuthPreference resource

resource "teleport_auth_preference" "example" {
  metadata = {
    description = "Auth preference"
    labels = {
      "example" = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    disconnect_expired_cert = true
  }
}

teleport_bot

Name	Type	Required	Description
name	string	*	The name of the bot, i.e. the unprefixed User name
role_name	string		The name of the generated bot role
roles	array of strings	*	A list of roles the created bot should be allowed to assume via role impersonation.
token_id	string	*	The bot joining token. If unset, a new random token is created and its name returned, otherwise a preexisting Bot token may be provided for IAM/OIDC joining.
token_ttl	string		The desired TTL for the token if one is created. If unset, a server default is used
traits	map of string arrays
user_name	string		The name of the generated bot user

Example:

# Teleport Machine ID Bot creation example

locals {
  bot_name = "example"
}

resource "random_password" "bot_token" {
  length           = 32
  special          = false
}

resource "time_offset" "bot_example_token_expiry" {
  offset_hours = 1
}

resource "teleport_provision_token" "bot_example" {
  metadata = {
    expires = time_offset.bot_example_token_expiry.rfc3339
    description = "Bot join token for ${local.bot_name} generated by Terraform"

    name = random_password.bot_token.result
  }

  spec = {
    roles = ["Bot"]
    bot_name = local.bot_name
    join_method = "token"
  }
}

resource "teleport_bot" "example" {
  name = local.bot_name
  token_id = teleport_provision_token.bot_example.metadata.name
  roles = ["access"]
}

teleport_cluster_maintenance_config

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
nonce	number		Nonce is used to protect against concurrent modification of the maintenance window. Clients should treat nonces as opaque.
spec	object
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Name	Type	Required	Description
agent_upgrades	object		AgentUpgrades encodes the agent upgrade window.

spec.agent_upgrades

AgentUpgrades encodes the agent upgrade window.

Name	Type	Required	Description
utc_start_hour	number		UTCStartHour is the start hour of the maintenance window in UTC.
weekdays	array of strings		Weekdays is an optional list of weekdays. If not specified, an agent upgrade window occurs every day.

Example:

# Teleport Cluster Networking config

resource "teleport_cluster_maintenance_config" "example" {
   metadata = {
    description = "Maintenance config"
  }

  spec = {
	agent_upgrades = {
	  utc_start_hour = 1
	  weekdays = [ "monday" ]
	}
  }
}

teleport_cluster_networking_config

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object		Spec is a ClusterNetworkingConfig specification
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string		Version is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a ClusterNetworkingConfig specification

Name	Type	Required	Description
assist_command_execution_workers	number		AssistCommandExecutionWorkers determines the number of workers that will execute arbitrary Assist commands on servers in parallel
case_insensitive_routing	bool		CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching.
client_idle_timeout	duration		ClientIdleTimeout sets global cluster default setting for client idle timeouts.
idle_timeout_message	string		ClientIdleTimeoutMessage is the message sent to the user when a connection times out.
keep_alive_count_max	number		KeepAliveCountMax is the number of keep-alive messages that can be missed before the server disconnects the connection to the client.
keep_alive_interval	duration		KeepAliveInterval is the interval at which the server sends keep-alive messages to the client.
proxy_listener_mode	number		ProxyListenerMode is proxy listener mode used by Teleport Proxies. 0 is "separate"; 1 is "multiplex".
proxy_ping_interval	duration		ProxyPingInterval defines in which interval the TLS routing ping message should be sent. This is applicable only when using ping-wrapped connections, regular TLS routing connections are not affected.
routing_strategy	number		RoutingStrategy determines the strategy used to route to nodes. 0 is "unambiguous_match"; 1 is "most_recent".
session_control_timeout	duration		SessionControlTimeout is the session control lease expiry and defines the upper limit of how long a node may be out of contact with the auth server before it begins terminating controlled sessions.
tunnel_strategy	object		TunnelStrategyV1 determines the tunnel strategy used in the cluster.
web_idle_timeout	duration		WebIdleTimeout sets global cluster default setting for the web UI idle timeouts.

spec.tunnel_strategy

TunnelStrategyV1 determines the tunnel strategy used in the cluster.

Name	Type	Required	Description
agent_mesh	object
proxy_peering	object

spec.tunnel_strategy.agent_mesh

Name	Type	Required	Description
active	bool		Automatically generated field preventing empty message errors

spec.tunnel_strategy.proxy_peering

Name	Type	Required	Description
agent_connection_count	number

Example:

# Teleport Cluster Networking config

resource "teleport_cluster_networking_config" "example" {
   metadata = {
    description = "Networking config"
    labels = {
      "example" = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    client_idle_timeout = "1h"
  }
}

teleport_database

Name	Type	Required	Description
metadata	object		Metadata is the database metadata.
spec	object		Spec is the database spec.
sub_kind	string		SubKind is an optional resource subkind.
version	string	*	Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata is the database metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the database spec.

Name	Type	Required	Description
ad	object		AD is the Active Directory configuration for the database.
admin_user	object		AdminUser is the database admin user for automatic user provisioning.
aws	object		AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
azure	object		Azure contains Azure specific database metadata.
ca_cert	string		CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
dynamic_labels	object		DynamicLabels is the database dynamic labels.
gcp	object		GCP contains parameters specific to GCP Cloud SQL databases.
mongo_atlas	object		MongoAtlas contains Atlas metadata about the database.
mysql	object		MySQL is an additional section with MySQL database options.
oracle	object		Oracle is an additional Oracle configuration options.
protocol	string	*	Protocol is the database protocol: postgres, mysql, mongodb, etc.
tls	object		TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.
uri	string	*	URI is the database connection endpoint.

spec.ad

AD is the Active Directory configuration for the database.

Name	Type	Required	Description
domain	string		Domain is the Active Directory domain the database resides in.
kdc_host_name	string		KDCHostName is the host name for a KDC for x509 Authentication.
keytab_file	string		KeytabFile is the path to the Kerberos keytab file.
krb5_file	string		Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
ldap_cert	string		LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
spn	string		SPN is the service principal name for the database.

spec.admin_user

AdminUser is the database admin user for automatic user provisioning.

Name	Type	Required	Description
default_database	string		DefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users.
name	string		Name is the username of the privileged database user.

spec.aws

AWS contains AWS specific settings for RDS/Aurora/Redshift databases.

Name	Type	Required	Description
account_id	string		AccountID is the AWS account ID this database belongs to.
assume_role_arn	string		AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts.
elasticache	object		ElastiCache contains AWS ElastiCache Redis specific metadata.
external_id	string		ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
iam_policy_status	number		IAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the Database. Eg for an RDS Database: the underlying AWS profile allows for rds-db:connect for the Database.
memorydb	object		MemoryDB contains AWS MemoryDB specific metadata.
opensearch	object		OpenSearch contains AWS OpenSearch specific metadata.
rds	object		RDS contains RDS specific metadata.
rdsproxy	object		RDSProxy contains AWS Proxy specific metadata.
redshift	object		Redshift contains Redshift specific metadata.
redshift_serverless	object		RedshiftServerless contains AWS Redshift Serverless specific metadata.
region	string		Region is a AWS cloud region.
secret_store	object		SecretStore contains secret store configurations.
session_tags	map of strings		SessionTags is a list of AWS STS session tags.

spec.aws.elasticache

ElastiCache contains AWS ElastiCache Redis specific metadata.

Name	Type	Required	Description
endpoint_type	string		EndpointType is the type of the endpoint.
replication_group_id	string		ReplicationGroupID is the Redis replication group ID.
transit_encryption_enabled	bool		TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
user_group_ids	array of strings		UserGroupIDs is a list of user group IDs.

spec.aws.memorydb

MemoryDB contains AWS MemoryDB specific metadata.

Name	Type	Required	Description
acl_name	string		ACLName is the name of the ACL associated with the cluster.
cluster_name	string		ClusterName is the name of the MemoryDB cluster.
endpoint_type	string		EndpointType is the type of the endpoint.
tls_enabled	bool		TLSEnabled indicates whether in-transit encryption (TLS) is enabled.

spec.aws.opensearch

OpenSearch contains AWS OpenSearch specific metadata.

Name	Type	Required	Description
domain_id	string		DomainID is the ID of the domain.
domain_name	string		DomainName is the name of the domain.
endpoint_type	string		EndpointType is the type of the endpoint.

spec.aws.rds

RDS contains RDS specific metadata.

Name	Type	Required	Description
cluster_id	string		ClusterID is the RDS cluster (Aurora) identifier.
iam_auth	bool		IAMAuth indicates whether database IAM authentication is enabled.
instance_id	string		InstanceID is the RDS instance identifier.
resource_id	string		ResourceID is the RDS instance resource identifier (db-xxx).
subnets	array of strings		Subnets is a list of subnets for the RDS instance.
vpc_id	string		VPCID is the VPC where the RDS is running.

spec.aws.rdsproxy

RDSProxy contains AWS Proxy specific metadata.

Name	Type	Required	Description
custom_endpoint_name	string		CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
name	string		Name is the identifier of an RDS Proxy.
resource_id	string		ResourceID is the RDS instance resource identifier (prx-xxx).

spec.aws.redshift

Redshift contains Redshift specific metadata.

Name	Type	Required	Description
cluster_id	string		ClusterID is the Redshift cluster identifier.

spec.aws.redshift_serverless

RedshiftServerless contains AWS Redshift Serverless specific metadata.

Name	Type	Required	Description
endpoint_name	string		EndpointName is the VPC endpoint name.
workgroup_id	string		WorkgroupID is the workgroup ID.
workgroup_name	string		WorkgroupName is the workgroup name.

spec.aws.secret_store

SecretStore contains secret store configurations.

Name	Type	Required	Description
key_prefix	string		KeyPrefix specifies the secret key prefix.
kms_key_id	string		KMSKeyID specifies the AWS KMS key for encryption.

spec.azure

Azure contains Azure specific database metadata.

Name	Type	Required	Description
is_flexi_server	bool		IsFlexiServer is true if the database is an Azure Flexible server.
name	string		Name is the Azure database server name.
redis	object		Redis contains Azure Cache for Redis specific database metadata.
resource_id	string		ResourceID is the Azure fully qualified ID for the resource.

spec.azure.redis

Redis contains Azure Cache for Redis specific database metadata.

Name	Type	Required	Description
clustering_policy	string		ClusteringPolicy is the clustering policy for Redis Enterprise.

spec.dynamic_labels

DynamicLabels is the database dynamic labels.

Name	Type	Required	Description
command	array of strings		Command is a command to run
period	duration		Period is a time between command runs
result	string		Result captures standard output

spec.gcp

GCP contains parameters specific to GCP Cloud SQL databases.

Name	Type	Required	Description
instance_id	string		InstanceID is the Cloud SQL instance ID.
project_id	string		ProjectID is the GCP project ID the Cloud SQL instance resides in.

spec.mongo_atlas

MongoAtlas contains Atlas metadata about the database.

Name	Type	Required	Description
name	string		Name is the Atlas database instance name.

spec.mysql

MySQL is an additional section with MySQL database options.

Name	Type	Required	Description
server_version	string		ServerVersion is the server version reported by DB proxy if the runtime information is not available.

spec.oracle

Oracle is an additional Oracle configuration options.

Name	Type	Required	Description
audit_user	string		AuditUser is the Oracle database user privilege to access internal Oracle audit trail.

spec.tls

TLS is the TLS configuration used when establishing connection to target database. Allows to provide custom CA cert or override server name.

Name	Type	Required	Description
ca_cert	string		CACert is an optional user provided CA certificate used for verifying database TLS connection.
mode	number		Mode is a TLS connection mode. 0 is "verify-full"; 1 is "verify-ca", 2 is "insecure".
server_name	string		ServerName allows to provide custom hostname. This value will override the servername/hostname on a certificate during validation.

Example:

# Teleport Database

resource "teleport_database" "example" {
    metadata = {
        name = "example"
        description = "Test database"
        labels = {
            "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
        }
    }

    spec = {
        protocol = "postgres"
        uri = "localhost"
    }
}

teleport_github_connector

Name	Type	Required	Description
metadata	object		Metadata holds resource metadata.
spec	object	*	Spec is an Github connector specification.
sub_kind	string		SubKind is an optional resource sub kind, used in some resources.
version	string	*	Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata holds resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an Github connector specification.

Name	Type	Required	Description
api_endpoint_url	string		APIEndpointURL is the URL of the API endpoint of the Github instance this connector is for.
client_id	string	*	ClientID is the Github OAuth app client ID.
client_secret	string	*	ClientSecret is the Github OAuth app client secret.
display	string		Display is the connector display name.
endpoint_url	string		EndpointURL is the URL of the GitHub instance this connector is for.
redirect_url	string		RedirectURL is the authorization callback URL.
teams_to_logins	object		TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.
teams_to_roles	object		TeamsToRoles maps Github team memberships onto allowed roles.

spec.teams_to_logins

TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead.

Name	Type	Required	Description
kubernetes_groups	array of strings		KubeGroups is a list of allowed kubernetes groups for this org/team.
kubernetes_users	array of strings		KubeUsers is a list of allowed kubernetes users to impersonate for this org/team.
logins	array of strings		Logins is a list of allowed logins for this org/team.
organization	string		Organization is a Github organization a user belongs to.
team	string		Team is a team within the organization a user belongs to.

spec.teams_to_roles

TeamsToRoles maps Github team memberships onto allowed roles.

Name	Type	Required	Description
organization	string		Organization is a Github organization a user belongs to.
roles	array of strings		Roles is a list of allowed logins for this org/team.
team	string		Team is a team within the organization a user belongs to.

Example:

# Terraform Github connector

variable "github_secret" {}

resource "teleport_github_connector" "github" {
  # This section tells Terraform that role example must be created before the GitHub connector
  depends_on = [
    teleport_role.example
  ]

  metadata = {
     name = "example"
     labels = {
       example = "yes"
     }
  }
  
  spec = {
    client_id = "client"
    client_secret = var.github_secret

    teams_to_roles = [{
       organization = "gravitational"
       team = "devs"
       roles = ["example"]
    }]
  }
}

teleport_login_rule

Name	Type	Required	Description
metadata	object		Metadata is resource metadata.
priority	number	*	Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first.
traits_expression	string		TraitsExpression is a predicate expression which should return the desired traits for the user upon login.
traits_map	object		TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.
version	string	*	Version is the resource version.

metadata

Metadata is resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

traits_map

TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait.

Name	Type	Required	Description
values	array of strings

Example:

# Teleport Login Rule resource

resource "teleport_login_rule" "example" {
  metadata = {
    description = "Example Login Rule"
    labels = {
      "example" = "yes"
    }
  }

  version  = "v1"
  priority = 0
  traits_map = {
    "logins" = {
      values = [
        "external.logins",
        "external.username",
      ]
    }
    "groups" = {
      values = [
        "external.groups",
      ]
    }
  }
}

teleport_oidc_connector

Name	Type	Required	Description
metadata	object		Metadata holds resource metadata.
spec	object	*	Spec is an OIDC connector specification.
sub_kind	string		SubKind is an optional resource sub kind, used in some resources.
version	string	*	Version is the resource version. It must be specified. Supported values are: v3.

metadata

Metadata holds resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an OIDC connector specification.

Name	Type	Required	Description
acr_values	string		ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
allow_unverified_email	bool		AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
claims_to_roles	object		ClaimsToRoles specifies a dynamic mapping from claims to roles.
client_id	string		ClientID is the id of the authentication client (Teleport Auth server).
client_secret	string		ClientSecret is used to authenticate the client.
display	string		Display is the friendly name for this provider.
google_admin_email	string		GoogleAdminEmail is the email of a google admin to impersonate.
google_service_account	string		GoogleServiceAccount is a string containing google service account credentials.
google_service_account_uri	string		GoogleServiceAccountURI is a path to a google service account uri.
issuer_url	string		IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_age	duration
prompt	string		Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
provider	string		Provider is the external identity provider.
redirect_url	array of strings
scope	array of strings		Scope specifies additional scopes set by provider.
username_claim	string		UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

spec.claims_to_roles

ClaimsToRoles specifies a dynamic mapping from claims to roles.

Name	Type	Required	Description
claim	string		Claim is a claim name.
roles	array of strings		Roles is a list of static teleport roles to match.
value	string		Value is a claim value to match.

Example:

# Teleport OIDC connector
# 
# Please note that OIDC connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/oidc/

variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
  metadata = {
    name = "example"
    labels = {
      test = "yes"
    }
  }

  spec = {
    client_id = "client"
    client_secret = var.oidc_secret

    claims_to_roles = [{
      claim = "test"
      roles = ["terraform"]
    }]

    redirect_url = ["https://example.com/redirect"]
  }
}

teleport_okta_import_rule

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object	*	Spec is the specification for the Okta import rule.
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is the specification for the Okta import rule.

Name	Type	Required	Description
mappings	object		Mappings is a list of matches that will map match conditions to labels.
priority	number		Priority represents the priority of the rule application. Lower numbered rules will be applied first.

spec.mappings

Mappings is a list of matches that will map match conditions to labels.

Name	Type	Required	Description
add_labels	map of strings		AddLabels specifies which labels to add if any of the previous matches match.
match	object		Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.

spec.mappings.match

Match is a set of matching rules for this mapping. If any of these match, then the mapping will be applied.

Name	Type	Required	Description
app_ids	array of strings		AppIDs is a list of app IDs to match against.
app_name_regexes	array of strings		AppNameRegexes is a list of regexes to match against app names.
group_ids	array of strings		GroupIDs is a list of group IDs to match against.
group_name_regexes	array of strings		GroupNameRegexes is a list of regexes to match against group names.

Example:

# Teleport Okta Import Rule resource

resource "teleport_okta_import_rule" "example" {
  metadata = {
    description = "Example Okta Import Rule"
    labels = {
      "example" = "yes"
    }
  }

  version  = "v1"

  spec = {
    priority = 100
    mappings = [
      {
        add_labels = {
          "label1": "value1"
        }
        match = [
          {
            app_ids = ["1", "2", "3"]
          },
        ],
      },
      {
        add_labels = {
          "label2": "value2"
        }
        match = [
          {
            group_ids = ["1", "2", "3"]
          },
        ],
      },
      {
        add_labels = {
          "label3" : "value3",
        }
        match = [
          {
            group_name_regexes = ["^.*$"]
          },
        ],
      },
      {
        add_labels = {
          "label4" : "value4",
        }
        match = [
          {
            app_name_regexes = ["^.*$"]
          },
        ],
      }
    ]
  }
}

teleport_provision_token

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object	*	Spec is a provisioning token V2 spec
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string		Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a provisioning token V2 spec

Name	Type	Required	Description
allow	object		Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
aws_iid_ttl	duration		AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
azure	object		Azure allows the configuration of options specific to the "azure" join method.
bot_name	string		BotName is the name of the bot this token grants access to, if any
circleci	object		CircleCI allows the configuration of options specific to the "circleci" join method.
gcp	object		GCP allows the configuration of options specific to the "gcp" join method.
github	object		GitHub allows the configuration of options specific to the "github" join method.
gitlab	object		GitLab allows the configuration of options specific to the "gitlab" join method.
join_method	string		JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam".
kubernetes	object		Kubernetes allows the configuration of options specific to the "kubernetes" join method.
roles	array of strings	*	Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token
spacelift	object		Spacelift allows the configuration of options specific to the "spacelift" join method.
suggested_agent_matcher_labels	map of string arrays
suggested_labels	map of string arrays

spec.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
aws_account	string		AWSAccount is the AWS account ID.
aws_arn	string		AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
aws_regions	array of strings		AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
aws_role	string		AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API.

spec.azure

Azure allows the configuration of options specific to the "azure" join method.

Name	Type	Required	Description
allow	object		Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

spec.azure.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
resource_groups	array of strings		ResourceGroups is a list of Azure resource groups the node is allowed to join from.
subscription	string		Subscription is the Azure subscription.

spec.circleci

CircleCI allows the configuration of options specific to the "circleci" join method.

Name	Type	Required	Description
allow	object		Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
organization_id	string

spec.circleci.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
context_id	string
project_id	string

spec.gcp

GCP allows the configuration of options specific to the "gcp" join method.

Name	Type	Required	Description
allow	object		Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

spec.gcp.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
locations	array of strings		Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
project_ids	array of strings		ProjectIDs is a list of project IDs (e.g. "<example-id-123456>").
service_accounts	array of strings		ServiceAccounts is a list of service account emails (e.g. "<project-number>[email protected]").

spec.github

GitHub allows the configuration of options specific to the "github" join method.

Name	Type	Required	Description
allow	object		Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
enterprise_server_host	string		EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server.
enterprise_slug	string		EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.

spec.github.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
actor	string		The personal account that initiated the workflow run.
environment	string		The name of the environment used by the job.
ref	string		The git ref that triggered the workflow run.
ref_type	string		The type of ref, for example: "branch".
repository	string		The repository from where the workflow is running. This includes the name of the owner e.g gravitational/teleport
repository_owner	string		The name of the organization in which the repository is stored.
sub	string		Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run.
workflow	string		The name of the workflow.

spec.gitlab

GitLab allows the configuration of options specific to the "gitlab" join method.

Name	Type	Required	Description
allow	object		Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.
domain	string		Domain is the domain of your GitLab instance. This will default to gitlab.com - but can be set to the domain of your self-hosted GitLab e.g gitlab.example.com.

spec.gitlab.allow

Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
ci_config_ref_uri	string		CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main.
ci_config_sha	string		CIConfigSHA is the git commit SHA for the ci_config_ref_uri.
deployment_tier	string		DeploymentTier is the deployment tier of the environment the job specifies
environment	string		Environment limits access by the environment the job deploys to (if one is associated)
environment_protected	bool
namespace_path	string		NamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
pipeline_source	string		PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: web
project_path	string		ProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
project_visibility	string		ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public.
ref	string		Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
ref_protected	bool
ref_type	string		RefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag
sub	string		Sub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
user_email	string		UserEmail is the email of the user executing the job
user_id	string		UserID is the ID of the user executing the job
user_login	string		UserLogin is the username of the user executing the job

spec.kubernetes

Kubernetes allows the configuration of options specific to the "kubernetes" join method.

Name	Type	Required	Description
allow	object		Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
static_jwks	object		StaticJWKS is the configuration specific to the static_jwks type.
type	string		Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - in_cluster - static_jwks If unset, this defaults to in_cluster.

spec.kubernetes.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
service_account	string		ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account".

spec.kubernetes.static_jwks

StaticJWKS is the configuration specific to the static_jwks type.

Name	Type	Required	Description
jwks	string		JWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server.

spec.spacelift

Spacelift allows the configuration of options specific to the "spacelift" join method.

Name	Type	Required	Description
allow	object		Allow is a list of Rules, nodes using this token must match one allow rule to use this token.
hostname	string		Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g example.app.spacelift.io

spec.spacelift.allow

Allow is a list of Rules, nodes using this token must match one allow rule to use this token.

Name	Type	Required	Description
caller_id	string		CallerID is the ID of the caller, ie. the stack or module that generated the run.
caller_type	string		CallerType is the type of the caller, ie. the entity that owns the run - either stack or module.
scope	string		Scope is the scope of the token - either read or write. See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
space_id	string		SpaceID is the ID of the space in which the run that owns the token was executed.

Example:

# Teleport Provision Token resource

resource "teleport_provision_token" "example" {
  metadata = {
    expires = "2022-10-12T07:20:51Z"
    description = "Example token"

    labels = {
      example = "yes" 
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    roles = ["Node", "Auth"]
  }
}

resource "teleport_provision_token" "iam-token" {
  metadata = {
    name = "iam-token"
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = "mybot"
    join_method = "iam"
    allow = [{
      aws_account = "123456789012"
    }]
  }
}

teleport_role

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object		Spec is a role specification
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the resource version. It must be specified. Supported values are: v3, v4, v5, v6, v7.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a role specification

Name	Type	Required	Description
allow	object		Allow is the set of conditions evaluated to grant access.
deny	object		Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
options	object		Options is for OpenSSH options like agent forwarding.

spec.allow

Allow is the set of conditions evaluated to grant access.

Name	Type	Required	Description
app_labels	map of string arrays
app_labels_expression	string		AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns	array of strings		AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities	array of strings		AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels	map of string arrays
cluster_labels_expression	string		ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels	map of string arrays
db_labels_expression	string		DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names	array of strings		DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions	object		DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_roles	array of strings		DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels	map of string arrays
db_service_labels_expression	string		DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users	array of strings		DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups	array of strings		DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts	array of strings		GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
group_labels	map of string arrays
group_labels_expression	string		GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups	array of strings		HostGroups is a list of groups for created users to be added to
host_sudoers	array of strings		HostSudoers is a list of entries to include in a users sudoer file
impersonate	object		Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessions	object		JoinSessions specifies policies to allow users to join other sessions.
kubernetes_groups	array of strings		KubeGroups is a list of kubernetes groups
kubernetes_labels	map of string arrays
kubernetes_labels_expression	string		KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources	object		KubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_users	array of strings		KubeUsers is an optional kubernetes users to impersonate
logins	array of strings		Logins is a list of *nix system logins.
node_labels	map of string arrays
node_labels_expression	string		NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request	object
require_session_join	object		RequireSessionJoin specifies policies for required users to start a session.
review_requests	object		ReviewRequests defines conditions for submitting access reviews.
rules	object		Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffe	object		SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labels	map of string arrays
windows_desktop_labels_expression	string		WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins	array of strings		WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.

spec.allow.db_permissions

DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.

Name	Type	Required	Description
match	map of string arrays
permissions	array of strings		Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

spec.allow.impersonate

Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.

Name	Type	Required	Description
roles	array of strings		Roles is a list of resources this role is allowed to impersonate
users	array of strings		Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where	string		Where specifies optional advanced matcher

spec.allow.join_sessions

JoinSessions specifies policies to allow users to join other sessions.

Name	Type	Required	Description
kinds	array of strings		Kinds are the session kinds this policy applies to.
modes	array of strings		Modes is a list of permitted participant modes for this policy.
name	string		Name is the name of the policy.
roles	array of strings		Roles is a list of roles that you can join the session of.

spec.allow.kubernetes_resources

KubernetesResources is the Kubernetes Resources this Role grants access to.

Name	Type	Required	Description
kind	string		Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
name	string		Name is the resource name. It supports wildcards.
namespace	string		Namespace is the resource namespace. It supports wildcards.
verbs	array of strings		Verbs are the allowed Kubernetes verbs for the following resource.

spec.allow.request

Name	Type	Required	Description
annotations	map of string arrays
claims_to_roles	object		ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
max_duration	duration		MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
roles	array of strings		Roles is the name of roles which will match the request rule.
search_as_roles	array of strings		SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers	array of strings		SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds	object		Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

spec.allow.request.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

Name	Type	Required	Description
claim	string		Claim is a claim name.
roles	array of strings		Roles is a list of static teleport roles to match.
value	string		Value is a claim value to match.

spec.allow.request.thresholds

Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

Name	Type	Required	Description
approve	number		Approve is the number of matching approvals needed for state-transition.
deny	number		Deny is the number of denials needed for state-transition.
filter	string		Filter is an optional predicate used to determine which reviews count toward this threshold.
name	string		Name is the optional human-readable name of the threshold.

spec.allow.require_session_join

RequireSessionJoin specifies policies for required users to start a session.

Name	Type	Required	Description
count	number		Count is the amount of people that need to be matched for this policy to be fulfilled.
filter	string		Filter is a predicate that determines what users count towards this policy.
kinds	array of strings		Kinds are the session kinds this policy applies to.
modes	array of strings		Modes is the list of modes that may be used to fulfill this policy.
name	string		Name is the name of the policy.
on_leave	string		OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

spec.allow.review_requests

ReviewRequests defines conditions for submitting access reviews.

Name	Type	Required	Description
claims_to_roles	object		ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_roles	array of strings		PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles	array of strings		Roles is the name of roles which may be reviewed.
where	string		Where is an optional predicate which further limits which requests are reviewable.

spec.allow.review_requests.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

Name	Type	Required	Description
claim	string		Claim is a claim name.
roles	array of strings		Roles is a list of static teleport roles to match.
value	string		Value is a claim value to match.

spec.allow.rules

Rules is a list of rules and their access levels. Rules are a high level construct used for access control.

Name	Type	Required	Description
actions	array of strings		Actions specifies optional actions taken when this rule matches
resources	array of strings		Resources is a list of resources
verbs	array of strings		Verbs is a list of verbs
where	string		Where specifies optional advanced matcher

spec.allow.spiffe

SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.

Name	Type	Required	Description
dns_sans	array of strings		DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans	array of strings		IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path	string		Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.deny

Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.

Name	Type	Required	Description
app_labels	map of string arrays
app_labels_expression	string		AppLabelsExpression is a predicate expression used to allow/deny access to Apps.
aws_role_arns	array of strings		AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume.
azure_identities	array of strings		AzureIdentities is a list of Azure identities this role is allowed to assume.
cluster_labels	map of string arrays
cluster_labels_expression	string		ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.
db_labels	map of string arrays
db_labels_expression	string		DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.
db_names	array of strings		DatabaseNames is a list of database names this role is allowed to connect to.
db_permissions	object		DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.
db_roles	array of strings		DatabaseRoles is a list of databases roles for automatic user creation.
db_service_labels	map of string arrays
db_service_labels_expression	string		DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.
db_users	array of strings		DatabaseUsers is a list of databases users this role is allowed to connect as.
desktop_groups	array of strings		DesktopGroups is a list of groups for created desktop users to be added to
gcp_service_accounts	array of strings		GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume.
group_labels	map of string arrays
group_labels_expression	string		GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.
host_groups	array of strings		HostGroups is a list of groups for created users to be added to
host_sudoers	array of strings		HostSudoers is a list of entries to include in a users sudoer file
impersonate	object		Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.
join_sessions	object		JoinSessions specifies policies to allow users to join other sessions.
kubernetes_groups	array of strings		KubeGroups is a list of kubernetes groups
kubernetes_labels	map of string arrays
kubernetes_labels_expression	string		KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.
kubernetes_resources	object		KubernetesResources is the Kubernetes Resources this Role grants access to.
kubernetes_users	array of strings		KubeUsers is an optional kubernetes users to impersonate
logins	array of strings		Logins is a list of *nix system logins.
node_labels	map of string arrays
node_labels_expression	string		NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.
request	object
require_session_join	object		RequireSessionJoin specifies policies for required users to start a session.
review_requests	object		ReviewRequests defines conditions for submitting access reviews.
rules	object		Rules is a list of rules and their access levels. Rules are a high level construct used for access control.
spiffe	object		SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.
windows_desktop_labels	map of string arrays
windows_desktop_labels_expression	string		WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
windows_desktop_logins	array of strings		WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.

spec.deny.db_permissions

DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning.

Name	Type	Required	Description
match	map of string arrays
permissions	array of strings		Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...

spec.deny.impersonate

Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means.

Name	Type	Required	Description
roles	array of strings		Roles is a list of resources this role is allowed to impersonate
users	array of strings		Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern
where	string		Where specifies optional advanced matcher

spec.deny.join_sessions

JoinSessions specifies policies to allow users to join other sessions.

Name	Type	Required	Description
kinds	array of strings		Kinds are the session kinds this policy applies to.
modes	array of strings		Modes is a list of permitted participant modes for this policy.
name	string		Name is the name of the policy.
roles	array of strings		Roles is a list of roles that you can join the session of.

spec.deny.kubernetes_resources

KubernetesResources is the Kubernetes Resources this Role grants access to.

Name	Type	Required	Description
kind	string		Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported.
name	string		Name is the resource name. It supports wildcards.
namespace	string		Namespace is the resource namespace. It supports wildcards.
verbs	array of strings		Verbs are the allowed Kubernetes verbs for the following resource.

spec.deny.request

Name	Type	Required	Description
annotations	map of string arrays
claims_to_roles	object		ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
max_duration	duration		MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used.
roles	array of strings		Roles is the name of roles which will match the request rule.
search_as_roles	array of strings		SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request.
suggested_reviewers	array of strings		SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement.
thresholds	object		Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

spec.deny.request.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

Name	Type	Required	Description
claim	string		Claim is a claim name.
roles	array of strings		Roles is a list of static teleport roles to match.
value	string		Value is a claim value to match.

spec.deny.request.thresholds

Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used.

Name	Type	Required	Description
approve	number		Approve is the number of matching approvals needed for state-transition.
deny	number		Deny is the number of denials needed for state-transition.
filter	string		Filter is an optional predicate used to determine which reviews count toward this threshold.
name	string		Name is the optional human-readable name of the threshold.

spec.deny.require_session_join

RequireSessionJoin specifies policies for required users to start a session.

Name	Type	Required	Description
count	number		Count is the amount of people that need to be matched for this policy to be fulfilled.
filter	string		Filter is a predicate that determines what users count towards this policy.
kinds	array of strings		Kinds are the session kinds this policy applies to.
modes	array of strings		Modes is the list of modes that may be used to fulfill this policy.
name	string		Name is the name of the policy.
on_leave	string		OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session.

spec.deny.review_requests

ReviewRequests defines conditions for submitting access reviews.

Name	Type	Required	Description
claims_to_roles	object		ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.
preview_as_roles	array of strings		PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources.
roles	array of strings		Roles is the name of roles which may be reviewed.
where	string		Where is an optional predicate which further limits which requests are reviewable.

spec.deny.review_requests.claims_to_roles

ClaimsToRoles specifies a mapping from claims (traits) to teleport roles.

Name	Type	Required	Description
claim	string		Claim is a claim name.
roles	array of strings		Roles is a list of static teleport roles to match.
value	string		Value is a claim value to match.

spec.deny.rules

Rules is a list of rules and their access levels. Rules are a high level construct used for access control.

Name	Type	Required	Description
actions	array of strings		Actions specifies optional actions taken when this rule matches
resources	array of strings		Resources is a list of resources
verbs	array of strings		Verbs is a list of verbs
where	string		Where specifies optional advanced matcher

spec.deny.spiffe

SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.

Name	Type	Required	Description
dns_sans	array of strings		DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com
ip_sans	array of strings		IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42
path	string		Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^/svc/foo/.*/bar$ would match /svc/foo/baz/bar

spec.options

Options is for OpenSSH options like agent forwarding.

Name	Type	Required	Description
cert_extensions	object		CertExtensions specifies the key/values
cert_format	string		CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH.
client_idle_timeout	duration		ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration.
create_db_user	bool
create_db_user_mode	number		CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
create_desktop_user	bool
create_host_user	bool
create_host_user_mode	number		CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
desktop_clipboard	bool
desktop_directory_sharing	bool
device_trust_mode	string		DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport.
disconnect_expired_cert	bool		DisconnectExpiredCert sets disconnect clients on expired certificates.
enhanced_recording	array of strings		BPF defines what events to record for the BPF-based session recorder.
forward_agent	bool		ForwardAgent is SSH agent forwarding.
idp	object		IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.
lock	string		Lock specifies the locking mode (strict
max_connections	number		MaxConnections defines the maximum number of concurrent connections a user may hold.
max_kubernetes_connections	number		MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold.
max_session_ttl	duration		MaxSessionTTL defines how long a SSH session can last for.
max_sessions	number		MaxSessions defines the maximum number of concurrent sessions per connection.
permit_x11_forwarding	bool		PermitX11Forwarding authorizes use of X11 forwarding.
pin_source_ip	bool		PinSourceIP forces the same client IP for certificate generation and usage
port_forwarding	bool
record_session	object		RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
request_access	string		RequestAccess defines the access request strategy (optional
request_prompt	string		RequestPrompt is an optional message which tells users what they aught to request.
require_session_mfa	number		RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
ssh_file_copy	bool

spec.options.cert_extensions

CertExtensions specifies the key/values

Name	Type	Required	Description
mode	number		Mode is the type of extension to be used -- currently critical-option is not supported. 0 is "extension".
name	string		Name specifies the key to be used in the cert extension.
type	number		Type represents the certificate type being extended, only ssh is supported at this time. 0 is "ssh".
value	string		Value specifies the value to be used in the cert extension.

spec.options.idp

IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise.

Name	Type	Required	Description
saml	object		SAML are options related to the Teleport SAML IdP.

spec.options.idp.saml

SAML are options related to the Teleport SAML IdP.

Name	Type	Required	Description
enabled	bool

spec.options.record_session

RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.

Name	Type	Required	Description
default	string		Default indicates the default value for the services.
desktop	bool
ssh	string		SSH indicates the session mode used on SSH sessions.

Example:

# Teleport Role resource

resource "teleport_role" "example" {
  metadata = {
    name        = "example"
    description = "Example Teleport Role"
    expires     = "2022-10-12T07:20:51Z"
    labels = {
      example  = "yes"      
    }
  }
  
  spec = {
    options = {
      forward_agent           = false
      max_session_ttl         = "7m"
      port_forwarding         = false
      client_idle_timeout     = "1h"
      disconnect_expired_cert = true
      permit_x11_forwarding   = false
      request_access          = "denied"
    }

    allow = {
      logins = ["example"]

      rules = [{
        resources = ["user", "role"]
        verbs = ["list"]
      }]

      request = {
        roles = ["example"]
        claims_to_roles = [{
          claim = "example"
          value = "example"
          roles = ["example"]
        }]
      }

      node_labels = {
        example = ["yes"]
      }
    }

    deny = {
      logins = ["anonymous"]
    }
  }
}

teleport_saml_connector

Name	Type	Required	Description
metadata	object		Metadata holds resource metadata.
spec	object	*	Spec is an SAML connector specification.
sub_kind	string		SubKind is an optional resource sub kind, used in some resources.
version	string	*	Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata holds resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is an SAML connector specification.

Name	Type	Required	Description
acs	string	*	AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).
allow_idp_initiated	bool		AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
assertion_key_pair	object		EncryptionKeyPair is a key pair used for decrypting SAML assertions.
attributes_to_roles	object	*	AttributesToRoles is a list of mappings of attribute statements to roles.
audience	string		Audience uniquely identifies our service provider.
cert	string		Cert is the identity provider certificate PEM. IDP signs <Response> responses using this certificate.
display	string		Display controls how this connector is displayed.
entity_descriptor	string		EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
entity_descriptor_url	string		EntityDescriptorURL is a URL that supplies a configuration XML.
issuer	string		Issuer is the identity provider issuer.
provider	string		Provider is the external identity provider.
service_provider_issuer	string		ServiceProviderIssuer is the issuer of the service provider (Teleport).
signing_key_pair	object		SigningKeyPair is an x509 key pair used to sign AuthnRequest.
sso	string		SSO is the URL of the identity provider's SSO service.

spec.assertion_key_pair

EncryptionKeyPair is a key pair used for decrypting SAML assertions.

Name	Type	Required	Description
cert	string		Cert is a PEM-encoded x509 certificate.
private_key	string		PrivateKey is a PEM encoded x509 private key.

spec.attributes_to_roles

AttributesToRoles is a list of mappings of attribute statements to roles.

Name	Type	Required	Description
name	string		Name is an attribute statement name.
roles	array of strings		Roles is a list of static teleport roles to map to.
value	string		Value is an attribute statement value to match.

spec.signing_key_pair

SigningKeyPair is an x509 key pair used to sign AuthnRequest.

Name	Type	Required	Description
cert	string		Cert is a PEM-encoded x509 certificate.
private_key	string		PrivateKey is a PEM encoded x509 private key.

Example:

# Teleport SAML connector
# 
# Please note that SAML connector will work in Enterprise version only. Check the setup docs:
# https://goteleport.com/docs/enterprise/sso/okta/

resource "teleport_saml_connector" "example" {
  # This block will tell Terraform to never update private key from our side if a keys are managed 
  # from an outside of Terraform.

  # lifecycle {
  #   ignore_changes = [
  #     spec[0].signing_key_pair[0].cert,
  #     spec[0].signing_key_pair[0].private_key,
  #     spec[0].assertion_key_pair[0].cert,
  #     spec[0].assertion_key_pair[0].private_key,
  #   ]
  # }

  # This section tells Terraform that role example must be created before the SAML connector
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name = "example"
  }

  spec = {
    attributes_to_roles = [{
      name  = "groups"
      roles = ["example"]
      value = "okta-admin"
    },
    {
      name  = "groups"
      roles = ["example"]
      value = "okta-dev"
    }]

    acs               = "https://localhost:3025/v1/webapi/saml/acs"
    entity_descriptor = ""
  }
}

teleport_session_recording_config

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object		Spec is a SessionRecordingConfig specification
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the resource version. It must be specified. Supported values are:v2.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a SessionRecordingConfig specification

Name	Type	Required	Description
mode	string		Mode controls where (or if) the session is recorded.
proxy_checks_host_keys	bool

Example:

# Teleport session recording config

resource "teleport_session_recording_config" "example" {
  metadata = {
    description = "Session recording config"
    labels = {
      "example" = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    proxy_checks_host_keys = true
  }
}

teleport_trusted_cluster

Name	Type	Required	Description
metadata	object		Metadata holds resource metadata.
spec	object	*	Spec is a Trusted Cluster specification.
sub_kind	string		SubKind is an optional resource sub kind, used in some resources.
version	string	*	Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata holds resource metadata.

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a Trusted Cluster specification.

Name	Type	Required	Description
enabled	bool		Enabled is a bool that indicates if the TrustedCluster is enabled or disabled. Setting Enabled to false has a side effect of deleting the user and host certificate authority (CA).
role_map	object		RoleMap specifies role mappings to remote roles.
roles	array of strings		Roles is a list of roles that users will be assuming when connecting to this cluster.
token	string		Token is the authorization token provided by another cluster needed by this cluster to join.
tunnel_addr	string		ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default reverse tunnel port>.
web_proxy_addr	string		ProxyAddress is the address of the web proxy server of the cluster to join. If not set, it is derived from <metadata.name>:<default web proxy server port>.

spec.role_map

RoleMap specifies role mappings to remote roles.

Name	Type	Required	Description
local	array of strings		Local specifies local roles to map to
remote	string		Remote specifies remote role name to map from

Example:

# Teleport trusted cluster
#
# https://goteleport.com/docs/setup/admin/trustedclusters/

resource "teleport_trusted_cluster" "cluster" {
  metadata = {
    name = "primary"
    labels = {
      test = "yes"
    }
  }

  spec = {
    enabled = false
    role_map = [{
      remote = "test"
      local = ["admin"]
    }]
    proxy_addr = "localhost:3080"
    token = "salami"
  }
}

teleport_trusted_device

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object		Specification of the device.
version	string	*	Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: v1

metadata

Metadata is resource metadata

Name	Type	Required	Description
labels	map of strings		Labels is a set of labels
name	string		Name is an object name
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Specification of the device.

Name	Type	Required	Description
asset_tag	string	*
enroll_status	string
os_type	string	*
owner	string
source	object

spec.source

Name	Type	Required	Description
name	string
origin	string

Example:

# Trusted device resource

resource "teleport_trusted_device" "TESTDEVICE1" {
  spec = {
    asset_tag = "TESTDEVICE1"
    os_type   = "macos"
  }
}

teleport_user

Name	Type	Required	Description
metadata	object		Metadata is resource metadata
spec	object		Spec is a user specification
sub_kind	string		SubKind is an optional resource sub kind, used in some resources
version	string	*	Version is the resource version. It must be specified. Supported values are: v2.

metadata

Metadata is resource metadata

Name	Type	Required	Description
description	string		Description is object description
expires	RFC3339 time		Expires is a global expiry time header can be set on any resource in the system.
labels	map of strings		Labels is a set of labels
name	string	*	Name is an object name
namespace	string		Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4.
revision	string		Revision is an opaque identifier which tracks the versions of a resource over time. Clients should ignore and not alter its value but must return the revision in any updates of a resource.

spec

Spec is a user specification

Name	Type	Required	Description
github_identities	object		GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity
oidc_identities	object		OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity
roles	array of strings		Roles is a list of roles assigned to user
saml_identities	object		SAMLIdentities lists associated SAML identities that let user log in using externally verified identity
traits	map of string arrays
trusted_device_ids	array of strings		TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.

spec.github_identities

GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity

Name	Type	Required	Description
connector_id	string		ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
username	string		Username is username supplied by external identity provider

spec.oidc_identities

OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity

Name	Type	Required	Description
connector_id	string		ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
username	string		Username is username supplied by external identity provider

spec.saml_identities

SAMLIdentities lists associated SAML identities that let user log in using externally verified identity

Name	Type	Required	Description
connector_id	string		ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
username	string		Username is username supplied by external identity provider

Example:

# Teleport User resource

resource "teleport_user" "example" {
  # Tells Terraform that the role could not be destroyed while this user exists
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name        = "example"
    description = "Example Teleport User"

    expires = "2022-10-12T07:20:50Z"

    labels = {
      example = "yes"
    }
  }

  spec = {
    roles = ["example"]

    oidc_identities = [{
      connector_id = "oidc1"
      username     = "example"
    }]

    traits = {
      "logins1" = ["example"]
      "logins2" = ["example"]
    }

    github_identities = [{
      connector_id = "github"
      username     = "example"
    }]

    saml_identities = [{
      connector_id = "example-saml"
      username     = "example"
    }]
  }
}