From 255d0288bf08860e7ea0cbe71722516d3e51ce72 Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Thu, 18 May 2023 14:21:59 +0100 Subject: [PATCH 1/3] Update Terraform reference docs to 13.0.2 --- docs/pages/reference/terraform-provider.mdx | 294 ++++++++++++-------- 1 file changed, 180 insertions(+), 114 deletions(-) diff --git a/docs/pages/reference/terraform-provider.mdx b/docs/pages/reference/terraform-provider.mdx index 54fa7b55437b2..058660af68807 100644 --- a/docs/pages/reference/terraform-provider.mdx +++ b/docs/pages/reference/terraform-provider.mdx @@ -3,6 +3,8 @@ title: Terraform provider resources description: Terraform provider resources reference --- +{/* Content generated by teleport-plugins/terraform/gen/main.go DO NOT EDIT */} + Supported resources: - [teleport_app](#teleport_app) @@ -11,6 +13,7 @@ Supported resources: - [teleport_cluster_networking_config](#teleport_cluster_networking_config) - [teleport_database](#teleport_database) - [teleport_github_connector](#teleport_github_connector) +- [teleport_login_rule](#teleport_login_rule) - [teleport_oidc_connector](#teleport_oidc_connector) - [teleport_provision_token](#teleport_provision_token) - [teleport_role](#teleport_role) @@ -21,6 +24,8 @@ Supported resources: ## Provider configuration +Ensure your Terraform version is v(=terraform.version=) or higher. + Add the following configuration section to your `terraform` configuration block: ``` 
@@ -190,29 +195,31 @@ Metadata is resource metadata Spec is an AuthPreference specification -| Name | Type | Required | Description | -|-------------------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------| -| allow_local_auth | bool | | | -| allow_passwordless | bool | | | -| connector_name | string | | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. | -| device_trust | object | | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. | -| disconnect_expired_cert | bool | | | -| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | -| locking_mode | string | | LockingMode is the cluster-wide locking mode default. | -| message_of_the_day | string | | | -| require_mfa_type | number | | RequireMFAType is the type of MFA requirement enforced for this cluster. | -| second_factor | string | | SecondFactor is the type of second factor. | -| type | string | | Type is the type of authentication. | -| u2f | object | | U2F are the settings for the U2F device. | -| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. | +| Name | Type | Required | Description | +|-------------------------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------| +| allow_headless | bool | | | +| allow_local_auth | bool | | | +| allow_passwordless | bool | | | +| connector_name | string | | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. | +| device_trust | object | | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. 
| +| disconnect_expired_cert | bool | | | +| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | +| locking_mode | string | | LockingMode is the cluster-wide locking mode default. | +| message_of_the_day | string | | | +| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this cluster: 0:Off, 1:Session, 2:SessionAndHardwareKey, 3:HardwareKeyTouch | +| second_factor | string | | SecondFactor is the type of second factor. | +| type | string | | Type is the type of authentication. | +| u2f | object | | U2F are the settings for the U2F device. | +| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. | #### spec.device_trust DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. -| Name | Type | Required | Description | -|------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| mode | string | | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. 
| +| Name | Type | Required | Description | +|-------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| auto_enroll | bool | | Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. `tsh` takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off". | +| mode | string | | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. | #### spec.idp @@ -372,12 +379,16 @@ TunnelStrategyV1 determines the tunnel strategy used in the cluster. ##### spec.tunnel_strategy.agent_mesh + + | Name | Type | Required | Description | |--------|------|----------|---------------------------------------------------------------| | active | bool | | Automatically generated field preventing empty message errors | ##### spec.tunnel_strategy.proxy_peering + + | Name | Type | Required | Description | |------------------------|--------|----------|-------------| | agent_connection_count | number | | | 
@@ -457,18 +468,19 @@ AD is the Active Directory configuration for the database. AWS contains AWS specific settings for RDS/Aurora/Redshift databases. -| Name | Type | Required | Description | -|---------------------|--------|----------|------------------------------------------------------------------------------------------------| -| account_id | string | | AccountID is the AWS account ID this database belongs to. | -| elasticache | object | | ElastiCache contains AWS ElastiCache Redis specific metadata. | -| external_id | string | | ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts. | -| memorydb | object | | MemoryDB contains AWS MemoryDB specific metadata. | -| rds | object | | RDS contains RDS specific metadata. | -| rdsproxy | object | | RDSProxy contains AWS Proxy specific metadata. | -| redshift | object | | Redshift contains Redshift specific metadata. | -| redshift_serverless | object | | RedshiftServerless contains AWS Redshift Serverless specific metadata. | -| region | string | | Region is a AWS cloud region. | -| secret_store | object | | SecretStore contains secret store configurations. | +| Name | Type | Required | Description | +|---------------------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------| +| account_id | string | | AccountID is the AWS account ID this database belongs to. | +| assume_role_arn | string | | AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts. | +| elasticache | object | | ElastiCache contains AWS ElastiCache Redis specific metadata. | +| external_id | string | | ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts. | +| memorydb | object | | MemoryDB contains AWS MemoryDB specific metadata. 
| +| rds | object | | RDS contains RDS specific metadata. | +| rdsproxy | object | | RDSProxy contains AWS Proxy specific metadata. | +| redshift | object | | Redshift contains Redshift specific metadata. | +| redshift_serverless | object | | RedshiftServerless contains AWS Redshift Serverless specific metadata. | +| region | string | | Region is a AWS cloud region. | +| secret_store | object | | SecretStore contains secret store configurations. | ##### spec.aws.elasticache 
@@ -642,15 +654,16 @@ Metadata holds resource metadata. Spec is an Github connector specification. -| Name | Type | Required | Description | -|-----------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------| -| client_id | string | * | ClientID is the Github OAuth app client ID. | -| client_secret | string | * | ClientSecret is the Github OAuth app client secret. | -| display | string | | Display is the connector display name. | -| endpoint_url | string | | | -| redirect_url | string | | RedirectURL is the authorization callback URL. | -| teams_to_logins | object | | TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead. | -| teams_to_roles | object | | TeamsToRoles maps Github team memberships onto allowed roles. | +| Name | Type | Required | Description | +|------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------| +| api_endpoint_url | string | | APIEndpointURL is the URL of the API endpoint of the Github instance this connector is for. | +| client_id | string | * | ClientID is the Github OAuth app client ID. | +| client_secret | string | * | ClientSecret is the Github OAuth app client secret. | +| display | string | | Display is the connector display name. | +| endpoint_url | string | | EndpointURL is the URL of the GitHub instance this connector is for. | +| redirect_url | string | | RedirectURL is the authorization callback URL. | +| teams_to_logins | object | | TeamsToLogins maps Github team memberships onto allowed logins/roles. DELETE IN 11.0.0 Deprecated: use GithubTeamsToRoles instead. | +| teams_to_roles | object | | TeamsToRoles maps Github team memberships onto allowed roles. | #### spec.teams_to_logins 
@@ -708,6 +721,68 @@ resource "teleport_github_connector" "github" { ``` +## teleport_login_rule + +| Name | Type | Required | Description | +|-------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| metadata | object | | Metadata is resource metadata. | +| priority | number | | Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first. | +| traits_expression | string | | TraitsExpression is a predicate expression which should return the desired traits for the user upon login. | +| traits_map | object | | TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait. | +| version | string | | Version is the resource version. | + +### metadata + +Metadata is resource metadata. + +| Name | Type | Required | Description | +|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | + +### traits_map + +TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait. 
+ +| Name | Type | Required | Description | +|--------|------------------|----------|-------------| +| values | array of strings | | | + +Example: + +``` +# Teleport Login Rule resource + +resource "teleport_login_rule" "example" { + metadata = { + description = "Example Login Rule" + labels = { + "example" = "yes" + } + } + + version = "v1" + priority = 0 + traits_map = { + "logins" = { + values = [ + "external.logins", + "external.username", + ] + } + "groups" = { + values = [ + "external.groups", + ] + } + } +} + +``` + ## teleport_oidc_connector | Name | Type | Required | Description | @@ -826,7 +901,9 @@ Spec is a provisioning token V2 spec | azure | object | | Azure allows the configuration of options specific to the "azure" join method. | | bot_name | string | | BotName is the name of the bot this token grants access to, if any | | circleci | object | | CircleCI allows the configuration of options specific to the "circleci" join method. | +| gcp | object | | GCP allows the configuration of options specific to the "gcp" join method. | | github | object | | GitHub allows the configuration of options specific to the "github" join method. | +| gitlab | object | | GitLab allows the configuration of options specific to the "gitlab" join method. | | join_method | string | | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | | kubernetes | object | | Kubernetes allows the configuration of options specific to the "kubernetes" join method. | | roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token | 
@@ -879,6 +956,24 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule | context_id | string | | | | project_id | string | | | +#### spec.gcp + +GCP allows the configuration of options specific to the "gcp" join method. + +| Name | Type | Required | Description | +|-------|--------|----------|-----------------------------------------------------------------------------------------------| +| allow | object | | Allow is a list of Rules, nodes using this token must match one allow rule to use this token. | + +##### spec.gcp.allow + +Allow is a list of Rules, nodes using this token must match one allow rule to use this token. + +| Name | Type | Required | Description | +|------------------|------------------|----------|------------------------------------------------------------------------------------------------------------------------------------| +| locations | array of strings | | Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b"). | +| project_ids | array of strings | | ProjectIDs is a list of project IDs (e.g. "<example-id-123456>"). | +| service_accounts | array of strings | | ServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com"). | + #### spec.github GitHub allows the configuration of options specific to the "github" join method. 
@@ -892,16 +987,39 @@ GitHub allows the configuration of options specific to the "github" join method. Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------| -| actor | string | | The personal account that initiated the workflow run. | -| environment | string | | The name of the environment used by the job. | -| ref | string | | The git ref that triggered the workflow run. | -| ref_type | string | | The type of ref, for example: "branch". | -| repository | string | | The repository from where the workflow is running. This includes the name of the owner e.g `gravitational/teleport` | -| repository_owner | string | | The name of the organization in which the repository is stored. | +| Name | Type | Required | Description | +|------------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------| +| actor | string | | The personal account that initiated the workflow run. | +| environment | string | | The name of the environment used by the job. | +| ref | string | | The git ref that triggered the workflow run. | +| ref_type | string | | The type of ref, for example: "branch". | +| repository | string | | The repository from where the workflow is running. This includes the name of the owner e.g `gravitational/teleport` | +| repository_owner | string | | The name of the organization in which the repository is stored. | | sub | string | | Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run. | -| workflow | string | | The name of the workflow. 
| +| workflow | string | | The name of the workflow. | + +#### spec.gitlab + +GitLab allows the configuration of options specific to the "gitlab" join method. + +| Name | Type | Required | Description | +|--------|--------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | +| domain | string | | Domain is the domain of your GitLab instance. This will default to `gitlab.com` - but can be set to the domain of your self-hosted GitLab e.g `gitlab.example.com`. | + +##### spec.gitlab.allow + +Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. + +| Name | Type | Required | Description | +|-----------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| environment | string | | Environment limits access by the environment the job deploys to (if one is associated) | +| namespace_path | string | | NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` | +| pipeline_source | string | | PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: `web` | +| project_path | string | | ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` | +| ref | string | | Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. | +| ref_type | string | | RefType allows access to be limited to jobs triggered by a specific git ref type. 
Example: `branch` or `tag` | +| sub | string | | Sub roughly uniquely identifies the workload. Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} | #### spec.kubernetes @@ -986,8 +1104,10 @@ Allow is the set of conditions evaluated to grant access. | db_labels | map of string arrays | | | | db_names | array of strings | | DatabaseNames is a list of database names this role is allowed to connect to. | | db_service_labels | map of string arrays | | | -| db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. | +| db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. | +| desktop_groups | array of strings | | DesktopGroups is a list of groups for created desktop users to be added to | | gcp_service_accounts | array of strings | | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. | +| group_labels | map of string arrays | | | | host_groups | array of strings | | HostGroups is a list of groups for created users to be added to | | host_sudoers | array of strings | | HostSudoers is a list of entries to include in a users sudoer file | | impersonate | object | | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. | @@ -1038,6 +1158,8 @@ KubernetesResources is the Kubernetes Resources this Role grants access to. ##### spec.allow.request + + | Name | Type | Required | Description | |---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | annotations | map of string arrays | | | 
@@ -1126,8 +1248,10 @@ Deny is the set of conditions evaluated to deny access. Deny takes priority over | db_labels | map of string arrays | | | | db_names | array of strings | | DatabaseNames is a list of database names this role is allowed to connect to. | | db_service_labels | map of string arrays | | | -| db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. | +| db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. | +| desktop_groups | array of strings | | DesktopGroups is a list of groups for created desktop users to be added to | | gcp_service_accounts | array of strings | | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. | +| group_labels | map of string arrays | | | | host_groups | array of strings | | HostGroups is a list of groups for created users to be added to | | host_sudoers | array of strings | | HostSudoers is a list of entries to include in a users sudoer file | | impersonate | object | | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. | @@ -1178,6 +1302,8 @@ KubernetesResources is the Kubernetes Resources this Role grants access to. ##### spec.deny.request + + | Name | Type | Required | Description | |---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | annotations | map of string arrays | | | 
@@ -1262,6 +1388,7 @@ Options is for OpenSSH options like agent forwarding. | cert_extensions | object | | CertExtensions specifies the key/values | | cert_format | string | | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. | | client_idle_timeout | duration | | ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration. | +| create_desktop_user | bool | | | | create_host_user | bool | | | | desktop_clipboard | bool | | | | desktop_directory_sharing | bool | | | @@ -1279,9 +1406,9 @@ Options is for OpenSSH options like agent forwarding. | pin_source_ip | bool | | PinSourceIP forces the same client IP for certificate generation and usage | | port_forwarding | bool | | | | record_session | object | | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. | -| request_access | string | | RequestAccess defines the access request strategy (optional|note|always) where optional is the default. | +| request_access | string | | RequestAccess defines the access request strategy (optional|note|always) where optional is the default. | | request_prompt | string | | RequestPrompt is an optional message which tells users what they aught to | -| require_mfa_type | number | | RequireMFAType is the type of MFA requirement enforced for this user. | +| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this role: 0:Off, 1:Session, 2:SessionAndHardwareKey, 3:HardwareKeyTouch | | ssh_file_copy | bool | | | ##### spec.options.cert_extensions 
@@ -1293,7 +1420,7 @@ CertExtensions specifies the key/values | mode | number | | Mode is the type of extension to be used -- currently critical-option is not supported | | name | string | | Name specifies the key to be used in the cert extension. | | type | number | | Type represents the certificate type being extended, only ssh is supported at this time. | -| value | string | | Value specifies the value to be used in the cert extension. | +| value | string | | Value specifies the value to be used in the cert extension. | ##### spec.options.idp 
@@ -1721,64 +1848,3 @@ resource "teleport_user" "example" { } } ``` - -## teleport_login_rule - -| Name | Type | Required | Description | -|-------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| metadata | object | | Metadata is resource metadata. | -| version | string | | Version is the resource version. | -| priority | number | | Priority is the priority of the login rule relative to other login rules in the same cluster. Login rules with a lower numbered priority will be evaluated first. | -| traits_expression | string | | TraitsExpression is a predicate expression which should return the desired traits for the user upon login. | -| traits_map | object | | TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait. | - - -### teleport_login_rule.metadata - -Metadata is resource metadata. - -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | | Name is an object name | - - -### teleport_login_rule.traits_map - -TraitsMap is a map of trait keys to lists of predicate expressions which should evaluate to the desired values for that trait. 
- -| Name | Type | Required | Description | -|--------|------------------|----------|-------------| -| values | array of strings | | | - - -Example: - -``` -# Teleport Login Rule resource -resource "teleport_login_rule" "example" { - metadata = { - description = "Example Login Rule" - labels = { - "example" = "yes" - } - } - version = "v1" - priority = 0 - traits_map = { - "logins" = { - values = [ - "external.logins", - "external.username", - ] - } - "groups" = { - values = [ - "external.groups", - ] - } - } -} -``` From 1306b67811c31b3350e3717d5058fc5dd700faa8 Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Fri, 19 May 2023 17:24:22 +0100 Subject: [PATCH 2/3] add cspell exception for mygroup --- docs/cspell.json | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/cspell.json b/docs/cspell.json index e751bf0cb88a0..fcecd57aaa71c 100644 --- a/docs/cspell.json +++ b/docs/cspell.json @@ -491,6 +491,7 @@ "mycommand", "myelastic", "myendpoint", + "mygroup", "myhost", "myinstance", "mynode", From 9a7ebd5922175e7bf735a49f7b52f76f1ab14275 Mon Sep 17 00:00:00 2001 From: Marco Dinis Date: Fri, 26 May 2023 09:37:43 +0100 Subject: [PATCH 3/3] only escape lt and gt and update to 13.0.3 --- docs/pages/reference/terraform-provider.mdx | 363 ++++++++++---------- 1 file changed, 182 insertions(+), 181 deletions(-) diff --git a/docs/pages/reference/terraform-provider.mdx b/docs/pages/reference/terraform-provider.mdx index 058660af68807..b719bf3841525 100644 --- a/docs/pages/reference/terraform-provider.mdx +++ b/docs/pages/reference/terraform-provider.mdx 
@@ -93,13 +93,13 @@ provider "teleport" { Metadata is the app resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -109,8 +109,8 @@ Spec is the app resource spec. |----------------------|--------|----------|--------------------------------------------------------------------------| | aws | object | | AWS contains additional options for AWS applications. | | cloud | string | | Cloud identifies the cloud instance the app represents. | -| dynamic_labels | object | | DynamicLabels are the app's command labels. | -| insecure_skip_verify | bool | | InsecureSkipVerify disables app's TLS certificate verification. | +| dynamic_labels | object | | DynamicLabels are the app's command labels. | +| insecure_skip_verify | bool | | InsecureSkipVerify disables app's TLS certificate verification. | | public_addr | string | | PublicAddr is the public address the application is accessible at. | | rewrite | object | | Rewrite is a list of rewriting rules to apply to requests and responses. | | uri | string | | URI is the web app endpoint. | 
@@ -137,10 +137,10 @@ DynamicLabels are the app's command labels. Rewrite is a list of rewriting rules to apply to requests and responses. -| Name | Type | Required | Description | -|----------|------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------| -| headers | object | | Headers is a list of headers to inject when passing the request over to the application. | -| redirect | array of strings | | Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. | +| Name | Type | Required | Description | +|----------|------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------| +| headers | object | | Headers is a list of headers to inject when passing the request over to the application. | +| redirect | array of strings | | Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. | ##### spec.rewrite.headers 
@@ -184,12 +184,12 @@ resource "teleport_app" "example" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -216,10 +216,10 @@ Spec is an AuthPreference specification DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. -| Name | Type | Required | Description | -|-------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| auto_enroll | bool | | Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. `tsh` takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off". | -| mode | string | | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. 
| +| Name | Type | Required | Description | +|-------------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| auto_enroll | bool | | Enable device auto-enroll. Auto-enroll lets any user issue a device enrollment token for a known device that is not already enrolled. `tsh` takes advantage of auto-enroll to automatically enroll devices on user login, when appropriate. The effective cluster Mode still applies: AutoEnroll=true is meaningless if Mode="off". | +| mode | string | | Mode of verification for trusted devices. The following modes are supported: - "off": disables both device authentication and authorization. - "optional": allows both device authentication and authorization, but doesn't enforce the presence of device extensions for sensitive endpoints. - "required": enforces the presence of device extensions for sensitive endpoints. Mode is always "off" for OSS. Defaults to "optional" for Enterprise. | #### spec.idp 
@@ -251,11 +251,11 @@ U2F are the settings for the U2F device. Webauthn are the settings for server-side Web Authentication support. -| Name | Type | Required | Description | -|-------------------------|------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| attestation_allowed_cas | array of strings | | Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed. | -| attestation_denied_cas | array of strings | | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. | -| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. 
If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. | +| Name | Type | Required | Description | +|-------------------------|------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| attestation_allowed_cas | array of strings | | Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed. | +| attestation_denied_cas | array of strings | | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. | +| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. 
If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. | Example: @@ -344,12 +344,12 @@ resource "teleport_bot" "example" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -426,13 +426,13 @@ resource "teleport_cluster_networking_config" "example" { Metadata is the database metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -508,12 +508,13 @@ MemoryDB contains AWS MemoryDB specific metadata. RDS contains RDS specific metadata. -| Name | Type | Required | Description | -|-------------|--------|----------|-------------------------------------------------------------------| -| cluster_id | string | | ClusterID is the RDS cluster (Aurora) identifier. | -| iam_auth | bool | | IAMAuth indicates whether database IAM authentication is enabled. | -| instance_id | string | | InstanceID is the RDS instance identifier. | -| resource_id | string | | ResourceID is the RDS instance resource identifier (db-xxx). | +| Name | Type | Required | Description | +|-------------|------------------|----------|-------------------------------------------------------------------| +| cluster_id | string | | ClusterID is the RDS cluster (Aurora) identifier. | +| iam_auth | bool | | IAMAuth indicates whether database IAM authentication is enabled. | +| instance_id | string | | InstanceID is the RDS instance identifier. | +| resource_id | string | | ResourceID is the RDS instance resource identifier (db-xxx). | +| subnets | array of strings | | Subnets is a list of subnets for the RDS instance. | ##### spec.aws.rdsproxy 
@@ -642,13 +643,13 @@ resource "teleport_database" "example" { Metadata holds resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -735,13 +736,13 @@ resource "teleport_github_connector" "github" { Metadata is resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### traits_map 
@@ -796,13 +797,13 @@ resource "teleport_login_rule" "example" { Metadata holds resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec @@ -824,7 +825,7 @@ Spec is an OIDC connector specification. | provider | string | | Provider is the external identity provider. | | redirect_url | array of strings | | | | scope | array of strings | | Scope specifies additional scopes set by provider. | -| username_claim | string | | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. | +| username_claim | string | | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. | #### spec.claims_to_roles 
@@ -882,44 +883,44 @@ resource "teleport_oidc_connector" "example" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | * | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | * | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec Spec is a provisioning token V2 spec -| Name | Type | Required | Description | -|--------------------------------|----------------------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------| -| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | -| aws_iid_ttl | duration | | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. 
| -| azure | object | | Azure allows the configuration of options specific to the "azure" join method. | -| bot_name | string | | BotName is the name of the bot this token grants access to, if any | -| circleci | object | | CircleCI allows the configuration of options specific to the "circleci" join method. | -| gcp | object | | GCP allows the configuration of options specific to the "gcp" join method. | -| github | object | | GitHub allows the configuration of options specific to the "github" join method. | -| gitlab | object | | GitLab allows the configuration of options specific to the "gitlab" join method. | -| join_method | string | | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | -| kubernetes | object | | Kubernetes allows the configuration of options specific to the "kubernetes" join method. | -| roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token | -| suggested_agent_matcher_labels | map of string arrays | | | -| suggested_labels | map of string arrays | | | +| Name | Type | Required | Description | +|--------------------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------| +| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | +| aws_iid_ttl | duration | | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. | +| azure | object | | Azure allows the configuration of options specific to the "azure" join method. 
| +| bot_name | string | | BotName is the name of the bot this token grants access to, if any | +| circleci | object | | CircleCI allows the configuration of options specific to the "circleci" join method. | +| gcp | object | | GCP allows the configuration of options specific to the "gcp" join method. | +| github | object | | GitHub allows the configuration of options specific to the "github" join method. | +| gitlab | object | | GitLab allows the configuration of options specific to the "gitlab" join method. | +| join_method | string | | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | +| kubernetes | object | | Kubernetes allows the configuration of options specific to the "kubernetes" join method. | +| roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token | +| suggested_agent_matcher_labels | map of string arrays | | | +| suggested_labels | map of string arrays | | | #### spec.allow Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|-------------|------------------|----------|------------------------------------------------------------------------------------------------------------------------------------------------| -| aws_account | string | | AWSAccount is the AWS account ID. | -| aws_arn | string | | AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". | -| aws_regions | array of strings | | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. | -| aws_role | string | | AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API. 
| +| Name | Type | Required | Description | +|-------------|------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------| +| aws_account | string | | AWSAccount is the AWS account ID. | +| aws_arn | string | | AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". | +| aws_regions | array of strings | | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. | +| aws_role | string | | AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API. | #### spec.azure 
@@ -968,11 +969,11 @@ GCP allows the configuration of options specific to the "gcp" join method. Allow is a list of Rules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|------------------|------------------|----------|------------------------------------------------------------------------------------------------------------------------------------| -| locations | array of strings | | Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b"). | -| project_ids | array of strings | | ProjectIDs is a list of project IDs (e.g. "<example-id-123456>"). | -| service_accounts | array of strings | | ServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com"). | +| Name | Type | Required | Description | +|------------------|------------------|----------|----------------------------------------------------------------------------------------------------------------------------| +| locations | array of strings | | Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b"). | +| project_ids | array of strings | | ProjectIDs is a list of project IDs (e.g. "<example-id-123456>"). | +| service_accounts | array of strings | | ServiceAccounts is a list of service account emails (e.g. "<project-number>-compute@developer.gserviceaccount.com"). | #### spec.github 
@@ -992,7 +993,7 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule | actor | string | | The personal account that initiated the workflow run. | | environment | string | | The name of the environment used by the job. | | ref | string | | The git ref that triggered the workflow run. | -| ref_type | string | | The type of ref, for example: "branch". | +| ref_type | string | | The type of ref, for example: "branch". | | repository | string | | The repository from where the workflow is running. This includes the name of the owner e.g `gravitational/teleport` | | repository_owner | string | | The name of the organization in which the repository is stored. | | sub | string | | Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run. | 
@@ -1014,7 +1015,7 @@ Allow is a list of TokenRules, nodes using this token must match one allow rule | Name | Type | Required | Description | |-----------------|--------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | environment | string | | Environment limits access by the environment the job deploys to (if one is associated) | -| namespace_path | string | | NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` | +| namespace_path | string | | NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` | | pipeline_source | string | | PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: `web` | | project_path | string | | ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` | | ref | string | | Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. | 
@@ -1033,9 +1034,9 @@ Kubernetes allows the configuration of options specific to the "kubernetes" join Allow is a list of Rules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|-----------------|--------|----------|-----------------------------------------------------------------------------------------------------------------------------| -| service_account | string | | ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account". | +| Name | Type | Required | Description | +|-----------------|--------|----------|---------------------------------------------------------------------------------------------------------------------| +| service_account | string | | ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account". | Example: 
@@ -1073,13 +1074,13 @@ resource "teleport_provision_token" "example" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -1150,11 +1151,11 @@ JoinSessions specifies policies to allow users to join other sessions. KubernetesResources is the Kubernetes Resources this Role grants access to. -| Name | Type | Required | Description | -|-----------|--------|----------|---------------------------------------------------------------------------------------------| -| kind | string | | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | -| name | string | | Name is the resource name. It supports wildcards. | -| namespace | string | | Namespace is the resource namespace. It supports wildcards. | +| Name | Type | Required | Description | +|-----------|--------|----------|-------------------------------------------------------------------------------------| +| kind | string | | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | +| name | string | | Name is the resource name. It supports wildcards. | +| namespace | string | | Namespace is the resource namespace. It supports wildcards. | ##### spec.allow.request 
@@ -1194,14 +1195,14 @@ Thresholds is a list of thresholds, one of which must be met in order for review RequireSessionJoin specifies policies for required users to start a session. -| Name | Type | Required | Description | -|----------|------------------|----------|-----------------------------------------------------------------------------------------------------| -| count | number | | Count is the amount of people that need to be matched for this policy to be fulfilled. | -| filter | string | | Filter is a predicate that determines what users count towards this policy. | -| kinds | array of strings | | Kinds are the session kinds this policy applies to. | -| modes | array of strings | | Modes is the list of modes that may be used to fulfill this policy. | -| name | string | | Name is the name of the policy. | -| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. | +| Name | Type | Required | Description | +|----------|------------------|----------|-------------------------------------------------------------------------------------------------| +| count | number | | Count is the amount of people that need to be matched for this policy to be fulfilled. | +| filter | string | | Filter is a predicate that determines what users count towards this policy. | +| kinds | array of strings | | Kinds are the session kinds this policy applies to. | +| modes | array of strings | | Modes is the list of modes that may be used to fulfill this policy. | +| name | string | | Name is the name of the policy. | +| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. | ##### spec.allow.review_requests 
@@ -1294,11 +1295,11 @@ JoinSessions specifies policies to allow users to join other sessions. KubernetesResources is the Kubernetes Resources this Role grants access to. -| Name | Type | Required | Description | -|-----------|--------|----------|---------------------------------------------------------------------------------------------| -| kind | string | | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | -| name | string | | Name is the resource name. It supports wildcards. | -| namespace | string | | Namespace is the resource namespace. It supports wildcards. | +| Name | Type | Required | Description | +|-----------|--------|----------|-------------------------------------------------------------------------------------| +| kind | string | | Kind specifies the Kubernetes Resource type. At the moment only "pod" is supported. | +| name | string | | Name is the resource name. It supports wildcards. | +| namespace | string | | Namespace is the resource namespace. It supports wildcards. | ##### spec.deny.request 
@@ -1338,14 +1339,14 @@ Thresholds is a list of thresholds, one of which must be met in order for review RequireSessionJoin specifies policies for required users to start a session. -| Name | Type | Required | Description | -|----------|------------------|----------|-----------------------------------------------------------------------------------------------------| -| count | number | | Count is the amount of people that need to be matched for this policy to be fulfilled. | -| filter | string | | Filter is a predicate that determines what users count towards this policy. | -| kinds | array of strings | | Kinds are the session kinds this policy applies to. | -| modes | array of strings | | Modes is the list of modes that may be used to fulfill this policy. | -| name | string | | Name is the name of the policy. | -| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. | +| Name | Type | Required | Description | +|----------|------------------|----------|-------------------------------------------------------------------------------------------------| +| count | number | | Count is the amount of people that need to be matched for this policy to be fulfilled. | +| filter | string | | Filter is a predicate that determines what users count towards this policy. | +| kinds | array of strings | | Kinds are the session kinds this policy applies to. | +| modes | array of strings | | Modes is the list of modes that may be used to fulfill this policy. | +| name | string | | Name is the name of the policy. | +| on_leave | string | | OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session. | ##### spec.deny.review_requests 
@@ -1516,13 +1517,13 @@ resource "teleport_role" "example" { Metadata holds resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -1530,7 +1531,7 @@ Spec is an SAML connector specification. | Name | Type | Required | Description | |-------------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| acs | string | * | AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side). | +| acs | string | * | AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side). | | allow_idp_initiated | bool | | AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins. | | assertion_key_pair | object | | EncryptionKeyPair is a key pair used for decrypting SAML assertions. | | attributes_to_roles | object | * | AttributesToRoles is a list of mappings of attribute statements to roles. | @@ -1543,7 +1544,7 @@ Spec is an SAML connector specification. | provider | string | | Provider is the external identity provider. | | service_provider_issuer | string | | ServiceProviderIssuer is the issuer of the service provider (Teleport). | | signing_key_pair | object | | SigningKeyPair is an x509 key pair used to sign AuthnRequest. | -| sso | string | | SSO is the URL of the identity provider's SSO service. | +| sso | string | | SSO is the URL of the identity provider's SSO service. | #### spec.assertion_key_pair 
@@ -1634,12 +1635,12 @@ resource "teleport_saml_connector" "example" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -1683,13 +1684,13 @@ resource "teleport_session_recording_config" "example" { Metadata holds resource metadata. -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -1754,13 +1755,13 @@ resource "teleport_trusted_cluster" "cluster" { Metadata is resource metadata -| Name | Type | Required | Description | -|-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------| -| description | string | | Description is object description | -| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | -| labels | map of strings | | Labels is a set of labels | -| name | string | * | Name is an object name | -| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | +| Name | Type | Required | Description | +|-------------|----------------|----------|--------------------------------------------------------------------------------------------------------| +| description | string | | Description is object description | +| expires | RFC3339 time | | Expires is a global expiry time header can be set on any resource in the system. | +| labels | map of strings | | Labels is a set of labels | +| name | string | * | Name is an object name | +| namespace | string | | Namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | ### spec 
@@ -1778,28 +1779,28 @@ Spec is a user specification GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity -| Name | Type | Required | Description | -|--------------|--------|----------|-----------------------------------------------------------------------------------| -| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | -| username | string | | Username is username supplied by external identity provider | +| Name | Type | Required | Description | +|--------------|--------|----------|---------------------------------------------------------------------------| +| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | +| username | string | | Username is username supplied by external identity provider | #### spec.oidc_identities OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity -| Name | Type | Required | Description | -|--------------|--------|----------|-----------------------------------------------------------------------------------| -| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | -| username | string | | Username is username supplied by external identity provider | +| Name | Type | Required | Description | +|--------------|--------|----------|---------------------------------------------------------------------------| +| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 
'google-example.com' | +| username | string | | Username is username supplied by external identity provider | #### spec.saml_identities SAMLIdentities lists associated SAML identities that let user log in using externally verified identity -| Name | Type | Required | Description | -|--------------|--------|----------|-----------------------------------------------------------------------------------| -| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | -| username | string | | Username is username supplied by external identity provider | +| Name | Type | Required | Description | +|--------------|--------|----------|---------------------------------------------------------------------------| +| connector_id | string | | ConnectorID is id of registered OIDC connector, e.g. 'google-example.com' | +| username | string | | Username is username supplied by external identity provider | Example:
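Review bot: The `filter` row in the require_session_join tables at @@ -1194 and @@ -1338 ("Filter is a predicate that determines what users count towards this policy.") says nothing about the predicate language or which user fields it can reference, which is exactly what someone writing a moderated-session policy needs; the two hunks are otherwise padding-only and identical for allow and deny, so a short example of a filter expression (or a link to the predicate syntax) added where these descriptions originate would improve both tables at once.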
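Review bot: The `name` and `namespace` rows at @@ -1294 state that the value "supports wildcards" without saying which wildcard syntax is accepted, and `kind` still reads "At the moment only "pod" is supported."; this hunk only re-pads the table, so the descriptions are unchanged by the update, and it is worth confirming they still match what the provider accepts after this version bump and correcting them where the generated text originates rather than in this table.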
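Review bot: The `namespace` descriptions at @@ -1516, @@ -1683 and @@ -1754 still carry the stale sentence "The field should be called "namespace" when it returns in Teleport 2.4.", and the `expires` rows in the same hunks are missing a word (suggest "Expires is a global expiry time header that can be set on any resource in the system."); since these hunks only change column padding, the wording should be fixed where these descriptions originate and the tables regenerated, otherwise the next regeneration reintroduces the same text.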
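Review bot: The metadata table at @@ -1634 has no `name` row, while the metadata tables at @@ -1516, @@ -1683 and @@ -1754 list `name` as required (`*`); given its position between the `teleport_saml_connector` example and the `teleport_session_recording_config` example this is consistent with a singleton configuration resource that takes no name, but please confirm the omission is intended by the generator and not the result of a schema change, since a missing required field in the reference would go unnoticed in a padding-only diff.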
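Review bot: In the `spec.github_identities` and `spec.saml_identities` tables at @@ -1778 the `connector_id` description reads "ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'", which is the text of the `spec.oidc_identities` table and is wrong for GitHub and SAML identities; suggest "ConnectorID is the id of the registered GitHub connector" and "ConnectorID is the id of the registered SAML connector" respectively, applied at the source of the generated text so the correction survives regeneration.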