diff --git a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
index aedb1e7c725c6..607e5644f9d82 100644
--- a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
+++ b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
@@ -222,7 +222,7 @@ type AccessList struct {
 // header is the header for the resource.
 Header *v1.ResourceHeader `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
- // spec is the specification for the access list.
+ // spec is the specification for the Access List.
 Spec *AccessListSpec `protobuf:"bytes,2,opt,name=spec,proto3" json:"spec,omitempty"`
 // status contains dynamically calculated fields.
 Status *AccessListStatus `protobuf:"bytes,3,opt,name=status,proto3" json:"status,omitempty"`
@@ -281,33 +281,33 @@ func (x *AccessList) GetStatus() *AccessListStatus {
 return nil
 }
-// AccessListSpec is the specification for an access list.
+// AccessListSpec is the specification for an Access List.
 type AccessListSpec struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- // description is an optional plaintext description of the access list.
+ // description is an optional plaintext description of the Access List.
 Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
- // owners is a list of owners of the access list.
+ // owners is a list of owners of the Access List.
 Owners []*AccessListOwner `protobuf:"bytes,2,rep,name=owners,proto3" json:"owners,omitempty"`
- // audit describes the frequency that this access list must be audited.
+ // audit describes the frequency that this Access List must be audited.
 Audit *AccessListAudit `protobuf:"bytes,3,opt,name=audit,proto3" json:"audit,omitempty"`
 // membership_requires describes the requirements for a user to be a member of
- // the access list. For a membership to an access list to be effective, the
+ // the Access List. For a membership to an Access List to be effective, the
 // user must meet the requirements of Membership_requires and must be in the
 // members list.
 MembershipRequires *AccessListRequires `protobuf:"bytes,4,opt,name=membership_requires,json=membershipRequires,proto3" json:"membership_requires,omitempty"`
 // ownership_requires describes the requirements for a user to be an owner of
- // the access list. For ownership of an access list to be effective, the user
+ // the Access List. For ownership of an Access List to be effective, the user
 // must meet the requirements of ownership_requires and must be in the owners
 // list.
 OwnershipRequires *AccessListRequires `protobuf:"bytes,5,opt,name=ownership_requires,json=ownershipRequires,proto3" json:"ownership_requires,omitempty"`
- // grants describes the access granted by membership to this access list.
+ // grants describes the access granted by membership to this Access List.
 Grants *AccessListGrants `protobuf:"bytes,6,opt,name=grants,proto3" json:"grants,omitempty"`
- // title is a plaintext short description of the access list.
+ // title is a plaintext short description of the Access List.
 Title string `protobuf:"bytes,8,opt,name=title,proto3" json:"title,omitempty"`
- // owner_grants describes the access granted by owners to this access list.
+ // owner_grants describes the access granted by owners to this Access List.
 OwnerGrants *AccessListGrants `protobuf:"bytes,11,opt,name=owner_grants,json=ownerGrants,proto3" json:"owner_grants,omitempty"`
 }
@@ -399,7 +399,7 @@ func (x *AccessListSpec) GetOwnerGrants() *AccessListGrants {
 return nil
 }
-// AccessListOwner is an owner of an access list.
+// AccessListOwner is an owner of an Access List.
 type AccessListOwner struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -468,7 +468,7 @@ func (x *AccessListOwner) GetIneligibleStatus() IneligibleStatus {
 return IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED
 }
-// AccessListAudit describes the audit configuration for an access list.
+// AccessListAudit describes the audit configuration for an Access List.
 type AccessListAudit struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -647,7 +647,7 @@ func (x *Notifications) GetStart() *durationpb.Duration {
 return nil
 }
-// AccessListRequires describes a requirement section for an access list. A user
+// AccessListRequires describes a requirement section for an Access List. A user
 // must meet the following criteria to obtain the specific access to the list.
 type AccessListRequires struct {
 state protoimpl.MessageState
@@ -707,18 +707,18 @@ func (x *AccessListRequires) GetTraits() []*v11.Trait {
 return nil
 }
-// AccessListGrants describes what access is granted by membership to the access
-// list.
+// AccessListGrants describes what access is granted by membership to the Access
+// List.
 type AccessListGrants struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- // roles are the roles that are granted to users who are members of the access
- // list.
+ // roles are the roles that are granted to users who are members of the Access
+ // List.
 Roles []string `protobuf:"bytes,1,rep,name=roles,proto3" json:"roles,omitempty"`
 // traits are the traits that are granted to users who are members of the
- // access list.
+ // Access List.
 Traits []*v11.Trait `protobuf:"bytes,2,rep,name=traits,proto3" json:"traits,omitempty"`
 }
@@ -768,7 +768,7 @@ func (x *AccessListGrants) GetTraits() []*v11.Trait {
 return nil
 }
-// Member describes a member of an access list.
+// Member describes a member of an Access List.
 type Member struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -776,7 +776,7 @@ type Member struct {
 // header is the header for the resource.
 Header *v1.ResourceHeader `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
- // spec is the specification for the access list member.
+ // spec is the specification for the Access List member.
 Spec *MemberSpec `protobuf:"bytes,2,opt,name=spec,proto3" json:"spec,omitempty"`
 }
@@ -826,23 +826,23 @@ func (x *Member) GetSpec() *MemberSpec {
 return nil
 }
-// MemberSpec is the specification for an access list member.
+// MemberSpec is the specification for an Access List member.
 type MemberSpec struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- // associated access list
+ // associated Access List
 AccessList string `protobuf:"bytes,1,opt,name=access_list,json=accessList,proto3" json:"access_list,omitempty"`
- // name is the name of the member of the access list.
+ // name is the name of the member of the Access List.
 Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
- // joined is when the user joined the access list.
+ // joined is when the user joined the Access List.
 Joined *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=joined,proto3" json:"joined,omitempty"`
- // expires is when the user's membership to the access list expires.
+ // expires is when the user's membership to the Access List expires.
 Expires *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expires,proto3" json:"expires,omitempty"`
- // reason is the reason this user was added to the access list.
+ // reason is the reason this user was added to the Access List.
 Reason string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"`
- // added_by is the user that added this user to the access list.
+ // added_by is the user that added this user to the Access List.
 AddedBy string `protobuf:"bytes,6,opt,name=added_by,json=addedBy,proto3" json:"added_by,omitempty"`
 // ineligible_status describes if this member is eligible or not
 // and if not, describes how they're lacking eligibility.
@@ -930,7 +930,7 @@ func (x *MemberSpec) GetIneligibleStatus() IneligibleStatus {
 return IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED
 }
-// Review is a review of an access list.
+// Review is a review of an Access List.
 type Review struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -938,7 +938,7 @@ type Review struct {
 // header is the header for the resource.
 Header *v1.ResourceHeader `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
- // spec is the specification for the access list review.
+ // spec is the specification for the Access List review.
 Spec *ReviewSpec `protobuf:"bytes,2,opt,name=spec,proto3" json:"spec,omitempty"`
 }
@@ -988,13 +988,13 @@ func (x *Review) GetSpec() *ReviewSpec {
 return nil
 }
-// ReviewSpec is the specification for an access list review.
+// ReviewSpec is the specification for an Access List review.
 type ReviewSpec struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- // access_list is the name of the access list that this review is for.
+ // access_list is the name of the Access List that this review is for.
 AccessList string `protobuf:"bytes,1,opt,name=access_list,json=accessList,proto3" json:"access_list,omitempty"`
 // reviewers are the users who performed the review.
 Reviewers []string `protobuf:"bytes,2,rep,name=reviewers,proto3" json:"reviewers,omitempty"`
@@ -1159,7 +1159,7 @@ type AccessListStatus struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- // member_count is the number of members in the in the access list.
+ // member_count is the number of members in the in the Access List.
 MemberCount *uint32 `protobuf:"varint,1,opt,name=member_count,json=memberCount,proto3,oneof" json:"member_count,omitempty"`
 }
diff --git a/api/proto/teleport/accesslist/v1/accesslist.proto b/api/proto/teleport/accesslist/v1/accesslist.proto
index fabe0525bab0f..b83034160a9e7 100644
--- a/api/proto/teleport/accesslist/v1/accesslist.proto
+++ b/api/proto/teleport/accesslist/v1/accesslist.proto
@@ -30,50 +30,50 @@ message AccessList {
 // header is the header for the resource.
 teleport.header.v1.ResourceHeader header = 1;
- // spec is the specification for the access list.
+ // spec is the specification for the Access List.
 AccessListSpec spec = 2;
 // status contains dynamically calculated fields.
 AccessListStatus status = 3;
 }
-// AccessListSpec is the specification for an access list.
+// AccessListSpec is the specification for an Access List.
 message AccessListSpec {
 reserved 7, 9, 10;
 reserved "members", "membership", "ownership";
- // description is an optional plaintext description of the access list.
+ // description is an optional plaintext description of the Access List.
 string description = 1;
- // owners is a list of owners of the access list.
+ // owners is a list of owners of the Access List.
 repeated AccessListOwner owners = 2;
- // audit describes the frequency that this access list must be audited.
+ // audit describes the frequency that this Access List must be audited.
 AccessListAudit audit = 3;
 // membership_requires describes the requirements for a user to be a member of
- // the access list. For a membership to an access list to be effective, the
+ // the Access List. For a membership to an Access List to be effective, the
 // user must meet the requirements of Membership_requires and must be in the
 // members list.
 AccessListRequires membership_requires = 4;
 // ownership_requires describes the requirements for a user to be an owner of
- // the access list. For ownership of an access list to be effective, the user
+ // the Access List. For ownership of an Access List to be effective, the user
 // must meet the requirements of ownership_requires and must be in the owners
 // list.
 AccessListRequires ownership_requires = 5;
- // grants describes the access granted by membership to this access list.
+ // grants describes the access granted by membership to this Access List.
 AccessListGrants grants = 6;
- // title is a plaintext short description of the access list.
+ // title is a plaintext short description of the Access List.
 string title = 8;
- // owner_grants describes the access granted by owners to this access list.
+ // owner_grants describes the access granted by owners to this Access List.
 AccessListGrants owner_grants = 11;
 }
-// AccessListOwner is an owner of an access list.
+// AccessListOwner is an owner of an Access List.
 message AccessListOwner {
 // name is the username of the owner.
 string name = 1;
@@ -87,7 +87,7 @@ message AccessListOwner {
 IneligibleStatus ineligible_status = 3;
 }
-// AccessListAudit describes the audit configuration for an access list.
+// AccessListAudit describes the audit configuration for an Access List.
 message AccessListAudit {
 reserved 1;
 reserved "frequency";
@@ -139,7 +139,7 @@ message Notifications {
 google.protobuf.Duration start = 1;
 }
-// AccessListRequires describes a requirement section for an access list. A user
+// AccessListRequires describes a requirement section for an Access List. A user
 // must meet the following criteria to obtain the specific access to the list.
 message AccessListRequires {
 // roles are the user roles that must be present for the user to obtain
@@ -150,48 +150,48 @@ message AccessListRequires {
 repeated teleport.trait.v1.Trait traits = 2;
 }
-// AccessListGrants describes what access is granted by membership to the access
-// list.
+// AccessListGrants describes what access is granted by membership to the Access
+// List.
 message AccessListGrants {
- // roles are the roles that are granted to users who are members of the access
- // list.
+ // roles are the roles that are granted to users who are members of the Access
+ // List.
 repeated string roles = 1;
 // traits are the traits that are granted to users who are members of the
- // access list.
+ // Access List.
 repeated teleport.trait.v1.Trait traits = 2;
 }
-// Member describes a member of an access list.
+// Member describes a member of an Access List.
 message Member {
 // header is the header for the resource.
 teleport.header.v1.ResourceHeader header = 1;
- // spec is the specification for the access list member.
+ // spec is the specification for the Access List member.
 MemberSpec spec = 2;
 }
-// MemberSpec is the specification for an access list member.
+// MemberSpec is the specification for an Access List member.
 message MemberSpec {
 reserved 8;
 reserved "membership";
- // associated access list
+ // associated Access List
 string access_list = 1;
- // name is the name of the member of the access list.
+ // name is the name of the member of the Access List.
 string name = 2;
- // joined is when the user joined the access list.
+ // joined is when the user joined the Access List.
 google.protobuf.Timestamp joined = 3;
- // expires is when the user's membership to the access list expires.
+ // expires is when the user's membership to the Access List expires.
 google.protobuf.Timestamp expires = 4;
- // reason is the reason this user was added to the access list.
+ // reason is the reason this user was added to the Access List.
 string reason = 5;
- // added_by is the user that added this user to the access list.
+ // added_by is the user that added this user to the Access List.
 string added_by = 6;
 // ineligible_status describes if this member is eligible or not
@@ -217,18 +217,18 @@ enum IneligibleStatus {
 INELIGIBLE_STATUS_EXPIRED = 4;
 }
-// Review is a review of an access list.
+// Review is a review of an Access List.
 message Review {
 // header is the header for the resource.
 teleport.header.v1.ResourceHeader header = 1;
- // spec is the specification for the access list review.
+ // spec is the specification for the Access List review.
 ReviewSpec spec = 2;
 }
-// ReviewSpec is the specification for an access list review.
+// ReviewSpec is the specification for an Access List review.
 message ReviewSpec {
- // access_list is the name of the access list that this review is for.
+ // access_list is the name of the Access List that this review is for.
 string access_list = 1;
 // reviewers are the users who performed the review.
@@ -268,6 +268,6 @@ message ReviewChanges {
 // AccessListStatus contains dynamic fields calculated during retrieval.
 message AccessListStatus {
- // member_count is the number of members in the in the access list.
+ // member_count is the number of members in the in the Access List.
 optional uint32 member_count = 1;
 }
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index a221616318313..bf8bf5aa096e5 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
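Review bot: The rewritten member_count comment in the `@@ -268,6 +268,6 @@` hunk carries over the duplicated words from the old line, `// member_count is the number of members in the in the Access List.`. Since the line is already being touched, make it `// member_count is the number of members in the Access List.`. The same text is mirrored in the generated accesslist.pb.go hunk for AccessListStatus earlier in this diff, so fix it here and regenerate rather than hand-editing the .pb.go.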
@@ -670,10 +670,10 @@ message InstanceSpecV1 {
 // Hostname is the hostname this instance most recently advertised.
 string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];
- // AuthID is the ID of the auth server that most recently observed this instance.
+ // AuthID is the ID of the Auth Service that most recently observed this instance.
 string AuthID = 4 [(gogoproto.jsontag) = "auth_id,omitempty"];
- // LastSeen is the last time an auth server reported observing this instance.
+ // LastSeen is the last time an Auth Service server reported observing this instance.
 google.protobuf.Timestamp LastSeen = 5 [
 (gogoproto.stdtime) = true,
 (gogoproto.nullable) = false,
@@ -697,10 +697,10 @@ message InstanceSpecV1 {
 // InstanceControlLogEntry represents an entry in a given instance's control log. The control log of
 // an instance is protected by CompareAndSwap semantics, allowing entries to function as a means of
-// synchronization as well as recordkeeping. For example, an auth server intending to trigger an upgrade
+// synchronization as well as recordkeeping. For example, an Auth Service instance intending to trigger an upgrade
 // for a given instance can check its control log for 'upgrade-attempt' entries. If no such entry exists,
 // it can attempt to write an 'upgrade-attempt' entry of its own. If that entry successfully writes without
-// hitting a CompareFailed, the auth server knows that no other auth servers will make concurrent upgrade
+// hitting a CompareFailed, the Auth Service instance knows that no other Auth Service instances will make concurrent upgrade
 // attempts while that entry persists.
 //
 // NOTE: Due to resource size and backend throughput limitations, care should be taken to minimize the
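Review bot: The new LastSeen comment reads `// LastSeen is the last time an Auth Service server reported observing this instance.`, where "Auth Service server" is redundant and disagrees with the AuthID line two lines above ("the Auth Service") and with the InstanceControlLogEntry hunk just below, which uses "Auth Service instance". Suggest `// LastSeen is the last time an Auth Service instance reported observing this instance.`. The identical line appears in the generated types.pb.go hunk for InstanceSpecV1 at the end of this diff, so it should come from regenerating the corrected proto.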
@@ -767,7 +767,7 @@ message InstanceFilter {
 string NewerThanVersion = 7;
 }
-// ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster.
+// ServerV2 represents a Node, App, Database, Proxy or Auth Service instance in a Teleport cluster.
 message ServerV2 {
 option (gogoproto.goproto_stringer) = false;
 option (gogoproto.stringer) = false;
@@ -1207,8 +1207,8 @@ message TokenRule {
 // AWSRegions is used for the EC2 join method and is a list of AWS regions a
 // node is allowed to join from.
 repeated string AWSRegions = 2 [(gogoproto.jsontag) = "aws_regions,omitempty"];
- // AWSRole is used for the EC2 join method and is the the ARN of the AWS
- // role that the auth server will assume in order to call the ec2 API.
+ // AWSRole is used for the EC2 join method and is the ARN of the AWS
+ // role that the Auth Service will assume in order to call the ec2 API.
 string AWSRole = 3 [(gogoproto.jsontag) = "aws_role,omitempty"];
 // AWSARN is used for the IAM join method, the AWS identity of joining nodes
 // must match this ARN. Supports wildcards "*" and "?".
@@ -1351,7 +1351,7 @@ message ProvisionTokenSpecV2GitHub {
 //
 // This value should be the hostname of the GHES instance, and should not
 // include the scheme or a path. The instance must be accessible over HTTPS
- // at this hostname and the certificate must be trusted by the Auth Server.
+ // at this hostname and the certificate must be trusted by the Auth Service.
 string EnterpriseServerHost = 2 [(gogoproto.jsontag) = "enterprise_server_host,omitempty"];
 // EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be
 // included in the expected issuer of the OIDC tokens. This is for
@@ -1374,14 +1374,14 @@ message ProvisionTokenSpecV2GitLab {
 // `project_path:mygroup/my-project:ref_type:branch:ref:main`
 // project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}
 //
- // This field supports simple "glob-style" matching:
+ // This field supports "glob-style" matching:
 // - Use '*' to match zero or more characters.
 // - Use '?' to match any single character.
 string Sub = 1 [(gogoproto.jsontag) = "sub,omitempty"];
 // Ref allows access to be limited to jobs triggered by a specific git ref.
 // Ensure this is used in combination with ref_type.
 //
- // This field supports simple "glob-style" matching:
+ // This field supports "glob-style" matching:
 // - Use '*' to match zero or more characters.
 // - Use '?' to match any single character.
 string Ref = 2 [(gogoproto.jsontag) = "ref,omitempty"];
@@ -1394,7 +1394,7 @@ message ProvisionTokenSpecV2GitLab {
 // Example:
 // `mygroup`
 //
- // This field supports simple "glob-style" matching:
+ // This field supports "glob-style" matching:
 // - Use '*' to match zero or more characters.
 // - Use '?' to match any single character.
 string NamespacePath = 4 [(gogoproto.jsontag) = "namespace_path,omitempty"];
@@ -1402,7 +1402,7 @@ message ProvisionTokenSpecV2GitLab {
 // project. Example:
 // `mygroup/myproject`
 //
- // This field supports simple "glob-style" matching:
+ // This field supports "glob-style" matching:
 // - Use '*' to match zero or more characters.
 // - Use '?' to match any single character.
 string ProjectPath = 5 [(gogoproto.jsontag) = "project_path,omitempty"];
@@ -1621,7 +1621,7 @@ message ClusterNameSpecV2 {
 string ClusterName = 1 [(gogoproto.jsontag) = "cluster_name"];
 // ClusterID is the unique cluster ID that is set once during the first
- // auth server startup.
+ // Auth Service startup.
 string ClusterID = 2 [(gogoproto.jsontag) = "cluster_id"];
 }
@@ -1896,7 +1896,7 @@ message AuthPreferenceSpecV2 {
 // Type is the type of authentication.
 string Type = 1 [(gogoproto.jsontag) = "type"];
- // SecondFactor is the type of second factor.
+ // SecondFactor is the type of mult-factor.
 string SecondFactor = 2 [
 (gogoproto.jsontag) = "second_factor,omitempty",
 (gogoproto.casttype) = "github.com/gravitational/teleport/api/constants.SecondFactorType"
@@ -2000,10 +2000,10 @@ message AuthPreferenceSpecV2 {
 // Deprecated: U2F is transparently converted to WebAuthn by Teleport. Prefer
 // using WebAuthn instead.
 message U2F {
- // AppID returns the application ID for universal second factor.
+ // AppID returns the application ID for universal mult-factor.
 string AppID = 1 [(gogoproto.jsontag) = "app_id,omitempty"];
- // Facets returns the facets for universal second factor.
+ // Facets returns the facets for universal mult-factor.
 // Deprecated: Kept for backwards compatibility reasons, but Facets have no
 // effect since Teleport v10, when Webauthn replaced the U2F implementation.
 repeated string Facets = 2 [(gogoproto.jsontag) = "facets,omitempty"];
@@ -2022,7 +2022,7 @@ message Webauthn {
 // IMPORTANT: RPID must never change in the lifetime of the cluster, because
 // it's recorded in the registration data on the WebAuthn device. If the
 // RPID changes, all existing WebAuthn key registrations will become invalid
- // and all users who use WebAuthn as the second factor will need to
+ // and all users who use WebAuthn as the multi-factor will need to
 // re-register.
 string RPID = 1 [(gogoproto.jsontag) = "rp_id,omitempty"];
 // Allow list of device attestation CAs in PEM format.
@@ -2215,7 +2215,7 @@ message UserTokenSecretsSpecV3 {
 ];
 }
-// AccessRequest represents an access request resource specification
+// AccessRequest represents an Access Request resource specification
 message AccessRequestV3 {
 option (gogoproto.goproto_stringer) = false;
 option (gogoproto.stringer) = false;
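Review bot: "mult-factor" in the new SecondFactor, AppID and Facets comments is a typo for "multi-factor", and in the U2F message "universal second factor" is the expansion of the U2F name itself, so those two lines should keep their original wording rather than be renamed. For the SecondFactor field `// SecondFactor is the type of multi-factor authentication.` reads correctly, and the Webauthn RPID line uses the adjective as a noun and would read better as `// and all users who use WebAuthn as a multi-factor method will need to`. The same noun usage appears in the LocalAuthSecrets hunk (`// their multi-factor.`) and the RecoveryCodes hunk (`lost password or multi-factor`) later in this file.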
@@ -2255,7 +2255,7 @@ message AccessReviewThreshold {
 }
 // PromotedAccessList is a minimal access list representation used for
-// promoting access requests to access lists.
+// promoting Access Requests to access lists.
 message PromotedAccessList {
 // Name is the name of the access list.
 string Name = 1 [(gogoproto.jsontag) = "name"];
@@ -2263,7 +2263,7 @@ message PromotedAccessList {
 string Title = 2 [(gogoproto.jsontag) = "title"];
 }
-// AccessReview is a review to be applied to an access request.
+// AccessReview is a review to be applied to an Access Request.
 message AccessReview {
 // Author is the teleport username of the review author.
 string Author = 1 [(gogoproto.jsontag) = "author"];
@@ -2360,7 +2360,7 @@ message AccessRequestSpecV3 {
 string User = 1 [(gogoproto.jsontag) = "user"];
 // Roles is the name of the roles being requested.
 repeated string Roles = 2 [(gogoproto.jsontag) = "roles"];
- // State is the current state of this access request.
+ // State is the current state of this Access Request.
 RequestState State = 3 [(gogoproto.jsontag) = "state,omitempty"];
 // Created encodes the time at which the request was registered with the auth
 // server.
@@ -2395,10 +2395,10 @@ message AccessRequestSpecV3 {
 ];
 // SystemAnnotations is a set of programmatically generated annotations attached
- // to pending access requests by teleport. These annotations are generated by
+ // to pending Access Requests by teleport. These annotations are generated by
 // applying variable interpolation to the RoleConditions.Request.Annotations block
 // of a user's role(s). These annotations serve as a mechanism for administrators
- // to pass extra information to plugins when they process pending access requests.
+ // to pass extra information to plugins when they process pending Access Requests.
 wrappers.LabelValues SystemAnnotations = 9 [
 (gogoproto.nullable) = false,
 (gogoproto.jsontag) = "system_annotations,omitempty",
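Review bot: The PromotedAccessList comment now mixes the new capitalization with the old in one sentence, `// promoting Access Requests to access lists.`, while accesslist.proto in this same commit consistently writes "Access List"; suggest `// promoting Access Requests to Access Lists.` and the same treatment for the `// Name is the name of the access list.` line below it. In the AccessRequestSpecV3 hunk the edited State line is immediately followed by the unchanged context `// Created encodes the time at which the request was registered with the auth` / `// server.`, so the "auth server" to "Auth Service" rename this commit performs is incomplete inside the very hunk it touches.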
@@ -2441,12 +2441,12 @@ message AccessRequestSpecV3 {
 (gogoproto.nullable) = false
 ];
- // LoginHint is used as a hint for search-based access requests to select
+ // LoginHint is used as a hint for search-based Access Requests to select
 // roles based on the login the user is attempting.
 string LoginHint = 15 [(gogoproto.jsontag) = "login_hint,omitempty"];
 // DryRun indicates that the request should not actually be created, the
- // auth server should only validate the access request.
+ // Auth Service should only validate the Access Request.
 bool DryRun = 16 [(gogoproto.jsontag) = "dry_run,omitempty"];
 // MaxDuration indicates how long the access should be granted for.
@@ -2493,7 +2493,7 @@ enum AccessRequestScope {
 REVIEWED = 3;
 }
-// AccessRequestFilter encodes filter params for access requests.
+// AccessRequestFilter encodes filter params for Access Requests.
 message AccessRequestFilter {
 // ID specifies a request ID if set.
 string ID = 1 [(gogoproto.jsontag) = "id,omitempty"];
@@ -2509,7 +2509,7 @@ message AccessRequestFilter {
 repeated string SearchKeywords = 4 [(gogoproto.jsontag) = "search,omitempty"];
 // Scope is an aditional filter to view requests based on needs review, reviewed, my requests
 AccessRequestScope Scope = 5 [(gogoproto.jsontag) = "scope,omitempty"];
- // Requester is the requester of the api call. This is set by the auth server
+ // Requester is the requester of the api call. This is set by the Auth Service
 // Use User for the requester of the request.
 string Requester = 6 [(gogoproto.jsontag) = "requester,omitempty"];
 }
@@ -3231,7 +3231,7 @@ message AccessRequestConditions {
 ];
 // Annotations is a collection of annotations to be programmatically
- // appended to pending access requests at the time of their creation.
+ // appended to pending Access Requests at the time of their creation.
 // These annotations serve as a mechanism to propagate extra information
 // to plugins. Since these annotations support variable interpolation
 // syntax, they also offer a mechanism for forwarding claims from an
@@ -3292,7 +3292,7 @@ message AccessReviewConditions {
 repeated string PreviewAsRoles = 4 [(gogoproto.jsontag) = "preview_as_roles,omitempty"];
 }
-// AccessRequestAllowedPromotion describes an allowed promotion to an access list.
+// AccessRequestAllowedPromotion describes an allowed promotion to an Access List.
 message AccessRequestAllowedPromotion {
 // associated access list
 string accessListName = 1;
@@ -3563,7 +3563,7 @@ message LocalAuthSecrets {
 repeated MFADevice MFA = 5 [(gogoproto.jsontag) = "mfa,omitempty"];
 // Webauthn holds settings necessary for webauthn local auth.
 // May be null for legacy users or users that haven't yet used webauthn as
- // their second factor.
+ // their multi-factor.
 WebauthnLocalAuth Webauthn = 6 [(gogoproto.jsontag) = "webauthn,omitempty"];
 }
@@ -4320,7 +4320,7 @@ message OIDCConnectorSpecV3 {
 // IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
 string IssuerURL = 1 [(gogoproto.jsontag) = "issuer_url"];
- // ClientID is the id of the authentication client (Teleport Auth server).
+ // ClientID is the id of the authentication client (Teleport Auth Service).
 string ClientID = 2 [(gogoproto.jsontag) = "client_id"];
 // ClientSecret is used to authenticate the client.
 string ClientSecret = 3 [(gogoproto.jsontag) = "client_secret"];
@@ -4390,7 +4390,7 @@ message SSOClientRedirectSettings {
 }
 // OIDCAuthRequest is a request to authenticate with OIDC
-// provider, the state about request is managed by auth server
+// provider, the state about request is managed by Auth Service
 message OIDCAuthRequest {
 // ConnectorID is ID of OIDC connector this request uses
 string ConnectorID = 1 [(gogoproto.jsontag) = "connector_id"];
@@ -4413,7 +4413,7 @@ message OIDCAuthRequest {
 string RedirectURL = 6 [(gogoproto.jsontag) = "redirect_url"];
 // PublicKey is an optional public key, users want these
- // keys to be signed by auth servers user CA in case
+ // keys to be signed by Auth Service's user CA in case
 // of successful auth
 bytes PublicKey = 7 [(gogoproto.jsontag) = "public_key"];
@@ -4540,7 +4540,7 @@ message SAMLConnectorSpecV2 {
 }
 // SAMLAuthRequest is a request to authenticate with SAML
-// provider, the state about request is managed by auth server.
+// provider, the state about request is managed by the Auth Service
 message SAMLAuthRequest {
 // ID is a unique request ID.
 string ID = 1 [(gogoproto.jsontag) = "id"];
@@ -4558,7 +4558,7 @@ message SAMLAuthRequest {
 string RedirectURL = 5 [(gogoproto.jsontag) = "redirect_url"];
 // PublicKey is an optional public key, users want these
- // keys to be signed by auth servers user CA in case
+ // keys to be signed by Auth Service's user CA in case
 // of successful auth.
 bytes PublicKey = 6 [(gogoproto.jsontag) = "public_key"];
@@ -5039,7 +5039,7 @@ message LockTarget {
 string Login = 3 [(gogoproto.jsontag) = "login,omitempty"];
 // Node specifies the UUID of a Teleport node.
- // A matching node is also prevented from heartbeating to the auth server.
+ // A matching node is also prevented from heartbeating to the Auth Service.
 // DEPRECATED: use ServerID instead.
 string Node = 4 [
 deprecated = true,
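Review bot: The two request-state comments end up inconsistent with each other: OIDCAuthRequest now reads `// provider, the state about request is managed by Auth Service` without an article, while SAMLAuthRequest reads `// provider, the state about request is managed by the Auth Service` and has lost the trailing period the old line had. Suggest the articled form with the period for both: `// provider, the state about request is managed by the Auth Service.`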
@@ -5179,7 +5179,7 @@ message Resolution {
 uint32 Height = 2 [(gogoproto.jsontag) = "height,omitempty"];
 }
-// RegisterUsingTokenRequest is a request to register with the auth server using
+// RegisterUsingTokenRequest is a request to register with the Auth Service using
 // an authentication token
 message RegisterUsingTokenRequest {
 // HostID is a unique host ID, usually a UUID
@@ -5223,7 +5223,7 @@ message RegisterUsingTokenRequest {
 }
 // RecoveryCodes holds a user's recovery code information. Recovery codes allows users to regain
-// access to their account by restoring their lost password or second factor. Once a recovery code
+// access to their account by restoring their lost password or multi-factor. Once a recovery code
 // is successfully verified, the code is mark used (which invalidates it), and lets the user begin
 // the recovery flow. When a user successfully finishes the recovery flow, users will get a new set
 // of codes that will replace all the previous ones.
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index 6078b02a39734..ccbdfb5452726 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
@@ -2533,9 +2533,9 @@ type InstanceSpecV1 struct { Services []SystemRole `protobuf:"bytes,2,rep,name=Services,proto3,casttype=SystemRole" json:"services,omitempty"` // Hostname is the hostname this instance most recently advertised. Hostname string `protobuf:"bytes,3,opt,name=Hostname,proto3" json:"hostname,omitempty"` - // AuthID is the ID of the auth server that most recently observed this instance. + // AuthID is the ID of the Auth Service that most recently observed this instance. AuthID string `protobuf:"bytes,4,opt,name=AuthID,proto3" json:"auth_id,omitempty"` - // LastSeen is the last time an auth server reported observing this instance. + // LastSeen is the last time an Auth Service server reported observing this instance. LastSeen time.Time `protobuf:"bytes,5,opt,name=LastSeen,proto3,stdtime" json:"last_seen,omitempty"` // ControlLog is the log of recent important instance control events related to this instance. See comments // on the InstanceControlLogEntry type for details. 
@@ -2585,10 +2585,10 @@ var xxx_messageInfo_InstanceSpecV1 proto.InternalMessageInfo // InstanceControlLogEntry represents an entry in a given instance's control log. The control log of // an instance is protected by CompareAndSwap semantics, allowing entries to function as a means of -// synchronization as well as recordkeeping. For example, an auth server intending to trigger an upgrade +// synchronization as well as recordkeeping. For example, an Auth Service instance intending to trigger an upgrade // for a given instance can check its control log for 'upgrade-attempt' entries. If no such entry exists, // it can attempt to write an 'upgrade-attempt' entry of its own. If that entry successfully writes without -// hitting a CompareFailed, the auth server knows that no other auth servers will make concurrent upgrade +// hitting a CompareFailed, the Auth Service instance knows that no other Auth Service instances will make concurrent upgrade // attempts while that entry persists. // // NOTE: Due to resource size and backend throughput limitations, care should be taken to minimize the @@ -2709,7 +2709,7 @@ func (m *InstanceFilter) XXX_DiscardUnknown() { var xxx_messageInfo_InstanceFilter proto.InternalMessageInfo -// ServerV2 represents a Node, App, Database, Proxy or Auth server in a Teleport cluster. +// ServerV2 represents a Node, App, Database, Proxy or Auth Service instance in a Teleport cluster. type ServerV2 struct { // Kind is a resource kind Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"` 
@@ -3935,8 +3935,8 @@ type TokenRule struct { // AWSRegions is used for the EC2 join method and is a list of AWS regions a // node is allowed to join from. AWSRegions []string `protobuf:"bytes,2,rep,name=AWSRegions,proto3" json:"aws_regions,omitempty"` - // AWSRole is used for the EC2 join method and is the the ARN of the AWS - // role that the auth server will assume in order to call the ec2 API. + // AWSRole is used for the EC2 join method and is the ARN of the AWS + // role that the Auth Service will assume in order to call the ec2 API. AWSRole string `protobuf:"bytes,3,opt,name=AWSRole,proto3" json:"aws_role,omitempty"` // AWSARN is used for the IAM join method, the AWS identity of joining nodes // must match this ARN. Supports wildcards "*" and "?". @@ -4180,7 +4180,7 @@ type ProvisionTokenSpecV2GitHub struct { // // This value should be the hostname of the GHES instance, and should not // include the scheme or a path. The instance must be accessible over HTTPS - // at this hostname and the certificate must be trusted by the Auth Server. + // at this hostname and the certificate must be trusted by the Auth Service. EnterpriseServerHost string `protobuf:"bytes,2,opt,name=EnterpriseServerHost,proto3" json:"enterprise_server_host,omitempty"` // EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be // included in the expected issuer of the OIDC tokens. This is for 
@@ -4346,14 +4346,14 @@ type ProvisionTokenSpecV2GitLab_Rule struct { // `project_path:mygroup/my-project:ref_type:branch:ref:main` // project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. Sub string `protobuf:"bytes,1,opt,name=Sub,proto3" json:"sub,omitempty"` // Ref allows access to be limited to jobs triggered by a specific git ref. // Ensure this is used in combination with ref_type. // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. Ref string `protobuf:"bytes,2,opt,name=Ref,proto3" json:"ref,omitempty"` @@ -4366,7 +4366,7 @@ type ProvisionTokenSpecV2GitLab_Rule struct { // Example: // `mygroup` // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. NamespacePath string `protobuf:"bytes,4,opt,name=NamespacePath,proto3" json:"namespace_path,omitempty"` @@ -4374,7 +4374,7 @@ type ProvisionTokenSpecV2GitLab_Rule struct { // project. Example: // `mygroup/myproject` // - // This field supports simple "glob-style" matching: + // This field supports "glob-style" matching: // - Use '*' to match zero or more characters. // - Use '?' to match any single character. ProjectPath string `protobuf:"bytes,5,opt,name=ProjectPath,proto3" json:"project_path,omitempty"` 
@@ -5100,7 +5100,7 @@ type ClusterNameSpecV2 struct { // cluster is setup can and will cause catastrophic problems. ClusterName string `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster_name"` // ClusterID is the unique cluster ID that is set once during the first - // auth server startup. + // Auth Service startup. ClusterID string `protobuf:"bytes,2,opt,name=ClusterID,proto3" json:"cluster_id"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -5712,7 +5712,7 @@ var xxx_messageInfo_AuthPreferenceV2 proto.InternalMessageInfo type AuthPreferenceSpecV2 struct { // Type is the type of authentication. Type string `protobuf:"bytes,1,opt,name=Type,proto3" json:"type"` - // SecondFactor is the type of second factor. + // SecondFactor is the type of mult-factor. SecondFactor github_com_gravitational_teleport_api_constants.SecondFactorType `protobuf:"bytes,2,opt,name=SecondFactor,proto3,casttype=github.com/gravitational/teleport/api/constants.SecondFactorType" json:"second_factor,omitempty"` // ConnectorName is the name of the OIDC or SAML connector. If this value is // not set the first connector in the backend will be used. @@ -5802,9 +5802,9 @@ var xxx_messageInfo_AuthPreferenceSpecV2 proto.InternalMessageInfo // Deprecated: U2F is transparently converted to WebAuthn by Teleport. Prefer // using WebAuthn instead. type U2F struct { - // AppID returns the application ID for universal second factor. + // AppID returns the application ID for universal mult-factor. AppID string `protobuf:"bytes,1,opt,name=AppID,proto3" json:"app_id,omitempty"` - // Facets returns the facets for universal second factor. + // Facets returns the facets for universal mult-factor. // Deprecated: Kept for backwards compatibility reasons, but Facets have no // effect since Teleport v10, when Webauthn replaced the U2F implementation. Facets []string `protobuf:"bytes,2,rep,name=Facets,proto3" json:"facets,omitempty"` 
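Review bot: The new comment on `SecondFactor` in the AuthPreferenceSpecV2 hunk, and the two on `AppID` and `Facets` in the U2F hunk that follows, read `mult-factor`, a typo for `multi-factor` (the other hunks in this file use `multi-factor`). `the type of mult-factor` is also an incomplete phrase even once spelled correctly; `// SecondFactor is the type of multi-factor authentication.` would read cleanly, and the U2F lines could likewise say `universal multi-factor authentication`. Since types.pb.go is generated, the wording presumably has to be corrected in the source proto comments and the Go file regenerated rather than patched here. The enclosing struct definitions start and end outside these hunks.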
@@ -5858,7 +5858,7 @@ type Webauthn struct { // IMPORTANT: RPID must never change in the lifetime of the cluster, because // it's recorded in the registration data on the WebAuthn device. If the // RPID changes, all existing WebAuthn key registrations will become invalid - // and all users who use WebAuthn as the second factor will need to + // and all users who use WebAuthn as the multi-factor will need to // re-register. RPID string `protobuf:"bytes,1,opt,name=RPID,proto3" json:"rp_id,omitempty"` // Allow list of device attestation CAs in PEM format. @@ -6360,7 +6360,7 @@ func (m *UserTokenSecretsSpecV3) XXX_DiscardUnknown() { var xxx_messageInfo_UserTokenSecretsSpecV3 proto.InternalMessageInfo -// AccessRequest represents an access request resource specification +// AccessRequest represents an Access Request resource specification type AccessRequestV3 struct { // Kind is a resource kind Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"` @@ -6462,7 +6462,7 @@ func (m *AccessReviewThreshold) XXX_DiscardUnknown() { var xxx_messageInfo_AccessReviewThreshold proto.InternalMessageInfo // PromotedAccessList is a minimal access list representation used for -// promoting access requests to access lists. +// promoting Access Requests to access lists. type PromotedAccessList struct { // Name is the name of the access list. Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"name"` @@ -6506,7 +6506,7 @@ func (m *PromotedAccessList) XXX_DiscardUnknown() { var xxx_messageInfo_PromotedAccessList proto.InternalMessageInfo -// AccessReview is a review to be applied to an access request. +// AccessReview is a review to be applied to an Access Request. type AccessReview struct { // Author is the teleport username of the review author. Author string `protobuf:"bytes,1,opt,name=Author,proto3" json:"author"` 
@@ -6704,7 +6704,7 @@ type AccessRequestSpecV3 struct { User string `protobuf:"bytes,1,opt,name=User,proto3" json:"user"` // Roles is the name of the roles being requested. Roles []string `protobuf:"bytes,2,rep,name=Roles,proto3" json:"roles"` - // State is the current state of this access request. + // State is the current state of this Access Request. State RequestState `protobuf:"varint,3,opt,name=State,proto3,enum=types.RequestState" json:"state,omitempty"` // Created encodes the time at which the request was registered with the auth // server. @@ -6723,10 +6723,10 @@ type AccessRequestSpecV3 struct { // arbitrary structured data to the audit log. ResolveAnnotations github_com_gravitational_teleport_api_types_wrappers.Traits `protobuf:"bytes,8,opt,name=ResolveAnnotations,proto3,customtype=github.com/gravitational/teleport/api/types/wrappers.Traits" json:"resolve_annotations,omitempty"` // SystemAnnotations is a set of programmatically generated annotations attached - // to pending access requests by teleport. These annotations are generated by + // to pending Access Requests by teleport. These annotations are generated by // applying variable interpolation to the RoleConditions.Request.Annotations block // of a user's role(s). These annotations serve as a mechanism for administrators - // to pass extra information to plugins when they process pending access requests. + // to pass extra information to plugins when they process pending Access Requests. SystemAnnotations github_com_gravitational_teleport_api_types_wrappers.Traits `protobuf:"bytes,9,opt,name=SystemAnnotations,proto3,customtype=github.com/gravitational/teleport/api/types/wrappers.Traits" json:"system_annotations,omitempty"` // Thresholds is a list of review thresholds relevant to this request. Order must be // preserved, as thresholds are referenced by index (internal use only). 
@@ -6747,11 +6747,11 @@ type AccessRequestSpecV3 struct { SuggestedReviewers []string `protobuf:"bytes,13,rep,name=SuggestedReviewers,proto3" json:"suggested_reviewers,omitempty"` // RequestedResourceIDs is a set of resources to which access is being requested. RequestedResourceIDs []ResourceID `protobuf:"bytes,14,rep,name=RequestedResourceIDs,proto3" json:"resource_ids,omitempty"` - // LoginHint is used as a hint for search-based access requests to select + // LoginHint is used as a hint for search-based Access Requests to select // roles based on the login the user is attempting. LoginHint string `protobuf:"bytes,15,opt,name=LoginHint,proto3" json:"login_hint,omitempty"` // DryRun indicates that the request should not actually be created, the - // auth server should only validate the access request. + // Auth Service should only validate the Access Request. DryRun bool `protobuf:"varint,16,opt,name=DryRun,proto3" json:"dry_run,omitempty"` // MaxDuration indicates how long the access should be granted for. MaxDuration time.Time `protobuf:"bytes,17,opt,name=MaxDuration,proto3,stdtime" json:"max_duration,omitempty"` @@ -6801,7 +6801,7 @@ func (m *AccessRequestSpecV3) XXX_DiscardUnknown() { var xxx_messageInfo_AccessRequestSpecV3 proto.InternalMessageInfo -// AccessRequestFilter encodes filter params for access requests. +// AccessRequestFilter encodes filter params for Access Requests. type AccessRequestFilter struct { // ID specifies a request ID if set. ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"id,omitempty"` 
@@ -6817,7 +6817,7 @@ type AccessRequestFilter struct { SearchKeywords []string `protobuf:"bytes,4,rep,name=SearchKeywords,proto3" json:"search,omitempty"` // Scope is an aditional filter to view requests based on needs review, reviewed, my requests Scope AccessRequestScope `protobuf:"varint,5,opt,name=Scope,proto3,enum=types.AccessRequestScope" json:"scope,omitempty"` - // Requester is the requester of the api call. This is set by the auth server + // Requester is the requester of the api call. This is set by the Auth Service // Use User for the requester of the request. Requester string `protobuf:"bytes,6,opt,name=Requester,proto3" json:"requester,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -8032,7 +8032,7 @@ type AccessRequestConditions struct { // ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. ClaimsToRoles []ClaimMapping `protobuf:"bytes,2,rep,name=ClaimsToRoles,proto3" json:"claims_to_roles,omitempty"` // Annotations is a collection of annotations to be programmatically - // appended to pending access requests at the time of their creation. + // appended to pending Access Requests at the time of their creation. // These annotations serve as a mechanism to propagate extra information // to plugins. Since these annotations support variable interpolation // syntax, they also offer a mechanism for forwarding claims from an @@ -8145,7 +8145,7 @@ func (m *AccessReviewConditions) XXX_DiscardUnknown() { var xxx_messageInfo_AccessReviewConditions proto.InternalMessageInfo -// AccessRequestAllowedPromotion describes an allowed promotion to an access list. +// AccessRequestAllowedPromotion describes an allowed promotion to an Access List. type AccessRequestAllowedPromotion struct { // associated access list AccessListName string `protobuf:"bytes,1,opt,name=accessListName,proto3" json:"accessListName,omitempty"` 
@@ -8819,7 +8819,7 @@ type LocalAuthSecrets struct { MFA []*MFADevice `protobuf:"bytes,5,rep,name=MFA,proto3" json:"mfa,omitempty"` // Webauthn holds settings necessary for webauthn local auth. // May be null for legacy users or users that haven't yet used webauthn as - // their second factor. + // their multi-factor. Webauthn *WebauthnLocalAuth `protobuf:"bytes,6,opt,name=Webauthn,proto3" json:"webauthn,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -11230,7 +11230,7 @@ var xxx_messageInfo_OIDCConnectorV3List proto.InternalMessageInfo type OIDCConnectorSpecV3 struct { // IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com. IssuerURL string `protobuf:"bytes,1,opt,name=IssuerURL,proto3" json:"issuer_url"` - // ClientID is the id of the authentication client (Teleport Auth server). + // ClientID is the id of the authentication client (Teleport Auth Service). ClientID string `protobuf:"bytes,2,opt,name=ClientID,proto3" json:"client_id"` // ClientSecret is used to authenticate the client. ClientSecret string `protobuf:"bytes,3,opt,name=ClientSecret,proto3" json:"client_secret"` @@ -11395,7 +11395,7 @@ func (m *SSOClientRedirectSettings) XXX_DiscardUnknown() { var xxx_messageInfo_SSOClientRedirectSettings proto.InternalMessageInfo // OIDCAuthRequest is a request to authenticate with OIDC -// provider, the state about request is managed by auth server +// provider, the state about request is managed by Auth Service type OIDCAuthRequest struct { // ConnectorID is ID of OIDC connector this request uses ConnectorID string `protobuf:"bytes,1,opt,name=ConnectorID,proto3" json:"connector_id"` 
@@ -11412,7 +11412,7 @@ type OIDCAuthRequest struct { // Teleport Proxy after the oidc login attempt in the browser. RedirectURL string `protobuf:"bytes,6,opt,name=RedirectURL,proto3" json:"redirect_url"` // PublicKey is an optional public key, users want these - // keys to be signed by auth servers user CA in case + // keys to be signed by Auth Service's user CA in case // of successful auth PublicKey []byte `protobuf:"bytes,7,opt,name=PublicKey,proto3" json:"public_key"` // CertTTL is the TTL of the certificate user wants to get @@ -11651,7 +11651,7 @@ func (m *SAMLConnectorSpecV2) XXX_DiscardUnknown() { var xxx_messageInfo_SAMLConnectorSpecV2 proto.InternalMessageInfo // SAMLAuthRequest is a request to authenticate with SAML -// provider, the state about request is managed by auth server. +// provider, the state about request is managed by the Auth Service type SAMLAuthRequest struct { // ID is a unique request ID. ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"id"` @@ -11664,7 +11664,7 @@ type SAMLAuthRequest struct { // RedirectURL will be used by browser. RedirectURL string `protobuf:"bytes,5,opt,name=RedirectURL,proto3" json:"redirect_url"` // PublicKey is an optional public key, users want these - // keys to be signed by auth servers user CA in case + // keys to be signed by Auth Service's user CA in case // of successful auth. PublicKey []byte `protobuf:"bytes,6,opt,name=PublicKey,proto3" json:"public_key"` // CertTTL is the TTL of the certificate user wants to get. 
@@ -12687,7 +12687,7 @@ type LockTarget struct { // Login specifies the name of a local UNIX user. Login string `protobuf:"bytes,3,opt,name=Login,proto3" json:"login,omitempty"` // Node specifies the UUID of a Teleport node. - // A matching node is also prevented from heartbeating to the auth server. + // A matching node is also prevented from heartbeating to the Auth Service. // DEPRECATED: use ServerID instead. Node string `protobuf:"bytes,4,opt,name=Node,proto3" json:"node,omitempty"` // Deprecated: Do not use. // MFADevice specifies the UUID of a user MFA device. @@ -13152,7 +13152,7 @@ func (m *Resolution) XXX_DiscardUnknown() { var xxx_messageInfo_Resolution proto.InternalMessageInfo -// RegisterUsingTokenRequest is a request to register with the auth server using +// RegisterUsingTokenRequest is a request to register with the Auth Service using // an authentication token type RegisterUsingTokenRequest struct { // HostID is a unique host ID, usually a UUID @@ -13226,7 +13226,7 @@ func (m *RegisterUsingTokenRequest) XXX_DiscardUnknown() { var xxx_messageInfo_RegisterUsingTokenRequest proto.InternalMessageInfo // RecoveryCodes holds a user's recovery code information. Recovery codes allows users to regain -// access to their account by restoring their lost password or second factor. Once a recovery code +// access to their account by restoring their lost password or multi-factor. Once a recovery code // is successfully verified, the code is mark used (which invalidates it), and lets the user begin // the recovery flow. When a user successfully finishes the recovery flow, users will get a new set // of codes that will replace all the previous ones. diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml index f73fc63729992..60c0a57843c12 100644 
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_accesslists.yaml @@ -36,7 +36,7 @@ spec: description: AccessList resource definition v1 from Teleport properties: audit: - description: audit describes the frequency that this access list must + description: audit describes the frequency that this Access List must be audited. nullable: true properties: @@ -74,16 +74,16 @@ spec: type: object description: description: description is an optional plaintext description of the - access list. + Access List. type: string grants: description: grants describes the access granted by membership to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -94,13 +94,13 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object membership_requires: description: membership_requires describes the requirements for a - user to be a member of the access list. For a membership to an access - list to be effective, the user must meet the requirements of Membership_requires + user to be a member of the Access List. For a membership to an Access + List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. nullable: true properties: 
@@ -122,12 +122,12 @@ spec: type: object owner_grants: description: owner_grants describes the access granted by owners to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -138,11 +138,11 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object owners: - description: owners is a list of owners of the access list. + description: owners is a list of owners of the Access List. items: properties: description: @@ -161,7 +161,7 @@ spec: type: array ownership_requires: description: ownership_requires describes the requirements for a user - to be an owner of the access list. For ownership of an access list + to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. nullable: true @@ -183,8 +183,8 @@ spec: type: object type: object title: - description: title is a plaintext short description of the access - list. + description: title is a plaintext short description of the Access + List. type: string type: object status: diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index aa3486d5ae3e4..9c374f0188698 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml 
@@ -65,7 +65,7 @@ spec: type: array client_id: description: ClientID is the id of the authentication client (Teleport - Auth server). + Auth Service). type: string client_redirect_settings: description: ClientRedirectSettings defines which client redirect diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml index a325de71a9473..8c76351a1baba 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml @@ -70,7 +70,7 @@ spec: type: array aws_role: description: AWSRole is used for the EC2 join method and is - the the ARN of the AWS role that the auth server will assume + the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API. type: string type: object @@ -192,7 +192,7 @@ spec: against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate - must be trusted by the Auth Server. + must be trusted by the Auth Service. type: string enterprise_slug: description: EnterpriseSlug allows the slug of a GitHub Enterprise diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index e67112259a609..8817de2068d2c 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml 
@@ -298,7 +298,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -824,7 +824,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -1629,7 +1629,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -2155,7 +2155,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index e9cdee16944ca..ca647219fd7fe 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml 
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index fe0b50f1eb77e..a22abf4e334df 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml @@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, 
@@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts b/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts index 4ba7f2b2e7f27..11062df8a111e 100644 --- a/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts +++ b/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts @@ -46,7 +46,7 @@ export interface AccessList { */ header?: ResourceHeader; /** - * spec is the specification for the access list. + * spec is the specification for the Access List. * * @generated from protobuf field: teleport.accesslist.v1.AccessListSpec spec = 2; */ 
@@ -59,32 +59,32 @@ export interface AccessList { status?: AccessListStatus; } /** - * AccessListSpec is the specification for an access list. + * AccessListSpec is the specification for an Access List. * * @generated from protobuf message teleport.accesslist.v1.AccessListSpec */ export interface AccessListSpec { /** - * description is an optional plaintext description of the access list. + * description is an optional plaintext description of the Access List. * * @generated from protobuf field: string description = 1; */ description: string; /** - * owners is a list of owners of the access list. + * owners is a list of owners of the Access List. * * @generated from protobuf field: repeated teleport.accesslist.v1.AccessListOwner owners = 2; */ owners: AccessListOwner[]; /** - * audit describes the frequency that this access list must be audited. + * audit describes the frequency that this Access List must be audited. * * @generated from protobuf field: teleport.accesslist.v1.AccessListAudit audit = 3; */ audit?: AccessListAudit; /** * membership_requires describes the requirements for a user to be a member of - * the access list. For a membership to an access list to be effective, the + * the Access List. For a membership to an Access List to be effective, the * user must meet the requirements of Membership_requires and must be in the * members list. * @@ -93,7 +93,7 @@ export interface AccessListSpec { membershipRequires?: AccessListRequires; /** * ownership_requires describes the requirements for a user to be an owner of - * the access list. For ownership of an access list to be effective, the user + * the Access List. For ownership of an Access List to be effective, the user * must meet the requirements of ownership_requires and must be in the owners * list. * 
@@ -101,26 +101,26 @@ export interface AccessListSpec { */ ownershipRequires?: AccessListRequires; /** - * grants describes the access granted by membership to this access list. + * grants describes the access granted by membership to this Access List. * * @generated from protobuf field: teleport.accesslist.v1.AccessListGrants grants = 6; */ grants?: AccessListGrants; /** - * title is a plaintext short description of the access list. + * title is a plaintext short description of the Access List. * * @generated from protobuf field: string title = 8; */ title: string; /** - * owner_grants describes the access granted by owners to this access list. + * owner_grants describes the access granted by owners to this Access List. * * @generated from protobuf field: teleport.accesslist.v1.AccessListGrants owner_grants = 11; */ ownerGrants?: AccessListGrants; } /** - * AccessListOwner is an owner of an access list. + * AccessListOwner is an owner of an Access List. * * @generated from protobuf message teleport.accesslist.v1.AccessListOwner */ @@ -147,7 +147,7 @@ export interface AccessListOwner { ineligibleStatus: IneligibleStatus; } /** - * AccessListAudit describes the audit configuration for an access list. + * AccessListAudit describes the audit configuration for an Access List. * * @generated from protobuf message teleport.accesslist.v1.AccessListAudit */ @@ -209,7 +209,7 @@ export interface Notifications { start?: Duration; } /** - * AccessListRequires describes a requirement section for an access list. A user + * AccessListRequires describes a requirement section for an Access List. A user * must meet the following criteria to obtain the specific access to the list. * * @generated from protobuf message teleport.accesslist.v1.AccessListRequires 
@@ -230,29 +230,29 @@ export interface AccessListRequires { traits: Trait[]; } /** - * AccessListGrants describes what access is granted by membership to the access - * list. + * AccessListGrants describes what access is granted by membership to the Access + * List. * * @generated from protobuf message teleport.accesslist.v1.AccessListGrants */ export interface AccessListGrants { /** - * roles are the roles that are granted to users who are members of the access - * list. + * roles are the roles that are granted to users who are members of the Access + * List. * * @generated from protobuf field: repeated string roles = 1; */ roles: string[]; /** * traits are the traits that are granted to users who are members of the - * access list. + * Access List. * * @generated from protobuf field: repeated teleport.trait.v1.Trait traits = 2; */ traits: Trait[]; } /** - * Member describes a member of an access list. + * Member describes a member of an Access List. * * @generated from protobuf message teleport.accesslist.v1.Member */ 
@@ -264,50 +264,50 @@ export interface Member { */ header?: ResourceHeader; /** - * spec is the specification for the access list member. + * spec is the specification for the Access List member. * * @generated from protobuf field: teleport.accesslist.v1.MemberSpec spec = 2; */ spec?: MemberSpec; } /** - * MemberSpec is the specification for an access list member. + * MemberSpec is the specification for an Access List member. * * @generated from protobuf message teleport.accesslist.v1.MemberSpec */ export interface MemberSpec { /** - * associated access list + * associated Access List * * @generated from protobuf field: string access_list = 1; */ accessList: string; /** - * name is the name of the member of the access list. + * name is the name of the member of the Access List. * * @generated from protobuf field: string name = 2; */ name: string; /** - * joined is when the user joined the access list. + * joined is when the user joined the Access List. * * @generated from protobuf field: google.protobuf.Timestamp joined = 3; */ joined?: Timestamp; /** - * expires is when the user's membership to the access list expires. + * expires is when the user's membership to the Access List expires. * * @generated from protobuf field: google.protobuf.Timestamp expires = 4; */ expires?: Timestamp; /** - * reason is the reason this user was added to the access list. + * reason is the reason this user was added to the Access List. * * @generated from protobuf field: string reason = 5; */ reason: string; /** - * added_by is the user that added this user to the access list. + * added_by is the user that added this user to the Access List. * * @generated from protobuf field: string added_by = 6; */ @@ -321,7 +321,7 @@ export interface MemberSpec { ineligibleStatus: IneligibleStatus; } /** - * Review is a review of an access list. + * Review is a review of an Access List. * * @generated from protobuf message teleport.accesslist.v1.Review */ 
@@ -333,20 +333,20 @@ export interface Review { */ header?: ResourceHeader; /** - * spec is the specification for the access list review. + * spec is the specification for the Access List review. * * @generated from protobuf field: teleport.accesslist.v1.ReviewSpec spec = 2; */ spec?: ReviewSpec; } /** - * ReviewSpec is the specification for an access list review. + * ReviewSpec is the specification for an Access List review. * * @generated from protobuf message teleport.accesslist.v1.ReviewSpec */ export interface ReviewSpec { /** - * access_list is the name of the access list that this review is for. + * access_list is the name of the Access List that this review is for. * * @generated from protobuf field: string access_list = 1; */ @@ -418,7 +418,7 @@ export interface ReviewChanges { */ export interface AccessListStatus { /** - * member_count is the number of members in the in the access list. + * member_count is the number of members in the in the Access List. * * @generated from protobuf field: optional uint32 member_count = 1; */ diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml index f73fc63729992..60c0a57843c12 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml @@ -36,7 +36,7 @@ spec: description: AccessList resource definition v1 from Teleport properties: audit: - description: audit describes the frequency that this access list must + description: audit describes the frequency that this Access List must be audited. nullable: true properties: 
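Review bot: The `member_count` comment in the `@@ -418,7 +418,7 @@ export interface ReviewChanges` hunk still reads "in the in the Access List" after the rewording, so the duplicated "in the" survived a line the commit already touches. Because this file is marked `@generated from protobuf`, the fix belongs in the source `.proto` comment, `// member_count is the number of members in the Access List.`, followed by regeneration rather than a hand edit here. The same phrase is carried into the testdata proto hunk `@@ -268,6 +268,6 @@ message ReviewChanges` under integrations/operator/crdgen/testdata, and presumably into the other generated outputs of that message.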
@@ -74,16 +74,16 @@ spec: type: object description: description: description is an optional plaintext description of the - access list. + Access List. type: string grants: description: grants describes the access granted by membership to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -94,13 +94,13 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object membership_requires: description: membership_requires describes the requirements for a - user to be a member of the access list. For a membership to an access - list to be effective, the user must meet the requirements of Membership_requires + user to be a member of the Access List. For a membership to an Access + List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. nullable: true properties: @@ -122,12 +122,12 @@ spec: type: object owner_grants: description: owner_grants describes the access granted by owners to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -138,11 +138,11 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object owners: - description: owners is a list of owners of the access list. + description: owners is a list of owners of the Access List. items: properties: description: 
@@ -161,7 +161,7 @@ spec: type: array ownership_requires: description: ownership_requires describes the requirements for a user - to be an owner of the access list. For ownership of an access list + to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. nullable: true @@ -183,8 +183,8 @@ spec: type: object type: object title: - description: title is a plaintext short description of the access - list. + description: title is a plaintext short description of the Access + List. type: string type: object status: diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml index aa3486d5ae3e4..9c374f0188698 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml @@ -65,7 +65,7 @@ spec: type: array client_id: description: ClientID is the id of the authentication client (Teleport - Auth server). + Auth Service). type: string client_redirect_settings: description: ClientRedirectSettings defines which client redirect diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml index a325de71a9473..8c76351a1baba 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml @@ -70,7 +70,7 @@ spec: type: array aws_role: description: AWSRole is used for the EC2 join method and is - the the ARN of the AWS role that the auth server will assume + the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API. type: string type: object 
@@ -192,7 +192,7 @@ spec: against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate - must be trusted by the Auth Server. + must be trusted by the Auth Service. type: string enterprise_slug: description: EnterpriseSlug allows the slug of a GitHub Enterprise diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml index e67112259a609..8817de2068d2c 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml @@ -298,7 +298,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -824,7 +824,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -1629,7 +1629,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, 
@@ -2155,7 +2155,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml index e9cdee16944ca..ca647219fd7fe 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml @@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml index fe0b50f1eb77e..a22abf4e334df 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml 
@@ -301,7 +301,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, @@ -827,7 +827,7 @@ spec: type: string type: array description: Annotations is a collection of annotations to - be programmatically appended to pending access requests + be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml index f73fc63729992..60c0a57843c12 100644 --- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml +++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml @@ -36,7 +36,7 @@ spec: description: AccessList resource definition v1 from Teleport properties: audit: - description: audit describes the frequency that this access list must + description: audit describes the frequency that this Access List must be audited. nullable: true properties: @@ -74,16 +74,16 @@ spec: type: object description: description: description is an optional plaintext description of the - access list. + Access List. type: string grants: description: grants describes the access granted by membership to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true 
@@ -94,13 +94,13 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object membership_requires: description: membership_requires describes the requirements for a - user to be a member of the access list. For a membership to an access - list to be effective, the user must meet the requirements of Membership_requires + user to be a member of the Access List. For a membership to an Access + List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. nullable: true properties: @@ -122,12 +122,12 @@ spec: type: object owner_grants: description: owner_grants describes the access granted by owners to - this access list. + this Access List. nullable: true properties: roles: description: roles are the roles that are granted to users who - are members of the access list. + are members of the Access List. items: type: string nullable: true @@ -138,11 +138,11 @@ spec: type: string type: array description: traits are the traits that are granted to users who - are members of the access list. + are members of the Access List. type: object type: object owners: - description: owners is a list of owners of the access list. + description: owners is a list of owners of the Access List. items: properties: description: @@ -161,7 +161,7 @@ spec: type: array ownership_requires: description: ownership_requires describes the requirements for a user - to be an owner of the access list. For ownership of an access list + to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. nullable: true 
@@ -183,8 +183,8 @@ spec: type: object type: object title: - description: title is a plaintext short description of the access - list. + description: title is a plaintext short description of the Access + List. type: string type: object status: diff --git a/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto index fabe0525bab0f..b83034160a9e7 100644 --- a/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto +++ b/integrations/operator/crdgen/testdata/protofiles/teleport/accesslist/v1/accesslist.proto 
@@ -30,50 +30,50 @@ message AccessList { // header is the header for the resource. teleport.header.v1.ResourceHeader header = 1; - // spec is the specification for the access list. + // spec is the specification for the Access List. AccessListSpec spec = 2; // status contains dynamically calculated fields. AccessListStatus status = 3; } -// AccessListSpec is the specification for an access list. +// AccessListSpec is the specification for an Access List. message AccessListSpec { reserved 7, 9, 10; reserved "members", "membership", "ownership"; - // description is an optional plaintext description of the access list. + // description is an optional plaintext description of the Access List. string description = 1; - // owners is a list of owners of the access list. + // owners is a list of owners of the Access List. repeated AccessListOwner owners = 2; - // audit describes the frequency that this access list must be audited. + // audit describes the frequency that this Access List must be audited. AccessListAudit audit = 3; // membership_requires describes the requirements for a user to be a member of - // the access list. For a membership to an access list to be effective, the + // the Access List. For a membership to an Access List to be effective, the // user must meet the requirements of Membership_requires and must be in the // members list. AccessListRequires membership_requires = 4; // ownership_requires describes the requirements for a user to be an owner of - // the access list. For ownership of an access list to be effective, the user + // the Access List. For ownership of an Access List to be effective, the user // must meet the requirements of ownership_requires and must be in the owners // list. AccessListRequires ownership_requires = 5; - // grants describes the access granted by membership to this access list. + // grants describes the access granted by membership to this Access List. 
AccessListGrants grants = 6; - // title is a plaintext short description of the access list. + // title is a plaintext short description of the Access List. string title = 8; - // owner_grants describes the access granted by owners to this access list. + // owner_grants describes the access granted by owners to this Access List. AccessListGrants owner_grants = 11; } -// AccessListOwner is an owner of an access list. +// AccessListOwner is an owner of an Access List. message AccessListOwner { // name is the username of the owner. string name = 1; @@ -87,7 +87,7 @@ message AccessListOwner { IneligibleStatus ineligible_status = 3; } -// AccessListAudit describes the audit configuration for an access list. +// AccessListAudit describes the audit configuration for an Access List. message AccessListAudit { reserved 1; reserved "frequency"; @@ -139,7 +139,7 @@ message Notifications { google.protobuf.Duration start = 1; } -// AccessListRequires describes a requirement section for an access list. A user +// AccessListRequires describes a requirement section for an Access List. A user // must meet the following criteria to obtain the specific access to the list. message AccessListRequires { // roles are the user roles that must be present for the user to obtain 
@@ -150,48 +150,48 @@ message AccessListRequires { repeated teleport.trait.v1.Trait traits = 2; } -// AccessListGrants describes what access is granted by membership to the access -// list. +// AccessListGrants describes what access is granted by membership to the Access +// List. message AccessListGrants { - // roles are the roles that are granted to users who are members of the access - // list. + // roles are the roles that are granted to users who are members of the Access + // List. repeated string roles = 1; // traits are the traits that are granted to users who are members of the - // access list. + // Access List. repeated teleport.trait.v1.Trait traits = 2; } -// Member describes a member of an access list. +// Member describes a member of an Access List. message Member { // header is the header for the resource. teleport.header.v1.ResourceHeader header = 1; - // spec is the specification for the access list member. + // spec is the specification for the Access List member. MemberSpec spec = 2; } -// MemberSpec is the specification for an access list member. +// MemberSpec is the specification for an Access List member. message MemberSpec { reserved 8; reserved "membership"; - // associated access list + // associated Access List string access_list = 1; - // name is the name of the member of the access list. + // name is the name of the member of the Access List. string name = 2; - // joined is when the user joined the access list. + // joined is when the user joined the Access List. google.protobuf.Timestamp joined = 3; - // expires is when the user's membership to the access list expires. + // expires is when the user's membership to the Access List expires. google.protobuf.Timestamp expires = 4; - // reason is the reason this user was added to the access list. + // reason is the reason this user was added to the Access List. string reason = 5; - // added_by is the user that added this user to the access list. 
+ // added_by is the user that added this user to the Access List. string added_by = 6; // ineligible_status describes if this member is eligible or not @@ -217,18 +217,18 @@ enum IneligibleStatus { INELIGIBLE_STATUS_EXPIRED = 4; } -// Review is a review of an access list. +// Review is a review of an Access List. message Review { // header is the header for the resource. teleport.header.v1.ResourceHeader header = 1; - // spec is the specification for the access list review. + // spec is the specification for the Access List review. ReviewSpec spec = 2; } -// ReviewSpec is the specification for an access list review. +// ReviewSpec is the specification for an Access List review. message ReviewSpec { - // access_list is the name of the access list that this review is for. + // access_list is the name of the Access List that this review is for. string access_list = 1; // reviewers are the users who performed the review. @@ -268,6 +268,6 @@ message ReviewChanges { // AccessListStatus contains dynamic fields calculated during retrieval. message AccessListStatus { - // member_count is the number of members in the in the access list. + // member_count is the number of members in the in the Access List. optional uint32 member_count = 1; } diff --git a/integrations/terraform/Makefile b/integrations/terraform/Makefile index 34d5453c82510..8530f8de01af4 100644 --- a/integrations/terraform/Makefile +++ b/integrations/terraform/Makefile @@ -45,7 +45,8 @@ $(BUILDDIR)/terraform-provider-teleport_%: terraform-provider-teleport-v$(VERSIO mv $(BUILDDIR)/$(OS)/$*/terraform-provider-teleport $@ CUSTOM_IMPORTS_TMP_DIR ?= /tmp/protoc-gen-terraform/custom-imports -PROTOC_GEN_TERRAFORM_VERSION ?= v2.2.0 +# This version must match the version installed by .github/workflows/lint.yaml +PROTOC_GEN_TERRAFORM_VERSION ?= v3.0.0 PROTOC_GEN_TERRAFORM_EXISTS := $(shell protoc-gen-terraform version 2>&1 >/dev/null | grep 'protoc-gen-terraform $(PROTOC_GEN_TERRAFORM_VERSION)') .PHONY: gen-tfschema 
diff --git a/integrations/terraform/protoc-gen-terraform-accesslist.yaml b/integrations/terraform/protoc-gen-terraform-accesslist.yaml index 60196357c103d..7f4cc2094530f 100644 --- a/integrations/terraform/protoc-gen-terraform-accesslist.yaml +++ b/integrations/terraform/protoc-gen-terraform-accesslist.yaml @@ -17,6 +17,7 @@ import_path_overrides: "timestamppb": "google.golang.org/protobuf/types/known/timestamppb" "v1": "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" "v11": "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1" + "github_com_gravitational_teleport_integrations_terraform_tfschema": "github.com/gravitational/teleport/integrations/terraform/tfschema" # id field is required for integration tests. It is not used by provider. # We have to add it manually (might be removed in the future versions). diff --git a/integrations/terraform/provider/resource_teleport_bot.go b/integrations/terraform/provider/resource_teleport_bot.go index b5f3d8afabcdb..75bf6565c4464 100644 --- a/integrations/terraform/provider/resource_teleport_bot.go +++ b/integrations/terraform/provider/resource_teleport_bot.go @@ -88,7 +88,7 @@ func GenSchemaBot(ctx context.Context) (tfsdk.Schema, diag.Diagnostics) { // Implementation note: This needs RequiresReplace() to handle // updates properly but we aren't able to attach plan modifiers to // fields from schema methods here. See ModifyPlan below. - "traits": tfschema.GenSchemaTraits(ctx), + "traits": tfschema.GenSchemaTraits(ctx, tfsdk.Attribute{}), }, }, nil } diff --git a/integrations/terraform/reference.mdx b/integrations/terraform/reference.mdx index 26fa663c925b9..f1099897d9a07 100755 --- a/integrations/terraform/reference.mdx +++ b/integrations/terraform/reference.mdx 
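Review bot: The new second argument `tfsdk.Attribute{}` passed to `tfschema.GenSchemaTraits` in the resource_teleport_bot.go hunk is a zero value with no explanation of what the parameter carries, and the tfschema change that introduced it is not part of this diff, so a reader cannot tell whether an empty attribute is the intended default or whether a description, required/optional flags or plan modifiers are expected here. If the parameter is an attribute template merged into the generated `traits` attribute, the implementation note directly above it (`This needs RequiresReplace() ... but we aren't able to attach plan modifiers to fields from schema methods here`) may now be stale, since the modifier could presumably be supplied through that argument; worth confirming against GenSchemaTraits and either wiring it up or updating the note. At minimum a short comment on the call, e.g. `// Empty attribute template: no overrides to the generated traits schema.`, would document the choice once its meaning is confirmed. GenSchemaBot starts outside the hunk.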
@@ -130,7 +130,7 @@ To mitigate this, you should explicitly set the resource version. | Name | Type | Required | Description | |--------|--------|----------|------------------------------------------------| | header | object | | header is the header for the resource. | -| spec | object | | spec is the specification for the access list. | +| spec | object | | spec is the specification for the Access List. | ### header @@ -150,7 +150,7 @@ metadata is resource metadata. | Name | Type | Required | Description | |-------------|----------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | description | string | | description is object description. | -| expires | RFC3339 time | | | +| expires | RFC3339 time | | expires is a global expiry time header can be set on any resource in the system. | | labels | map of strings | | labels is a set of labels. | | name | string | * | name is an object name. | | namespace | string | | namespace is object namespace. The field should be called "namespace" when it returns in Teleport 2.4. | 
@@ -158,36 +158,36 @@ metadata is resource metadata. ### spec -spec is the specification for the access list. +spec is the specification for the Access List. | Name | Type | Required | Description | |---------------------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| audit | object | * | audit describes the frequency that this access list must be audited. | -| description | string | | description is an optional plaintext description of the access list. | -| grants | object | * | grants describes the access granted by membership to this access list. | -| membership_requires | object | | membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list. | -| owner_grants | object | | owner_grants describes the access granted by owners to this access list. | -| owners | object | * | owners is a list of owners of the access list. | -| ownership_requires | object | | ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. | -| title | string | | title is a plaintext short description of the access list. | +| audit | object | * | audit describes the frequency that this Access List must be audited. | +| description | string | | description is an optional plaintext description of the Access List. | +| grants | object | * | grants describes the access granted by membership to this Access List. | +| membership_requires | object | | membership_requires describes the requirements for a user to be a member of the Access List. 
For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. | +| owner_grants | object | | owner_grants describes the access granted by owners to this Access List. | +| owners | object | * | owners is a list of owners of the Access List. | +| ownership_requires | object | | ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. | +| title | string | | title is a plaintext short description of the Access List. | #### spec.audit -audit describes the frequency that this access list must be audited. +audit describes the frequency that this Access List must be audited. -| Name | Type | Required | Description | -|-----------------|--------------|----------|---------------------------------------------------------| -| next_audit_date | RFC3339 time | | | -| notifications | object | | notifications is the configuration for notifying users. | -| recurrence | object | * | recurrence is the recurrence definition | +| Name | Type | Required | Description | +|-----------------|--------------|----------|----------------------------------------------------------------| +| next_audit_date | RFC3339 time | | next_audit_date is when the next audit date should be done by. | +| notifications | object | | notifications is the configuration for notifying users. | +| recurrence | object | * | recurrence is the recurrence definition | ##### spec.audit.notifications notifications is the configuration for notifying users. 
-| Name | Type | Required | Description | -|-------|----------|----------|-------------| -| start | duration | | | +| Name | Type | Required | Description | +|-------|----------|----------|--------------------------------------------------------------------------------------| +| start | duration | | start specifies when to start notifying users that the next audit date is coming up. | ##### spec.audit.recurrence @@ -200,16 +200,16 @@ recurrence is the recurrence definition #### spec.grants -grants describes the access granted by membership to this access list. +grants describes the access granted by membership to this Access List. | Name | Type | Required | Description | |--------|------------------|----------|-------------------------------------------------------------------------------------| -| roles | array of strings | | roles are the roles that are granted to users who are members of the access list. | -| traits | object | | traits are the traits that are granted to users who are members of the access list. | +| roles | array of strings | | roles are the roles that are granted to users who are members of the Access List. | +| traits | object | | traits are the traits that are granted to users who are members of the Access List. | ##### spec.grants.traits -traits are the traits that are granted to users who are members of the access list. +traits are the traits that are granted to users who are members of the Access List. | Name | Type | Required | Description | |--------|------------------|----------|-------------------------------------| 
@@ -218,7 +218,7 @@ traits are the traits that are granted to users who are members of the access li #### spec.membership_requires -membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list. +membership_requires describes the requirements for a user to be a member of the Access List. For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. | Name | Type | Required | Description | |--------|------------------|----------|------------------------------------------------------------------------------| @@ -236,16 +236,16 @@ traits are the traits that must be present for the user to obtain access. #### spec.owner_grants -owner_grants describes the access granted by owners to this access list. +owner_grants describes the access granted by owners to this Access List. | Name | Type | Required | Description | |--------|------------------|----------|-------------------------------------------------------------------------------------| -| roles | array of strings | | roles are the roles that are granted to users who are members of the access list. | -| traits | object | | traits are the traits that are granted to users who are members of the access list. | +| roles | array of strings | | roles are the roles that are granted to users who are members of the Access List. | +| traits | object | | traits are the traits that are granted to users who are members of the Access List. | ##### spec.owner_grants.traits -traits are the traits that are granted to users who are members of the access list. +traits are the traits that are granted to users who are members of the Access List. | Name | Type | Required | Description | |--------|------------------|----------|-------------------------------------| 
@@ -254,7 +254,7 @@ traits are the traits that are granted to users who are members of the access li #### spec.owners -owners is a list of owners of the access list. +owners is a list of owners of the Access List. | Name | Type | Required | Description | |-------------|--------|----------|----------------------------------------------------------------------------------| @@ -263,7 +263,7 @@ owners is a list of owners of the access list. #### spec.ownership_requires -ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. +ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. | Name | Type | Required | Description | |--------|------------------|----------|------------------------------------------------------------------------------| 
@@ -444,26 +444,26 @@ Metadata is resource metadata Spec is an AuthPreference specification -| Name | Type | Required | Description | -|-------------------------|----------|----------|----------------------------------------------------------------------------------------------------------------------------------------| -| allow_headless | bool | | | -| allow_local_auth | bool | | | -| allow_passwordless | bool | | | -| connector_name | string | | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. | -| default_session_ttl | duration | | DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested. | -| device_trust | object | | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. | -| disconnect_expired_cert | bool | | | -| hardware_key | object | | HardwareKey are the settings for hardware key support. | -| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | -| locking_mode | string | | LockingMode is the cluster-wide locking mode default. | -| message_of_the_day | string | | | -| okta | object | | Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. | -| piv_slot | string | | TODO(Joerger): DELETE IN 17.0.0 Deprecated, replaced by HardwareKey settings. | -| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this cluster: 0:Off, 1:Session, 2:SessionAndHardwareKey, 3:HardwareKeyTouch | -| second_factor | string | | SecondFactor is the type of second factor. | -| type | string | | Type is the type of authentication. | -| u2f | object | | U2F are the settings for the U2F device. | -| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. 
| +| Name | Type | Required | Description | +|-------------------------|----------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| allow_headless | bool | | AllowHeadless enables/disables headless support. Headless authentication requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise. | +| allow_local_auth | bool | | AllowLocalAuth is true if local authentication is enabled. | +| allow_passwordless | bool | | AllowPasswordless enables/disables passwordless support. Passwordless requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise. | +| connector_name | string | | ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used. | +| default_session_ttl | duration | | DefaultSessionTTL is the TTL to use for user certs when an explicit TTL is not requested. | +| device_trust | object | | DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise. | +| disconnect_expired_cert | bool | | DisconnectExpiredCert provides disconnect expired certificate setting - if true, connections with expired client certificates will get disconnected | +| hardware_key | object | | HardwareKey are the settings for hardware key support. | +| idp | object | | IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise. | +| locking_mode | string | | LockingMode is the cluster-wide locking mode default. | +| message_of_the_day | string | | | +| okta | object | | Okta is a set of options related to the Okta service in Teleport. Requires Teleport Enterprise. | +| piv_slot | string | | TODO(Joerger): DELETE IN 17.0.0 Deprecated, replaced by HardwareKey settings. 
| +| require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this cluster: 0:Off, 1:Session, 2:SessionAndHardwareKey, 3:HardwareKeyTouch | +| second_factor | string | | SecondFactor is the type of mult-factor. | +| type | string | | Type is the type of authentication. | +| u2f | object | | U2F are the settings for the U2F device. | +| webauthn | object | | Webauthn are the settings for server-side Web Authentication support. | #### spec.device_trust @@ -505,9 +505,9 @@ IDP is a set of options related to accessing IdPs within Teleport. Requires Tele SAML are options related to the Teleport SAML IdP. -| Name | Type | Required | Description | -|---------|------|----------|-------------| -| enabled | bool | | | +| Name | Type | Required | Description | +|---------|------|----------|-------------------------------------------------------------------------------| +| enabled | bool | | Enabled is set to true if this option allows access to the Teleport SAML IdP. | #### spec.okta 
@@ -521,11 +521,11 @@ Okta is a set of options related to the Okta service in Teleport. Requires Telep U2F are the settings for the U2F device. -| Name | Type | Required | Description | -|------------------------|------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| app_id | string | | AppID returns the application ID for universal second factor. | -| device_attestation_cas | array of strings | | DeviceAttestationCAs contains the trusted attestation CAs for U2F devices. | -| facets | array of strings | | Facets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation. | +| Name | Type | Required | Description | +|------------------------|------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| app_id | string | | AppID returns the application ID for universal mult-factor. | +| device_attestation_cas | array of strings | | DeviceAttestationCAs contains the trusted attestation CAs for U2F devices. | +| facets | array of strings | | Facets returns the facets for universal mult-factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation. | #### spec.webauthn 
@@ -535,7 +535,7 @@ Webauthn are the settings for server-side Web Authentication support. |-------------------------|------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | attestation_allowed_cas | array of strings | | Allow list of device attestation CAs in PEM format. If present, only devices whose attestation certificates match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationDeniedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default all devices are allowed. | | attestation_denied_cas | array of strings | | Deny list of device attestation CAs in PEM format. If present, only devices whose attestation certificates don't match the certificates specified here may be registered (existing registrations are unchanged). If supplied in conjunction with AttestationAllowedCAs, then both conditions need to be true for registration to be allowed (the device MUST match an allowed CA and MUST NOT match a denied CA). By default no devices are denied. | -| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register. 
| +| rp_id | string | | RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the multi-factor will need to re-register. | Example: 
@@ -1314,25 +1314,25 @@ Metadata holds resource metadata. Spec is an OIDC connector specification. -| Name | Type | Required | Description | -|----------------------------|------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------| -| acr_values | string | | ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers. | -| allow_unverified_email | bool | | AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails. | -| claims_to_roles | object | | ClaimsToRoles specifies a dynamic mapping from claims to roles. | -| client_id | string | | ClientID is the id of the authentication client (Teleport Auth server). | -| client_redirect_settings | object | | ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. | -| client_secret | string | | ClientSecret is used to authenticate the client. | -| display | string | | Display is the friendly name for this provider. | -| google_admin_email | string | | GoogleAdminEmail is the email of a google admin to impersonate. | -| google_service_account | string | | GoogleServiceAccount is a string containing google service account credentials. | -| google_service_account_uri | string | | GoogleServiceAccountURI is a path to a google service account uri. | -| issuer_url | string | | IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com. | -| max_age | duration | | | -| prompt | string | | Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. | -| provider | string | | Provider is the external identity provider. 
| -| redirect_url | array of strings | | | -| scope | array of strings | | Scope specifies additional scopes set by provider. | -| username_claim | string | | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. | +| Name | Type | Required | Description | +|----------------------------|------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| acr_values | string | | ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers. | +| allow_unverified_email | bool | | AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails. | +| claims_to_roles | object | | ClaimsToRoles specifies a dynamic mapping from claims to roles. | +| client_id | string | | ClientID is the id of the authentication client (Teleport Auth Service). | +| client_redirect_settings | object | | ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. | +| client_secret | string | | ClientSecret is used to authenticate the client. | +| display | string | | Display is the friendly name for this provider. | +| google_admin_email | string | | GoogleAdminEmail is the email of a google admin to impersonate. | +| google_service_account | string | | GoogleServiceAccount is a string containing google service account credentials. | +| google_service_account_uri | string | | GoogleServiceAccountURI is a path to a google service account uri. | +| issuer_url | string | | IssuerURL is the endpoint of the provider, e.g. 
https://accounts.google.com. | +| max_age | duration | | | +| prompt | string | | Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. | +| provider | string | | Provider is the external identity provider. | +| redirect_url | array of strings | | RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used. | +| scope | array of strings | | Scope specifies additional scopes set by provider. | +| username_claim | string | | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. | #### spec.claims_to_roles 
@@ -1526,34 +1526,34 @@ Metadata is resource metadata Spec is a provisioning token V2 spec -| Name | Type | Required | Description | -|--------------------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------| -| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | -| aws_iid_ttl | duration | | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. | -| azure | object | | Azure allows the configuration of options specific to the "azure" join method. | -| bot_name | string | | BotName is the name of the bot this token grants access to, if any | -| circleci | object | | CircleCI allows the configuration of options specific to the "circleci" join method. | -| gcp | object | | GCP allows the configuration of options specific to the "gcp" join method. | -| github | object | | GitHub allows the configuration of options specific to the "github" join method. | -| gitlab | object | | GitLab allows the configuration of options specific to the "gitlab" join method. | -| join_method | string | | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | -| kubernetes | object | | Kubernetes allows the configuration of options specific to the "kubernetes" join method. | -| roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token | -| spacelift | object | | Spacelift allows the configuration of options specific to the "spacelift" join method. 
| -| suggested_agent_matcher_labels | map of string arrays | | | -| suggested_labels | map of string arrays | | | -| tpm | object | | TPM allows the configuration of options specific to the "tpm" join method. | +| Name | Type | Required | Description | +|--------------------------------|----------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | +| aws_iid_ttl | duration | | AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. | +| azure | object | | Azure allows the configuration of options specific to the "azure" join method. | +| bot_name | string | | BotName is the name of the bot this token grants access to, if any | +| circleci | object | | CircleCI allows the configuration of options specific to the "circleci" join method. | +| gcp | object | | GCP allows the configuration of options specific to the "gcp" join method. | +| github | object | | GitHub allows the configuration of options specific to the "github" join method. | +| gitlab | object | | GitLab allows the configuration of options specific to the "gitlab" join method. | +| join_method | string | | JoinMethod is the joining method required in order to use this token. Supported joining methods include "token", "ec2", and "iam". | +| kubernetes | object | | Kubernetes allows the configuration of options specific to the "kubernetes" join method. 
| +| roles | array of strings | * | Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token | +| spacelift | object | | Spacelift allows the configuration of options specific to the "spacelift" join method. | +| suggested_agent_matcher_labels | map of string arrays | | SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion. | +| suggested_labels | map of string arrays | | SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion. | +| tpm | object | | TPM allows the configuration of options specific to the "tpm" join method. | #### spec.allow Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|-------------|------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------| -| aws_account | string | | AWSAccount is the AWS account ID. | -| aws_arn | string | | AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". | -| aws_regions | array of strings | | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. | -| aws_role | string | | AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API. 
| +| Name | Type | Required | Description | +|-------------|------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------| +| aws_account | string | | AWSAccount is the AWS account ID. | +| aws_arn | string | | AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?". | +| aws_regions | array of strings | | AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from. | +| aws_role | string | | AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API. | #### spec.azure 
@@ -1615,7 +1615,7 @@ GitHub allows the configuration of options specific to the "github" join method. | Name | Type | Required | Description | |------------------------|--------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | allow | object | | Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. | -| enterprise_server_host | string | | EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server. | +| enterprise_server_host | string | | EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. 
The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service. | | enterprise_slug | string | | EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. | ##### spec.github.allow 
@@ -1646,24 +1646,24 @@ GitLab allows the configuration of options specific to the "gitlab" join method. Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. -| Name | Type | Required | Description | -|-----------------------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ci_config_ref_uri | string | | CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main. | -| ci_config_sha | string | | CIConfigSHA is the git commit SHA for the ci_config_ref_uri. | -| deployment_tier | string | | DeploymentTier is the deployment tier of the environment the job specifies | -| environment | string | | Environment limits access by the environment the job deploys to (if one is associated) | -| environment_protected | bool | | | -| namespace_path | string | | NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | -| pipeline_source | string | | PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: `web` | -| project_path | string | | ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. 
| -| project_visibility | string | | ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public. | -| ref | string | | Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | -| ref_protected | bool | | | -| ref_type | string | | RefType allows access to be limited to jobs triggered by a specific git ref type. Example: `branch` or `tag` | -| sub | string | | Sub roughly uniquely identifies the workload. Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports simple "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | -| user_email | string | | UserEmail is the email of the user executing the job | -| user_id | string | | UserID is the ID of the user executing the job | -| user_login | string | | UserLogin is the username of the user executing the job | +| Name | Type | Required | Description | +|-----------------------|--------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ci_config_ref_uri | string | | CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main. | +| ci_config_sha | string | | CIConfigSHA is the git commit SHA for the ci_config_ref_uri. 
| +| deployment_tier | string | | DeploymentTier is the deployment tier of the environment the job specifies | +| environment | string | | Environment limits access by the environment the job deploys to (if one is associated) | +| environment_protected | bool | | EnvironmentProtected is true if the Git ref is protected, false otherwise. | +| namespace_path | string | | NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | +| pipeline_source | string | | PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: `web` | +| project_path | string | | ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | +| project_visibility | string | | ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public. | +| ref | string | | Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | +| ref_protected | bool | | RefProtected is true if the Git ref is protected, false otherwise. | +| ref_type | string | | RefType allows access to be limited to jobs triggered by a specific git ref type. Example: `branch` or `tag` | +| sub | string | | Sub roughly uniquely identifies the workload. 
Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character. | +| user_email | string | | UserEmail is the email of the user executing the job | +| user_id | string | | UserID is the ID of the user executing the job | +| user_login | string | | UserLogin is the username of the user executing the job | #### spec.kubernetes 
@@ -1805,42 +1805,42 @@ Allow is the set of conditions evaluated to grant access.
 | Name | Type | Required | Description |
 |-----------------------------------|----------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------|
-| app_labels | map of string arrays | | |
+| app_labels | map of string arrays | | AppLabels is a map of labels used as part of the RBAC system. |
 | app_labels_expression | string | | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
 | aws_role_arns | array of strings | | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
 | azure_identities | array of strings | | AzureIdentities is a list of Azure identities this role is allowed to assume. |
-| cluster_labels | map of string arrays | | |
+| cluster_labels | map of string arrays | | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
 | cluster_labels_expression | string | | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
-| db_labels | map of string arrays | | |
+| db_labels | map of string arrays | | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
 | db_labels_expression | string | | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
 | db_names | array of strings | | DatabaseNames is a list of database names this role is allowed to connect to. |
 | db_permissions | object | | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
 | db_roles | array of strings | | DatabaseRoles is a list of databases roles for automatic user creation. |
-| db_service_labels | map of string arrays | | |
+| db_service_labels | map of string arrays | | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
 | db_service_labels_expression | string | | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
 | db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. |
 | desktop_groups | array of strings | | DesktopGroups is a list of groups for created desktop users to be added to |
 | gcp_service_accounts | array of strings | | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
-| group_labels | map of string arrays | | |
+| group_labels | map of string arrays | | GroupLabels is a map of labels used as part of the RBAC system. |
 | group_labels_expression | string | | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
 | host_groups | array of strings | | HostGroups is a list of groups for created users to be added to |
 | host_sudoers | array of strings | | HostSudoers is a list of entries to include in a users sudoer file |
 | impersonate | object | | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
 | join_sessions | object | | JoinSessions specifies policies to allow users to join other sessions. |
 | kubernetes_groups | array of strings | | KubeGroups is a list of kubernetes groups |
-| kubernetes_labels | map of string arrays | | |
+| kubernetes_labels | map of string arrays | | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
 | kubernetes_labels_expression | string | | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
 | kubernetes_resources | object | | KubernetesResources is the Kubernetes Resources this Role grants access to. |
 | kubernetes_users | array of strings | | KubeUsers is an optional kubernetes users to impersonate |
 | logins | array of strings | | Logins is a list of *nix system logins. |
-| node_labels | map of string arrays | | |
+| node_labels | map of string arrays | | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
 | node_labels_expression | string | | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
 | request | object | | |
 | require_session_join | object | | RequireSessionJoin specifies policies for required users to start a session. |
 | review_requests | object | | ReviewRequests defines conditions for submitting access reviews. |
 | rules | object | | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
 | spiffe | object | | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
-| windows_desktop_labels | map of string arrays | | |
+| windows_desktop_labels | map of string arrays | | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
 | windows_desktop_labels_expression | string | | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
 | windows_desktop_logins | array of strings | | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
@@ -1850,7 +1850,7 @@ DatabasePermissions specifies a set of permissions that will be granted to the d
 | Name | Type | Required | Description |
 |-------------|----------------------|----------|------------------------------------------------------------------------------------------------------------------|
-| match | map of string arrays | | |
+| match | map of string arrays | | Match is a list of object labels that must be matched for the permission to be granted. |
 | permissions | array of strings | | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
 ##### spec.allow.impersonate
@@ -1889,15 +1889,15 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
-| Name | Type | Required | Description |
-|---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| annotations | map of string arrays | | |
-| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
-| max_duration | duration | | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
-| roles | array of strings | | Roles is the name of roles which will match the request rule. |
-| search_as_roles | array of strings | | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
-| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
-| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
+| Name | Type | Required | Description |
+|---------------------|----------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| annotations | map of string arrays | | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. |
+| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
+| max_duration | duration | | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
+| roles | array of strings | | Roles is the name of roles which will match the request rule. |
+| search_as_roles | array of strings | | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
+| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
+| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
 ###### spec.allow.request.claims_to_roles
@@ -1981,42 +1981,42 @@ Deny is the set of conditions evaluated to deny access. Deny takes priority over
 | Name | Type | Required | Description |
 |-----------------------------------|----------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------|
-| app_labels | map of string arrays | | |
+| app_labels | map of string arrays | | AppLabels is a map of labels used as part of the RBAC system. |
 | app_labels_expression | string | | AppLabelsExpression is a predicate expression used to allow/deny access to Apps. |
 | aws_role_arns | array of strings | | AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume. |
 | azure_identities | array of strings | | AzureIdentities is a list of Azure identities this role is allowed to assume. |
-| cluster_labels | map of string arrays | | |
+| cluster_labels | map of string arrays | | ClusterLabels is a map of node labels (used to dynamically grant access to clusters). |
 | cluster_labels_expression | string | | ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters. |
-| db_labels | map of string arrays | | |
+| db_labels | map of string arrays | | DatabaseLabels are used in RBAC system to allow/deny access to databases. |
 | db_labels_expression | string | | DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases. |
 | db_names | array of strings | | DatabaseNames is a list of database names this role is allowed to connect to. |
 | db_permissions | object | | DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning. |
 | db_roles | array of strings | | DatabaseRoles is a list of databases roles for automatic user creation. |
-| db_service_labels | map of string arrays | | |
+| db_service_labels | map of string arrays | | DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services. |
 | db_service_labels_expression | string | | DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services. |
 | db_users | array of strings | | DatabaseUsers is a list of databases users this role is allowed to connect as. |
 | desktop_groups | array of strings | | DesktopGroups is a list of groups for created desktop users to be added to |
 | gcp_service_accounts | array of strings | | GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume. |
-| group_labels | map of string arrays | | |
+| group_labels | map of string arrays | | GroupLabels is a map of labels used as part of the RBAC system. |
 | group_labels_expression | string | | GroupLabelsExpression is a predicate expression used to allow/deny access to user groups. |
 | host_groups | array of strings | | HostGroups is a list of groups for created users to be added to |
 | host_sudoers | array of strings | | HostSudoers is a list of entries to include in a users sudoer file |
 | impersonate | object | | Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means. |
 | join_sessions | object | | JoinSessions specifies policies to allow users to join other sessions. |
 | kubernetes_groups | array of strings | | KubeGroups is a list of kubernetes groups |
-| kubernetes_labels | map of string arrays | | |
+| kubernetes_labels | map of string arrays | | KubernetesLabels is a map of kubernetes cluster labels used for RBAC. |
 | kubernetes_labels_expression | string | | KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters. |
 | kubernetes_resources | object | | KubernetesResources is the Kubernetes Resources this Role grants access to. |
 | kubernetes_users | array of strings | | KubeUsers is an optional kubernetes users to impersonate |
 | logins | array of strings | | Logins is a list of *nix system logins. |
-| node_labels | map of string arrays | | |
+| node_labels | map of string arrays | | NodeLabels is a map of node labels (used to dynamically grant access to nodes). |
 | node_labels_expression | string | | NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes. |
 | request | object | | |
 | require_session_join | object | | RequireSessionJoin specifies policies for required users to start a session. |
 | review_requests | object | | ReviewRequests defines conditions for submitting access reviews. |
 | rules | object | | Rules is a list of rules and their access levels. Rules are a high level construct used for access control. |
 | spiffe | object | | SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID. |
-| windows_desktop_labels | map of string arrays | | |
+| windows_desktop_labels | map of string arrays | | WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops. |
 | windows_desktop_labels_expression | string | | WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops. |
 | windows_desktop_logins | array of strings | | WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops. |
@@ -2026,7 +2026,7 @@ DatabasePermissions specifies a set of permissions that will be granted to the d
 | Name | Type | Required | Description |
 |-------------|----------------------|----------|------------------------------------------------------------------------------------------------------------------|
-| match | map of string arrays | | |
+| match | map of string arrays | | Match is a list of object labels that must be matched for the permission to be granted. |
 | permissions | array of strings | | Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ... |
 ##### spec.deny.impersonate
@@ -2065,15 +2065,15 @@ KubernetesResources is the Kubernetes Resources this Role grants access to.
-| Name | Type | Required | Description |
-|---------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| annotations | map of string arrays | | |
-| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
-| max_duration | duration | | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
-| roles | array of strings | | Roles is the name of roles which will match the request rule. |
-| search_as_roles | array of strings | | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
-| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
-| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
+| Name | Type | Required | Description |
+|---------------------|----------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| annotations | map of string arrays | | Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions. |
+| claims_to_roles | object | | ClaimsToRoles specifies a mapping from claims (traits) to teleport roles. |
+| max_duration | duration | | MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used. |
+| roles | array of strings | | Roles is the name of roles which will match the request rule. |
+| search_as_roles | array of strings | | SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request. |
+| suggested_reviewers | array of strings | | SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement. |
+| thresholds | object | | Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used. |
 ###### spec.deny.request.claims_to_roles
@@ -2160,13 +2160,13 @@ Options is for OpenSSH options like agent forwarding.
 | cert_extensions | object | | CertExtensions specifies the key/values |
 | cert_format | string | | CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH. |
 | client_idle_timeout | duration | | ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration. |
-| create_db_user | bool | | |
+| create_db_user | bool | | CreateDatabaseUser enabled automatic database user creation. |
 | create_db_user_mode | number | | CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". |
-| create_desktop_user | bool | | |
-| create_host_user | bool | | |
+| create_desktop_user | bool | | CreateDesktopUser allows users to be automatically created on a Windows desktop |
+| create_host_user | bool | | CreateHostUser allows users to be automatically created on a host |
 | create_host_user_mode | number | | CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". |
-| desktop_clipboard | bool | | |
-| desktop_directory_sharing | bool | | |
+| desktop_clipboard | bool | | DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false. |
+| desktop_directory_sharing | bool | | DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true. |
 | device_trust_mode | string | | DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. |
 | disconnect_expired_cert | bool | | DisconnectExpiredCert sets disconnect clients on expired certificates. |
 | enhanced_recording | array of strings | | BPF defines what events to record for the BPF-based session recorder. |
@@ -2179,12 +2179,12 @@ Options is for OpenSSH options like agent forwarding.
 | max_sessions | number | | MaxSessions defines the maximum number of concurrent sessions per connection. |
 | permit_x11_forwarding | bool | | PermitX11Forwarding authorizes use of X11 forwarding. |
 | pin_source_ip | bool | | PinSourceIP forces the same client IP for certificate generation and usage |
-| port_forwarding | bool | | |
+| port_forwarding | bool | | PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer |
 | record_session | object | | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
 | request_access | string | | RequestAccess defines the access request strategy (optional|note|always) where optional is the default. |
 | request_prompt | string | | RequestPrompt is an optional message which tells users what they aught to request. |
 | require_session_mfa | number | | RequireMFAType is the type of MFA requirement enforced for this role: 0:Off, 1:Session, 2:SessionAndHardwareKey, 3:HardwareKeyTouch |
-| ssh_file_copy | bool | | |
+| ssh_file_copy | bool | | SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false. |
 ##### spec.options.cert_extensions
@@ -2209,19 +2209,19 @@ IDP is a set of options related to accessing IdPs within Teleport. Requires Tele
 SAML are options related to the Teleport SAML IdP.
-| Name | Type | Required | Description |
-|---------|------|----------|-------------|
-| enabled | bool | | |
+| Name | Type | Required | Description |
+|---------|------|----------|-------------------------------------------------------------------------------|
+| enabled | bool | | Enabled is set to true if this option allows access to the Teleport SAML IdP. |
 ##### spec.options.record_session
 RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
-| Name | Type | Required | Description |
-|---------|--------|----------|-------------------------------------------------------|
-| default | string | | Default indicates the default value for the services. |
-| desktop | bool | | |
-| ssh | string | | SSH indicates the session mode used on SSH sessions. |
+| Name | Type | Required | Description |
+|---------|--------|----------|--------------------------------------------------------------------------------------------------------------------|
+| default | string | | Default indicates the default value for the services. |
+| desktop | bool | | Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false. |
+| ssh | string | | SSH indicates the session mode used on SSH sessions. |
 Example:
@@ -2565,10 +2565,10 @@ Metadata is resource metadata
 Spec is a SessionRecordingConfig specification
-| Name | Type | Required | Description |
-|------------------------|--------|----------|------------------------------------------------------|
-| mode | string | | Mode controls where (or if) the session is recorded. |
-| proxy_checks_host_keys | bool | | |
+| Name | Type | Required | Description |
+|------------------------|--------|----------|--------------------------------------------------------------------------------------------------|
+| mode | string | | Mode controls where (or if) the session is recorded. |
+| proxy_checks_host_keys | bool | | ProxyChecksHostKeys is used to control if the proxy will check host keys when in recording mode. |
 Example:
@@ -2742,14 +2742,14 @@ Metadata is resource metadata
 Spec is a user specification
-| Name | Type | Required | Description |
-|--------------------|----------------------|----------|---------------------------------------------------------------------------------------------------------------------------------------|
-| github_identities | object | | GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity |
-| oidc_identities | object | | OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity |
-| roles | array of strings | | Roles is a list of roles assigned to user |
-| saml_identities | object | | SAMLIdentities lists associated SAML identities that let user log in using externally verified identity |
-| traits | map of string arrays | | |
-| trusted_device_ids | array of strings | | TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits. |
+| Name | Type | Required | Description |
+|--------------------|----------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| github_identities | object | | GithubIdentities list associated Github OAuth2 identities that let user log in using externally verified identity |
+| oidc_identities | object | | OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity |
+| roles | array of strings | | Roles is a list of roles assigned to user |
+| saml_identities | object | | SAMLIdentities lists associated SAML identities that let user log in using externally verified identity |
+| traits | map of string arrays | | Traits are key/value pairs received from an identity provider (through OIDC claims or SAML assertions) or from a system administrator for local accounts. Traits are used to populate role variables. |
+| trusted_device_ids | array of strings | | TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits. |
 #### spec.github_identities
@@ -2785,9 +2785,10 @@ SAMLIdentities lists associated SAML identities that let user log in using exter
-| Name | Type | Required | Description |
-|----------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| password_state | number | | password_state reflects what the system knows about the user's password. Note that this is a "best effort" property, in that it can be UNSPECIFIED for users who were created before this property was introduced and didn't perform any password-related activity since then. See RFD 0159 for details. Do NOT use this value for authentication purposes! |
+| Name | Type | Required | Description |
+|--------------------|--------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| mfa_weakest_device | number | | mfa_weakest_device reflects what the system knows about the user's weakest MFA device. Note that this is a "best effort" property, in that it can be UNSPECIFIED. |
+| password_state | number | | password_state reflects what the system knows about the user's password. Note that this is a "best effort" property, in that it can be UNSPECIFIED for users who were created before this property was introduced and didn't perform any password-related activity since then. See RFD 0159 for details. Do NOT use this value for authentication purposes! |
 Example:
diff --git a/integrations/terraform/tfschema/accesslist/v1/accesslist_terraform.go b/integrations/terraform/tfschema/accesslist/v1/accesslist_terraform.go index 8683faf239d31..ef0bd9464ef7a 100644 --- a/integrations/terraform/tfschema/accesslist/v1/accesslist_terraform.go +++ b/integrations/terraform/tfschema/accesslist/v1/accesslist_terraform.go @@ -29,6 +29,7 @@ import ( github_com_gravitational_teleport_api_gen_proto_go_teleport_header_v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" _ "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1" github_com_gravitational_teleport_api_gen_proto_go_teleport_trait_v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1" + github_com_gravitational_teleport_integrations_terraform_tfschema "github.com/gravitational/teleport/integrations/terraform/tfschema" github_com_hashicorp_terraform_plugin_framework_attr "github.com/hashicorp/terraform-plugin-framework/attr" github_com_hashicorp_terraform_plugin_framework_diag "github.com/hashicorp/terraform-plugin-framework/diag" github_com_hashicorp_terraform_plugin_framework_tfsdk "github.com/hashicorp/terraform-plugin-framework/tfsdk" @@ -60,7 +61,11 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "expires": GenSchemaTimestamp(ctx), + "expires": GenSchemaTimestamp(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "expires is a global expiry time header can be set on any resource in the system.", + Optional: true, + Validators: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributeValidator{github_com_gravitational_teleport_integrations_terraform_tfschema.MustTimeBeInFuture()}, + }), "labels": { Description: "labels is a set of labels.", Optional: true, 
@@ -113,9 +118,17 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "audit": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "next_audit_date": GenSchemaTimestamp(ctx), + "next_audit_date": GenSchemaTimestamp(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Computed: true, + Description: "next_audit_date is when the next audit date should be done by.", + Optional: true, + PlanModifiers: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributePlanModifier{github_com_hashicorp_terraform_plugin_framework_tfsdk.UseStateForUnknown()}, + }), "notifications": { - Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"start": GenSchemaDuration(ctx)}), + Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"start": GenSchemaDuration(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "start specifies when to start notifying users that the next audit date is coming up.", + Optional: true, + })}), Description: "notifications is the configuration for notifying users.", Optional: true, }, 
@@ -136,18 +149,18 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Required: true, }, }), - Description: "audit describes the frequency that this access list must be audited.", + Description: "audit describes the frequency that this Access List must be audited.", Required: true, }, "description": { - Description: "description is an optional plaintext description of the access list.", + Description: "description is an optional plaintext description of the Access List.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, "grants": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "roles": { - Description: "roles are the roles that are granted to users who are members of the access list.", + Description: "roles are the roles that are granted to users who are members of the Access List.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, @@ -164,11 +177,11 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, }), - Description: "traits are the traits that are granted to users who are members of the access list.", + Description: "traits are the traits that are granted to users who are members of the Access List.", Optional: true, }, }), - Description: "grants describes the access granted by membership to this access list.", + Description: "grants describes the access granted by membership to this Access List.", Required: true, }, "membership_requires": { 
@@ -195,13 +208,13 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Optional: true, }, }), - Description: "membership_requires describes the requirements for a user to be a member of the access list. For a membership to an access list to be effective, the user must meet the requirements of Membership_requires and must be in the members list.", + Description: "membership_requires describes the requirements for a user to be a member of the Access List. For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list.", Optional: true, }, "owner_grants": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "roles": { - Description: "roles are the roles that are granted to users who are members of the access list.", + Description: "roles are the roles that are granted to users who are members of the Access List.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, @@ -218,11 +231,11 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, }), - Description: "traits are the traits that are granted to users who are members of the access list.", + Description: "traits are the traits that are granted to users who are members of the Access List.", Optional: true, }, }), - Description: "owner_grants describes the access granted by owners to this access list.", + Description: "owner_grants describes the access granted by owners to this Access List.", Optional: true, }, "owners": { 
@@ -238,7 +251,7 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, }), - Description: "owners is a list of owners of the access list.", + Description: "owners is a list of owners of the Access List.", Required: true, }, "ownership_requires": { @@ -265,16 +278,16 @@ func GenSchemaAccessList(ctx context.Context) (github_com_hashicorp_terraform_pl Optional: true, }, }), - Description: "ownership_requires describes the requirements for a user to be an owner of the access list. For ownership of an access list to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.", + Description: "ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.", Optional: true, }, "title": { - Description: "title is a plaintext short description of the access list.", + Description: "title is a plaintext short description of the Access List.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, }), - Description: "spec is the specification for the access list.", + Description: "spec is the specification for the Access List.", Optional: true, }, }}, nil diff --git a/integrations/terraform/tfschema/accesslist/v1/custom_types.go b/integrations/terraform/tfschema/accesslist/v1/custom_types.go index 3f20d59778f7f..e061b175c3681 100644 --- a/integrations/terraform/tfschema/accesslist/v1/custom_types.go +++ b/integrations/terraform/tfschema/accesslist/v1/custom_types.go 
@@ -29,10 +29,11 @@ import (
 "github.com/gravitational/teleport/integrations/terraform/tfschema"
 )
-func GenSchemaTimestamp(_ context.Context) tfsdk.Attribute {
+func GenSchemaTimestamp(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
- Optional: true,
- Type: tfschema.UseRFC3339Time(),
+ Optional: true,
+ Type: tfschema.UseRFC3339Time(),
+ Description: attr.Description,
 }
 }
@@ -66,10 +67,11 @@ func CopyToTimestamp(diags diag.Diagnostics, o *timestamppb.Timestamp, t attr.Ty
 return value
 }
-func GenSchemaDuration(_ context.Context) tfsdk.Attribute {
+func GenSchemaDuration(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
- Optional: true,
- Type: tfschema.DurationType{},
+ Optional: true,
+ Type: tfschema.DurationType{},
+ Description: attr.Description,
 }
 }
diff --git a/integrations/terraform/tfschema/custom_types.go b/integrations/terraform/tfschema/custom_types.go
index 794b06773867d..c6baa4d8515b5 100644
--- a/integrations/terraform/tfschema/custom_types.go
+++ b/integrations/terraform/tfschema/custom_types.go
@@ -31,15 +31,16 @@ import (
 )
 // GenSchemaBoolOptions returns Terraform schema for BoolOption type
-func GenSchemaBoolOption(_ context.Context) tfsdk.Attribute {
+func GenSchemaBoolOption(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
- Optional: true,
- Type: types.BoolType,
+ Optional: true,
+ Type: types.BoolType,
+ Description: attr.Description,
 }
 }
 // GenSchemaBoolOptions returns Terraform schema for Traits type
-func GenSchemaTraits(_ context.Context) tfsdk.Attribute {
+func GenSchemaTraits(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
 Optional: true,
 Type: types.MapType{
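Review bot: `GenSchemaTimestamp` and `GenSchemaDuration` take a whole `tfsdk.Attribute` but only copy `attr.Description` into the attribute they return, so everything else a caller sets is lost; the `expires` call site in accesslist_terraform.go passes `Validators: {MustTimeBeInFuture()}` and the `next_audit_date` site passes `Computed: true` plus `UseStateForUnknown()`, none of which end up in the schema. That turns an intended plan-time rejection of a past expiry into a no-op, which is the kind of silent check-drop worth catching before it ships. Forward the fields that the callers actually use, and apply the same change to `GenSchemaBoolOption`/`GenSchemaTraits` in this file (and `GenSchemaStrings`, `GenSchemaBoolOptionNullable` below) so the helpers share one contract. `Optional` stays hard-coded to true because every visible caller relies on it.
```go
func GenSchemaTimestamp(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
	return tfsdk.Attribute{
		Optional:      true,
		Type:          tfschema.UseRFC3339Time(),
		Description:   attr.Description,
		Computed:      attr.Computed,
		Validators:    attr.Validators,
		PlanModifiers: attr.PlanModifiers,
	}
}
// … unchanged: CopyToTimestamp …
func GenSchemaDuration(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
	return tfsdk.Attribute{
		Optional:      true,
		Type:          tfschema.DurationType{},
		Description:   attr.Description,
		Computed:      attr.Computed,
		Validators:    attr.Validators,
		PlanModifiers: attr.PlanModifiers,
	}
}
```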
@@ -47,12 +48,13 @@ func GenSchemaTraits(_ context.Context) tfsdk.Attribute {
 ElemType: types.StringType,
 },
 },
+ Description: attr.Description,
 }
 }
 // GenSchemaBoolOptions returns Terraform schema for Labels type
-func GenSchemaLabels(ctx context.Context) tfsdk.Attribute {
- return GenSchemaTraits(ctx)
+func GenSchemaLabels(ctx context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
+ return GenSchemaTraits(ctx, attr)
 }
 func CopyFromBoolOption(diags diag.Diagnostics, tf attr.Value, o **apitypes.BoolOption) {
@@ -196,12 +198,13 @@ func CopyToTraits(diags diag.Diagnostics, o wrappers.Traits, t attr.Type, v attr
 }
 // GenSchemaStrings returns Terraform schema for Strings type
-func GenSchemaStrings(_ context.Context) tfsdk.Attribute {
+func GenSchemaStrings(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
 Optional: true,
 Type: types.ListType{
 ElemType: types.StringType,
 },
+ Description: attr.Description,
 }
 }
diff --git a/integrations/terraform/tfschema/token/custom_types.go b/integrations/terraform/tfschema/token/custom_types.go
index 70e10070845ac..8d0ca2876e94a 100644
--- a/integrations/terraform/tfschema/token/custom_types.go
+++ b/integrations/terraform/tfschema/token/custom_types.go
@@ -30,15 +30,16 @@ import (
 )
 // GenSchemaLabels returns Terraform schema for Labels type
-func GenSchemaLabels(ctx context.Context) tfsdk.Attribute {
- return tfschema.GenSchemaLabels(ctx)
+func GenSchemaLabels(ctx context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
+ return tfschema.GenSchemaLabels(ctx, attr)
 }
 // GenSchemaBoolOptionsNullable returns Terraform schema for BoolOption type
-func GenSchemaBoolOptionNullable(_ context.Context) tfsdk.Attribute {
+func GenSchemaBoolOptionNullable(_ context.Context, attr tfsdk.Attribute) tfsdk.Attribute {
 return tfsdk.Attribute{
- Optional: true,
- Type: types.BoolType,
+ Optional: true,
+ Type: types.BoolType,
+ Description: attr.Description,
 }
 }
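Review bot: The doc comments on the helpers whose signatures change here are wrong and should be corrected in the same pass: `// GenSchemaBoolOptions returns Terraform schema for Labels type` sits above `GenSchemaLabels` in tfschema/custom_types.go, and `// GenSchemaBoolOptionsNullable returns Terraform schema for BoolOption type` above `GenSchemaBoolOptionNullable` in token/custom_types.go; Go doc comments are expected to start with the function's own name. Suggest `// GenSchemaLabels returns the Terraform schema for a Labels attribute, carrying over Description from attr.` and the matching form for the others. It is also worth saying in each comment that only `attr.Description` is honoured and `Optional` is always set to true, because the new parameter invites callers to pass `Validators` or `Computed` that these helpers currently ignore.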
diff --git a/integrations/terraform/tfschema/token/types_terraform.go b/integrations/terraform/tfschema/token/types_terraform.go index 0949c22ed4a20..9a3a669417130 100644 --- a/integrations/terraform/tfschema/token/types_terraform.go +++ b/integrations/terraform/tfschema/token/types_terraform.go @@ -122,7 +122,7 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, "aws_role": { - Description: "AWSRole is used for the EC2 join method and is the the ARN of the AWS role that the auth server will assume in order to call the ec2 API.", + Description: "AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, 
@@ -263,7 +263,7 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Optional: true, }, "enterprise_server_host": { - Description: "EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Server.", + Description: "EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, 
@@ -300,9 +300,12 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "environment_protected": GenSchemaBoolOptionNullable(ctx), + "environment_protected": GenSchemaBoolOptionNullable(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "EnvironmentProtected is true if the Git ref is protected, false otherwise.", + Optional: true, + }), "namespace_path": { - Description: "NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` This field supports simple \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", + Description: "NamespacePath is used to limit access to jobs in a group or user's projects. Example: `mygroup` This field supports \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, @@ -312,7 +315,7 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, "project_path": { - Description: "ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` This field supports simple \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", + Description: "ProjectPath is used to limit access to jobs belonging to an individual project. Example: `mygroup/myproject` This field supports \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, 
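Review bot: The new description for `environment_protected`, `EnvironmentProtected is true if the Git ref is protected, false otherwise.`, is a copy of the `ref_protected` text in the next hunk and does not describe this field; the name and the GitLab claim it mirrors suggest it is about whether the job's environment is protected, not the ref. Suggest `EnvironmentProtected is true if the GitLab environment the job runs in is protected, false otherwise.`, hedged against the proto comment this was taken from. This file appears to be generated from the proto definitions, so the correction belongs in the proto comment followed by a regeneration. `GenSchemaProvisionTokenV2` starts before and ends after this hunk.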
@@ -322,18 +325,21 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, "ref": { - Description: "Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports simple \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", + Description: "Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "ref_protected": GenSchemaBoolOptionNullable(ctx), + "ref_protected": GenSchemaBoolOptionNullable(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "RefProtected is true if the Git ref is protected, false otherwise.", + Optional: true, + }), "ref_type": { Description: "RefType allows access to be limited to jobs triggered by a specific git ref type. Example: `branch` or `tag`", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, "sub": { - Description: "Sub roughly uniquely identifies the workload. Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports simple \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.", + Description: "Sub roughly uniquely identifies the workload. Example: `project_path:mygroup/my-project:ref_type:branch:ref:main` project_path:{group}/{project}:ref_type:{type}:ref:{branch_name} This field supports \"glob-style\" matching: - Use '*' to match zero or more characters. - Use '?' 
to match any single character.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, @@ -441,8 +447,14 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf Description: "Spacelift allows the configuration of options specific to the \"spacelift\" join method.", Optional: true, }, - "suggested_agent_matcher_labels": GenSchemaLabels(ctx), - "suggested_labels": GenSchemaLabels(ctx), + "suggested_agent_matcher_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to `db_service.resources.labels`. Currently, only node-join scripts create a configuration according to the suggestion.", + Optional: true, + }), + "suggested_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.", + Optional: true, + }), "tpm": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "allow": { diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go index e25be90bf8e18..f91057aa1b8f9 100644 --- a/integrations/terraform/tfschema/types_terraform.go +++ b/integrations/terraform/tfschema/types_terraform.go 
@@ -1133,7 +1133,10 @@ func GenSchemaSessionRecordingConfigV2(ctx context.Context) (github_com_hashicor PlanModifiers: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributePlanModifier{github_com_hashicorp_terraform_plugin_framework_tfsdk.UseStateForUnknown()}, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "proxy_checks_host_keys": GenSchemaBoolOption(ctx), + "proxy_checks_host_keys": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "ProxyChecksHostKeys is used to control if the proxy will check host keys when in recording mode.", + Optional: true, + }), }), Description: "Spec is a SessionRecordingConfig specification", Optional: true, 
@@ -1208,9 +1211,18 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf }, "spec": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "allow_headless": GenSchemaBoolOption(ctx), - "allow_local_auth": GenSchemaBoolOption(ctx), - "allow_passwordless": GenSchemaBoolOption(ctx), + "allow_headless": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "AllowHeadless enables/disables headless support. Headless authentication requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise.", + Optional: true, + }), + "allow_local_auth": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "AllowLocalAuth is true if local authentication is enabled.", + Optional: true, + }), + "allow_passwordless": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "AllowPasswordless enables/disables passwordless support. Passwordless requires Webauthn to work. Defaults to true if the Webauthn is configured, defaults to false otherwise.", + Optional: true, + }), "connector_name": { Description: "ConnectorName is the name of the OIDC or SAML connector. If this value is not set the first connector in the backend will be used.", Optional: true, 
@@ -1242,7 +1254,10 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf Description: "DeviceTrust holds settings related to trusted device verification. Requires Teleport Enterprise.", Optional: true, }, - "disconnect_expired_cert": GenSchemaBoolOption(ctx), + "disconnect_expired_cert": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "DisconnectExpiredCert provides disconnect expired certificate setting - if true, connections with expired client certificates will get disconnected", + Optional: true, + }), "hardware_key": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "piv_slot": { @@ -1272,7 +1287,10 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf }, "idp": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"saml": { - Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"enabled": GenSchemaBoolOption(ctx)}), + Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"enabled": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "Enabled is set to true if this option allows access to the Teleport SAML IdP.", + Optional: true, + })}), Description: "SAML are options related to the Teleport SAML IdP.", Optional: true, }}), 
@@ -1312,7 +1330,7 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf }, "second_factor": { Computed: true, - Description: "SecondFactor is the type of second factor.", + Description: "SecondFactor is the type of mult-factor.", Optional: true, PlanModifiers: []github_com_hashicorp_terraform_plugin_framework_tfsdk.AttributePlanModifier{github_com_hashicorp_terraform_plugin_framework_tfsdk.UseStateForUnknown()}, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, @@ -1327,7 +1345,7 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf "u2f": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "app_id": { - Description: "AppID returns the application ID for universal second factor.", + Description: "AppID returns the application ID for universal mult-factor.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, @@ -1337,7 +1355,7 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, "facets": { - Description: "Facets returns the facets for universal second factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation.", + Description: "Facets returns the facets for universal mult-factor. Deprecated: Kept for backwards compatibility reasons, but Facets have no effect since Teleport v10, when Webauthn replaced the U2F implementation.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, 
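Review bot: The rewritten descriptions introduce the typo `mult-factor` three times on the new side (`second_factor`, `u2f.app_id`, `u2f.facets`), and for the two U2F fields the substitution is also semantically wrong: U2F stands for Universal 2nd Factor, a protocol name, so `universal mult-factor` describes nothing. Suggest `Description: "SecondFactor is the type of multi-factor authentication."` for `second_factor`, and keeping `universal second factor (U2F)` in the `app_id` and `facets` descriptions. This file looks generated from the proto definitions, so the fix is in the proto comments plus a regeneration rather than an edit here. `GenSchemaAuthPreferenceV2` starts before and ends after these hunks.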
@@ -1358,7 +1376,7 @@ func GenSchemaAuthPreferenceV2(ctx context.Context) (github_com_hashicorp_terraf Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, "rp_id": { - Description: "RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the second factor will need to re-register.", + Description: "RPID is the ID of the Relying Party. It should be set to the domain name of the Teleport installation. IMPORTANT: RPID must never change in the lifetime of the cluster, because it's recorded in the registration data on the WebAuthn device. If the RPID changes, all existing WebAuthn key registrations will become invalid and all users who use WebAuthn as the multi-factor will need to re-register.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, 
@@ -1445,7 +1463,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "allow": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "app_labels": GenSchemaLabels(ctx), + "app_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "AppLabels is a map of labels used as part of the RBAC system.", + Optional: true, + }), "app_labels_expression": { Description: "AppLabelsExpression is a predicate expression used to allow/deny access to Apps.", Optional: true, 
@@ -1461,13 +1482,19 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "cluster_labels": GenSchemaLabels(ctx), + "cluster_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "ClusterLabels is a map of node labels (used to dynamically grant access to clusters).", + Optional: true, + }), "cluster_labels_expression": { Description: "ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "db_labels": GenSchemaLabels(ctx), + "db_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "DatabaseLabels are used in RBAC system to allow/deny access to databases.", + Optional: true, + }), "db_labels_expression": { Description: "DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.", Optional: true, @@ -1480,7 +1507,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin }, "db_permissions": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "match": GenSchemaLabels(ctx), + "match": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "Match is a list of object labels that must be matched for the permission to be granted.", + Optional: true, + }), "permissions": { Description: "Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...", Optional: true, 
@@ -1495,7 +1525,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "db_service_labels": GenSchemaLabels(ctx), + "db_service_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.", + Optional: true, + }), "db_service_labels_expression": { Description: "DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.", Optional: true, @@ -1516,7 +1549,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "group_labels": GenSchemaLabels(ctx), + "group_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "GroupLabels is a map of labels used as part of the RBAC system.", + Optional: true, + }), "group_labels_expression": { Description: "GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.", Optional: true, 
@@ -1584,7 +1620,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "kubernetes_labels": GenSchemaLabels(ctx), + "kubernetes_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "KubernetesLabels is a map of kubernetes cluster labels used for RBAC.", + Optional: true, + }), "kubernetes_labels_expression": { Description: "KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.", Optional: true, @@ -1630,7 +1669,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "node_labels": GenSchemaLabels(ctx), + "node_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "NodeLabels is a map of node labels (used to dynamically grant access to nodes).", + Optional: true, + }), "node_labels_expression": { Description: "NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.", Optional: true, 
@@ -1638,7 +1680,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin }, "request": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "annotations": GenSchemaTraits(ctx), + "annotations": GenSchemaTraits(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions.", + Optional: true, + }), "claims_to_roles": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ "claim": { @@ -1835,7 +1880,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Description: "SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.", Optional: true, }, - "windows_desktop_labels": GenSchemaLabels(ctx), + "windows_desktop_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.", + Optional: true, + }), "windows_desktop_labels_expression": { Description: "WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.", Optional: true, 
@@ -1852,7 +1900,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin }, "deny": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - "app_labels": GenSchemaLabels(ctx), + "app_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "AppLabels is a map of labels used as part of the RBAC system.", + Optional: true, + }), "app_labels_expression": { Description: "AppLabelsExpression is a predicate expression used to allow/deny access to Apps.", Optional: true, @@ -1868,13 +1919,19 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, }, - "cluster_labels": GenSchemaLabels(ctx), + "cluster_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "ClusterLabels is a map of node labels (used to dynamically grant access to clusters).", + Optional: true, + }), "cluster_labels_expression": { Description: "ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, - "db_labels": GenSchemaLabels(ctx), + "db_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + Description: "DatabaseLabels are used in RBAC system to allow/deny access to databases.", + Optional: true, + }), "db_labels_expression": { Description: "DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases.", Optional: true, 
@@ -1887,7 +1944,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 },
 "db_permissions": {
 Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
- "match": GenSchemaLabels(ctx),
+ "match": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "Match is a list of object labels that must be matched for the permission to be granted.",
+ Optional: true,
+ }),
 "permissions": {
 Description: "Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ...",
 Optional: true,
@@ -1902,7 +1962,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType},
 },
- "db_service_labels": GenSchemaLabels(ctx),
+ "db_service_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services.",
+ Optional: true,
+ }),
 "db_service_labels_expression": {
 Description: "DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services.",
 Optional: true,
@@ -1923,7 +1986,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType},
 },
- "group_labels": GenSchemaLabels(ctx),
+ "group_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "GroupLabels is a map of labels used as part of the RBAC system.",
+ Optional: true,
+ }),
 "group_labels_expression": {
 Description: "GroupLabelsExpression is a predicate expression used to allow/deny access to user groups.",
 Optional: true,
@@ -1991,7 +2057,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType},
 },
- "kubernetes_labels": GenSchemaLabels(ctx),
+ "kubernetes_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "KubernetesLabels is a map of kubernetes cluster labels used for RBAC.",
+ Optional: true,
+ }),
 "kubernetes_labels_expression": {
 Description: "KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters.",
 Optional: true,
@@ -2033,7 +2102,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType},
 },
- "node_labels": GenSchemaLabels(ctx),
+ "node_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "NodeLabels is a map of node labels (used to dynamically grant access to nodes).",
+ Optional: true,
+ }),
 "node_labels_expression": {
 Description: "NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes.",
 Optional: true,
@@ -2041,7 +2113,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 },
 "request": {
 Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
- "annotations": GenSchemaTraits(ctx),
+ "annotations": GenSchemaTraits(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via `{{external.trait_name}}` style substitutions.",
+ Optional: true,
+ }),
 "claims_to_roles": {
 Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.ListNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
 "claim": {
@@ -2238,7 +2313,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Description: "SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID.",
 Optional: true,
 },
- "windows_desktop_labels": GenSchemaLabels(ctx),
+ "windows_desktop_labels": GenSchemaLabels(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.",
+ Optional: true,
+ }),
 "windows_desktop_labels_expression": {
 Description: "WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.",
 Optional: true,
@@ -2293,21 +2371,36 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: DurationType{},
 },
- "create_db_user": GenSchemaBoolOption(ctx),
+ "create_db_user": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "CreateDatabaseUser enabled automatic database user creation.",
+ Optional: true,
+ }),
 "create_db_user_mode": {
 Description: "CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is \"unspecified\", 1 is \"off\", 2 is \"keep\", 3 is \"best_effort_drop\".",
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.Int64Type,
 },
- "create_desktop_user": GenSchemaBoolOption(ctx),
- "create_host_user": GenSchemaBoolOption(ctx),
+ "create_desktop_user": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "CreateDesktopUser allows users to be automatically created on a Windows desktop",
+ Optional: true,
+ }),
+ "create_host_user": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "CreateHostUser allows users to be automatically created on a host",
+ Optional: true,
+ }),
 "create_host_user_mode": {
 Description: "CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is \"unspecified\"; 1 is \"off\"; 2 is \"drop\" (removed for v15 and above), 3 is \"keep\"; 4 is \"insecure-drop\".",
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.Int64Type,
 },
- "desktop_clipboard": GenSchemaBoolOption(ctx),
- "desktop_directory_sharing": GenSchemaBoolOption(ctx),
+ "desktop_clipboard": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. 
It defaults to true unless explicitly set to false.",
+ Optional: true,
+ }),
+ "desktop_directory_sharing": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true.",
+ Optional: true,
+ }),
 "device_trust_mode": {
 Description: "DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode.",
 Optional: true,
@@ -2332,7 +2425,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 },
 "idp": {
 Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"saml": {
- Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"enabled": GenSchemaBoolOption(ctx)}),
+ Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{"enabled": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "Enabled is set to true if this option allows access to the Teleport SAML IdP.",
+ Optional: true,
+ })}),
 Description: "SAML are options related to the Teleport SAML IdP.",
 Optional: true,
 }}),
@@ -2376,7 +2472,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.BoolType,
 },
- "port_forwarding": GenSchemaBoolOption(ctx),
+ "port_forwarding": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "PortForwarding defines if the certificate will have \"permit-port-forwarding\" in the certificate. PortForwarding is \"yes\" if not set, that's why this is a pointer",
+ Optional: true,
+ }),
 "record_session": {
 Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
 "default": {
@@ -2384,7 +2483,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },
- "desktop": GenSchemaBoolOption(ctx),
+ "desktop": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.",
+ Optional: true,
+ }),
 "ssh": {
 Description: "SSH indicates the session mode used on SSH sessions.",
 Optional: true,
@@ -2409,7 +2511,10 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.Int64Type,
 },
- "ssh_file_copy": GenSchemaBoolOption(ctx),
+ "ssh_file_copy": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.",
+ Optional: true,
+ }),
 }),
 Description: "Options is for OpenSSH options like agent forwarding.",
 Optional: true,
@@ -2559,7 +2664,10 @@ func GenSchemaUserV2(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Description: "SAMLIdentities lists associated SAML identities that let user log in using externally verified identity",
 Optional: true,
 },
- "traits": GenSchemaTraits(ctx),
+ "traits": GenSchemaTraits(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "Traits are key/value pairs received from an identity provider (through OIDC claims or SAML assertions) or from a system administrator for local accounts. Traits are used to populate role variables.",
+ Optional: true,
+ }),
 "trusted_device_ids": {
 Description: "TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.",
 Optional: true,
@@ -2690,7 +2798,7 @@ func GenSchemaOIDCConnectorV3(ctx context.Context) (github_com_hashicorp_terrafo
 Optional: true,
 },
 "client_id": {
- Description: "ClientID is the id of the authentication client (Teleport Auth server).",
+ Description: "ClientID is the id of the authentication client (Teleport Auth Service).",
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },
@@ -2750,7 +2858,10 @@ func GenSchemaOIDCConnectorV3(ctx context.Context) (github_com_hashicorp_terrafo
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },
- "redirect_url": GenSchemaStrings(ctx),
+ "redirect_url": GenSchemaStrings(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.",
+ Optional: true,
+ }),
 "scope": {
 Description: "Scope specifies additional scopes set by provider.",
 Optional: true,