gravitational · kopiczko · Jun 12, 2025 · May 23, 2025
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/access_request_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/access_request_pb.ts
diff --git a/lib/teleterm/apiserver/handler/handler_access_requests.go b/lib/teleterm/apiserver/handler/handler_access_requests.go
@@ -26,6 +26,7 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
+	"github.com/gravitational/teleport/api/types"
 	accesslistv1conv "github.com/gravitational/teleport/api/types/accesslist/convert/v1"
 	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/v1"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
@@ -200,6 +201,11 @@ func newAPIAccessRequest(req clusters.AccessRequest) *api.AccessRequest {
 		}
 	}
 
+	dryRunEnrichment := req.GetDryRunEnrichment()
+	if dryRunEnrichment == nil {
+		dryRunEnrichment = &types.AccessRequestDryRunEnrichment{}
+	}
+
 	return &api.AccessRequest{
 		Id:                      req.GetName(),
 		State:                   req.GetState().String(),
@@ -219,6 +225,8 @@ func newAPIAccessRequest(req clusters.AccessRequest) *api.AccessRequest {
 		MaxDuration:             timestamppb.New(req.GetMaxDuration()),
 		RequestTtl:              timestamppb.New(req.Expiry()),
 		SessionTtl:              timestamppb.New(req.GetSessionTLL()),
+		ReasonMode:              string(dryRunEnrichment.ReasonMode),
+		ReasonPrompts:           dryRunEnrichment.ReasonPrompts,
 	}
 }
 

diff --git a/proto/teleport/lib/teleterm/v1/access_request.proto b/proto/teleport/lib/teleterm/v1/access_request.proto
@@ -56,6 +56,12 @@ message AccessRequest {
   google.protobuf.Timestamp request_ttl = 17;
   // session_ttl indicates how long a certificate for a session should be valid for.
   google.protobuf.Timestamp session_ttl = 18;
+  // reason_mode specifies the reason mode for this Access Request. It can be either "optional" or
+  // "required". It's only added in response to a dry run request.
+  string reason_mode = 19;
+  // reason_prompts is a sorted and deduplicated list of reason prompts for this Access Request.
+  // It's only added in response to a dry run request.
+  repeated string reason_prompts = 20;
 }
 
 message AccessRequestReview {

diff --git a/web/packages/teleterm/src/services/tshd/testHelpers.ts b/web/packages/teleterm/src/services/tshd/testHelpers.ts
@@ -366,6 +366,8 @@ export const makeAccessRequest = (
   maxDuration: { seconds: 1729026573n, nanos: 0 },
   requestTtl: { seconds: 1729026573n, nanos: 0 },
   sessionTtl: { seconds: 1729026573n, nanos: 0 },
+  reasonMode: 'optional',
+  reasonPrompts: [],
   ...props,
 });
 

diff --git a/web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx b/web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx
@@ -102,6 +102,7 @@ export function AccessRequestCheckout() {
     onStartTimeChange,
     fetchKubeNamespaces,
     updateNamespacesForKubeCluster,
+    reasonMode,
     reasonPrompts,
   } = useAccessRequestCheckout();
 
@@ -269,7 +270,6 @@ export function AccessRequestCheckout() {
             clearAttempt={clearCreateAttempt}
             selectedReviewers={selectedReviewers}
             setSelectedReviewers={setSelectedReviewers}
-            requireReason={false}
             numRequestedResources={requestedCount}
             isResourceRequest={!isRoleRequest}
             fetchStatus={'loaded'}
@@ -284,6 +284,7 @@ export function AccessRequestCheckout() {
             onStartTimeChange={onStartTimeChange}
             fetchKubeNamespaces={fetchKubeNamespaces}
             updateNamespacesForKubeCluster={updateNamespacesForKubeCluster}
+            requireReason={reasonMode === 'required'}
             reasonPrompts={reasonPrompts}
           />
         )}

diff --git a/web/packages/teleterm/src/ui/DocumentAccessRequests/DocumentAccessRequests.story.tsx b/web/packages/teleterm/src/ui/DocumentAccessRequests/DocumentAccessRequests.story.tsx
@@ -79,6 +79,8 @@ const mockedAccessRequest: AccessRequest = {
   maxDuration: { seconds: 1729026573n, nanos: 0 },
   requestTtl: { seconds: 1729026573n, nanos: 0 },
   sessionTtl: { seconds: 1729026573n, nanos: 0 },
+  reasonMode: 'optional',
+  reasonPrompts: [],
 };
 
 export function Browsing() {

diff --git a/web/packages/teleterm/src/ui/DocumentAccessRequests/useAccessRequests.test.tsx b/web/packages/teleterm/src/ui/DocumentAccessRequests/useAccessRequests.test.tsx
@@ -89,6 +89,8 @@ test('makeUiAccessRequest', async () => {
       seconds: 1709853650n,
       nanos: 520000000,
     },
+    reasonMode: 'optional',
+    reasonPrompts: [],
   };
 
   const processedRequest: AccessRequest = {

diff --git a/web/packages/teleterm/src/ui/DocumentAccessRequests/useAccessRequests.tsx b/web/packages/teleterm/src/ui/DocumentAccessRequests/useAccessRequests.tsx
@@ -104,6 +104,8 @@ export function makeUiAccessRequest(request: TshdAccessRequest) {
     suggestedReviewers: request.suggestedReviewers,
     thresholdNames: request.thresholdNames,
     resources: request.resources,
+    reasonMode: request.reasonMode || 'optional',
+    reasonPrompts: request.reasonPrompts,
   });
 }