Add support for role.spec.allow.request.reason.prompt to specify custom reason prompts for Access Requests

api/proto/teleport/legacy/types/types.proto

@@ -4254,6 +4254,9 @@ message AccessRequestConditionsReason {
     (gogoproto.jsontag) = "mode,omitempty",
     (gogoproto.casttype) = "RequestReasonMode"
   ];
+  // Prompt is a custom message prompted to the user for the requested roles or resources searchable
+  // as other roles. This is only applied to the requested roles and resources specifying the prompt.
+  string Prompt = 2 [(gogoproto.jsontag) = "prompt,omitempty"];
 }
 
 // AccessReviewConditions is a matcher for allow/deny restrictions on

api/types/role.go

@@ -2003,7 +2003,7 @@ func (r *RoleV6) GetRoleConditions(rct RoleConditionType) RoleConditions {
 	return roleConditions
 }
 
-// GetRoleConditions returns the role conditions for the role.
+// GetRequestReasonMode returns the request reason mode for the role.
 func (r *RoleV6) GetRequestReasonMode(rct RoleConditionType) RequestReasonMode {
 	roleConditions := r.GetRoleConditions(rct)
 	if roleConditions.Request == nil || roleConditions.Request.Reason == nil {

docs/pages/identity-governance/access-requests/access-request-configuration.mdx

@@ -310,6 +310,9 @@ Allowed values are:
 | `optional` | The default. The user does not need to provide a reason when making a request. |
 | `required` | The user must provide a non-empty reason when making a request. |
 
+You can specify a scoped prompt to remind the user to provide a reason for specific requestable
+roles or resources using `spec.allow.request.reason.prompt`.
+
 Example:
 
 ```yaml
@@ -326,18 +329,67 @@ spec:
         - 'root-node-access'
       reason:
         mode: 'required'
+        prompt: 'Please give a reason for accessing node resources'
 ```
 
-If a user with "node-requester" role assigned makes an Access Request for "node-access" role or any
-resource allowed by "root-node-access" they will be required to provide a reason. If a user's
+If a user with `node-requester` role assigned makes an Access Request for `node-access` role or any
+resource allowed by `root-node-access` they will be required to provide a reason. If a user's
 role set includes multiple roles governing Access Requests to the same roles and resources,
-"require" mode takes precedence.
+`required` mode takes precedence.
 
 ## Custom request reason prompts
 
-As of right now it's only possible specify a custom prompt for all or none of the Access Requests
-for a particular user. A custom request prompt can be specified by assigned the user a role with
-`spec.options.request_prompt` set to non-empty string.
+It is possible to specify custom request prompts for a user:
+
+- for requestable resources or roles specified by a single role
+- for all Access Requests made by the user
+
+To specify a scoped prompt for requestable resources specified by a single role, set
+`spec.allow.request.reason.prompt` to a non-empty string. This will affect only Access Requests that
+contain the specific resource or role.
+
+A custom global request prompt can be specified by assigning the user a role
+with `spec.options.request_prompt` set to non-empty string. This global prompt will apply for
+all Access Requests made by the user.
+
+If multiple global prompts and scoped prompts apply to the same Access Request, all
+prompts will be listed in alphabetical order within the request reason form.
+
+Example:
+
+```yaml
+kind: role
+version: v7
+metadata:
+  name: k8s-requester
+spec:
+  allow:
+    request:
+      search_as_roles:
+        - 'k8s-viewer'
+      reason:
+        # If a user is assigned this role, the prompt below will be displayed
+        # when any resource allowed by k8s-viewer role is requested.
+        prompt: 'Please give a reason for accessing kubernetes resources'
+```
+
+```yaml
+kind: role
+version: v7
+metadata:
+  name: employee
+spec:
+  allow: {}
+  options:
+    # If a user is assigned this role, the prompt below will be displayed for
+    # all access requests made by this user.
+    request_prompt: 'Please provide your ticket ID'
+```
+
+If a user assigned with `k8s-requester` and `employee` roles makes an Access Request
+for resources searchable as `k8s-viewer`, they will be prompted with the text
+"Please give a reason for accessing kubernetes resources" on the first line and
+"Please provide your ticket ID" on the second line, in alphabetical order.
 
 ## Review thresholds
 

docs/pages/includes/role-spec.mdx

@@ -381,6 +381,9 @@ spec:
         # is required for all Access Requests requesting roles or resources allowed by
         # this role. It applies only to users who have this role assigned.
         mode: "optional"
+        # 'prompt' is a custom message prompted to the user for the requested roles or resources searchable
+	      # as other roles. This is only applied to the requested roles and resources specifying the prompt.
+        prompt: I am a reason prompt specific to a requested role or resource
 
       # thresholds specifies minimum amount of approvers and deniers,
       # defaults to 1 for both (enterprise-only)

docs/pages/reference/cli/tctl.mdx

@@ -1204,7 +1204,7 @@ $ tctl request approve request-id-1, request-id-2
 Create a pending Access Request.
 
 ```code
-$ tctl request create <username>
+$ tctl request create [<flags>] <username>
 ```
 
 ### Arguments
@@ -1215,10 +1215,10 @@ $ tctl request create <username>
 
 | Name | Default Value(s) | Allowed Value(s) | Description |
 | - | - | - | - |
-|`roles`|none|Comma-separated list of strings|Roles to be requested|
-|`resource`|none|Comma-separated list of strings|Resource IDs to be requested|
-|`reason`|none|String|Optional reason message|
-|`dry-run`|none|Boolean|Don't actually generate the Access Request|
+|`--roles`|none|Comma-separated list of strings|Roles to be requested|
+|`--resource`|none|Comma-separated list of strings|Resource IDs to be requested|
+|`--reason`|none|String|Optional reason message|
+|`--dry-run`|none|Boolean|Don't actually generate the Access Request|
 
 Use the `dry-run` flag if you want to validate whether Teleport can create an
 Access Request for the user in the `username` argument, given the user's static

docs/pages/reference/infrastructure-as-code/operator-resources/resources-teleport-dev-roles.mdx

@@ -168,6 +168,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.allow.request.thresholds items
 
@@ -358,6 +359,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.deny.request.thresholds items
 
@@ -651,6 +653,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.allow.request.thresholds items
 
@@ -841,6 +844,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.deny.request.thresholds items
 

docs/pages/reference/infrastructure-as-code/operator-resources/resources-teleport-dev-rolesv6.mdx

@@ -168,6 +168,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.allow.request.thresholds items
 
@@ -358,6 +359,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.deny.request.thresholds items
 

docs/pages/reference/infrastructure-as-code/operator-resources/resources-teleport-dev-rolesv7.mdx

@@ -168,6 +168,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.allow.request.thresholds items
 
@@ -358,6 +359,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.deny.request.thresholds items
 

docs/pages/reference/infrastructure-as-code/operator-resources/resources-teleport-dev-rolesv8.mdx

@@ -168,6 +168,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.allow.request.thresholds items
 
@@ -358,6 +359,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |Field|Type|Description|
 |---|---|---|
 |mode|string|Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.|
+|prompt|string|Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.|
 
 ### spec.deny.request.thresholds items
 

docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/role.mdx

@@ -196,6 +196,7 @@ Optional:
 Optional:
 
 - `mode` (String) Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
+- `prompt` (String) Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
 
 
 ### Nested Schema for `spec.allow.request.thresholds`
@@ -404,6 +405,7 @@ Optional:
 Optional:
 
 - `mode` (String) Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
+- `prompt` (String) Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
 
 
 ### Nested Schema for `spec.deny.request.thresholds`

docs/pages/reference/infrastructure-as-code/terraform-provider/resources/role.mdx

@@ -258,6 +258,7 @@ Optional:
 Optional:
 
 - `mode` (String) Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
+- `prompt` (String) Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
 
 
 ### Nested Schema for `spec.allow.request.thresholds`
@@ -466,6 +467,7 @@ Optional:
 Optional:
 
 - `mode` (String) Mode can be either "required" or "optional". Empty string is treated as "optional". If a role has the request reason mode set to "required", then reason is required for all Access Requests requesting roles or resources allowed by this role. It applies only to users who have this role assigned.
+- `prompt` (String) Prompt is a custom message prompted to the user for the requested roles or resources searchable as other roles. This is only applied to the requested roles and resources specifying the prompt.
 
 
 ### Nested Schema for `spec.deny.request.thresholds`

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -404,6 +404,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the
@@ -1015,6 +1021,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the
@@ -1923,6 +1935,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the
@@ -2534,6 +2552,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -407,6 +407,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the
@@ -1018,6 +1024,12 @@ spec:
                               or resources allowed by this role. It applies only to
                               users who have this role assigned.
                             type: string
+                          prompt:
+                            description: Prompt is a custom message prompted to the
+                              user for the requested roles or resources searchable
+                              as other roles. This is only applied to the requested
+                              roles and resources specifying the prompt.
+                            type: string
                         type: object
                       roles:
                         description: Roles is the name of roles which will match the