gravitational · bernardjkim · Dec 19, 2025 · Nov 13, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -3520,7 +3520,7 @@ message RoleV6 {
   // SubKind is an optional resource sub kind, used in some resources
   string SubKind = 2 [(gogoproto.jsontag) = "sub_kind,omitempty"];
   // Version is the resource version. It must be specified.
-  // Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`.
+  // Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`, `v8`.
   string Version = 3 [(gogoproto.jsontag) = "version"];
   // Metadata is resource metadata
   Metadata Metadata = 4 [

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/...pages/reference/infrastructure-as-code/terraform-provider/data-sources/role.mdx b/...pages/reference/infrastructure-as-code/terraform-provider/data-sources/role.mdx
@@ -19,7 +19,7 @@ Teleport Terraform provider.
 
 ### Required
 
-- `version` (String) Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`.
+- `version` (String) Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`, `v8`.
 
 ### Optional
 

diff --git a/docs/pages/reference/infrastructure-as-code/terraform-provider/resources/role.mdx b/docs/pages/reference/infrastructure-as-code/terraform-provider/resources/role.mdx
@@ -18,7 +18,7 @@ This page describes the supported values of the teleport_role resource of the Te
 # Teleport Role resource
 
 resource "teleport_role" "example" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name        = "example"
     description = "Example Teleport Role"
@@ -81,7 +81,7 @@ resource "teleport_role" "example" {
 
 ### Required
 
-- `version` (String) Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`.
+- `version` (String) Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`, `v8`.
 
 ### Optional
 

diff --git a/integrations/terraform/examples/resources/teleport_role/resource.tf b/integrations/terraform/examples/resources/teleport_role/resource.tf
@@ -1,7 +1,7 @@
 # Teleport Role resource
 
 resource "teleport_role" "example" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name        = "example"
     description = "Example Teleport Role"

diff --git a/integrations/terraform/protoc-gen-terraform-teleport.yaml b/integrations/terraform/protoc-gen-terraform-teleport.yaml
@@ -473,7 +473,7 @@ validators:
   ProvisionTokenV2.Version:
     - UseVersionBetween(2,2)
   RoleV6.Version:
-    - UseVersionBetween(3,7)
+    - UseVersionBetween(3,8)
   SAMLConnectorV2.Version:
     - UseVersionBetween(2,2)
   SAMLConnectorV2.Spec:

diff --git a/integrations/terraform/reference.mdx b/integrations/terraform/reference.mdx
@@ -111,6 +111,7 @@ To mitigate this, you should explicitly set the resource version.
   - v12 default role version is `v5`
   - v13 default role version is `v6`
   - v14 default role version is `v7`
+  - v18+ default role version is `v8`
 
   For example, before upgrading from v12 to v13, edit every unversioned role
   to pin the `v5` version:
@@ -1649,7 +1650,7 @@ resource "teleport_provision_token" "iam-token" {
 | metadata | object |          | Metadata is resource metadata                                                                              |
 | spec     | object |          | Spec is a role specification                                                                               |
 | sub_kind | string |          | SubKind is an optional resource sub kind, used in some resources                                           |
-| version  | string | *        | Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`. |
+| version  | string | *        | Version is the resource version. It must be specified. Supported values are: `v3`, `v4`, `v5`, `v6`, `v7`, `v8`. |
 
 ### metadata
 

diff --git a/integrations/terraform/testlib/fixtures/role_0_create.tf b/integrations/terraform/testlib/fixtures/role_0_create.tf
@@ -1,5 +1,5 @@
 resource "teleport_role" "test" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name = "test"
   }

diff --git a/integrations/terraform/testlib/fixtures/role_1_update.tf b/integrations/terraform/testlib/fixtures/role_1_update.tf
@@ -1,5 +1,5 @@
 resource "teleport_role" "test" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name        = "test"
     description = ""

diff --git a/integrations/terraform/testlib/fixtures/role_2_update.tf b/integrations/terraform/testlib/fixtures/role_2_update.tf
@@ -1,5 +1,5 @@
 resource "teleport_role" "test" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name        = "test"
     description = "Test role"

diff --git a/integrations/terraform/testlib/fixtures/role_3_update.tf b/integrations/terraform/testlib/fixtures/role_3_update.tf
@@ -1,5 +1,5 @@
 resource "teleport_role" "test" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name    = "test"
     expires = "2032-12-12T00:00:00Z"

diff --git a/integrations/terraform/testlib/fixtures/role_data_source.tf b/integrations/terraform/testlib/fixtures/role_data_source.tf
@@ -1,6 +1,6 @@
 data "teleport_role" "test" {
   kind    = "role"
-  version = "v7"
+  version = "v8"
   metadata = {
     name = "test"
   }

diff --git a/integrations/terraform/testlib/fixtures/role_drift_0.tf b/integrations/terraform/testlib/fixtures/role_drift_0.tf
@@ -1,5 +1,5 @@
 resource "teleport_role" "splitbrain" {
-  version = "v7"
+  version = "v8"
   metadata = {
     name = "splitbrain"
   }

diff --git a/integrations/terraform/testlib/fixtures/role_reviewers_0_two_roles.tf b/integrations/terraform/testlib/fixtures/role_reviewers_0_two_roles.tf
@@ -12,5 +12,5 @@ resource "teleport_role" "test_decrease_reviewers" {
     }
   }
 
-  version = "v6"
+  version = "v8"
 }
diff --git a/integrations/terraform/testlib/fixtures/role_reviewers_1_one_role.tf b/integrations/terraform/testlib/fixtures/role_reviewers_1_one_role.tf
@@ -12,5 +12,5 @@ resource "teleport_role" "test_decrease_reviewers" {
     }
   }
 
-  version = "v6"
+  version = "v8"
 }
diff --git a/integrations/terraform/testlib/fixtures/role_upgrade_v8.tf b/integrations/terraform/testlib/fixtures/role_upgrade_v8.tf
@@ -0,0 +1,17 @@
+resource "teleport_role" "upgrade" {
+  metadata = {
+    name = "upgrade"
+  }
+
+  spec = {
+    allow = {
+      logins = ["onev8"]
+      kubernetes_labels = {
+        env = ["dev", "prod"]
+      }
+    }
+  }
+
+  version = "v8"
+}
+
diff --git a/...tlib/fixtures/role_with_kube_resources.tf → ...b/fixtures/role_with_kube_resources_v6.tf b/...tlib/fixtures/role_with_kube_resources.tf → ...b/fixtures/role_with_kube_resources_v6.tf
@@ -1,6 +1,6 @@
-resource "teleport_role" "upgrade" {
+resource "teleport_role" "kube_resources_v6" {
   metadata = {
-    name = "upgrade"
+    name = "kube_resources_v6"
   }
 
   spec = {

diff --git a/integrations/terraform/testlib/fixtures/role_with_kube_resources_v7.tf b/integrations/terraform/testlib/fixtures/role_with_kube_resources_v7.tf
@@ -0,0 +1,27 @@
+
+resource "teleport_role" "kube_resources_v7" {
+  metadata = {
+    name = "kube_resources_v7"
+  }
+
+  spec = {
+    allow = {
+      logins = ["onev7"]
+
+      kubernetes_labels = {
+        env = ["dev", "prod"]
+      }
+
+      kubernetes_resources = [
+        {
+          kind      = "deployment"
+          name      = "*"
+          namespace = "myns"
+          verbs     = ["get"]
+        }
+      ]
+    }
+  }
+
+  version = "v7"
+}
diff --git a/integrations/terraform/testlib/fixtures/role_with_kube_resources_v8.tf b/integrations/terraform/testlib/fixtures/role_with_kube_resources_v8.tf
@@ -0,0 +1,34 @@
+
+resource "teleport_role" "kube_resources_v8" {
+  metadata = {
+    name = "kube_resources_v8"
+  }
+
+  spec = {
+    allow = {
+      logins = ["onev8"]
+
+      kubernetes_labels = {
+        env = ["dev", "prod"]
+      }
+
+      kubernetes_resources = [
+        {
+          kind      = "pods"
+          name      = "*"
+          namespace = "myns"
+          verbs     = ["get"]
+        },
+        {
+          kind      = "deployments"
+          api_group = "apps"
+          name      = "*"
+          namespace = "myns"
+          verbs     = ["get"]
+        }
+      ]
+    }
+  }
+
+  version = "v8"
+}
diff --git a/integrations/terraform/testlib/fixtures/role_with_kube_verbs.tf b/integrations/terraform/testlib/fixtures/role_with_kube_verbs.tf
@@ -5,10 +5,10 @@ resource "teleport_role" "kube_verbs" {
 
   spec = {
     allow = {
-      logins = ["onev6"]
+      logins = ["onev8"]
       kubernetes_resources = [
         {
-          kind      = "pod"
+          kind      = "pods"
           name      = "*"
           namespace = "myns"
           verbs     = ["get", "watch", "list"]
@@ -17,5 +17,5 @@ resource "teleport_role" "kube_verbs" {
     }
   }
 
-  version = "v7"
+  version = "v8"
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,5 +12,5 @@ resource "teleport_role" "test_decrease_reviewers" { @@
         }
       }
-      version = "v6"
+      version = "v8"
     }