Reference for the teleport_provision_token Terraform resource

Report an issue with this page

This page describes the supported values of the teleport_provision_token resource of the Teleport Terraform provider.

Example Usage

# Teleport Provision Token resource

resource "teleport_provision_token" "example" {
  metadata = {
    expires     = "2022-10-12T07:20:51Z"
    description = "Example token"

    labels = {
      example               = "yes"
      "teleport.dev/origin" = "dynamic" // This label is added on Teleport side by default
    }
  }

  spec = {
    roles = ["Node", "Auth"]
  }
}

resource "teleport_provision_token" "iam-token" {
  metadata = {
    name = "iam-token"
  }
  spec = {
    roles       = ["Bot"]
    bot_name    = "mybot"
    join_method = "iam"
    allow = [{
      aws_account = "123456789012"
    }]
  }
}

Schema

Required

• spec (Attributes) Spec is a provisioning token V2 spec (see below for nested schema)
• version (String) Version is the resource version. It must be specified. Supported values are:v2.

Optional

• metadata (Attributes) Metadata is resource metadata (see below for nested schema)
• status (Attributes) Status is extended status information, depending on token type. It is not user writable. (see below for nested schema)
• sub_kind (String) SubKind is an optional resource sub kind, used in some resources

Nested Schema for spec

Required:

• roles (List of String) Roles is a list of roles associated with the token, that will be converted to metadata in the SSH and X509 certificates issued to the user of the token

Optional:

• allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• aws_iid_ttl (String) AWSIIDTTL is the TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token.
• azure (Attributes) Azure allows the configuration of options specific to the "azure" join method. (see below for nested schema)
• azure_devops (Attributes) AzureDevops allows the configuration of options specific to the "azure_devops" join method. (see below for nested schema)
• bitbucket (Attributes) Bitbucket allows the configuration of options specific to the "bitbucket" join method. (see below for nested schema)
• bot_name (String) BotName is the name of the bot this token grants access to, if any
• bound_keypair (Attributes) BoundKeypair allows the configuration of options specific to the "bound_keypair" join method. (see below for nested schema)
• circleci (Attributes) CircleCI allows the configuration of options specific to the "circleci" join method. (see below for nested schema)
• gcp (Attributes) GCP allows the configuration of options specific to the "gcp" join method. (see below for nested schema)
• github (Attributes) GitHub allows the configuration of options specific to the "github" join method. (see below for nested schema)
• gitlab (Attributes) GitLab allows the configuration of options specific to the "gitlab" join method. (see below for nested schema)
• join_method (String) JoinMethod is the joining method required in order to use this token. Supported joining methods include: azure, circleci, ec2, gcp, github, gitlab, iam, kubernetes, spacelift, token, tpm
• kubernetes (Attributes) Kubernetes allows the configuration of options specific to the "kubernetes" join method. (see below for nested schema)
• oracle (Attributes) Oracle allows the configuration of options specific to the "oracle" join method. (see below for nested schema)
• spacelift (Attributes) Spacelift allows the configuration of options specific to the "spacelift" join method. (see below for nested schema)
• suggested_agent_matcher_labels (Map of List of String) SuggestedAgentMatcherLabels is a set of labels to be used by agents to match on resources. When an agent uses this token, the agent should monitor resources that match those labels. For databases, this means adding the labels to db_service.resources.labels. Currently, only node-join scripts create a configuration according to the suggestion.
• suggested_labels (Map of List of String) SuggestedLabels is a set of labels that resources should set when using this token to enroll themselves in the cluster. Currently, only node-join scripts create a configuration according to the suggestion.
• terraform_cloud (Attributes) TerraformCloud allows the configuration of options specific to the "terraform_cloud" join method. (see below for nested schema)
• tpm (Attributes) TPM allows the configuration of options specific to the "tpm" join method. (see below for nested schema)

Nested Schema for spec.allow

Optional:

• aws_account (String) AWSAccount is the AWS account ID.
• aws_arn (String) AWSARN is used for the IAM join method, the AWS identity of joining nodes must match this ARN. Supports wildcards "*" and "?".
• aws_regions (List of String) AWSRegions is used for the EC2 join method and is a list of AWS regions a node is allowed to join from.
• aws_role (String) AWSRole is used for the EC2 join method and is the ARN of the AWS role that the Auth Service will assume in order to call the ec2 API.

Nested Schema for spec.azure

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)

Nested Schema for spec.azure.allow

Optional:

• resource_groups (List of String) ResourceGroups is a list of Azure resource groups the node is allowed to join from.
• subscription (String) Subscription is the Azure subscription.

Nested Schema for spec.azure_devops

Optional:

• allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. At least one allow rule must be specified. (see below for nested schema)
• organization_id (String) OrganizationID specifies the UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field.

Nested Schema for spec.azure_devops.allow

Optional:

• definition_id (String) The ID of the AZDO pipeline definition. Example: 1 Mapped from the def_id claim.
• pipeline_name (String) The name of the AZDO pipeline. Example: my-pipeline. Mapped out of the sub claim.
• project_id (String) The ID of the AZDO pipeline. Example: 271ef6f7-0000-0000-0000-4b54d9129990 Mapped from the prj_id claim.
• project_name (String) The name of the AZDO project. Example: my-project. Mapped out of the sub claim.
• repository_ref (String) The reference of the repository the pipeline is using. Example: refs/heads/main. Mapped from the rpo_ref claim.
• repository_uri (String) The URI of the repository the pipeline is using. Example: https://github.com/gravitational/teleport.git. Mapped from the rpo_uri claim.
• repository_version (String) The individual commit of the repository the pipeline is using. Example: e6b9eb29a288b27a3a82cc19c48b9d94b80aff36. Mapped from the rpo_ver claim.
• sub (String) Sub also known as Subject is a string that roughly uniquely identifies the workload. Example: p://my-organization/my-project/my-pipeline Mapped from the sub claim.

Nested Schema for spec.bitbucket

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• audience (String) Audience is a Bitbucket-specified audience value for this token. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.
• identity_provider_url (String) IdentityProviderURL is a Bitbucket-specified issuer URL for incoming OIDC tokens. It is unique to each Bitbucket repository, and must be set to the value as written in the Pipelines -> OpenID Connect section of the repository settings.

Nested Schema for spec.bitbucket.allow

Optional:

• branch_name (String) BranchName is the name of the branch on which this pipeline executed.
• deployment_environment_uuid (String) DeploymentEnvironmentUUID is the UUID of the deployment environment targeted by this pipelines run, if any. These values may be found in the "Pipelines -> OpenID Connect -> Deployment environments" section of the repository settings.
• repository_uuid (String) RepositoryUUID is the UUID of the repository for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. {...}. This value may be found in the Pipelines -> OpenID Connect section of the repository settings.
• workspace_uuid (String) WorkspaceUUID is the UUID of the workspace for which this token was issued. Bitbucket UUIDs must begin and end with braces, e.g. {...}. This value may be found in the Pipelines -> OpenID Connect section of the repository settings.

Nested Schema for spec.bound_keypair

Optional:

• onboarding (Attributes) Onboarding contains parameters related to initial onboarding and keypair registration. (see below for nested schema)
• recovery (Attributes) Recovery contains parameters related to recovery after identity expiration. (see below for nested schema)
• rotate_after (String) RotateAfter is an optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If LastRotatedAt is unset or before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt.

Nested Schema for spec.bound_keypair.onboarding

Optional:

• initial_public_key (String) InitialPublicKey is used to preregister a public key generated by tbot keypair create. When set, no initial join secret is generated or made available for use, and clients must have the associated private key available to join. If set, initial_join_secret and must_register_before are ignored. This value is written in SSH authorized_keys format.
• must_register_before (String) MustRegisterBefore is an optional time before which registeration via initial join secret must be performed. Attempts to register using an initial join secret after this timestamp will not be allowed. This may be modified after creation if necessary to allow the initial registration to take place. This value is ignored if initial_public_key is set.
• registration_secret (String) RegistrationSecret is a secret joining clients may use to register their public key on first join, which may be used instead of preregistering a public key with initial_public_key. If initial_public_key is set, this value is ignored. Otherwise, if set, this value will be used to populate .status.bound_keypair.intitial_join_secret. If unset and no initial_public_key is provided, a random secure value will be generated server-side to populate the status field.

Nested Schema for spec.bound_keypair.recovery

Optional:

• limit (Number) Limit is the maximum number of allowed recovery attempts. This value may be raised or lowered after creation to allow additional recovery attempts should the initial limit be exhausted. If mode is set to standard, recovery attempts will only be allowed if .status.bound_keypair.recovery_count is less than this limit. This limit is not enforced if mode is set to relaxed or insecure. This value must be at least 1 to allow for the initial join during onboarding, which counts as a recovery.
• mode (String) Mode sets the recovery rule enforcement mode. It may be one of these values: - standard (or unset): all configured rules enforced. The recovery limit and client join state are required and verified. This is the most secure recovery mode. - relaxed: recovery limit is not enforced, but client join state is still required. This effectively allows unlimited recovery attempts, but client join state still helps mitigate stolen credentials. - insecure: neither the recovery limit nor client join state are enforced. This allows any client with the private key to join freely. This is less secure, but can be useful in certain situations, like in otherwise unsupported CI/CD providers. This mode should be used with care, and RBAC rules should be configured to heavily restrict which resources this identity can access.

Nested Schema for spec.circleci

Optional:

• allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• organization_id (String)

Nested Schema for spec.circleci.allow

Optional:

• context_id (String)
• project_id (String)

Nested Schema for spec.gcp

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)

Nested Schema for spec.gcp.allow

Optional:

• locations (List of String) Locations is a list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
• project_ids (List of String) ProjectIDs is a list of project IDs (e.g. <example-id-123456>).
• service_accounts (List of String) ServiceAccounts is a list of service account emails (e.g. <project-number>-compute@developer.gserviceaccount.com).

Nested Schema for spec.github

Optional:

• allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• enterprise_server_host (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service.
• enterprise_slug (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the include_enterprise_slug option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if enterprise_server_host is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values.
• static_jwks (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Service.

Nested Schema for spec.github.allow

Optional:

• actor (String) The personal account that initiated the workflow run.
• environment (String) The name of the environment used by the job.
• ref (String) The git ref that triggered the workflow run.
• ref_type (String) The type of ref, for example: "branch".
• repository (String) The repository from where the workflow is running. This includes the name of the owner e.g gravitational/teleport
• repository_owner (String) The name of the organization in which the repository is stored.
• sub (String) Sub also known as Subject is a string that roughly uniquely identifies the workload. The format of this varies depending on the type of github action run.
• workflow (String) The name of the workflow.

Nested Schema for spec.gitlab

Optional:

• allow (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• domain (String) Domain is the domain of your GitLab instance. This will default to gitlab.com - but can be set to the domain of your self-hosted GitLab e.g gitlab.example.com.
• static_jwks (String) StaticJWKS disables fetching of the GitLab signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitLab CI instances that are not reachable by the Teleport Auth Service.

Nested Schema for spec.gitlab.allow

Optional:

• ci_config_ref_uri (String) CIConfigRefURI is the ref path to the top-level pipeline definition, for example, gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main.
• ci_config_sha (String) CIConfigSHA is the git commit SHA for the ci_config_ref_uri.
• deployment_tier (String) DeploymentTier is the deployment tier of the environment the job specifies
• environment (String) Environment limits access by the environment the job deploys to (if one is associated)
• environment_protected (Boolean) EnvironmentProtected is true if the Git ref is protected, false otherwise.
• namespace_path (String) NamespacePath is used to limit access to jobs in a group or user's projects. Example: mygroup This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
• pipeline_source (String) PipelineSource limits access by the job pipeline source type. https://docs.gitlab.com/ee/ci/jobs/job_control.html#common-if-clauses-for-rules Example: web
• project_path (String) ProjectPath is used to limit access to jobs belonging to an individual project. Example: mygroup/myproject This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
• project_visibility (String) ProjectVisibility is the visibility of the project where the pipeline is running. Can be internal, private, or public.
• ref (String) Ref allows access to be limited to jobs triggered by a specific git ref. Ensure this is used in combination with ref_type. This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
• ref_protected (Boolean) RefProtected is true if the Git ref is protected, false otherwise.
• ref_type (String) RefType allows access to be limited to jobs triggered by a specific git ref type. Example: branch or tag
• sub (String) Sub roughly uniquely identifies the workload. Example: project_path:mygroup/my-project:ref_type:branch:ref:main project_path:GROUP/PROJECT:ref_type:TYPE:ref:BRANCH_NAME This field supports "glob-style" matching: - Use '*' to match zero or more characters. - Use '?' to match any single character.
• user_email (String) UserEmail is the email of the user executing the job
• user_id (String) UserID is the ID of the user executing the job
• user_login (String) UserLogin is the username of the user executing the job

Nested Schema for spec.kubernetes

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• static_jwks (Attributes) StaticJWKS is the configuration specific to the static_jwks type. (see below for nested schema)
• type (String) Type controls which behavior should be used for validating the Kubernetes Service Account token. Support values: - in_cluster - static_jwks If unset, this defaults to in_cluster.

Nested Schema for spec.kubernetes.allow

Optional:

• service_account (String) ServiceAccount is the namespaced name of the Kubernetes service account. Its format is "namespace:service-account".

Nested Schema for spec.kubernetes.static_jwks

Optional:

• jwks (String) JWKS should be the JSON Web Key Set formatted public keys of that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server.

Nested Schema for spec.oracle

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)

Nested Schema for spec.oracle.allow

Optional:

• parent_compartments (List of String) ParentCompartments is a list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.
• regions (List of String) Regions is a list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.
• tenancy (String) Tenancy is the OCID of the instance's tenancy. Required.

Nested Schema for spec.spacelift

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• hostname (String) Hostname is the hostname of the Spacelift tenant that tokens will originate from. E.g example.app.spacelift.io

Nested Schema for spec.spacelift.allow

Optional:

• caller_id (String) CallerID is the ID of the caller, ie. the stack or module that generated the run.
• caller_type (String) CallerType is the type of the caller, ie. the entity that owns the run - either stack or module.
• scope (String) Scope is the scope of the token - either read or write. See https://docs.spacelift.io/integrations/cloud-providers/oidc/#about-scopes
• space_id (String) SpaceID is the ID of the space in which the run that owns the token was executed.

Nested Schema for spec.terraform_cloud

Optional:

• allow (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see below for nested schema)
• audience (String) Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo is set in Terraform Cloud, this value should be foo. If the variable is set to match the cluster name, it does not need to be set here.
• hostname (String) Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be app.terraform.io. Otherwise, it must both match the iss (issuer) field included in JWTs, and provide standard JWKS endpoints.

Nested Schema for spec.terraform_cloud.allow

Optional:

• organization_id (String) OrganizationID is the ID of the HCP Terraform organization. At least one organization value is required, either ID or name.
• organization_name (String) OrganizationName is the human-readable name of the HCP Terraform organization. At least one organization value is required, either ID or name.
• project_id (String) ProjectID is the ID of the HCP Terraform project. At least one project or workspace value is required, either ID or name.
• project_name (String) ProjectName is the human-readable name for the HCP Terraform project. At least one project or workspace value is required, either ID or name.
• run_phase (String) RunPhase is the phase of the run the token was issued for, e.g. plan or apply
• workspace_id (String) WorkspaceID is the ID of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name.
• workspace_name (String) WorkspaceName is the human-readable name of the HCP Terraform workspace. At least one project or workspace value is required, either ID or name.

Nested Schema for spec.tpm

Optional:

• allow (Attributes List) Allow is a list of Rules, the presented delegated identity must match one allow rule to permit joining. (see below for nested schema)
• ekcert_allowed_cas (List of String) EKCertAllowedCAs is a list of CA certificates that will be used to validate TPM EKCerts. When specified, joining TPMs must present an EKCert signed by one of the specified CAs. TPMs that do not present an EKCert will be not permitted to join. When unspecified, TPMs will be allowed to join with either an EKCert or an EKPubHash.

Nested Schema for spec.tpm.allow

Optional:

• description (String) Description is a human-readable description of the rule. It has no bearing on whether or not a TPM is allowed to join, but can be used to associate a rule with a specific host (e.g the asset tag of the server in which the TPM resides). Example: "build-server-100"
• ek_certificate_serial (String) EKCertificateSerial is the serial number of the EKCert in hexadecimal with colon separated nibbles. This value will not be checked when a TPM does not have an EKCert configured. Example: 73:df:dc:bd:af:ef:8a:d8:15:2e:96:71:7a:3e:7f:a4
• ek_public_hash (String) EKPublicHash is the SHA256 hash of the EKPub marshaled in PKIX format and encoded in hexadecimal. This value will also be checked when a TPM has submitted an EKCert, and the public key in the EKCert will be used for this check. Example: d4b45864d9d6fabfc568d74f26c35ababde2105337d7af9a6605e1c56c891aa6

Nested Schema for metadata

Optional:

• description (String) Description is object description
• expires (String) Expires is a global expiry time header can be set on any resource in the system.
• labels (Map of String) Labels is a set of labels
• name (String, Sensitive) Name is an object name

Nested Schema for status

Optional:

• bound_keypair (Attributes) BoundKeypair contains status information related to bound_keypair type tokens. (see below for nested schema)

Nested Schema for status.bound_keypair

Optional:

• bound_bot_instance_id (String) BoundBotInstanceID is the ID of the currently associated bot instance. A new bot instance is issued on each join; the new bot instance will have a previous_bot_instance set to this value, if any.
• bound_public_key (String) BoundPublicKey contains the currently bound public key. If .spec.bound_keypair.onboarding.initial_public_key is set, that value will be copied here on creation, otherwise it will be populated as part of public key registration process. This value will be updated over time if keypair rotation takes place, and will always reflect the currently trusted public key. This value is written in SSH authorized_keys format.
• last_recovered_at (String) LastRecoveredAt contains a timestamp of the last successful recovery attempt. Note that normal renewals do not count as a recovery attempt, however onboarding does, either with a preregistered key or registration secret. This corresponds with the last time bound_bot_instance_id was updated.
• last_rotated_at (String) LastRotatedAt contains a timestamp of the last time the keypair was rotated, if any. This is not set at initial join.
• recovery_count (Number) RecoveryCount is a count of the total number of recoveries performed using this token. It is incremented for every successful join or rejoin. Recovery is only allowed if this value is less than .spec.bound_keypair.recovery.limit, or if the recovery mode is relaxed or insecure.
• registration_secret (String) RegistrationSecret contains a secret value that may be used for public key registration during the initial join process if no public key is preregistered. If .spec.bound_keypair.onboarding.initial_public_key is set, †his field will remain empty. Otherwise, if .spec.bound_keypair.onboarding.registration_secret is set, that value will be copied here. If that field is unset, a value will be randomly generated.