
Reference for the teleport_oidc_connector Terraform resource

Example Usage

# Teleport OIDC connector
# 
# Please note that the OIDC connector will work in Teleport Enterprise only.

variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
  version = "v3"
  metadata = {
    name = "example"
    labels = {
      test = "yes"
    }
  }

  spec = {
    client_id     = "client"
    client_secret = var.oidc_secret

    claims_to_roles = [{
      claim = "test"
      roles = ["terraform"]
    }]

    redirect_url = ["https://example.com/redirect"]
  }
}

Schema

Required

  • spec (Attributes) Spec is an OIDC connector specification. (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are: v3.

Optional

  • metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources.

Nested Schema for spec

Optional:

  • acr_values (String) ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
  • allow_unverified_email (Boolean) AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
  • claims_to_roles (Attributes List) ClaimsToRoles specifies a dynamic mapping from claims to roles. (see below for nested schema)
  • client_id (String) ClientID is the id of the authentication client (Teleport Auth Service).
  • client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
  • client_secret (String, Sensitive) ClientSecret is used to authenticate the client.
  • display (String) Display is the friendly name for this provider.
  • google_admin_email (String) GoogleAdminEmail is the email of a Google admin to impersonate.
  • google_service_account (String, Sensitive) GoogleServiceAccount is a string containing Google service account credentials.
  • google_service_account_uri (String) GoogleServiceAccountURI is a path to a Google service account URI.
  • issuer_url (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
  • max_age (String)
  • prompt (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
  • provider (String) Provider is the external identity provider.
  • redirect_url (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
  • scope (List of String) Scope specifies additional scopes set by provider.
  • username_claim (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

Nested Schema for spec.claims_to_roles

Optional:

  • claim (String) Claim is a claim name.
  • roles (List of String) Roles is a list of static teleport roles to match.
  • value (String) Value is a claim value to match.

Nested Schema for spec.client_redirect_settings

Optional:

  • allowed_https_hostnames (List of String) A list of hostnames allowed for HTTPS client redirect URLs.
  • insecure_allowed_cidr_ranges (List of String) A list of CIDRs allowed for HTTP or HTTPS client redirect URLs.
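A fuller configuration, added here as an example and not taken from the Teleport provider docs, that maps a specific claim value to a Teleport role, pins the redirect URL list and restricts non-browser client redirects to a single HTTPS host. The issuer, hostnames, client id, claim and group names are placeholders; "editor" and "access" are Teleport preset roles.

```hcl
# Added example (not from the Teleport docs): map a "groups" claim value
# to a Teleport role and restrict non-browser client redirects to one
# HTTPS host. Hostnames, client id, claim and group names are placeholders.
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "teleport_oidc_connector" "corp_idp" {
  version = "v3"
  metadata = {
    name = "corp-idp"
  }

  spec = {
    issuer_url    = "https://idp.example.com"
    client_id     = "teleport-proxy"
    client_secret = var.oidc_client_secret

    # Request only the claims the role mapping needs.
    scope          = ["openid", "email", "groups"]
    username_claim = "email"

    # Match on claim and value so only members of a specific group get the role.
    claims_to_roles = [
      {
        claim = "groups"
        value = "platform-admins"
        roles = ["editor"]
      },
      {
        claim = "groups"
        value = "developers"
        roles = ["access"]
      }
    ]

    # Must match the callback URLs registered at the provider; the first
    # entry is used when none matches the requesting Proxy's public address.
    redirect_url = ["https://teleport.example.com/v1/webapi/oidc/callback"]

    # Non-browser logins may redirect only to this host over HTTPS;
    # insecure_allowed_cidr_ranges is deliberately left unset.
    client_redirect_settings = {
      allowed_https_hostnames = ["cli.example.com"]
    }
  }
}
```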

Nested Schema for metadata

Required:

  • name (String) Name is the object name.

Optional:

  • description (String) Description is the object description.
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels.