
Reference for the teleport_workload_identity Terraform resource

Example Usage

resource "teleport_workload_identity" "example" {
  version = "v1"
  metadata = {
    name = "example"
  }
  spec = {
    rules = {
      allow = [
        {
          conditions = [{
            attribute = "user.name"
            eq = {
              value = "my-user"
            }
          }]
        }
      ]
    }
    spiffe = {
      id   = "/my/spiffe/id/path"
      hint = "my-hint"
    }
  }
}

Schema

Optional

  • metadata (Attributes) Common metadata that all resources share. (see below for nested schema)
  • spec (Attributes) The configured properties of the WorkloadIdentity (see below for nested schema)
  • sub_kind (String) Differentiates variations of the same kind. All resources should contain one, even if it is never populated.
  • version (String) The version of the resource being represented.

Nested Schema for metadata

Optional:

  • description (String) description is the object description.
  • expires (String) expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) labels is a set of labels.
  • name (String) name is the object name.

Nested Schema for spec

Optional:

  • rules (Attributes) The rules which are evaluated before the WorkloadIdentity can be issued. (see below for nested schema)
  • spiffe (Attributes) Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials. (see below for nested schema)

Nested Schema for spec.rules

Optional:

  • allow (Attributes List) A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed. (see below for nested schema)

Nested Schema for spec.rules.allow

Optional:

  • conditions (Attributes List) The conditions that must be met for this rule to be considered passed. (see below for nested schema)

Nested Schema for spec.rules.allow.conditions

Optional:

  • attribute (String) The name of the attribute to evaluate the condition against.
  • eq (Attributes) The attribute, cast to a string, must be equal to the value. (see below for nested schema)
  • in (Attributes) The attribute, cast to a string, must be in the list of values. (see below for nested schema)
  • not_eq (Attributes) The attribute, cast to a string, must not be equal to the value. (see below for nested schema)
  • not_in (Attributes) The attribute, cast to a string, must not be in the list of values. (see below for nested schema)

Nested Schema for spec.rules.allow.conditions.eq

Optional:

  • value (String) The value to compare the attribute against.

Nested Schema for spec.rules.allow.conditions.in

Optional:

  • values (List of String) The list of values to compare the attribute against.

Nested Schema for spec.rules.allow.conditions.not_eq

Optional:

  • value (String) The value to compare the attribute against.

Nested Schema for spec.rules.allow.conditions.not_in

Optional:

  • values (List of String) The list of values to compare the attribute against.

Nested Schema for spec.spiffe

Optional:

  • hint (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
  • id (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash ("/"). This field supports templating using attributes.
  • x509 (Attributes) Configuration specific to X509-SVIDs. (see below for nested schema)

Nested Schema for spec.spiffe.x509

Optional:

  • dns_sans (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes.
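The following resource is an added example, not taken from the provider's documentation or the Teleport project, that ties the nested schema above together: two allow rules (the rules list is OR-ed, the conditions inside one rule are AND-ed), the in, eq and not_in condition operators, a templated SPIFFE ID path and an X509-SVID DNS SAN. The user.name attribute comes from the page's own example; the attribute names workload.kubernetes.namespace and workload.kubernetes.service_account, and the "{{ ... }}" templating syntax, are assumptions that should be checked against the Teleport attribute and templating reference before use.

```hcl
resource "teleport_workload_identity" "billing_api" {
  version = "v1"

  metadata = {
    name        = "billing-api"
    description = "SPIFFE identity for the billing API workload"
    labels = {
      team = "payments"
    }
  }

  spec = {
    rules = {
      # The allow list is OR-ed: at least one rule must pass for issuance.
      # Every condition inside a single rule must hold (AND).
      allow = [
        {
          # Rule 1: a fixed set of operators may request this identity.
          conditions = [
            {
              attribute = "user.name"
              in = {
                values = ["alice", "bob"]
              }
            }
          ]
        },
        {
          # Rule 2: workloads in the "payments" namespace, excluding the
          # catch-all and debugging service accounts.
          # NOTE: these two attribute names are assumed for this example and
          # are not taken from the page; verify them against Teleport's docs.
          conditions = [
            {
              attribute = "workload.kubernetes.namespace"
              eq = {
                value = "payments"
              }
            },
            {
              attribute = "workload.kubernetes.service_account"
              not_in = {
                values = ["default", "debug"]
              }
            }
          ]
        }
      ]
    }

    spiffe = {
      # The id path must start with "/". The "{{ user.name }}" placeholder is
      # an assumed templating syntax for attribute substitution (see lead-in).
      id   = "/svc/billing-api/{{ user.name }}"
      hint = "billing-api"
      x509 = {
        # DNS SAN placed in the X509-SVID; this field also supports templating.
        dns_sans = ["billing-api.payments.svc.cluster.local"]
      }
    }
  }
}
```

Keeping each rule narrow (a concrete namespace plus an explicit deny-list of service accounts) is what prevents the OR across rules from widening who can obtain the credential; a rule with an empty conditions list would pass for every caller, so review each allow entry for that case when adding rules.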