
# Reference for the `teleport_scoped_role` Terraform data source

This page describes the supported values of the `teleport_scoped_role` data source of the Teleport Terraform provider.

## Schema

### Required

- `metadata` (Attributes) Metadata contains the resource metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `scope` (String) Scope is the scope of the role resource.
- `spec` (Attributes) Spec is the role specification. (see [below for nested schema](#nested-schema-for-spec))
- `version` (String) Version is the resource version.

### Optional

- `sub_kind` (String) SubKind is the resource sub-kind.

### Nested Schema for `metadata`

Required:

- `name` (String) name is an object name.

Optional:

- `description` (String) description is the object description.
- `expires` (String) expires is a global expiry time header that can be set on any resource in the system.
- `labels` (Map of String) labels is a set of labels.

### Nested Schema for `spec`

Required:

- `assignable_scopes` (List of String) AssignableScopes is a list of scopes to which this role can be assigned.

Optional:

- `defaults` (Attributes) Defaults specifies default values for controls common across multiple protocols. If the same control specified in defaults is also specified in a protocol block, the value in the protocol block takes precedence. (see [below for nested schema](#nested-schema-for-specdefaults))
- `kube` (Attributes) The kubernetes specific configuration for a scoped role. (see [below for nested schema](#nested-schema-for-speckube))
- `rules` (Attributes List) Rules describes basic resource:verb permissions (e.g. scoped\_role:read). (see [below for nested schema](#nested-schema-for-specrules))
- `ssh` (Attributes) Ssh specifies controls that govern SSH access. (see [below for nested schema](#nested-schema-for-specssh))
- `workload_identity` (Attributes) WorkloadIdentity specifies controls that govern issuance using WorkloadIdentity resources. (see [below for nested schema](#nested-schema-for-specworkload_identity))

### Nested Schema for `spec.defaults`

Optional:

- `client_idle_timeout` (String) ClientIdleTimeout sets the default idle timeout for access sessions across all protocols that do not specify their own value. Must be a valid Go duration string (e.g. "30m", "1h").
- `disconnect_expired_cert` (Boolean) DisconnectExpiredCert defines the default behavior of all protocols when certs expire for a session. If unset, cluster-wide defaults are used.
- `lock` (Attributes) Lock specifies the default locking mode for access sessions across all protocols that do not specify their own value. If unset, cluster-wide defaults are used. (see [below for nested schema](#nested-schema-for-specdefaultslock))
- `session_recording` (Attributes) SessionRecording configures the session recording strategy for all protocols that don't explicitly set their session recording mode. (see [below for nested schema](#nested-schema-for-specdefaultssession_recording))

### Nested Schema for `spec.defaults.lock`

Optional:

- `mode` (String) Allowed values: strict or best\_effort. Defaults to the cluster-wide auth preference value if not set.

### Nested Schema for `spec.defaults.session_recording`

Optional:

- `mode` (String) Mode sets the session recording mode. Allowed values: strict or best\_effort.

### Nested Schema for `spec.kube`

Optional:

- `client_idle_timeout` (String) Overrides the defaults block idle timeout specifically for kube sessions. Must be a valid Go duration string (e.g. "30m", "1h"). If empty, the defaults block value (or global default) applies.
- `disconnect_expired_cert` (Boolean) DisconnectExpiredCert controls whether Kube sessions are disconnected when the user certificate expires.
- `groups` (List of String) The list of kubernetes groups this role allows.
- `labels` (Attributes List) The map of kubernetes cluster labels used for RBAC. (see [below for nested schema](#nested-schema-for-speckubelabels))
- `lock` (Attributes) Lock configures the role's locking behavior for kubernetes sessions. (see [below for nested schema](#nested-schema-for-speckubelock))
- `users` (List of String) An optional list of impersonatable kubernetes users this role allows.

### Nested Schema for `spec.kube.labels`

Optional:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.

### Nested Schema for `spec.kube.lock`

Optional:

- `mode` (String) Allowed values: strict or best\_effort. Defaults to the cluster-wide auth preference value if not set.

### Nested Schema for `spec.rules`

Optional:

- `resources` (List of String) Resources is a list of resource kinds (e.g. 'scoped\_token') that the below verbs apply to.
- `verbs` (List of String) Verbs is the list of action verbs (e.g. 'read') that apply to the above resources.

### Nested Schema for `spec.ssh`

Optional:

- `client_idle_timeout` (String) ClientIdleTimeout overrides the defaults block idle timeout specifically for SSH sessions. Must be a valid Go duration string (e.g. "30m", "1h"). If empty, the defaults block value (or global default) applies.
- `disconnect_expired_cert` (Boolean) DisconnectExpiredCert controls whether SSH sessions are disconnected when the user certificate expires. Defaults to the cluster-wide auth preference value if not set.
- `enhanced_recording` (Attributes) EnhancedRecording is the set of BPF events to record for enhanced session recording. (see [below for nested schema](#nested-schema-for-specsshenhanced_recording))
- `file_copy` (Boolean) FileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. By default, the user is allowed to download and upload files.
- `forward_agent` (Boolean) ForwardAgent enables SSH agent forwarding.
- `host_sudoers` (List of String) Sudoers is a list of entries to include in a user's sudoers file.
- `host_user_creation` (Attributes) HostUserCreation configures the creation of host users. (see [below for nested schema](#nested-schema-for-specsshhost_user_creation))
- `labels` (Attributes List) Labels is the set of node labels used to dynamically select which nodes this role applies to. (see [below for nested schema](#nested-schema-for-specsshlabels))
- `lock` (Attributes) Lock configures the role's locking behavior for SSH sessions. (see [below for nested schema](#nested-schema-for-specsshlock))
- `logins` (List of String) Logins is the list of OS logins this role permits on matching nodes.
- `max_sessions` (Number) MaxSessions defines the maximum number of concurrent sessions per connection.
- `permit_x11_forwarding` (Boolean) PermitX11Forwarding, when true, authorizes use of X11 forwarding over SSH sessions. If not set, X11 forwarding is not permitted.
- `port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specsshport_forwarding))
- `session_recording` (Attributes) SessionRecording configures the session recording strategy for SSH sessions. (see [below for nested schema](#nested-schema-for-specsshsession_recording))

### Nested Schema for `spec.ssh.enhanced_recording`

Optional:

- `command` (Boolean) Command enables session.command events in audit logs.
- `disk` (Boolean) Disk enables session.disk events in audit logs.
- `network` (Boolean) Network enables session.network events in audit logs.

### Nested Schema for `spec.ssh.host_user_creation`

Optional:

- `groups` (List of String) Groups is a list of host groups to add the user to.
- `mode` (String) Mode specifies how the host user should be created.
- `shell` (String) Shell is the shell to set for the user.

### Nested Schema for `spec.ssh.labels`

Optional:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.

### Nested Schema for `spec.ssh.lock`

Optional:

- `mode` (String) Allowed values: strict or best\_effort. Defaults to the cluster-wide auth preference value if not set.

### Nested Schema for `spec.ssh.port_forwarding`

Optional:

- `local` (Attributes) Allow for local port forwarding. (see [below for nested schema](#nested-schema-for-specsshport_forwardinglocal))
- `remote` (Attributes) Allow for remote port forwarding. (see [below for nested schema](#nested-schema-for-specsshport_forwardingremote))

### Nested Schema for `spec.ssh.port_forwarding.local`

Optional:

- `enabled` (Boolean)

### Nested Schema for `spec.ssh.port_forwarding.remote`

Optional:

- `enabled` (Boolean)

### Nested Schema for `spec.ssh.session_recording`

Optional:

- `mode` (String) Mode sets the session recording mode. Allowed values: strict or best\_effort.

### Nested Schema for `spec.workload_identity`

Optional:

- `labels` (Attributes List) Labels is the set of WorkloadIdentity labels used to dynamically select which WorkloadIdentity resources this role permits issuance with. Issuance additionally requires the caller to hold read\_no\_secrets (and, for the multi-issue RPC, list) rules for the workload\_identity kind in the relevant scope. (see [below for nested schema](#nested-schema-for-specworkload_identitylabels))

### Nested Schema for `spec.workload_identity.labels`

Optional:

- `name` (String) The name of the label.
- `values` (List of String) The values associated with the label.
