diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 3ee920f7c609a..2416c606a44b3 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2883,7 +2883,7 @@ message RoleOptions {
 (gogoproto.casttype) = "Duration"
 ];
- // Deprecated: Use PortForwardMode instead
+ // Deprecated: Use PortForwardConfig instead
 BoolValue PortForwarding = 3 [
 (gogoproto.nullable) = true,
 (gogoproto.jsontag) = "port_forwarding,omitempty",
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
index bc3ffaeb82b22..dac105aa53f54 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
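Review bot: The deprecation note in this hunk now points at `PortForwardConfig`, but every other file in the change — the CRD YAMLs, the operator and Terraform docs, and the `Description` strings in `types_terraform.go` (hunk at `@@ -2606,8 +2606,22 @@`) — still reads `Deprecated: Use PortForwardMode instead`, so the generated artifacts appear to have been produced from a stale source and should be regenerated before merge. The text being removed also stated the default (`PortForwarding is "yes" if not set`), and the replacement drops it, while the new `local` and `remote` fields carry an empty description in the schema (`Description: ""`), the docs (`|local|boolean||`) and the CRD. Since this option governs a permission embedded in issued certificates, someone auditing a role needs to know what an unset `port_forward_config` grants and which setting takes effect when both the deprecated flag and the new object are present. I would add doc comments on `PortForwardConfig`'s `Local` and `Remote` fields where that message is defined (outside this hunk), e.g. `// Local controls whether local port forwarding is permitted; TODO confirm the default when unset.`, and extend this line to state the precedence, e.g. `// Deprecated: Use PortForwardConfig instead. Ignored when PortForwardConfig is set.` only if that matches the server's behaviour.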
@@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.| |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.| |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage| -|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer| +|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig| +|port_forwarding|boolean|Deprecated: Use PortForwardMode instead| |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.| |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.| |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.| @@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |---|---|---| |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.| +### spec.options.port_forward_config + +|Field|Type|Description| +|---|---|---| +|local|boolean|| +|remote|boolean|| + ### spec.options.record_session |Field|Type|Description| 
@@ -801,7 +809,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.| |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.| |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage| -|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer| +|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig| +|port_forwarding|boolean|Deprecated: Use PortForwardMode instead| |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.| |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.| |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.| @@ -829,6 +838,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |---|---|---| |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.| +### spec.options.port_forward_config + +|Field|Type|Description| +|---|---|---| +|local|boolean|| +|remote|boolean|| + ### spec.options.record_session |Field|Type|Description| 
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx index b7a46956303f6..f7a2fcedcba63 100644 --- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx +++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx @@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.| |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.| |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage| -|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer| +|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig| +|port_forwarding|boolean|Deprecated: Use PortForwardMode instead| |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.| |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.| |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.| 
@@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |---|---|---| |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.| +### spec.options.port_forward_config + +|Field|Type|Description| +|---|---|---| +|local|boolean|| +|remote|boolean|| + ### spec.options.record_session |Field|Type|Description| diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx index cb1a3d4c7b40d..86b7a15ebcf54 100644 --- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx +++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx 
@@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.| |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.| |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage| -|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer| +|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig| +|port_forwarding|boolean|Deprecated: Use PortForwardMode instead| |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.| |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.| |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.| @@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |---|---|---| |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.| +### spec.options.port_forward_config + +|Field|Type|Description| +|---|---|---| +|local|boolean|| +|remote|boolean|| + ### spec.options.record_session |Field|Type|Description| 
diff --git a/docs/pages/reference/terraform-provider/data-sources/role.mdx b/docs/pages/reference/terraform-provider/data-sources/role.mdx index 6ef5d98029f93..53a4cd2205358 100644 --- a/docs/pages/reference/terraform-provider/data-sources/role.mdx +++ b/docs/pages/reference/terraform-provider/data-sources/role.mdx @@ -432,7 +432,8 @@ Optional: - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`. - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding. - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage -- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer +- `port_forward_config` (Attributes) PortForwardConfig (see [below for nested schema](#nested-schema-for-specoptionsport_forward_config)) +- `port_forwarding` (Boolean) Deprecated: Use PortForwardMode instead - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session)) - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default. - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request. 
@@ -463,6 +464,14 @@ Optional: +### Nested Schema for `spec.options.port_forward_config` + +Optional: + +- `local` (Boolean) +- `remote` (Boolean) + + ### Nested Schema for `spec.options.record_session` Optional: diff --git a/docs/pages/reference/terraform-provider/resources/role.mdx b/docs/pages/reference/terraform-provider/resources/role.mdx index 9cc8710c72480..d3cd2dee0f227 100644 --- a/docs/pages/reference/terraform-provider/resources/role.mdx +++ b/docs/pages/reference/terraform-provider/resources/role.mdx 
@@ -486,7 +486,8 @@ Optional: - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`. - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding. - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage -- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer +- `port_forward_config` (Attributes) PortForwardConfig (see [below for nested schema](#nested-schema-for-specoptionsport_forward_config)) +- `port_forwarding` (Boolean) Deprecated: Use PortForwardMode instead - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session)) - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default. - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request. @@ -517,6 +518,14 @@ Optional: +### Nested Schema for `spec.options.port_forward_config` + +Optional: + +- `local` (Boolean) +- `remote` (Boolean) + + ### Nested Schema for `spec.options.record_session` Optional: 
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml index c333c44eb2d33..7ccc74c3be020 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml @@ -1280,10 +1280,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access @@ -2661,10 +2668,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access 
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index d8825c525df6d..bc8a079b384d1 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -1283,10 +1283,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index 85a0961a5a617..d6daafc55b085 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
@@ -1283,10 +1283,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml index c333c44eb2d33..7ccc74c3be020 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml @@ -1280,10 +1280,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access 
@@ -2661,10 +2668,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml index d8825c525df6d..bc8a079b384d1 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml @@ -1283,10 +1283,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml index 85a0961a5a617..d6daafc55b085 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml 
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml @@ -1283,10 +1283,17 @@ spec: description: PinSourceIP forces the same client IP for certificate generation and usage type: boolean + port_forward_config: + description: PortForwardConfig + nullable: true + properties: + local: + type: boolean + remote: + type: boolean + type: object port_forwarding: - description: PortForwarding defines if the certificate will have - "permit-port-forwarding" in the certificate. PortForwarding - is "yes" if not set, that's why this is a pointer + description: 'Deprecated: Use PortForwardMode instead' type: boolean record_session: description: RecordDesktopSession indicates whether desktop access diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go index 822f6396a24f0..f8f34c18d832c 100644 --- a/integrations/terraform/tfschema/types_terraform.go +++ b/integrations/terraform/tfschema/types_terraform.go 
@@ -2606,8 +2606,22 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.BoolType,
 },
+ "port_forward_config": {
+ Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ "local": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "",
+ Optional: true,
+ }),
+ "remote": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
+ Description: "",
+ Optional: true,
+ }),
+ }),
+ Description: "PortForwardConfig",
+ Optional: true,
+ },
 "port_forwarding": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{
- Description: "PortForwarding defines if the certificate will have \"permit-port-forwarding\" in the certificate. PortForwarding is \"yes\" if not set, that's why this is a pointer",
+ Description: "Deprecated: Use PortForwardMode instead",
 Optional: true,
 }),
 "record_session": {
@@ -16357,6 +16371,38 @@ func CopyRoleV6FromTerraform(_ context.Context, tf github_com_hashicorp_terrafor
 }
 }
 }
+ {
+ a, ok := tf.Attrs["port_forward_config"]
+ if !ok {
+ diags.Append(attrReadMissingDiag{"RoleV6.Spec.Options.PortForwardConfig"})
+ } else {
+ v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.Object)
+ if !ok {
+ diags.Append(attrReadConversionFailureDiag{"RoleV6.Spec.Options.PortForwardConfig", "github.com/hashicorp/terraform-plugin-framework/types.Object"})
+ } else {
+ obj.PortForwardConfig = nil
+ if !v.Null && !v.Unknown {
+ tf := v
+ obj.PortForwardConfig = &github_com_gravitational_teleport_api_types.PortForwardConfig{}
+ obj := obj.PortForwardConfig
+ {
+ a, ok := tf.Attrs["local"]
+ if !ok {
+ diags.Append(attrReadMissingDiag{"RoleV6.Spec.Options.PortForwardConfig.Local"})
+ }
+ CopyFromBoolOption(diags, a, &obj.Local)
+ }
+ {
+ a, ok := tf.Attrs["remote"]
+ if !ok {
+ diags.Append(attrReadMissingDiag{"RoleV6.Spec.Options.PortForwardConfig.Remote"})
+ }
+ CopyFromBoolOption(diags, a, &obj.Remote)
+ }
+ }
+ }
+ }
+ }
 }
 }
 }
@@ -21351,6 +21397,56 @@ func CopyRoleV6ToTerraform(ctx context.Context, obj *github_com_gravitational_te
 tf.Attrs["create_host_user_default_shell"] = v
 }
 }
+ {
+ a, ok := tf.AttrTypes["port_forward_config"]
+ if !ok {
+ diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Options.PortForwardConfig"})
+ } else {
+ o, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.ObjectType)
+ if !ok {
+ diags.Append(attrWriteConversionFailureDiag{"RoleV6.Spec.Options.PortForwardConfig", "github.com/hashicorp/terraform-plugin-framework/types.ObjectType"})
+ } else {
+ v, ok := tf.Attrs["port_forward_config"].(github_com_hashicorp_terraform_plugin_framework_types.Object)
+ if !ok {
+ v = github_com_hashicorp_terraform_plugin_framework_types.Object{
+
+ AttrTypes: o.AttrTypes,
+ Attrs: make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(o.AttrTypes)),
+ }
+ } else {
+ if v.Attrs == nil {
+ v.Attrs = make(map[string]github_com_hashicorp_terraform_plugin_framework_attr.Value, len(tf.AttrTypes))
+ }
+ }
+ if obj.PortForwardConfig == nil {
+ v.Null = true
+ } else {
+ obj := obj.PortForwardConfig
+ tf := &v
+ {
+ t, ok := tf.AttrTypes["local"]
+ if !ok {
+ diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Options.PortForwardConfig.Local"})
+ } else {
+ v := CopyToBoolOption(diags, obj.Local, t, tf.Attrs["local"])
+ tf.Attrs["local"] = v
+ }
+ }
+ {
+ t, ok := tf.AttrTypes["remote"]
+ if !ok {
+ diags.Append(attrWriteMissingDiag{"RoleV6.Spec.Options.PortForwardConfig.Remote"})
+ } else {
+ v := CopyToBoolOption(diags, obj.Remote, t, tf.Attrs["remote"])
+ tf.Attrs["remote"] = v
+ }
+ }
+ }
+ v.Unknown = false
+ tf.Attrs["port_forward_config"] = v
+ }
+ }
+ }
 }
 v.Unknown = false
 tf.Attrs["options"] = v