Infrastructure as Code
This section explains how to manage Teleport using infrastructure as code (IaC) tools.
Teleport provides three methods for managing Teleport with infrastructure as code tools:
For instructions on managing users, roles, trusted clusters, and other resources with IaC tools, see Managing Resources with Infrastructure as Code.
How IaC works with Teleport
There are two ways to configure a Teleport cluster:
- Static configuration file: At startup, a Teleport process reads a
configuration file from the local filesystem (the default path is
/etc/teleport.yaml). Static configuration settings control aspects of a cluster that are not expected to change frequently, like the ports that services listen on. (See the Configuration Reference for all static configuration options.) - Dynamic resources: Dynamic resources control aspects of your cluster that are likely to change over time, such as roles, local users, and Teleport-protected infrastructure resources.
The Teleport Auth Service stores dynamic resources on its cluster state backend, and clients can authenticate to the Auth Service to read or write dynamic resources, depending on their permissions. Infrastructure as code tools can authenticate to a Teleport cluster to manage dynamic resources.
Reconciling static and dynamic configurations
Some dynamic resources assign the same settings as fields within Teleport's static configuration file. For these fields, the Teleport Auth Service reconciles static and dynamic configurations on startup and when you create or remove a Teleport resource.
While Teleport Enterprise Cloud does not expose the static configuration file to operators, they do use a static configuration file for certain settings.
Configuration resources that apply to static configuration fields
There are four dynamic resources that share fields with the static configuration file:
session_recording_configcluster_auth_preferencecluster_networking_configui_config
session_recording_config
| Dynamic resource field | Static configuration field |
|---|---|
spec.mode | auth_service.session_recording |
spec.proxy_checks_host_keys | auth_service.proxy_checks_host_keys |
cluster_auth_preference
| Dynamic resource field | Static configuration field |
|---|---|
spec.type | auth_service.authentication.type |
spec.second_factor | auth_service.authentication.second_factor |
spec.second_factors | auth_service.authentication.second_factors |
spec.connector_name | auth_service.authentication.connector_name |
spec.u2f | auth_service.authentication.u2f |
spec.disconnect_expired_cert | auth_service.disconnect_expired_cert |
spec.allow_local_auth | auth_service.authentication.local_auth |
spec.message_of_the_day | auth_service.message_of_the_day |
spec.locking_mode | auth_service.authentication.locking_mode |
spec.webauthn | auth_service.authentication.webauthn |
spec.require_session_mfa | auth_service.authentication.require_session_mfa |
spec.allow_passwordless | auth_service.authentication.passwordless |
spec.device_trust | auth_service.authentication.device_trust |
spec.idp | proxy_service.idp |
spec.allow_headless | auth_service.authentication.headless |
cluster_networking_config
| Dynamic resource field | Static configuration field |
|---|---|
spec.client_idle_timeout | auth_service.client_idle_timeout |
spec.keep_alive_interval | auth_service.keep_alive_interval |
spec.keep_alive_count_max | auth_service.keep_alive_count_max |
spec.session_control_timeout | auth_service.session_control_timeout |
spec.idle_timeout_message | auth_service.client_idle_timeout_message |
spec.web_idle_timeout | auth_service.web_idle_timeout |
spec.proxy_listener_mode | auth_service.proxy_listener_mode |
spec.routing_strategy | auth_service.routing_strategy |
spec.tunnel_strategy | auth_service.tunnel_strategy |
spec.proxy_ping_interval | auth_service.proxy_ping_interval |
spec.case_insensitive_routing | auth_service.case_insensitive_routing |
ui_config
| Dynamic resource field | Static configuration field |
|---|---|
spec.scrollback_lines | proxy_service.ui.scrollback_lines |
spec.show_resources | proxy_service.ui.show_resources |
Origin labels
The Teleport Auth Service applies the teleport.dev/origin label to
configuration resources to indicate whether they originated from the static
configuration file, a dynamic configuration resource, or the default value.
Here are possible values of the teleport.dev/origin label:
defaultsconfig-filedynamicterraformkubernetes
When the Auth Service starts up, it looks up the values of static configuration fields that correspond to fields in dynamic configuration resources. If any of these have values, it creates the corresponding dynamic configuration resources and stores them in its backend.
For any static configuration fields without a value, the Auth Service checks
whether the backend contains the corresponding dynamic configuration resource.
If not, it creates one with default values and the
teleport.dev/origin=defaults label.
If you attempt to create a dynamic configuration resource after the Auth Service has already loaded the configuration from a static configuration file, the Auth Service will return an error.
If you remove a dynamic configuration resource, the Auth Service will restore
its configuration fields to the default values and add the
teleport.dev/origin=defaults label.
Cloud-hosted Teleport deployments use configuration files, but these are not
available for operators to modify. Users of Teleport Enterprise Cloud may see
configuration resources with the teleport.dev/origin=config-file label.
Dynamic resource references
Read the following reference guides for comprehensive lists of supported fields in Teleport dynamic resources:
tctl resources
For reference guides to dynamic configuration resources available to apply using
tctl, read the Configuration Resource
Reference. There are also
dedicated configuration resource references for
applications and
databases.
Terraform resources and data sources
For comprehensive reference guides for resources and data sources you can manage with the Teleport Terraform provider, see Teleport Terraform Provider References.
Kubernetes operator resources
For comprehensive reference guides for resources you can manage with the Teleport Terraform provider, see Teleport Terraform Provider References.
Other ways to use the dynamic resource API
The Teleport Kubernetes Operator, Terraform provider, and tctl are all clients
of the Teleport Auth Service's gRPC API. To build your own API client to extend
Teleport for your organization's needs, read our API
guides.