
Conversation

@GavinFrazar (Contributor) commented Nov 25, 2025

Changelog: Added Terraform provider support for teleport_integration resources.

Closes #61401

github-actions bot commented Nov 25, 2025

Amplify deployment status

Branch: gavinfrazar/terraform-aws-oidc-integration | Commit: 52c22e6 | Job ID: 4 | Status: ✅ SUCCEED | Preview: gavinfrazar-terraform-aws-oidc-integration | Updated (UTC): 2025-11-26 05:49:53

@public-teleport-github-review-bot

@GavinFrazar - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@GavinFrazar GavinFrazar requested review from avatus and removed request for bernardjkim, mmcallister, ptgott, r0mant, tigrato and zmb3 November 25, 2025 03:24
@hugoShaka (Contributor) left a comment

just a couple of non-blocking questions

# only the "github" integration subkind uses credentials currently, but
# credentials is excluded intentionally so that we don't have to handle plugin credentials, which are stored separately.
- "IntegrationV1.Spec.credentials"
- "IntegrationV1.Spec.GitHub"
hugoShaka (Contributor):

Why must we ignore the GitHub integration completely? Can we add support for this integration, or at least document that it's not supported and track it in an issue? Else we will forget about this and will tell customers "yes, we support integrations in TF" while we don't.

GavinFrazar (Contributor Author):

The GitHub integration is complicated. You specify credentials, and then auth modifies the credentials (in the spec) when you create the integration, replaces them with a "credential ref", and creates/stores the plugin credentials separately.

On destroy, the auth server also deletes the plugin credentials referenced by the integration.

I thought that would cause a lot of problems, and it's not necessary to support the GitHub integration for our cloud discovery goals.
Maybe we could just mark the credentials field as computed, though? I'm not sure.
I'll try that now just to see what happens, but if it's not such a trivial thing I'd rather just document it and track it in an issue until someone asks for it.
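A constructed simulation of the failure mode described in this comment, added here as an illustration (it is not Teleport or terraform-provider code): a server that rewrites part of a submitted spec (credentials replaced by an opaque ref, secret kept in a separate store) makes a naive declared-vs-actual comparison report drift on every plan, while treating the server-owned fields as "computed" removes the spurious diff. The field names, spec layout, credential store and `plan_diff` logic are all assumptions made for this example.

```python
"""Constructed illustration (not Teleport or Terraform provider code) of why a
server that rewrites a submitted spec breaks naive drift detection, and how
marking the rewritten fields as computed avoids it. Every name below is an
assumption for this example."""
from __future__ import annotations

import copy
import secrets

# Hypothetical separate credential store, keyed by opaque ref (constructed).
_PLUGIN_CREDENTIALS: dict[str, dict] = {}


def server_create(spec: dict) -> dict:
    """Simulate the server side: strip `credentials` from the spec, keep the
    secret in the separate store, and return a stored spec that carries only
    an opaque `credentials_ref`."""
    stored = copy.deepcopy(spec)
    creds = stored.pop("credentials", None)
    if creds is not None:
        ref = "cred-" + secrets.token_hex(6)  # opaque handle, not derived from the secret
        _PLUGIN_CREDENTIALS[ref] = creds
        stored["credentials_ref"] = ref
    return stored


def server_delete(stored: dict) -> bool:
    """Simulate destroy: the server also removes the referenced credentials.
    Returns True if a separately stored credential was cleaned up."""
    ref = stored.get("credentials_ref")
    if not ref:
        return False
    return _PLUGIN_CREDENTIALS.pop(ref, None) is not None


def plan_diff(desired: dict, actual: dict, computed: frozenset[str] = frozenset()) -> dict:
    """Field-level diff of declared config against server state.
    Fields in `computed` are server-owned and therefore not compared."""
    diff: dict = {}
    for key in sorted(set(desired) | set(actual)):
        if key in computed:
            continue
        if desired.get(key) != actual.get(key):
            diff[key] = (desired.get(key), actual.get(key))
    return diff


# Constructed sample config; the secret values are placeholders.
DESIRED = {
    "name": "example-github",
    "subkind": "github",
    "credentials": {"client_id": "placeholder-id", "client_secret": "placeholder-secret"},
}


def naive_plan() -> dict:
    """Declared config vs. what the server stored: drift on every plan."""
    actual = server_create(DESIRED)
    return plan_diff(DESIRED, actual)


def computed_plan() -> dict:
    """Same comparison with the rewritten fields marked computed: no drift."""
    actual = server_create(DESIRED)
    return plan_diff(DESIRED, actual, computed=frozenset({"credentials", "credentials_ref"}))


def destroy_cleans_store() -> bool:
    """Create then destroy; confirm the separately stored secret is gone."""
    stored = server_create(DESIRED)
    ref = stored["credentials_ref"]
    removed = server_delete(stored)
    return removed and ref not in _PLUGIN_CREDENTIALS


if __name__ == "__main__":
    print("naive diff keys:", sorted(naive_plan()))
    print("computed diff:", computed_plan())
    print("destroy cleaned store:", destroy_cleans_store())
```

The naive comparison flags both `credentials` (declared but absent from the stored spec) and `credentials_ref` (present on the server but never declared), so a real provider would try to "fix" the resource on every apply. Marking both as computed is the minimal change that stops the loop, at the cost that the provider can no longer detect a genuinely changed secret.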

GavinFrazar (Contributor Author):

ticket created: #61799

Comment on lines +502 to +503
IntegrationV1.Spec.AWSOIDC.audience:
- UseValueIn("", "aws-identity-center")
hugoShaka (Contributor):

Why is this check needed? The server doesn't validate this; or do we want to restrict the type of IaC integrations manageable by TF?

GavinFrazar (Contributor Author):

It's not needed, just nice to have, because Terraform will reject bad inputs at planning time.

* Also updated the audience field docs and validation error message to
  clarify what values are supported.
@GavinFrazar GavinFrazar force-pushed the gavinfrazar/terraform-aws-oidc-integration branch from 275a4e4 to 52c22e6 on November 26, 2025 05:44


Development

Successfully merging this pull request may close these issues.

Add terraform support for AWS OIDC integration

5 participants