gravitational · gabrielcorado · Oct 9, 2025
diff --git a/integrations/terraform/Makefile b/integrations/terraform/Makefile
@@ -149,6 +149,13 @@ endif
 		--terraform_out=config=protoc-gen-terraform-discoveryconfig.yaml:./tfschema \
 		teleport/discoveryconfig/v1/discoveryconfig.proto
 
+	@protoc \
+		-I=../../api/proto \
+		-I=$(PROTOBUF_MOD_PATH) \
+		--plugin=$(PROTOC_GEN_TERRAFORM) \
+		--terraform_out=config=protoc-gen-terraform-appauthconfig.yaml:./tfschema \
+		teleport/appauthconfig/v1/appauthconfig.proto
+
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1/loginrule_terraform.go ./tfschema/loginrule/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1/accesslist_terraform.go ./tfschema/accesslist/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_terraform.go ./tfschema/accessmonitoringrules/v1/
@@ -157,6 +164,7 @@ endif
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_terraform.go ./tfschema/autoupdate/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/healthcheckconfig/v1/health_check_config_terraform.go ./tfschema/healthcheckconfig/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_terraform.go ./tfschema/discoveryconfig/v1/
+	mv ./tfschema/github.com/gravitational/teleport/api/gen/proto/go/teleport/appauthconfig/v1/appauthconfig_terraform.go ./tfschema/appauthconfig/v1/
 	mv ./tfschema/github.com/gravitational/teleport/api/types/device_terraform.go ./tfschema/devicetrust/v1/
 	rm -r ./tfschema/github.com/
 	@go run ./gen/main.go

diff --git a/integrations/terraform/gen/main.go b/integrations/terraform/gen/main.go
@@ -704,6 +704,32 @@ var (
 		TerraformResourceType:  "teleport_integration",
 		HasCheckAndSetDefaults: true,
 	}
+
+	appAuthConfig = payload{
+		Name:                  "AppAuthConfig",
+		TypeName:              "AppAuthConfig",
+		VarName:               "appauthconfig",
+		GetMethod:             "GetAppAuthConfig",
+		CreateMethod:          "CreateAppAuthConfig",
+		UpsertMethodArity:     2,
+		UpdateMethod:          "UpsertAppAuthConfig",
+		DeleteMethod:          "DeleteAppAuthConfig",
+		ID:                    "appauthconfig.Metadata.Name",
+		Kind:                  "app_auth_config",
+		HasStaticID:           false,
+		ProtoPackage:          "appauthconfigv1",
+		ProtoPackagePath:      "github.com/gravitational/teleport/api/gen/proto/go/teleport/appauthconfig/v1",
+		SchemaPackage:         "schemav1",
+		SchemaPackagePath:     "github.com/gravitational/teleport/integrations/terraform/tfschema/appauthconfig/v1",
+		TerraformResourceType: "teleport_app_auth_config",
+		// Since [RFD 153](https://github.com/gravitational/teleport/blob/master/rfd/0153-resource-guidelines.md)
+		// resources are plain structs
+		IsPlainStruct: true,
+		// As 153-style resources don't have CheckAndSetDefaults, we must set the Kind manually.
+		// We import the package containing kinds, then use ForceSetKind.
+		ExtraImports: []string{"apitypes \"github.com/gravitational/teleport/api/types\""},
+		ForceSetKind: "apitypes.KindAppAuthConfig",
+	}
 )
 
 func main() {
@@ -769,6 +795,8 @@ func genTFSchema() {
 	generateDataSource(discoveryConfig, pluralDataSource)
 	generateResource(integration, pluralResource)
 	generateDataSource(integration, pluralDataSource)
+	generateResource(appAuthConfig, pluralResource)
+	generateDataSource(appAuthConfig, pluralDataSource)
 }
 
 func generateResource(p payload, tpl string) {

diff --git a/integrations/terraform/protoc-gen-terraform-appauthconfig.yaml b/integrations/terraform/protoc-gen-terraform-appauthconfig.yaml
@@ -0,0 +1,76 @@
+---
+target_package_name: "v1"
+default_package_name: "github.com/gravitational/teleport/api/gen/proto/go/teleport/appauthconfig/v1"
+duration_custom_type: Duration
+use_state_for_unknown_by_default: true
+
+# Top-level type names to export
+types:
+  - "AppAuthConfig"
+
+# These import paths were not being automatically picked up by
+# protoc-gen-terraform without these overrides
+import_path_overrides:
+  "types": "github.com/gravitational/teleport/api/types"
+  "wrappers": "github.com/gravitational/teleport/api/types/wrappers"
+  "durationpb": "google.golang.org/protobuf/types/known/durationpb"
+  "timestamppb": "google.golang.org/protobuf/types/known/timestamppb"
+  "v1": "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+  "v11": "github.com/gravitational/teleport/api/gen/proto/go/teleport/label/v1"
+  "github_com_gravitational_teleport_integrations_terraform_tfschema": "github.com/gravitational/teleport/integrations/terraform/tfschema"
+
+
+# id field is required for integration tests. It is not used by provider.
+# We have to add it manually (might be removed in the future versions).
+injected_fields:
+  AppAuthConfig:
+    - name: id
+      type: github.com/hashicorp/terraform-plugin-framework/types.StringType
+      computed: true
+      plan_modifiers:
+        - "github.com/hashicorp/terraform-plugin-framework/tfsdk.UseStateForUnknown()"
+
+# These fields will be excluded
+exclude_fields:
+  # Metadata (we id resources by name on our side)
+  - "AppAuthConfig.metadata.id"
+
+# These fields will be marked as Computed: true
+computed_fields:
+  # Metadata
+  - "AppAuthConfig.metadata.expires"
+  - "AppAuthConfig.metadata.namespace"
+  - "AppAuthConfig.metadata.revision"
+  - "AppAuthConfig.kind"
+
+# These fields will be marked as Required: true
+required_fields:
+  - "AppAuthConfig.metadata"
+  - "AppAuthConfig.metadata.name"
+  - "AppAuthConfig.version"
+  - "AppAuthConfig.spec"
+  - "AppAuthConfig.spec.match"
+
+plan_modifiers:
+  # Force to recreate resource if it's name changes
+  Metadata.name:
+    - "github.com/hashicorp/terraform-plugin-framework/tfsdk.RequiresReplace()"
+
+# This must be defined for the generator to be happy, but in reality all time
+# fields are overridden (because the protobuf timestamps contain locks and the
+# linter gets mad if we use raw structs instead of pointers).
+time_type:
+  type: "PlaceholderType"
+duration_type:
+  type: "PlaceholderType"
+
+validators:
+  # Expires must be in the future
+  Metadata.expires:
+    - github_com_gravitational_teleport_integrations_terraform_tfschema.MustTimeBeInFuture()
+
+custom_types:
+  "AppAuthConfig.metadata.expires": Timestamp
+  "AppAuthConfig.spec.interval": Duration
+  "AppAuthConfig.spec.timeout": Duration
+
diff --git a/integrations/terraform/provider/data_source_teleport_app_auth_config.go b/integrations/terraform/provider/data_source_teleport_app_auth_config.go