# Reference for the teleport\_workload\_identity Terraform resource

This page describes the supported values of the teleport\_workload\_identity resource of the Teleport Terraform provider.

## Example Usage

```hcl
resource "teleport_workload_identity" "example" {
  version = "v1"
  metadata = {
    name = "example"
  }
  spec = {
    rules = {
      allow = [
        {
          conditions = [{
            attribute = "user.name"
            eq = {
              value = "my-user"
            }
          }]
        }
      ]
    }
    spiffe = {
      id   = "/my/spiffe/id/path"
      hint = "my-hint"
    }
  }
}
```

## Schema

### Optional

- `metadata` (Attributes) Common metadata that all resources share. (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) The configured properties of the WorkloadIdentity (see [below for nested schema](#nested-schema-for-spec))
- `sub_kind` (String) Differentiates variations of the same kind. All resources should contain one, even if it is never populated.
- `version` (String) The version of the resource being represented.

### Nested Schema for `metadata`

Optional:

- `description` (String) A free-form description of the object.
- `expires` (String) A global expiry time header that can be set on any resource in the system.
- `labels` (Map of String) A set of labels attached to the resource.
- `name` (String) The name of the object.

### Nested Schema for `spec`

Optional:

- `rules` (Attributes) The rules which are evaluated before the WorkloadIdentity can be issued. (see [below for nested schema](#nested-schema-for-specrules))
- `spiffe` (Attributes) Configuration pertaining to the issuance of SPIFFE-compatible workload identity credentials. (see [below for nested schema](#nested-schema-for-specspiffe))

### Nested Schema for `spec.rules`

Optional:

- `allow` (Attributes List) A list of rules used to determine if a WorkloadIdentity can be issued. If none are provided, it will be considered a pass. If any are provided, then at least one must pass for the rules to be considered passed. (see [below for nested schema](#nested-schema-for-specrulesallow))

### Nested Schema for `spec.rules.allow`

Optional:

- `conditions` (Attributes List) The conditions that must be met for this rule to be considered passed. Mutually exclusive with expression. (see [below for nested schema](#nested-schema-for-specrulesallowconditions))
- `expression` (String) An expression written in Teleport's predicate language that must evaluate to true for this rule to be considered passed. Mutually exclusive with conditions.

### Nested Schema for `spec.rules.allow.conditions`

Optional:

- `attribute` (String) The name of the attribute to evaluate the condition against.
- `eq` (Attributes) The attribute, cast to a string, must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
- `in` (Attributes) The attribute, cast to a string, must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
- `not_eq` (Attributes) The attribute, cast to a string, must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
- `not_in` (Attributes) The attribute, cast to a string, must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))
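
The following model shows how the `spec.rules.allow` list described above is evaluated: no allow rules at all counts as a pass, otherwise at least one rule must pass, and a rule passes only when every one of its `conditions` passes, each comparing the attribute cast to a string with `eq`, `in`, `not_eq` or `not_in`. This is an added example, not code from the Teleport Terraform provider or from Teleport itself; the attribute names other than `user.name` (`workload.kind`, `join.method`), the nested attribute dictionary, and the treatment of a missing attribute as the empty string are constructed assumptions of the model. `expression` rules are not modelled.

```python
"""Model of spec.rules.allow evaluation as described in the schema reference.

Added example, not Teleport provider code. Attribute names other than
user.name and the handling of missing attributes are assumptions.
"""
from typing import Any, Mapping


def lookup_attribute(attributes: Mapping[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as "user.name" in a nested mapping.

    Returns None when any segment of the path is missing.
    """
    cur: Any = attributes
    for part in dotted.split("."):
        if not isinstance(cur, Mapping) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_passes(cond: Mapping[str, Any], attributes: Mapping[str, Any]) -> bool:
    """Evaluate one entry of spec.rules.allow[*].conditions.

    Exactly one of eq / not_eq / in / not_in is expected. Assumption of this
    model: a missing attribute is cast to "", so eq/in fail and not_eq/not_in
    pass for it.
    """
    raw = lookup_attribute(attributes, cond["attribute"])
    value = "" if raw is None else str(raw)
    if "eq" in cond:
        return value == cond["eq"]["value"]
    if "not_eq" in cond:
        return value != cond["not_eq"]["value"]
    if "in" in cond:
        return value in cond["in"]["values"]
    if "not_in" in cond:
        return value not in cond["not_in"]["values"]
    raise ValueError(f"condition on {cond['attribute']!r} has no operator")


def rule_passes(rule: Mapping[str, Any], attributes: Mapping[str, Any]) -> bool:
    """An allow rule passes only when all of its conditions pass."""
    if "expression" in rule:
        raise NotImplementedError("predicate-language expressions are not modelled")
    return all(condition_passes(c, attributes) for c in rule.get("conditions", []))


def rules_allow_issuance(spec: Mapping[str, Any], attributes: Mapping[str, Any]) -> bool:
    """Apply the documented semantics of spec.rules.allow.

    No allow rules -> pass (the identity is issuable to anyone who can request
    it); otherwise at least one allow rule must pass.
    """
    allow = spec.get("rules", {}).get("allow", [])
    if not allow:
        return True
    return any(rule_passes(r, attributes) for r in allow)


# Constructed spec mirroring the HCL schema: two allow rules, either may match.
EXAMPLE_SPEC = {
    "rules": {
        "allow": [
            {"conditions": [
                {"attribute": "user.name", "eq": {"value": "my-user"}},
                {"attribute": "workload.kind", "in": {"values": ["kubernetes", "docker"]}},
            ]},
            {"conditions": [
                {"attribute": "user.name", "not_in": {"values": ["guest", "svc-legacy"]}},
                {"attribute": "join.method", "not_eq": {"value": "token"}},
            ]},
        ]
    }
}

if __name__ == "__main__":
    # Constructed attribute sets for the two rules above.
    print(rules_allow_issuance(EXAMPLE_SPEC, {"user": {"name": "my-user"}, "workload": {"kind": "kubernetes"}}))
    print(rules_allow_issuance(EXAMPLE_SPEC, {"user": {"name": "guest"}, "workload": {"kind": "kubernetes"}, "join": {"method": "iam"}}))
    print(rules_allow_issuance({}, {"user": {"name": "anyone"}}))
```

The last call illustrates the documented default: a `spec` with no `rules.allow` entries passes for every requester, so a WorkloadIdentity that is meant to be restricted needs at least one allow rule.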

### Nested Schema for `spec.rules.allow.conditions.eq`

Optional:

- `value` (String) The value to compare the attribute against.

### Nested Schema for `spec.rules.allow.conditions.in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.

### Nested Schema for `spec.rules.allow.conditions.not_eq`

Optional:

- `value` (String) The value to compare the attribute against.

### Nested Schema for `spec.rules.allow.conditions.not_in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.

### Nested Schema for `spec.spiffe`

Optional:

- `hint` (String) A freeform text field which is provided to workloads along with a credential produced by this WorkloadIdentity. This can be used to provide additional context that can be used to select between multiple credentials.
- `id` (String) The path of the SPIFFE ID that will be issued to the workload. This should be prefixed with a forward-slash ("/"). This field supports templating using attributes.
- `jwt` (Attributes) Configuration specific to JWT-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffejwt))
- `x509` (Attributes) Configuration specific to X509-SVIDs. (see [below for nested schema](#nested-schema-for-specspiffex509))

### Nested Schema for `spec.spiffe.jwt`

Optional:

- `maximum_ttl` (String) Controls the maximum TTL of JWT-SVIDs issued using this WorkloadIdentity. If a JWT-SVID is requested with a TTL greater than this value, the returned JWT-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 24 hours.

### Nested Schema for `spec.spiffe.x509`

Optional:

- `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity. Each entry in this list supports templating using attributes.
- `maximum_ttl` (String) Controls the maximum TTL of X509-SVIDs issued using this WorkloadIdentity. If an X509-SVID is requested with a TTL greater than this value, the returned X509-SVID will have a TTL of this value. Defaults to 24 hours. The maximum this value can be set to is 14 days.
- `subject_template` (Attributes) Used to configure the Subject Distinguished Name (DN) of the X509-SVID. In most circumstances, it is recommended to prefer relying on the SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE. If not provided, the X509-SVID will be issued with an empty Subject DN. (see [below for nested schema](#nested-schema-for-specspiffex509subject_template))

### Nested Schema for `spec.spiffe.x509.subject_template`

Optional:

- `common_name` (String) Common Name (CN), OID 2.5.4.3. If empty, the RDN is omitted from the DN.
- `organization` (String) Organization (O), OID 2.5.4.10. If empty, the RDN is omitted from the DN.
- `organizational_unit` (String) Organizational Unit (OU), OID 2.5.4.11. If empty, the RDN is omitted from the DN.
