From 750f8082dd14eff8d7af6d61ec3c2e7effec758c Mon Sep 17 00:00:00 2001
From: Erik Tate
Date: Fri, 11 Oct 2024 10:38:05 -0400
Subject: [PATCH] adding note about terraform mappings for create_host_user_mode to host user creation guide (#47139)
---
 api/proto/teleport/legacy/types/types.proto | 2 +-
 api/types/types.pb.go | 2 +-
 docs/cspell.json | 1 +
 .../server-access/guides/host-user-creation.mdx | 2 ++
 .../operator-resources/resources.teleport.dev_roles.mdx | 4 ++--
 .../operator-resources/resources.teleport.dev_rolesv6.mdx | 2 +-
 .../operator-resources/resources.teleport.dev_rolesv7.mdx | 2 +-
 .../reference/terraform-provider/data-sources/role.mdx | 2 +-
 docs/pages/reference/terraform-provider/resources/role.mdx | 2 +-
 .../operator-crds/resources.teleport.dev_roles.yaml | 6 ++----
 .../operator-crds/resources.teleport.dev_rolesv6.yaml | 3 +--
 .../operator-crds/resources.teleport.dev_rolesv7.yaml | 3 +--
 .../config/crd/bases/resources.teleport.dev_roles.yaml | 6 ++----
 .../config/crd/bases/resources.teleport.dev_rolesv6.yaml | 3 +--
 .../config/crd/bases/resources.teleport.dev_rolesv7.yaml | 3 +--
 integrations/terraform/tfschema/types_terraform.go | 2 +-
 lib/services/access_checker.go | 1 +
 lib/srv/regular/sshserver_test.go | 1 +
 18 files changed, 22 insertions(+), 25 deletions(-)
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 07697dc7ad393..0a974d983bae8 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2951,7 +2951,7 @@ message RoleOptions {
     (gogoproto.customtype) = "BoolOption"
   ];
-  // CreateHostUser allows users to be automatically created on a host
+  // Deprecated: use CreateHostUserMode instead.
   BoolValue CreateHostUser = 20 [
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "create_host_user,omitempty",
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index d9d82f64b37b2..f0c28a1aea857 100644
--- a/api/types/types.pb.go
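Review bot: The replacement comment on the `+` line drops the only description of what CreateHostUser does, and because this comment is copied verbatim into types.pb.go, the operator CRDs, the Terraform schema and the reference docs (the other hunks of this commit), every generated surface now tells operators only that the field is deprecated, not what a role that still sets it will do. Keep the description and put the deprecation marker in its own paragraph, which is the form Go tooling recognizes: `// CreateHostUser allows users to be automatically created on a host.` followed by `//` and `// Deprecated: use CreateHostUserMode instead.`. Protobuf also offers the `[deprecated = true]` field option, which would carry the deprecation into generated code independently of comment text; whether the doc and CRD generators used here honor it is not visible from this hunk. The enclosing message RoleOptions begins and ends outside the hunk.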
+++ b/api/types/types.pb.go
@@ -7870,7 +7870,7 @@ type RoleOptions struct {
 	// workstation and the remote desktop. It defaults to false unless explicitly set to
 	// true.
 	DesktopDirectorySharing *BoolOption `protobuf:"bytes,19,opt,name=DesktopDirectorySharing,proto3,customtype=BoolOption" json:"desktop_directory_sharing"`
-	// CreateHostUser allows users to be automatically created on a host
+	// Deprecated: use CreateHostUserMode instead.
 	CreateHostUser *BoolOption `protobuf:"bytes,20,opt,name=CreateHostUser,proto3,customtype=BoolOption" json:"create_host_user,omitempty"`
 	// PinSourceIP forces the same client IP for certificate generation and usage
 	PinSourceIP Bool `protobuf:"varint,21,opt,name=PinSourceIP,proto3,casttype=Bool" json:"pin_source_ip"`
diff --git a/docs/cspell.json b/docs/cspell.json
index ee126b1b5fcaa..6628e917a3909 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -847,6 +847,7 @@
     "snowsql",
     "spacectl",
     "spacelift",
+    "specoptions",
     "spfile",
     "spiffe",
     "splunkd",
diff --git a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
index e63af39b3e74d..538c6c8c9032e 100644
--- a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
@@ -438,3 +438,5 @@ on the hosts.
 - Configure automatic user provisioning for [Database Access](../../database-access/auto-user-provisioning.mdx).
 - Configure automatic user provisioning for [desktop access](../../../reference/agent-services/desktop-access-reference/user-creation.mdx).
+- Configure automatic user provisioning with [Terraform](../../../reference/terraform-provider/resources/role.mdx).
+Note when using the terraform provider that some values may be different than described in this guide.
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
index b0e46197dc132..204ff9b9b9cd4 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
 |create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
 |create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: use CreateHostUserMode instead.|
 |create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
 |create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
 |desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
@@ -723,7 +723,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
 |create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
 |create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: use CreateHostUserMode instead.|
 |create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
 |create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
 |desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
index 1153951d12523..1ea906c390622 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
 |create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
 |create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: use CreateHostUserMode instead.|
 |create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
 |create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
 |desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
index a4cb13e8bdce3..877857b1dd5e1 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
 |create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
 |create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: use CreateHostUserMode instead.|
 |create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
 |create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
 |desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/docs/pages/reference/terraform-provider/data-sources/role.mdx b/docs/pages/reference/terraform-provider/data-sources/role.mdx
index 9ca42d7e5e678..c86fe26c731c1 100644
--- a/docs/pages/reference/terraform-provider/data-sources/role.mdx
+++ b/docs/pages/reference/terraform-provider/data-sources/role.mdx
@@ -380,7 +380,7 @@ Optional:
 - `create_db_user` (Boolean) CreateDatabaseUser enabled automatic database user creation.
 - `create_db_user_mode` (Number) CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
 - `create_desktop_user` (Boolean) CreateDesktopUser allows users to be automatically created on a Windows desktop
-- `create_host_user` (Boolean) CreateHostUser allows users to be automatically created on a host
+- `create_host_user` (Boolean) Deprecated: use CreateHostUserMode instead.
 - `create_host_user_default_shell` (String) CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
 - `create_host_user_mode` (Number) CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
 - `desktop_clipboard` (Boolean) DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.
diff --git a/docs/pages/reference/terraform-provider/resources/role.mdx b/docs/pages/reference/terraform-provider/resources/role.mdx
index 52f5bd3fdf266..de5ebe16e42ab 100644
--- a/docs/pages/reference/terraform-provider/resources/role.mdx
+++ b/docs/pages/reference/terraform-provider/resources/role.mdx
@@ -433,7 +433,7 @@ Optional:
 - `create_db_user` (Boolean) CreateDatabaseUser enabled automatic database user creation.
 - `create_db_user_mode` (Number) CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop".
 - `create_desktop_user` (Boolean) CreateDesktopUser allows users to be automatically created on a Windows desktop
-- `create_host_user` (Boolean) CreateHostUser allows users to be automatically created on a host
+- `create_host_user` (Boolean) Deprecated: use CreateHostUserMode instead.
 - `create_host_user_default_shell` (String) CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
 - `create_host_user_mode` (Number) CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
 - `desktop_clipboard` (Boolean) DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
index 796c938c6a616..d091c86f048ae 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
@@ -1133,8 +1133,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the @@ -2465,8 +2464,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml index 341e344c403d2..837ff72ce28d8 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml @@ -1136,8 +1136,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml index a4eec4b4f7cb1..a214227ba32b7 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml 
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml @@ -1136,8 +1136,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml index 796c938c6a616..d091c86f048ae 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml @@ -1133,8 +1133,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the @@ -2465,8 +2464,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml index 341e344c403d2..837ff72ce28d8 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml 
@@ -1136,8 +1136,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml index a4eec4b4f7cb1..a214227ba32b7 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml @@ -1136,8 +1136,7 @@ spec: created on a Windows desktop type: boolean create_host_user: - description: CreateHostUser allows users to be automatically created - on a host + description: 'Deprecated: use CreateHostUserMode instead.' type: boolean create_host_user_default_shell: description: CreateHostUserDefaultShell is used to configure the diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go index d2f2f216a517c..f05c1bba50d9b 100644 --- a/integrations/terraform/tfschema/types_terraform.go +++ b/integrations/terraform/tfschema/types_terraform.go @@ -2459,7 +2459,7 @@ func GenSchemaRoleV6(ctx context.Context) (github_com_hashicorp_terraform_plugin Optional: true, }), "create_host_user": GenSchemaBoolOption(ctx, github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ - Description: "CreateHostUser allows users to be automatically created on a host", + Description: "Deprecated: use CreateHostUserMode instead.", Optional: true, }), "create_host_user_default_shell": { diff --git a/lib/services/access_checker.go b/lib/services/access_checker.go index 6d784bddde0f1..7a3a2b8469ce6 100644 --- a/lib/services/access_checker.go +++ b/lib/services/access_checker.go 
@@ -1035,6 +1035,7 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
 	}
 	createHostUserMode := role.GetOptions().CreateHostUserMode
+	//nolint:staticcheck // this field is preserved for existing deployments, but shouldn't be used going forward
 	createHostUser := role.GetOptions().CreateHostUser
 	if createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
 		createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_OFF
diff --git a/lib/srv/regular/sshserver_test.go b/lib/srv/regular/sshserver_test.go
index 26428f5cb003b..42df4c9d4017c 100644
--- a/lib/srv/regular/sshserver_test.go
+++ b/lib/srv/regular/sshserver_test.go
@@ -2803,6 +2803,7 @@ func newUpack(testSvr *auth.TestServer, username string, allowedLogins []string,
 	role.SetRules(types.Allow, rules)
 	opts := role.GetOptions()
 	opts.PermitX11Forwarding = types.NewBool(true)
+	//nolint:staticcheck // this field is preserved for existing deployments, but shouldn't be used going forward
 	opts.CreateHostUser = types.NewBoolOption(true)
 	role.SetOptions(opts)
 	role.SetLogins(types.Allow, allowedLogins)
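Review bot: The nolint directive added above `createHostUser := role.GetOptions().CreateHostUser` says the deprecated field is preserved but not how its value relates to createHostUserMode, which is exactly what a reader of this access-control path needs when a role sets both; the precedence is presumably resolved further down, outside the hunk. Suggest making the directive carry that contract, e.g. `//nolint:staticcheck // CreateHostUser is deprecated in favor of CreateHostUserMode but is still read so roles written before the mode field existed keep provisioning host users; the mode takes precedence when set`, with the precedence clause adjusted to whatever the code below actually does. The same copy-pasted comment is added in the sshserver_test.go hunk, where "shouldn't be used going forward" reads oddly because that fixture deliberately sets the deprecated field; there it should say the test intentionally exercises the legacy path, or the fixture should set `opts.CreateHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_KEEP` instead if legacy coverage is not the goal. HostUsers and newUpack both begin and end outside their hunks.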