{"id":51104722,"url":"https://github.com/cruxstack/terraform-provider-teleportconnect","last_synced_at":"2026-06-24T13:30:35.212Z","repository":{"id":361419490,"uuid":"1254392351","full_name":"cruxstack/terraform-provider-teleportconnect","owner":"cruxstack","description":"Terraform provider for Teleport-mediated access to resources (eg, dbs, ssh, etc). Creates short-lived certs, local tunnels, and delegated CI joins, without the requirement of tsh/tbot.","archived":false,"fork":false,"pushed_at":"2026-06-18T20:06:36.000Z","size":27317,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T21:27:11.951Z","etag":null,"topics":["ci","database","db","k8s","kubernetes","opentofu","opentofu-provider","ssh","teleport","terraform","terraform-provider"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/providers/cruxstack/teleportconnect/latest","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cruxstack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-30T14:03:05.000Z","updated_at":"2026-06-18T20:06:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cruxstack/terraform-provider-teleportconnect","commit_stats":null,"previous_names":["cruxstack/terraform-provider-teleportconnect"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/cruxstack/terraform-provider-teleportconnect","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-provider-teleportconnect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-provider-teleportconnect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-provider-teleportconnect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-provider-teleportconnect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cruxstack","download_url":"https://codeload.github.com/cruxstack/terraform-provider-teleportconnect/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cruxstack%2Fterraform-provider-teleportconnect/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34735263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","database","db","k8s","kubernetes","opentofu","opentofu-provider","ssh","teleport","terraform","terraform-provider"],"created_at":"2026-06-24T13:30:33.580Z","updated_at":"2026-06-24T13:30:35.204Z","avatar_url":"https://github.com/cruxstack.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform Provider: teleportconnect\n\n`teleportconnect` provides Terraform-native, Teleport-mediated access to remote\nresources — database client credentials, database tunnels, and SSH tunnels —\n**without** requiring `tsh`, `jq`, or `bash` on the machine running Terraform.\n\nIt is the in-process equivalent of common `tsh` workflows:\n\n| This provider                              | `tsh` equivalent                     |\n| ------------------------------------------ | ------------------------------------ |\n| `ephemeral.teleportconnect_db_certificate` | `tsh db login` + `tsh db config`     |\n| `ephemeral.teleportconnect_db_tunnel`      | `tsh proxy db --tunnel`              |\n| `ephemeral.teleportconnect_ssh_tunnel`     | `tsh ssh -N -L LOCAL:TARGET GATEWAY` |\n| `data.teleportconnect_database`            | `tsh db ls`                          |\n| `data.teleportconnect_node`                | `tsh ls`                             |\n| `data.teleportconnect_cluster`             | `tsh status` (cluster info + CA)     |\n\nBecause credentials and tunnels are modeled as\n[ephemeral resources](https://developer.hashicorp.com/terraform/language/resources/ephemeral),\nthe issued certificates and private keys are never written to Terraform state.\n\n## Requirements\n\n- [Terraform](https://developer.hashicorp.com/terraform/downloads) \u003e= 1.12\n  (ephemeral resources are required)\n- A reachable [Teleport](https://goteleport.com) cluster, **v15 or newer** (the\n  provider requests ECDSA P-256 user certificates, which require a modern auth\n  server)\n- Credentials for that cluster: a `tsh` profile, or an identity file from\n  `tctl auth sign` / `tbot`\n\n## Using the provider\n\n```hcl\nterraform {\n  required_version = \"\u003e= 1.12.0\"\n  required_providers {\n    teleportconnect = {\n      source  = \"cruxstack/teleportconnect\"\n      version = \"~\u003e 0.1\"\n    }\n  }\n}\n\nprovider \"teleportconnect\" {\n  proxy_address     = \"teleport.example.com:443\"\n  use_local_profile = true\n}\n```\n\n### Authentication\n\nExactly one authentication method must be configured:\n\n| Attribute                    | Description                                                                                     |\n| ---------------------------- | ----------------------------------------------------------------------------------------------- |\n| `use_local_profile`          | Reuse the local `~/.tsh` profile for `proxy_address` (mirrors `tsh login`).                     |\n| `identity_file_path`         | Path to an identity file produced by `tctl auth sign` or `tbot`.                                |\n| `identity_file_data`         | Inline identity file contents (PEM bundle). Marked sensitive.                                   |\n| `join_method` + `join_token` | Delegated Machine ID join for CI — the provider joins the cluster in-process, no `tbot` needed. |\n\n### CI / Machine ID join (no tbot, no identity file)\n\nFor non-interactive runners, set `join_method` + `join_token`. The provider\nfetches the platform's OIDC/JWT identity token and joins the cluster in-process\n— no `tbot` sidecar and no identity file to manage:\n\n```hcl\nprovider \"teleportconnect\" {\n  proxy_address = \"teleport.example.com:443\"\n  join_method   = \"github\" # github | gitlab | kubernetes | spacelift\n  join_token    = \"teleportconnect-ci\"\n}\n```\n\nSupported methods: `github`, `gitlab`, `kubernetes`, `spacelift`. For GitHub\nActions, the only extra requirement is `permissions: id-token: write` on the\njob. See the [CI usage guide](./docs/guides/ci.md) and the\n[join methods guide](./docs/guides/join-methods.md) for per-platform setup.\n\n### Example: issue a database certificate\n\n```hcl\ndata \"teleportconnect_database\" \"main\" {\n  name = \"mycorp-postgres\"\n}\n\nephemeral \"teleportconnect_db_certificate\" \"main\" {\n  database = data.teleportconnect_database.main.matched_name\n  db_user  = \"readonly\"\n  db_name  = \"appdb\"\n}\n```\n\n### Example: open a database tunnel\n\n```hcl\nephemeral \"teleportconnect_db_tunnel\" \"main\" {\n  database = data.teleportconnect_database.main.matched_name\n  db_user  = \"readonly\"\n  db_name  = \"appdb\"\n}\n\nprovider \"postgresql\" {\n  host     = ephemeral.teleportconnect_db_tunnel.main.local_host\n  port     = ephemeral.teleportconnect_db_tunnel.main.local_port\n  database = \"appdb\"\n  username = \"readonly\"\n  sslmode  = \"disable\" # the tunnel terminates TLS to Teleport for you\n}\n```\n\n### Example: open an SSH tunnel\n\n```hcl\ndata \"teleportconnect_node\" \"bastion\" {\n  labels = { role = \"bastion\" }\n}\n\nephemeral \"teleportconnect_ssh_tunnel\" \"db\" {\n  gateway_node = data.teleportconnect_node.bastion.matched_hostname\n  ssh_login    = \"ec2-user\"\n  target_host  = \"internal-db.vpc.local\"\n  target_port  = 5432\n}\n```\n\nSee [`docs/`](./docs) for full reference documentation and the\n[`examples/`](./examples) directory for runnable configurations. For running the\nprovider in CI (e.g. self-hosted GitHub Actions runners) against the\n`cyrilgdn/postgresql` provider, see the [CI usage guide](./docs/guides/ci.md).\n\n## ALPN connection upgrade\n\nWhen the Teleport proxy sits behind an L7 load balancer (e.g. AWS ALB) that\nterminates TLS with its own certificate, Teleport's automatic ALPN probe can be\nfooled into using direct TLS routing, which then fails. Set\n`alpn_conn_upgrade = \"yes\"` to force the HTTPS connection upgrade in that case.\nThe default (`auto`) probes the proxy; `no` forces direct TLS routing.\n\n## Teleport RBAC\n\nThe credentials used by the provider need a role that allows, at minimum:\n\n- reading `db_server` and `node` resources (for the data sources and protocol\n  lookup)\n- issuing user certificates scoped to the target databases / nodes and logins\n\nSee [`docs/guides/teleport-rbac.md`](./docs/guides/teleport-rbac.md) for a\nsample role.\n\n## Developing the provider\n\n```sh\n# build\nmake build\n\n# install into the local Go bin for dev_overrides\nmake install\n\n# format, lint, vet\nmake fmt\nmake lint\n\n# unit tests\nmake test\n\n# acceptance tests (requires a live cluster + TF_ACC=1 + env vars)\nmake testacc\n\n# regenerate registry docs from schema, examples, and templates/guides\nmake docs\n```\n\n### Running against a local cluster\n\nA single-node Teleport cluster for local acceptance/integration testing is\nprovided under [`test/integration/`](./test/integration). See its README for the\nbootstrap steps.\n\n## Roadmap\n\n- Delegated Machine ID join methods (`iam`, `github`, `gcp`, ...) implemented\n  directly against the Teleport JoinService, removing the need for a `tbot`\n  sidecar.\n- Configurable key algorithm (RSA / ECDSA / Ed25519).\n\n## License\n\n[MPL-2.0](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcruxstack%2Fterraform-provider-teleportconnect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcruxstack%2Fterraform-provider-teleportconnect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcruxstack%2Fterraform-provider-teleportconnect/lists"}