diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_oidcconnectors.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_oidcconnectors.mdx index d3665d60e7041..670e1eae4f244 100644 --- a/docs/pages/reference/operator-resources/resources.teleport.dev_oidcconnectors.mdx +++ b/docs/pages/reference/operator-resources/resources.teleport.dev_oidcconnectors.mdx @@ -68,5 +68,6 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |client_id|string|ClientID is the OIDC OAuth app client ID.| |client_secret|string|ClientSecret is the OIDC OAuth app client secret.| |enabled|boolean|Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.| +|max_age|string|MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.| |prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.| diff --git a/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx index 9bd555e383c08..51b919dba35e6 100644 --- a/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx +++ b/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx 
@@ -71,6 +71,7 @@ Optional: - `client_id` (String) ClientID is the OIDC OAuth app client ID. - `client_secret` (String) ClientSecret is the OIDC OAuth app client secret. - `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false. +- `max_age` (String) MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions. - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. diff --git a/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx index 2d586fa362432..64fa69390c6a0 100644 --- a/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx +++ b/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx @@ -100,6 +100,7 @@ Optional: - `client_id` (String) ClientID is the OIDC OAuth app client ID. - `client_secret` (String) ClientSecret is the OIDC OAuth app client secret. - `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false. +- `max_age` (String) MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions. - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. 
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml index e07c3025139e1..41621df889b6b 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml @@ -138,6 +138,14 @@ spec: description: Enabled specified whether this OIDC connector supports MFA checks. Defaults to false. type: boolean + max_age: + description: MaxAge is the amount of time in nanoseconds that + an IdP session is valid for. Defaults to 0 to always force re-authentication + for MFA checks. This should only be set to a non-zero value + if the IdP is setup to perform MFA checks on top of active user + sessions. + format: duration + type: string prompt: description: Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml index e07c3025139e1..41621df889b6b 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml 
@@ -138,6 +138,14 @@ spec:
 description: Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
 type: boolean
+ max_age:
+ description: MaxAge is the amount of time in nanoseconds that
+ an IdP session is valid for. Defaults to 0 to always force re-authentication
+ for MFA checks. This should only be set to a non-zero value
+ if the IdP is setup to perform MFA checks on top of active user
+ sessions.
+ format: duration
+ type: string
 prompt:
 description: Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account
diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go
index 1cef5e613e28b..a04a136853c64 100644
--- a/integrations/terraform/tfschema/types_terraform.go
+++ b/integrations/terraform/tfschema/types_terraform.go
@@ -2848,6 +2853,11 @@ func GenSchemaOIDCConnectorV3(ctx context.Context) (github_com_hashicorp_terrafo
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.BoolType,
 },
+ "max_age": {
+ Description: "MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.",
+ Optional: true,
+ Type: DurationType{},
+ },
 "prompt": {
 Description: "Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.",
 Optional: true,
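Review bot: The `Description` for the new `max_age` attribute in GenSchemaOIDCConnectorV3 says the value is "in nanoseconds", but the attribute is declared `Type: DurationType{}` (and the CRD in this same commit declares it `format: duration`, `type: string`), so an operator will write a duration string such as `"5m"`, not a nanosecond count — the nanosecond wording describes the wire encoding, not the user-facing value. This description is also the only place a user learns the security trade-off: with a non-zero value, an IdP session established within `max_age` satisfies the MFA check without any fresh user interaction, so the effective MFA strength collapses to the IdP's own session policy. I would reword it along the lines of `Description: "MaxAge is the maximum age of an existing IdP session (Go duration string, e.g. \"5m\") that is accepted for MFA checks. Defaults to 0, which forces the IdP to re-authenticate the user on every MFA check. Only set a non-zero value if the IdP is configured to enforce MFA on every session, since a previously established session within this window will pass the MFA check without fresh user interaction."`. If this file is generated from the API protobuf comment (the `github_com_…` identifier style suggests so), the wording change belongs in the proto comment so the docs pages, the CRDs and this schema all pick it up. GenSchemaOIDCConnectorV3 starts and ends outside the hunk.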
@@ -29196,6 +29201,23 @@ func CopyOIDCConnectorV3FromTerraform(_ context.Context, tf github_com_hashicorp
 }
 }
 }
+ {
+ a, ok := tf.Attrs["max_age"]
+ if !ok {
+ diags.Append(attrReadMissingDiag{"OIDCConnectorV3.Spec.MFASettings.max_age"})
+ } else {
+ v, ok := a.(DurationValue)
+ if !ok {
+ diags.Append(attrReadConversionFailureDiag{"OIDCConnectorV3.Spec.MFASettings.max_age", "DurationValue"})
+ } else {
+ var t github_com_gravitational_teleport_api_types.Duration
+ if !v.Null && !v.Unknown {
+ t = github_com_gravitational_teleport_api_types.Duration(v.Value)
+ }
+ obj.MaxAge = t
+ }
+ }
+ }
 }
 }
 }
@@ -30279,6 +30301,28 @@ func CopyOIDCConnectorV3ToTerraform(ctx context.Context, obj *github_com_gravita
 tf.Attrs["prompt"] = v
 }
 }
+ {
+ t, ok := tf.AttrTypes["max_age"]
+ if !ok {
+ diags.Append(attrWriteMissingDiag{"OIDCConnectorV3.Spec.MFASettings.max_age"})
+ } else {
+ v, ok := tf.Attrs["max_age"].(DurationValue)
+ if !ok {
+ i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil))
+ if err != nil {
+ diags.Append(attrWriteGeneralError{"OIDCConnectorV3.Spec.MFASettings.max_age", err})
+ }
+ v, ok = i.(DurationValue)
+ if !ok {
+ diags.Append(attrWriteConversionFailureDiag{"OIDCConnectorV3.Spec.MFASettings.max_age", "DurationValue"})
+ }
+ v.Null = false
+ }
+ v.Value = time.Duration(obj.MaxAge)
+ v.Unknown = false
+ tf.Attrs["max_age"] = v
+ }
+ }
 }
 v.Unknown = false
 tf.Attrs["mfa"] = v
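Review bot: In CopyOIDCConnectorV3FromTerraform the new block copies `v.Value` into `obj.MaxAge` with no range check, so a negative duration (a Go duration string such as `"-5m"`, which the DurationType presumably accepts) or a multi-year value reaches the connector spec from this layer unchallenged. Whether the resource's own CheckAndSetDefaults rejects such values is not visible here; if it does not, a negative `max_age` is at best silently equivalent to the default and at worst an odd value forwarded to the IdP, while a very large one quietly turns the MFA check into a plain "has an IdP session" check. I would reject negatives at this boundary, e.g. `if !v.Null && !v.Unknown && v.Value < 0 { diags.Append(attrReadConversionFailureDiag{"OIDCConnectorV3.Spec.MFASettings.max_age", "non-negative DurationValue"}) }` (or whichever diagnostic type this file uses for validation errors), and state the accepted range in the attribute description. If this file is generated, as the `github_com_…` identifiers suggest, the check belongs in the generator's validator configuration rather than a hand edit. CopyOIDCConnectorV3FromTerraform starts and ends outside the hunk.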