# Reference for the teleport\_app Terraform data-source This page describes the supported values of the `teleport_app` data source of the Teleport Terraform provider. ## Schema ### Required - `version` (String) Version is the resource version. It must be specified. Supported values are:`v3`. ### Optional - `metadata` (Attributes) Metadata is the app resource metadata. (see [below for nested schema](#nested-schema-for-metadata)) - `spec` (Attributes) Spec is the app resource spec. (see [below for nested schema](#nested-schema-for-spec)) - `sub_kind` (String) SubKind is an optional resource subkind. ### Nested Schema for `metadata` Required: - `name` (String) Name is an object name Optional: - `description` (String) Description is object description - `expires` (String) Expires is a global expiry time header can be set on any resource in the system. - `labels` (Map of String) Labels is a set of labels ### Nested Schema for `spec` Optional: - `aws` (Attributes) AWS contains additional options for AWS applications. (see [below for nested schema](#nested-schema-for-specaws)) - `cloud` (String) Cloud identifies the cloud instance the app represents. - `cors` (Attributes) CORSPolicy defines the Cross-Origin Resource Sharing settings for the app. (see [below for nested schema](#nested-schema-for-speccors)) - `dynamic_labels` (Attributes Map) DynamicLabels are the app's command labels. (see [below for nested schema](#nested-schema-for-specdynamic_labels)) - `identity_center` (Attributes) IdentityCenter encapsulates information specific to AWS IAM Identity Center. Only valid for Identity Center account apps. (see [below for nested schema](#nested-schema-for-specidentity_center)) - `insecure_skip_verify` (Boolean) InsecureSkipVerify disables app's TLS certificate verification. - `integration` (String) Integration is the integration name that must be used to access this Application. Only applicable to AWS App Access. If present, the Application must use the Integration's credentials instead of ambient credentials to access Cloud APIs. - `mcp` (Attributes) MCP contains MCP server related configurations. (see [below for nested schema](#nested-schema-for-specmcp)) - `public_addr` (String) PublicAddr is the public address the application is accessible at. - `required_app_names` (List of String) RequiredAppNames is a list of app names that are required for this app to function. Any app listed here will be part of the authentication redirect flow and authenticate alongside this app. - `rewrite` (Attributes) Rewrite is a list of rewriting rules to apply to requests and responses. (see [below for nested schema](#nested-schema-for-specrewrite)) - `tcp_ports` (Attributes List) TCPPorts is a list of ports and port ranges that an app agent can forward connections to. Only applicable to TCP App Access. If this field is not empty, URI is expected to contain no port number and start with the tcp protocol. (see [below for nested schema](#nested-schema-for-spectcp_ports)) - `uri` (String) URI is the web app endpoint. - `use_any_proxy_public_addr` (Boolean) UseAnyProxyPublicAddr will rebuild this app's fqdn based on the proxy public addr that the request originated from. This should be true if your proxy has multiple proxy public addrs and you want the app to be accessible from any of them. If `public_addr` is explicitly set in the app spec, setting this value to true will overwrite that public address in the web UI. - `user_groups` (List of String) UserGroups are a list of user group IDs that this app is associated with. ### Nested Schema for `spec.aws` Optional: - `external_id` (String) ExternalID is the AWS External ID used when assuming roles in this app. - `roles_anywhere_profile` (Attributes) RolesAnywhereProfile contains the IAM Roles Anywhere fields associated with this Application. These fields are set when performing the synchronization of AWS IAM Roles Anywhere Profiles into Teleport Apps. (see [below for nested schema](#nested-schema-for-specawsroles_anywhere_profile)) ### Nested Schema for `spec.aws.roles_anywhere_profile` Optional: - `accept_role_session_name` (Boolean) Whether this Roles Anywhere Profile accepts a custom role session name. When not supported, the AWS Session Name will be the X.509 certificate's serial number. When supported, the AWS Session Name will be the identity's username. This value comes from: / acceptRoleSessionName - `profile_arn` (String) ProfileARN is the AWS IAM Roles Anywhere Profile ARN that originated this Teleport App. ### Nested Schema for `spec.cors` Optional: - `allow_credentials` (Boolean) allow\_credentials indicates whether credentials are allowed. - `allowed_headers` (List of String) allowed\_headers specifies which headers can be used when accessing the app. - `allowed_methods` (List of String) allowed\_methods specifies which methods are allowed when accessing the app. - `allowed_origins` (List of String) allowed\_origins specifies which origins are allowed to access the app. - `exposed_headers` (List of String) exposed\_headers indicates which headers are made available to scripts via the browser. - `max_age` (Number) max\_age indicates how long (in seconds) the results of a preflight request can be cached. ### Nested Schema for `spec.dynamic_labels` Optional: - `command` (List of String) Command is a command to run - `period` (String) Period is a time between command runs - `result` (String) Result captures standard output ### Nested Schema for `spec.identity_center` Optional: - `account_id` (String) Account ID is the AWS-assigned ID of the account - `permission_sets` (Attributes List) PermissionSets lists the available permission sets on the given account (see [below for nested schema](#nested-schema-for-specidentity_centerpermission_sets)) ### Nested Schema for `spec.identity_center.permission_sets` Optional: - `arn` (String) ARN is the fully-formed ARN of the Permission Set. - `assignment_name` (String) AssignmentID is the ID of the Teleport Account Assignment resource that represents this permission being assigned on the enclosing Account. - `name` (String) Name is the human-readable name of the Permission Set. ### Nested Schema for `spec.mcp` Optional: - `args` (List of String) Args to execute with the command. - `command` (String) Command to launch stdio-based MCP servers. - `run_as_host_user` (String) RunAsHostUser is the host user account under which the command will be executed. Required for stdio-based MCP servers. ### Nested Schema for `spec.rewrite` Optional: - `headers` (Attributes List) Headers is a list of headers to inject when passing the request over to the application. (see [below for nested schema](#nested-schema-for-specrewriteheaders)) - `jwt_claims` (String) JWTClaims configures whether roles/traits are included in the JWT token. - `redirect` (List of String) Redirect defines a list of hosts which will be rewritten to the public address of the application if they occur in the "Location" header. ### Nested Schema for `spec.rewrite.headers` Optional: - `name` (String) Name is the http header name. - `value` (String) Value is the http header value. ### Nested Schema for `spec.tcp_ports` Optional: - `end_port` (Number) EndPort describes the end of the range, inclusive. If set, it must be between 2 and 65535 and be greater than Port when describing a port range. When omitted or set to zero, it signifies that the port range defines a single port. - `port` (Number) Port describes the start of the range. It must be between 1 and 65535.