# Reference for the teleport\_database Terraform data-source

This page describes the supported values of the `teleport_database` data source of the Teleport Terraform provider.

## Schema

### Required

- `version` (String) Version is the resource version. It must be specified. Supported values are: `v3`.

### Optional

- `metadata` (Attributes) Metadata is the database metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) Spec is the database spec. (see [below for nested schema](#nested-schema-for-spec))
- `sub_kind` (String) SubKind is an optional resource subkind.

### Nested Schema for `metadata`

Required:

- `name` (String) Name is an object name

Optional:

- `description` (String) Description is object description
- `expires` (String) Expires is a global expiry time header that can be set on any resource in the system.
- `labels` (Map of String) Labels is a set of labels

### Nested Schema for `spec`

Required:

- `protocol` (String) Protocol is the database protocol: postgres, mysql, mongodb, etc.
- `uri` (String) URI is the database connection endpoint.

Optional:

- `ad` (Attributes) AD is the Active Directory configuration for the database. (see [below for nested schema](#nested-schema-for-specad))
- `admin_user` (Attributes) AdminUser is the database admin user for automatic user provisioning. (see [below for nested schema](#nested-schema-for-specadmin_user))
- `aws` (Attributes) AWS contains AWS specific settings for RDS/Aurora/Redshift databases. (see [below for nested schema](#nested-schema-for-specaws))
- `azure` (Attributes) Azure contains Azure specific database metadata. (see [below for nested schema](#nested-schema-for-specazure))
- `ca_cert` (String) CACert is the PEM-encoded database CA certificate. DEPRECATED: Moved to TLS.CACert. DELETE IN 10.0.
- `dynamic_labels` (Attributes Map) DynamicLabels is the database dynamic labels. (see [below for nested schema](#nested-schema-for-specdynamic_labels))
- `gcp` (Attributes) GCP contains parameters specific to GCP Cloud SQL databases. (see [below for nested schema](#nested-schema-for-specgcp))
- `mongo_atlas` (Attributes) MongoAtlas contains Atlas metadata about the database. (see [below for nested schema](#nested-schema-for-specmongo_atlas))
- `mysql` (Attributes) MySQL is an additional section with MySQL database options. (see [below for nested schema](#nested-schema-for-specmysql))
- `oracle` (Attributes) Oracle is an additional section with Oracle configuration options. (see [below for nested schema](#nested-schema-for-specoracle))
- `tls` (Attributes) TLS is the TLS configuration used when establishing a connection to the target database. It allows providing a custom CA cert or overriding the server name. (see [below for nested schema](#nested-schema-for-spectls))

### Nested Schema for `spec.ad`

Optional:

- `domain` (String) Domain is the Active Directory domain the database resides in.
- `kdc_host_name` (String) KDCHostName is the host name for a KDC for x509 Authentication.
- `keytab_file` (String) KeytabFile is the path to the Kerberos keytab file.
- `krb5_file` (String) Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
- `ldap_cert` (String) LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
- `ldap_service_account_name` (String) LDAPServiceAccountName is the name of service account for performing LDAP queries. Required for x509 Auth / PKINIT.
- `ldap_service_account_sid` (String) LDAPServiceAccountSID is the SID of service account for performing LDAP queries. Required for x509 Auth / PKINIT.
- `spn` (String) SPN is the service principal name for the database.

### Nested Schema for `spec.admin_user`

Optional:

- `default_database` (String) DefaultDatabase is the database that the privileged database user logs into by default. Depending on the database type, this database may be used to store procedures or data for managing database users.
- `name` (String) Name is the username of the privileged database user.

### Nested Schema for `spec.aws`

Optional:

- `account_id` (String) AccountID is the AWS account ID this database belongs to.
- `assume_role_arn` (String) AssumeRoleARN is an optional AWS role ARN to assume when accessing a database. Set this field and ExternalID to enable access across AWS accounts.
- `docdb` (Attributes) DocumentDB contains Amazon DocumentDB-specific metadata. (see [below for nested schema](#nested-schema-for-specawsdocdb))
- `elasticache` (Attributes) ElastiCache contains Amazon ElastiCache Redis-specific metadata. (see [below for nested schema](#nested-schema-for-specawselasticache))
- `elasticache_serverless` (Attributes) ElastiCacheServerless contains Amazon ElastiCache Serverless metadata. (see [below for nested schema](#nested-schema-for-specawselasticache_serverless))
- `external_id` (String) ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
- `iam_policy_status` (Number) IAMPolicyStatus indicates whether the IAM Policy is configured properly for database access. If not, the user must update the AWS profile identity to allow access to the database. E.g., for an RDS database: the underlying AWS profile allows `rds-db:connect` for the database.
- `memorydb` (Attributes) MemoryDB contains AWS MemoryDB specific metadata. (see [below for nested schema](#nested-schema-for-specawsmemorydb))
- `opensearch` (Attributes) OpenSearch contains AWS OpenSearch specific metadata. (see [below for nested schema](#nested-schema-for-specawsopensearch))
- `rds` (Attributes) RDS contains RDS specific metadata. (see [below for nested schema](#nested-schema-for-specawsrds))
- `rdsproxy` (Attributes) RDSProxy contains AWS Proxy specific metadata. (see [below for nested schema](#nested-schema-for-specawsrdsproxy))
- `redshift` (Attributes) Redshift contains Redshift specific metadata. (see [below for nested schema](#nested-schema-for-specawsredshift))
- `redshift_serverless` (Attributes) RedshiftServerless contains metadata specific to Amazon Redshift Serverless. (see [below for nested schema](#nested-schema-for-specawsredshift_serverless))
- `region` (String) Region is an AWS cloud region.
- `secret_store` (Attributes) SecretStore contains secret store configurations. (see [below for nested schema](#nested-schema-for-specawssecret_store))
- `session_tags` (Map of String) SessionTags is a list of AWS STS session tags.

### Nested Schema for `spec.aws.docdb`

Optional:

- `cluster_id` (String) ClusterID is the cluster identifier.
- `endpoint_type` (String) EndpointType is the type of the endpoint.
- `instance_id` (String) InstanceID is the instance identifier.

### Nested Schema for `spec.aws.elasticache`

Optional:

- `endpoint_type` (String) EndpointType is the type of the endpoint.
- `replication_group_id` (String) ReplicationGroupID is the Redis replication group ID.
- `transit_encryption_enabled` (Boolean) TransitEncryptionEnabled indicates whether in-transit encryption (TLS) is enabled.
- `user_group_ids` (List of String) UserGroupIDs is a list of user group IDs.

### Nested Schema for `spec.aws.elasticache_serverless`

Optional:

- `cache_name` (String) CacheName is an ElastiCache Serverless cache name.

### Nested Schema for `spec.aws.memorydb`

Optional:

- `acl_name` (String) ACLName is the name of the ACL associated with the cluster.
- `cluster_name` (String) ClusterName is the name of the MemoryDB cluster.
- `endpoint_type` (String) EndpointType is the type of the endpoint.
- `tls_enabled` (Boolean) TLSEnabled indicates whether in-transit encryption (TLS) is enabled.

### Nested Schema for `spec.aws.opensearch`

Optional:

- `domain_id` (String) DomainID is the ID of the domain.
- `domain_name` (String) DomainName is the name of the domain.
- `endpoint_type` (String) EndpointType is the type of the endpoint.

### Nested Schema for `spec.aws.rds`

Optional:

- `cluster_id` (String) ClusterID is the RDS cluster (Aurora) identifier.
- `iam_auth` (Boolean) IAMAuth indicates whether database IAM authentication is enabled.
- `instance_id` (String) InstanceID is the RDS instance identifier.
- `resource_id` (String) ResourceID is the RDS instance resource identifier (db-xxx).
- `security_groups` (List of String) SecurityGroups is a list of attached security groups for the RDS instance.
- `subnets` (List of String) Subnets is a list of subnets for the RDS instance.
- `vpc_id` (String) VPCID is the VPC where the RDS is running.

### Nested Schema for `spec.aws.rdsproxy`

Optional:

- `custom_endpoint_name` (String) CustomEndpointName is the identifier of an RDS Proxy custom endpoint.
- `name` (String) Name is the identifier of an RDS Proxy.
- `resource_id` (String) ResourceID is the RDS instance resource identifier (prx-xxx).

### Nested Schema for `spec.aws.redshift`

Optional:

- `cluster_id` (String) ClusterID is the Redshift cluster identifier.

### Nested Schema for `spec.aws.redshift_serverless`

Optional:

- `endpoint_name` (String) EndpointName is the VPC endpoint name.
- `workgroup_id` (String) WorkgroupID is the workgroup ID.
- `workgroup_name` (String) WorkgroupName is the workgroup name.

### Nested Schema for `spec.aws.secret_store`

Optional:

- `key_prefix` (String) KeyPrefix specifies the secret key prefix.
- `kms_key_id` (String) KMSKeyID specifies the AWS KMS key for encryption.

### Nested Schema for `spec.azure`

Optional:

- `is_flexi_server` (Boolean) IsFlexiServer is true if the database is an Azure Flexible server.
- `name` (String) Name is the Azure database server name.
- `redis` (Attributes) Redis contains Azure Cache for Redis specific database metadata. (see [below for nested schema](#nested-schema-for-specazureredis))
- `resource_id` (String) ResourceID is the Azure fully qualified ID for the resource.

### Nested Schema for `spec.azure.redis`

Optional:

- `clustering_policy` (String) ClusteringPolicy is the clustering policy for Redis Enterprise.

### Nested Schema for `spec.dynamic_labels`

Optional:

- `command` (List of String) Command is a command to run
- `period` (String) Period is a time between command runs
- `result` (String) Result captures standard output

### Nested Schema for `spec.gcp`

Optional:

- `alloydb` (Attributes) AlloyDB contains AlloyDB specific configuration elements. (see [below for nested schema](#nested-schema-for-specgcpalloydb))
- `instance_id` (String) InstanceID is the Cloud SQL instance ID.
- `project_id` (String) ProjectID is the GCP project ID the Cloud SQL instance resides in.

### Nested Schema for `spec.gcp.alloydb`

Optional:

- `endpoint_override` (String) EndpointOverride is an override of endpoint address to use.
- `endpoint_type` (String) EndpointType is the database endpoint type to use. Should be one of: "private", "public", "psc".

### Nested Schema for `spec.mongo_atlas`

Optional:

- `name` (String) Name is the Atlas database instance name.

### Nested Schema for `spec.mysql`

Optional:

- `server_version` (String) ServerVersion is the server version reported by DB proxy if the runtime information is not available.

### Nested Schema for `spec.oracle`

Optional:

- `audit_user` (String) AuditUser is the name of the Oracle database user that should be used to access the internal audit trail.
- `retry_count` (Number) RetryCount is the maximum number of times to retry connecting to a host upon failure. If not specified it defaults to 2, for a total of 3 connection attempts.
- `shuffle_hostnames` (Boolean) ShuffleHostnames, when true, randomizes the order of hosts to connect to from the provided list.

### Nested Schema for `spec.tls`

Optional:

- `ca_cert` (String) CACert is an optional user provided CA certificate used for verifying database TLS connection.
- `mode` (Number) Mode is a TLS connection mode. 0 is "verify-full", 1 is "verify-ca", 2 is "insecure".
- `server_name` (String) ServerName allows providing a custom hostname. This value overrides the server name/hostname on a certificate during validation.
- `trust_system_cert_pool` (Boolean) TrustSystemCertPool allows Teleport to trust certificate authorities available on the host system. If not set (by default), Teleport only trusts self-signed databases with TLS certificates signed by Teleport's Database Server CA or the `ca_cert` specified in this TLS setting. For cloud-hosted databases, Teleport downloads the corresponding required CAs for validation.
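
The transport-related fields above (`spec.tls`, the deprecated `spec.ca_cert`, and the ElastiCache/MemoryDB encryption flags) can be reviewed together once the data source has been read. The following is an added example, not part of the Teleport provider or its documentation: the function names, severity labels and sample objects are hypothetical, the input is assumed to be a plain dictionary laid out like the schema on this page, and an unset `mode` is assumed to mean 0.

```python
# Added example: audit objects shaped like this page's schema for weak transport settings.
TLS_MODES = {0: "verify-full", 1: "verify-ca", 2: "insecure"}  # values of spec.tls.mode

def audit_database(db):
    """Return a list of (severity, field, message) findings for one database object."""
    spec = db.get("spec") or {}
    tls = spec.get("tls") or {}
    aws = spec.get("aws") or {}
    findings = []

    mode = tls.get("mode")
    mode = 0 if mode is None else mode  # assumption: an unset mode means 0 (verify-full)
    if mode not in TLS_MODES:
        findings.append(("high", "spec.tls.mode", f"unknown mode {mode!r}"))
    elif mode == 2:
        findings.append(("high", "spec.tls.mode", "insecure mode is configured"))
    elif mode == 1:
        findings.append(("medium", "spec.tls.mode", "verify-ca is weaker than verify-full"))

    if tls.get("server_name"):
        findings.append(("info", "spec.tls.server_name",
                         "overrides the name checked on the certificate; confirm it is intended"))
    if tls.get("trust_system_cert_pool"):
        findings.append(("info", "spec.tls.trust_system_cert_pool",
                         "host system CAs are trusted for this database"))
    if spec.get("ca_cert"):
        findings.append(("low", "spec.ca_cert", "deprecated field; use spec.tls.ca_cert"))
    if (aws.get("elasticache") or {}).get("transit_encryption_enabled") is False:
        findings.append(("medium", "spec.aws.elasticache.transit_encryption_enabled",
                         "in-transit encryption is disabled"))
    if (aws.get("memorydb") or {}).get("tls_enabled") is False:
        findings.append(("medium", "spec.aws.memorydb.tls_enabled",
                         "in-transit encryption is disabled"))
    return findings

def audit_all(dbs):
    """Map each database name to its findings."""
    return {db["metadata"]["name"]: audit_database(db) for db in dbs}

# Constructed sample objects (not real databases); URIs and names are placeholders.
SAMPLE = [
    {"metadata": {"name": "orders-pg"},
     "spec": {"protocol": "postgres", "uri": "pg.example.internal:5432", "tls": {"mode": 0}}},
    {"metadata": {"name": "legacy-mysql"},
     "spec": {"protocol": "mysql", "uri": "mysql.example.internal:3306", "ca_cert": "PEM-PLACEHOLDER",
              "tls": {"mode": 2, "server_name": "db.example.internal"}}},
    {"metadata": {"name": "cache"},
     "spec": {"protocol": "redis", "uri": "cache.example.internal:6379", "tls": {"mode": 1},
              "aws": {"elasticache": {"transit_encryption_enabled": False}}}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for severity, field, message in findings:
            print(f"{name}: [{severity}] {field}: {message}")
```
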
