# Reference for the teleport\_user Terraform resource

This page describes the supported values of the teleport\_user resource of the Teleport Terraform provider.

## Example Usage

```hcl
# Teleport User resource

resource "teleport_user" "example" {
  version = "v2"
  # Tells Terraform that the role cannot be destroyed while this user exists
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name        = "example"
    description = "Example Teleport User"

    expires = "2022-10-12T07:20:50Z"

    labels = {
      example = "yes"
    }
  }

  spec = {
    roles = ["example"]

    oidc_identities = [{
      connector_id = "oidc1"
      username     = "example"
    }]

    traits = {
      "logins1" = ["example"]
      "logins2" = ["example"]
    }

    github_identities = [{
      connector_id = "github"
      username     = "example"
    }]

    saml_identities = [{
      connector_id = "example-saml"
      username     = "example"
    }]
  }
}

```

## Schema

### Required

- `version` (String) Version is the resource version. It must be specified. Supported values are: `v2`.

### Optional

- `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata))
- `spec` (Attributes) Spec is a user specification (see [below for nested schema](#nested-schema-for-spec))
- `status` (Attributes) (see [below for nested schema](#nested-schema-for-status))
- `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources

### Nested Schema for `metadata`

Required:

- `name` (String) Name is an object name

Optional:

- `description` (String) Description is object description
- `expires` (String) Expires is a global expiry time header that can be set on any resource in the system.
- `labels` (Map of String) Labels is a set of labels

### Nested Schema for `spec`

Optional:

- `github_identities` (Attributes List) GithubIdentities lists associated GitHub OAuth2 identities that let the user log in using an externally verified identity (see [below for nested schema](#nested-schema-for-specgithub_identities))
- `oidc_identities` (Attributes List) OIDCIdentities lists associated OpenID Connect identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specoidc_identities))
- `roles` (List of String) Roles is a list of roles assigned to user
- `saml_identities` (Attributes List) SAMLIdentities lists associated SAML identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specsaml_identities))
- `traits` (Map of List of String) Traits are key/value pairs received from an identity provider (through OIDC claims or SAML assertions) or from a system administrator for local accounts. Traits are used to populate role variables.
- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits.
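
The following added example (not part of the original reference) shows how a value in `spec.traits` populates a role variable, and pairs a time-bound local user with the role it depends on. The role version `v7`, the `{{external.logins1}}` template, the `env = staging` label and the user name `contractor` are assumptions chosen for illustration.

```hcl
# Added example: a role whose allowed logins come from a user trait.
resource "teleport_role" "example" {
  version = "v7" # assumption: use a role version your cluster supports

  metadata = {
    name = "example"
  }

  spec = {
    allow = {
      # Expands to every value of the user's "logins1" trait.
      # A user without that trait gets no login from this rule.
      logins = ["{{external.logins1}}"]

      # Restrict the role to nodes carrying this label (constructed value).
      node_labels = {
        env = ["staging"]
      }
    }
  }
}

# Added example: a local user that expires and carries only the trait
# the role above reads.
resource "teleport_user" "contractor" {
  version = "v2"

  # The role cannot be destroyed while this user exists.
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name        = "contractor"
    description = "Time-bound local user"
    expires     = "2030-01-01T00:00:00Z" # constructed value
  }

  spec = {
    roles = ["example"]

    # Only OS logins listed here are granted through the role template.
    traits = {
      "logins1" = ["deploy"]
    }
  }
}
```

Keeping the login list in `traits` rather than in the role lets one role serve many users while each user receives only the logins set on their own resource.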

### Nested Schema for `spec.github_identities`

Optional:

- `connector_id` (String) ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
- `samlSingleLogoutUrl` (String) SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable.
- `user_id` (String) UserID is the ID of the identity. Some connectors like GitHub have a unique ID apart from the username.
- `username` (String) Username is username supplied by external identity provider

### Nested Schema for `spec.oidc_identities`

Optional:

- `connector_id` (String) ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
- `samlSingleLogoutUrl` (String) SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable.
- `user_id` (String) UserID is the ID of the identity. Some connectors like GitHub have a unique ID apart from the username.
- `username` (String) Username is username supplied by external identity provider

### Nested Schema for `spec.saml_identities`

Optional:

- `connector_id` (String) ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
- `samlSingleLogoutUrl` (String) SAMLSingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out), if applicable.
- `user_id` (String) UserID is the ID of the identity. Some connectors like GitHub have a unique ID apart from the username.
- `username` (String) Username is username supplied by external identity provider

### Nested Schema for `status`

Optional:

- `mfa_weakest_device` (Number) mfa\_weakest\_device reflects what the system knows about the user's weakest MFA device. Note that this is a "best effort" property, in that it can be UNSPECIFIED.
- `password_state` (Number) password\_state reflects what the system knows about the user's password. Note that this is a "best effort" property, in that it can be UNSPECIFIED for users who were created before this property was introduced and didn't perform any password-related activity since then. See RFD 0159 for details. Do NOT use this value for authentication purposes!
