Skip to content

Releases: cruxstack/terraform-provider-teleportconnect

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 18 Jun 20:18
13de6ce
v0.3.1

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 31 May 21:58
908a84f

Delegated joins now connect the way tsh/tbot do, fixing database and SSH access on proxy-fronted clusters (TLS routing, L4/L7 load balancers, PrivateLink).

Fixed

  • Bot identities now get authorized db/SSH certs. A delegated-join bot authenticates as bot-<name>, whose only role is a wrapper that grants access via role impersonation. The provider previously issued certs keyed on the bot user alone, so they carried none of the access roles and the agent denied the connection (access to db denied). It now discovers the wrapper role's impersonated roles and requests them (RoleRequests + UseRoleRequests), matching tsh/tbot. Normal user identities are unaffected. (#5)

Changed

  • The post-join auth client connects via the official tsh/tbot path (api/client/proxy.Client.ClientConfig) instead of a hand-built dialer; the join now also requests an SSH certificate. This makes behavior on proxy-fronted clusters match the official Teleport clients.

Added

  • join_alpn_conn_upgrade and auth_alpn_conn_upgrade (both default auto) give the join handshake and the post-join auth client independent HTTPS connection-upgrade controls, separate from alpn_conn_upgrade (tunnels). On an L4 load balancer with a private endpoint, a working combination is join_alpn_conn_upgrade = "no" and auth_alpn_conn_upgrade = "yes".

Upgrade notes

Pre-1.0 breaking change: the post-join connection strategy changed and new schema attributes were added. No config change is required for the common case (all three upgrade knobs default to auto).

Full Changelog: v0.2.4...v0.3.0

v0.2.4

Choose a tag to compare

@github-actions github-actions released this 31 May 17:46
07e1853

A patch release removing the auth-server fallback on the delegated-join path.

Fixed

  • Delegated join: post-join client is now pinned to the proxy. It was previously given the proxy as a client.Config.Addrs entry, which let the Teleport SDK fall back to dialing the auth server directly. On proxy-only topologies where the auth service is internal/unreachable, that fallback failed against the auth server's internal certificate (*.teleport.cluster.local). The client now uses an explicit ALPN dialer pinned to the proxy (no auth-server fallback) and honors alpn_conn_upgrade. (#5)

Known limitation

On a proxy behind an L7 load balancer that also requires PrivateLink (hostname resolves to a private IP), forcing alpn_conn_upgrade = "yes" can fail with cannot validate certificate for <ip> ... no IP SANs — the upstream SDK's connection-upgrade step infers the TLS server name from the resolved IP. For an L4 NLB the upgrade isn't needed, so set alpn_conn_upgrade = "no".

Upgrade notes

No configuration changes. If delegated join failed against a proxy-fronted cluster with an auth-server certificate mismatch, upgrade to v0.2.4 and set alpn_conn_upgrade to match your load balancer ("no" for L4 NLB).

Full Changelog: v0.2.3...v0.2.4

v0.2.3

Choose a tag to compare

@github-actions github-actions released this 31 May 13:59
caedfec

A patch release making delegated join honor alpn_conn_upgrade on proxy-fronted clusters.

Fixed

  • Delegated join now honors alpn_conn_upgrade for the join and auth dials. Previously these paths always used the IsALPNConnUpgradeRequired probe, which is unreliable behind some L7 load balancers (e.g. AWS NLB + PrivateLink): even with alpn_conn_upgrade = "yes", the probe could return false, the HTTPS upgrade was skipped, and the client fell back to dialing the auth server directly — failing against its internal certificate (*.teleport.cluster.local). The setting now applies to the join/auth path the same way it already applies to tunnels (yes / no / auto). (#5)

Upgrade notes

If your proxy is behind an L7 load balancer (AWS NLB/ALB + PrivateLink, etc.) and delegated join failed with an auth-server certificate mismatch, set alpn_conn_upgrade = "yes" on the provider and upgrade to v0.2.3.

Full Changelog: v0.2.2...v0.2.3

v0.2.2

Choose a tag to compare

@github-actions github-actions released this 31 May 12:57
103ea20

A patch release completing the delegated-join fix for proxy-fronted clusters.

Fixed

  • Delegated join now routes the post-join client through the proxy by embedding the auth ALPN route and proxy SNI directly in the credentials' TLS config (proxy host as SNI, teleport-auth@<cluster> ALPN, system + cluster CAs). The v0.2.1 fix relied on the SDK's ALPNSNIAuthDialClusterName, which on some topologies — e.g. an NLB + PrivateLink proxy with a separate auth load balancer — still dialed the auth server directly and failed against the auth server's internal certificate (*.teleport.cluster.local). This mirrors the dial construction the join-service and database-tunnel paths already use. (#5)

Upgrade notes

No configuration changes. If you saw a TLS error citing the auth server's internal cert on v0.2.1, upgrading to v0.2.2 resolves it.

Full Changelog: v0.2.1...v0.2.2

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 31 May 10:41
64ca62b

A patch release fixing delegated joins against proxy-fronted clusters.

Fixed

  • Delegated join now works against proxy-fronted clusters. With join_method + join_token, the post-join API client now routes through the proxy via ALPN-SNI auth dial, so TLS verifies against the proxy's public certificate instead of the cluster identity. Previously the join handshake succeeded but the subsequent client connection failed with an SNI mismatch (certificate is valid for <proxy>, not <cluster>) on clusters using TLS routing behind an L7 load balancer. The cluster name is derived automatically from the issued certificate — no new configuration. (#5)

Upgrade notes

No configuration changes required. If you hit the SNI mismatch on v0.2.0, upgrading to v0.2.1 resolves it.

Full Changelog: v0.2.0...v0.2.1

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 30 May 18:38
5dfb270

A CI-focused release. The provider can now authenticate to Teleport without an identity file or a tbot sidecar, plus a new data source and example module for cleaner database configurations.

Added

  • Delegated Machine ID join auth mode. Set join_method + join_token (and optional join_audience) and the provider fetches the platform's OIDC/JWT token and joins the cluster in-process. Supported methods: github, gitlab, kubernetes, spacelift. No identity file, no sidecar, nothing written to disk or state. Implemented against the Apache-2.0 api/ module only (no AGPL lib/tbot import).

    provider "teleportconnect" {
      proxy_address = "teleport.example.com:443"
      join_method   = "github"
      join_token    = "teleportconnect-ci"
    }

    For GitHub Actions the only workflow change is permissions: id-token: write. See the Delegated join methods guide.

  • data.teleportconnect_cluster — exposes cluster_name, server_version, and the cluster TLS CA bundle (ca_certificate). The CA is cluster-scoped, so it can be written to a single file and reused as sslrootcert across many database configurations.

  • examples/modules/teleport-postgresql — a reusable module that wires data.teleportconnect_cluster, a local_file, and an ephemeral database certificate together for the cyrilgdn/postgresql provider (verify-full TLS).

Changed

  • CI guide certificate path rewritten to pass the client certificate and key inline via clientcert.sslinline = true, leaving only the public CA bundle on disk (one local_file instead of three local_sensitive_files).

Upgrade notes

No breaking changes. Existing use_local_profile / identity_file_path / identity_file_data setups continue to work; join_method is purely additive and mutually exclusive with them.

Full Changelog: v0.1.0...v0.2.0

v0.1.0

Choose a tag to compare

@github-actions github-actions released this 30 May 14:37
f501153
v0.1.0