generating terraform and operator resources from proto

api/proto/teleport/legacy/types/types.proto

@@ -2883,7 +2883,7 @@ message RoleOptions {
     (gogoproto.casttype) = "Duration"
   ];
 
-  // Deprecated: Use PortForwardMode instead
+  // Deprecated: Use PortForwardConfig instead
   BoolValue PortForwarding = 3 [
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "port_forwarding,omitempty",
@@ -3052,7 +3052,7 @@ message RoleOptions {
   // CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
   string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"];
 
-  // PortForwardConfig
+  // PortForwardConfig defines which types of port forwarding are permitted, if any.
   PortForwardConfig PortForwardConfig = 32 [
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "port_forward_config,omitempty"

docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx

@@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig|
+|port_forwarding|boolean|Deprecated: Use PortForwardMode instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
@@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |---|---|---|
 |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.|
 
+### spec.options.port_forward_config
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean||
+|remote|boolean||
+
 ### spec.options.record_session
 
 |Field|Type|Description|
@@ -801,7 +809,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig|
+|port_forwarding|boolean|Deprecated: Use PortForwardMode instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
@@ -829,6 +838,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |---|---|---|
 |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.|
 
+### spec.options.port_forward_config
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean||
+|remote|boolean||
+
 ### spec.options.record_session
 
 |Field|Type|Description|

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx

@@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig|
+|port_forwarding|boolean|Deprecated: Use PortForwardMode instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
@@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |---|---|---|
 |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.|
 
+### spec.options.port_forward_config
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean||
+|remote|boolean||
+
 ### spec.options.record_session
 
 |Field|Type|Description|

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx

@@ -388,7 +388,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forward_config|[object](#specoptionsport_forward_config)|PortForwardConfig|
+|port_forwarding|boolean|Deprecated: Use PortForwardMode instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
@@ -416,6 +417,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |---|---|---|
 |enabled|boolean|Enabled is set to true if this option allows access to the Teleport SAML IdP.|
 
+### spec.options.port_forward_config
+
+|Field|Type|Description|
+|---|---|---|
+|local|boolean||
+|remote|boolean||
+
 ### spec.options.record_session
 
 |Field|Type|Description|

docs/pages/reference/terraform-provider/data-sources/role.mdx

@@ -432,7 +432,8 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forward_config` (Attributes) PortForwardConfig (see [below for nested schema](#nested-schema-for-specoptionsport_forward_config))
+- `port_forwarding` (Boolean) Deprecated: Use PortForwardMode instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
@@ -463,6 +464,14 @@ Optional:
 
 
 
+### Nested Schema for `spec.options.port_forward_config`
+
+Optional:
+
+- `local` (Boolean)
+- `remote` (Boolean)
+
+
 ### Nested Schema for `spec.options.record_session`
 
 Optional:

docs/pages/reference/terraform-provider/resources/role.mdx

@@ -486,7 +486,8 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forward_config` (Attributes) PortForwardConfig (see [below for nested schema](#nested-schema-for-specoptionsport_forward_config))
+- `port_forwarding` (Boolean) Deprecated: Use PortForwardMode instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
@@ -517,6 +518,14 @@ Optional:
 
 
 
+### Nested Schema for `spec.options.port_forward_config`
+
+Optional:
+
+- `local` (Boolean)
+- `remote` (Boolean)
+
+
 ### Nested Schema for `spec.options.record_session`
 
 Optional:

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -1280,10 +1280,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access
@@ -2661,10 +2668,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -1283,10 +1283,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml

@@ -1283,10 +1283,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access

integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml

@@ -1280,10 +1280,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access
@@ -2661,10 +2668,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access

integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml

@@ -1283,10 +1283,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access

integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml

@@ -1283,10 +1283,17 @@ spec:
                     description: PinSourceIP forces the same client IP for certificate
                       generation and usage
                     type: boolean
+                  port_forward_config:
+                    description: PortForwardConfig
+                    nullable: true
+                    properties:
+                      local:
+                        type: boolean
+                      remote:
+                        type: boolean
+                    type: object
                   port_forwarding:
-                    description: PortForwarding defines if the certificate will have
-                      "permit-port-forwarding" in the certificate. PortForwarding
-                      is "yes" if not set, that's why this is a pointer
+                    description: 'Deprecated: Use PortForwardMode instead'
                     type: boolean
                   record_session:
                     description: RecordDesktopSession indicates whether desktop access