[v16] CI: lint proto changes (#44541)

.github/workflows/lint.yaml

@@ -14,6 +14,7 @@ jobs:
     outputs:
       has_go: ${{ steps.changes.outputs.has_go }}
       has_rust: ${{ steps.changes.outputs.has_rust }}
+      has_proto: ${{ steps.changes.outputs.has_proto }}
     steps:
       - name: Checkout
         if: ${{ github.event_name == 'merge_group' }}
@@ -221,4 +222,4 @@ jobs:
 
       - name: Check if Terraform resources are up to date
         # We have to add the current directory as a safe directory or else git commands will not work as expected.
-        run: git config --global --add safe.directory $(realpath .) && make terraform-resources-up-to-date
+        run: git config --global --add safe.directory $(realpath .) && go install github.com/gravitational/protoc-gen-terraform@main && make terraform-resources-up-to-date

api/proto/teleport/clusterconfig/v1/clusterconfig_service.proto

@@ -53,7 +53,7 @@ service ClusterConfigService {
   // GetClusterAuditConfig retrieves the active cluster audit configuration.
   rpc GetClusterAuditConfig(GetClusterAuditConfigRequest) returns (types.ClusterAuditConfigV2);
 
-  // GetClusterAccessGraphConfig retrieves the Cluster Access Graph configuration from Auth server.
+  // GetClusterAccessGraphConfig retrieves the cluster Access Graph configuration from Auth service.
   rpc GetClusterAccessGraphConfig(GetClusterAccessGraphConfigRequest) returns (GetClusterAccessGraphConfigResponse);
 }
 

api/proto/teleport/legacy/types/types.proto

@@ -2779,7 +2779,7 @@ message RoleOptions {
   // concurrent sessions per connection.
   int64 MaxSessions = 10 [(gogoproto.jsontag) = "max_sessions,omitempty"];
 
-  // RequestAccess defines the access request strategy (optional|note|always)
+  // RequestAccess defines the request strategy (optional|note|always)
   // where optional is the default.
   string RequestAccess = 11 [
     (gogoproto.jsontag) = "request_access,omitempty",

docs/pages/enroll-resources/agents/deploy-agents-terraform.mdx

@@ -1,17 +1,19 @@
 ---
-title: "Deploy Teleport Agents with Terraform"
-description: "In this guide, we will show you how to deploy a pool of Teleport agents so you can apply dynamic resources to enroll your infrastructure with Teleport."
+title: "Deploy Agents with Terraform"
+description: "In this guide, we will show you how to deploy a pool of Agents so you can apply dynamic resources to enroll your infrastructure with Teleport."
 ---
 
+## How it works
+
 An agent is a Teleport instance configured to run one or more Teleport services
 in order to proxy infrastructure resources. For a brief architectural overview
 of how agents run in a Teleport cluster, read the [Introduction to Teleport
 Agents](introduction.mdx).
 
-This guide shows you how to deploy a pool of Teleport agents running on virtual
+This guide shows you how to deploy a pool of Agents running on virtual
 machines by declaring it as code using Terraform.
 
-There are several methods you can use to join a Teleport agent to your cluster,
+There are several methods you can use to join a Agents to your cluster,
 which we discuss in the [Joining Services to your
 Cluster](join-services-to-your-cluster.mdx) guide. In this guide, we will use
 the **join token** method, where the operator stores a secure token on the Auth
@@ -23,7 +25,7 @@ resources:
 - Compute instances to run Teleport services
 - A join token for each compute instance in the agent pool
 
-![A Teleport agent pool](../../../img/tf-agent-diagram.png)
+![An Agent pool](../../../img/tf-agent-diagram.png)
 
 ## Prerequisites
 
@@ -36,7 +38,7 @@ see how an agent pool works. After you are familiar with the setup, apply the
 lessons from this guide to protect your infrastructure. You can get started with
 a demo cluster using:
 - A demo deployment on a [Linux server](../../deploy-a-cluster/linux-demo.mdx)
-- A [Teleport Enterprise Cloud trial](https://goteleport.com/signup)
+- A [Teleport Enterprise (managed) trial](https://goteleport.com/signup)
 
 </Admonition>
 
@@ -320,7 +322,7 @@ provider "aws" {
 }
 
 provider "teleport" {
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = PROXY_SERVICE_ADDRESS
   identity_file_path = "terraform-identity"
 }
@@ -356,7 +358,7 @@ provider "google" {
 }
 
 provider "teleport" {
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = PROXY_SERVICE_ADDRESS
   identity_file_path = "terraform-identity"
 }
@@ -390,7 +392,7 @@ terraform {
 
 provider "teleport" {
   identity_file_path = "terraform-identity"
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = PROXY_SERVICE_ADDRESS
 }
 
@@ -529,7 +531,7 @@ In this section, we explain the resources configured in the
 ### Join token
 
 The `agent-pool-terraform` module deploys one virtual machine instance for each
-Teleport agent. Each agent joins the cluster using a token. We create each token
+Agent. Each agent joins the cluster using a token. We create each token
 using the `teleport_provision_token` Terraform resource, specifying the token's
 value with a `random_string` resource:
 
@@ -542,7 +544,7 @@ provider creates them on the Teleport Auth Service backend.
 
 ### User data script
 
-Each Teleport agent deployed by the `agent-pool-terraform` module loads a user
+Each Agent deployed by the `agent-pool-terraform` module loads a user
 data script that creates a Teleport configuration file for the agent. The
 services enabled by the configuration file depend on the value of the
 `agent_roles` input variable:

docs/pages/reference/terraform-provider.mdx

@@ -63,7 +63,7 @@ terraform {
 }
 
 provider "teleport" {
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = "mytenant.teleport.sh:443"
   identity_file_path = "terraform-identity/identity"
 }
@@ -127,7 +127,7 @@ This auth method has the following limitations:
 
 ### Optional
 
-- `addr` (String) host:port where Teleport Auth server is running. This can also be set with the environment variable `TF_TELEPORT_ADDR`.
+- `addr` (String) host:port where Teleport Auth Service is running. This can also be set with the environment variable `TF_TELEPORT_ADDR`.
 - `cert_base64` (String) Base64 encoded TLS auth certificate. This can also be set with the environment variable `TF_TELEPORT_CERT_BASE64`.
 - `cert_path` (String) Path to Teleport auth certificate file. This can also be set with the environment variable `TF_TELEPORT_CERT`.
 - `dial_timeout_duration` (String) DialTimeout sets timeout when trying to connect to the server. This can also be set with the environment variable `TF_TELEPORT_DIAL_TIMEOUT_DURATION`.

docs/pages/reference/terraform-provider/data-sources/role.mdx

@@ -381,7 +381,7 @@ Optional:
 - `create_host_user_mode` (Number) CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
 - `desktop_clipboard` (Boolean)
 - `desktop_directory_sharing` (Boolean)
-- `device_trust_mode` (String) DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport.
+- `device_trust_mode` (String) DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode.
 - `disconnect_expired_cert` (Boolean) DisconnectExpiredCert sets disconnect clients on expired certificates.
 - `enhanced_recording` (List of String) BPF defines what events to record for the BPF-based session recorder.
 - `forward_agent` (Boolean) ForwardAgent is SSH agent forwarding.
@@ -395,7 +395,7 @@ Optional:
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
 - `port_forwarding` (Boolean)
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
-- `request_access` (String) RequestAccess defines the access request strategy (optional|note|always) where optional is the default.
+- `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean)

docs/pages/reference/terraform-provider/resources/role.mdx

@@ -434,7 +434,7 @@ Optional:
 - `create_host_user_mode` (Number) CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop".
 - `desktop_clipboard` (Boolean)
 - `desktop_directory_sharing` (Boolean)
-- `device_trust_mode` (String) DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode. Reserved for future use, not yet used by Teleport.
+- `device_trust_mode` (String) DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode.
 - `disconnect_expired_cert` (Boolean) DisconnectExpiredCert sets disconnect clients on expired certificates.
 - `enhanced_recording` (List of String) BPF defines what events to record for the BPF-based session recorder.
 - `forward_agent` (Boolean) ForwardAgent is SSH agent forwarding.
@@ -448,7 +448,7 @@ Optional:
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
 - `port_forwarding` (Boolean)
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
-- `request_access` (String) RequestAccess defines the access request strategy (optional|note|always) where optional is the default.
+- `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean)

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -1241,8 +1241,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells
@@ -2572,8 +2572,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -1244,8 +1244,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml

@@ -1244,8 +1244,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

examples/resources/terraform/provider-cloud.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "teleport" {
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = "mytenant.teleport.sh:443"
   identity_file_path = "terraform-identity/identity"
 }

integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml

@@ -1241,8 +1241,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells
@@ -2572,8 +2572,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml

@@ -1244,8 +1244,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml

@@ -1244,8 +1244,8 @@ spec:
                         type: string
                     type: object
                   request_access:
-                    description: RequestAccess defines the access request strategy
-                      (optional|note|always) where optional is the default.
+                    description: RequestAccess defines the request strategy (optional|note|always)
+                      where optional is the default.
                     type: string
                   request_prompt:
                     description: RequestPrompt is an optional message which tells

integrations/terraform/Makefile

@@ -56,7 +56,7 @@ endif
 
 # The wrappers.proto file needed for this generator exist only inside the go mod cache,
 # so we retrieve the file path for the cached proto files with go mod tools.
-	$(eval PROTOBUF_MOD_PATH := $(shell go mod download --json github.com/gogo/protobuf | jq .Dir))
+	$(eval PROTOBUF_MOD_PATH := $(shell go list -m -u -f '{{.Dir}}' github.com/gogo/protobuf))
 
 	@protoc \
 		-I=../../api/proto \

integrations/terraform/examples/provider/provider-cloud.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "teleport" {
-  # Update addr to point to your Teleport Cloud tenant URL's host:port
+  # Update addr to point to your Teleport Enterprise (managed) tenant URL's host:port
   addr               = "mytenant.teleport.sh:443"
   identity_file_path = "terraform-identity/identity"
 }

integrations/terraform/provider/provider.go

@@ -107,7 +107,7 @@ func (p *Provider) GetSchema(_ context.Context) (tfsdk.Schema, diag.Diagnostics)
 			"addr": {
 				Type:        types.StringType,
 				Optional:    true,
-				Description: "host:port where Teleport Auth server is running. This can also be set with the environment variable `TF_TELEPORT_ADDR`.",
+				Description: "host:port where Teleport Auth Service is running. This can also be set with the environment variable `TF_TELEPORT_ADDR`.",
 			},
 			"cert_path": {
 				Type:        types.StringType,

integrations/terraform/templates/index.md.tmpl

@@ -55,7 +55,7 @@ The identity file can be obtained via several ways:
 
 #### Obtaining an identity file via `tbot`
 
-Tbot relies on [MachineID](../machine-id/introduction.mdx) to obtain and automatically renew short-lived credentials.
+Tbot relies on [MachineID](../enroll-resources/machine-id/introduction.mdx) to obtain and automatically renew short-lived credentials.
 Such credentials are harder to exfiltrate, and you can control more precisely who has access to which roles
 (e.g. you can allow only GitHub Actions pipelines targeting the `prod` environment to get certificates).