[v14] terraform: Add/restore support for TELEPORT_AUTH_TYPE (#34124)

* terraform: Add/restore support for TELEPORT_AUTH_TYPE

* Trailing newlines

* Apply suggestions from code review

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

* Add teleport_auth_type to starter-cluster docs

---------

Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>

docs/pages/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx

@@ -350,6 +350,22 @@ This setting should always be used unless you have a specific need to use separa
 
 For the simplest, cheapest deployment, enable both ACM and TLS routing to funnel all traffic through a single Application Load Balancer with an AWS-managed certificate.
 
+### teleport_auth_type
+
+```code
+$ export TF_VAR_teleport_auth_type="local"
+```
+
+This value can be used to change the default authentication type used for the Teleport cluster. This is useful for persisting a
+default authentication type across AMI upgrades when you have a SAML, OIDC or GitHub connector configured in DynamoDB.
+The default is `local`.
+
+- Teleport Community Edition supports `local` or `github`
+- Teleport Enterprise Edition supports `local`, `github`, `oidc` or `saml`
+- Teleport Enterprise FIPS deployments have local authentication disabled, so should use `github`, `oidc` or `saml`
+
+See the [Teleport authentication reference](../../reference/authentication.mdx) for more information.
+
 ## Reference deployment defaults
 
 ### Instances

docs/pages/deploy-a-cluster/deployments/aws-starter-cluster-terraform.mdx

@@ -363,6 +363,21 @@ This setting should always be used unless you have a specific need to use separa
 
 When using this `starter-cluster` deployment, if ACM is enabled, TLS routing will automatically be enabled too.
 
+### teleport_auth_type
+
+```code
+$ export TF_VAR_teleport_auth_type="local"
+```
+
+This value can be used to change the default authentication type used for the Teleport cluster. This is useful for persisting a
+default authentication type across AMI upgrades when you have a SAML, OIDC or GitHub connector configured in DynamoDB.
+The default is `local`.
+
+- Teleport Community Edition supports `local` or `github`
+- Teleport Enterprise Edition supports `local`, `github`, `oidc` or `saml`
+- Teleport Enterprise FIPS deployments have local authentication disabled, so should use `github`, `oidc` or `saml`
+
+See the [Teleport authentication reference](../../reference/authentication.mdx) for more information.
 
 ## Reference deployment defaults
 

examples/aws/terraform/ha-autoscale-cluster/Makefile

@@ -64,6 +64,15 @@ TF_VAR_use_acm ?= false
 # - you must use `tsh proxy` commands for Kubernetes/database access
 TF_VAR_use_tls_routing ?= false
 
+# (optional) Change the default authentication type used for the Teleport cluster.
+# See https://goteleport.com/docs/reference/authentication for more information.
+# This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+# or GitHub connector configured in DynamoDB. The default if not set is "local".
+# Teleport Community Edition supports "local" or "github"
+# Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+# Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+TF_VAR_teleport_auth_type ?= "local"
+
 export
 
 # Plan launches terraform plan

examples/aws/terraform/ha-autoscale-cluster/README.md

@@ -107,6 +107,15 @@ export TF_VAR_email="support@example.com"
 # Setup grafana password for "admin" user. Grafana will be served on https://cluster.example.com:8443 after install
 export TF_VAR_grafana_pass="CHANGE_THIS_VALUE"
 
+# This value can be used to change the default authentication type used for the Teleport cluster.
+# See https://goteleport.com/docs/reference/authentication for more information.
+# This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+# or GitHub connector configured in DynamoDB. The default is "local".
+# Teleport Community Edition supports "local" or "github"
+# Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+# Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+export TF_VAR_teleport_auth_type="local"
+
 # plan
 make plan
 ```

examples/aws/terraform/ha-autoscale-cluster/auth-user-data.tpl

@@ -3,6 +3,7 @@ cat >/etc/teleport.d/conf <<EOF
 TELEPORT_ROLE=auth
 EC2_REGION=${region}
 TELEPORT_AUTH_SERVER_LB=${auth_server_addr}
+TELEPORT_AUTH_TYPE=${teleport_auth_type}
 TELEPORT_CLUSTER_NAME=${cluster_name}
 TELEPORT_DOMAIN_ADMIN_EMAIL=${email}
 TELEPORT_DOMAIN_NAME=${domain_name}

examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf

@@ -57,6 +57,7 @@ resource "aws_launch_template" "auth" {
       region                   = var.region
       locks_table_name         = aws_dynamodb_table.locks.name
       auth_server_addr         = aws_lb.auth.dns_name
+      teleport_auth_type       = var.teleport_auth_type
       cluster_name             = var.cluster_name
       dynamo_table_name        = aws_dynamodb_table.teleport.name
       dynamo_events_table_name = aws_dynamodb_table.teleport_events.name

examples/aws/terraform/ha-autoscale-cluster/vars.tf

@@ -268,3 +268,15 @@ variable "route53_domain_acm_nlb_alias" {
   type    = string
   default = ""
 }
+
+// (optional) Change the default authentication type used for the Teleport cluster.
+// See https://goteleport.com/docs/reference/authentication for more information.
+// This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+// or GitHub connector configured in DynamoDB. The default if not set is "local".
+// Teleport Community Edition supports "local" or "github"
+// Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+// Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+variable "teleport_auth_type" {
+  type    = string
+  default = "local"
+}

examples/aws/terraform/starter-cluster/Makefile

@@ -71,6 +71,15 @@ TF_VAR_use_acm ?= false
 # and will be ignored.
 TF_VAR_use_tls_routing ?= true
 
+# (optional) Change the default authentication type used for the Teleport cluster.
+# See https://goteleport.com/docs/reference/authentication for more information.
+# This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+# or GitHub connector configured in DynamoDB. The default if not set is "local".
+# Teleport Community Edition supports "local" or "github"
+# Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+# Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+TF_VAR_teleport_auth_type ?= "local"
+
 export
 
 # Plan launches terraform plan

examples/aws/terraform/starter-cluster/README.md

@@ -150,6 +150,15 @@ export TF_VAR_use_acm="false"
 # and will be ignored.
 export TF_VAR_use_tls_routing="true"
 
+# This value can be used to change the default authentication type used for the Teleport cluster.
+# See https://goteleport.com/docs/reference/authentication for more information.
+# This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+# or GitHub connector configured in DynamoDB. The default is "local".
+# Teleport Community Edition supports "local" or "github"
+# Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+# Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+export TF_VAR_teleport_auth_type="local"
+
 # plan
 make plan
 ```

examples/aws/terraform/starter-cluster/cluster.tf

@@ -12,6 +12,7 @@ resource "aws_instance" "cluster" {
     "data.tpl",
     {
       region                   = var.region
+      teleport_auth_type       = var.teleport_auth_type
       cluster_name             = var.cluster_name
       email                    = var.email
       domain_name              = var.route53_domain

examples/aws/terraform/starter-cluster/data.tpl

@@ -3,6 +3,7 @@ cat >/etc/teleport.d/conf <<EOF
 TELEPORT_ROLE=auth,node,proxy
 EC2_REGION=${region}
 TELEPORT_AUTH_SERVER_LB=localhost
+TELEPORT_AUTH_TYPE=${teleport_auth_type}
 TELEPORT_CLUSTER_NAME=${cluster_name}
 TELEPORT_DOMAIN_ADMIN_EMAIL=${email}
 TELEPORT_DOMAIN_NAME=${domain_name}

examples/aws/terraform/starter-cluster/vars.tf

@@ -121,3 +121,15 @@ variable "kms_alias_name" {
 variable "cluster_instance_type" {
   type = string
 }
+
+// (optional) Change the default authentication type used for the Teleport cluster.
+// See https://goteleport.com/docs/reference/authentication for more information.
+// This is useful for persisting a different default authentication type across AMI upgrades when you have a SAML, OIDC
+// or GitHub connector configured in DynamoDB. The default if not set is "local".
+// Teleport Community Edition supports "local" or "github"
+// Teleport Enterprise Edition supports "local", "github", "oidc" or "saml"
+// Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc" or "saml"
+variable "teleport_auth_type" {
+  type    = string
+  default = "local"
+}