Support IntegrationV1 in terraform provider

* Updated the audience field docs and validation error message to
  clarify what values are supported.
* Updated subkind validation error message when marshaling an
  IntegrationV1 to clarify what values are supported.

Author: GavinFrazar

api/proto/teleport/legacy/types/types.proto

@@ -8688,7 +8688,7 @@ message AWSOIDCIntegrationSpecV1 {
   // This bucket/prefix/* files must be publicly accessible and contain the following:
   // > .well-known/openid-configuration
   // > .well-known/jwks
-  // Format: s3://<bucket>/<prefix>
+  // Format: `s3://<bucket>/<prefix>`
   // Optional. The proxy's endpoint is used if it is not specified.
   //
   // DEPRECATED: Thumbprint validation requires the issuer to update the IdP in AWS everytime the issuer changes the certificate.
@@ -8700,9 +8700,9 @@ message AWSOIDCIntegrationSpecV1 {
     deprecated = true
   ];
 
-  // Audience is used to record a name of a plugin or a discover service in Teleport
-  // that depends on this integration.
-  // Audience value can be empty or configured with supported preset audience type.
+  // Audience is used to record a name of a plugin or a discover service in
+  // Teleport that depends on this integration.
+  // Audience value can either be empty or "aws-identity-center".
   // Preset audience may impose specific behavior on the integration CRUD API,
   // such as preventing integration from update or deletion. Empty audience value
   // should be treated as a default and backward-compatible behavior of the integration.

api/types/integration.go

@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/url"
+	"slices"
 
 	"github.com/gravitational/trace"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -42,6 +43,14 @@ const (
 	IntegrationSubKindAWSRolesAnywhere = "aws-ra"
 )
 
+// integrationSubKindValues is a list of supported integration subkind values.
+var integrationSubKindValues = []string{
+	IntegrationSubKindAWSOIDC,
+	IntegrationSubKindAzureOIDC,
+	IntegrationSubKindAWSRolesAnywhere,
+	IntegrationSubKindGitHub,
+}
+
 const (
 	// IntegrationAWSOIDCAudienceUnspecified denotes an empty audience value. Empty audience value
 	// is used to maintain default OIDC integration behavior and backward compatibility.
@@ -50,6 +59,14 @@ const (
 	IntegrationAWSOIDCAudienceAWSIdentityCenter = "aws-identity-center"
 )
 
+// integrationAWSOIDCAudienceValues is a list of the supported AWS OIDC Audience
+// values. If this list is updated, be sure to also update the audience field's
+// godoc string in the [AWSOIDCIntegrationSpecV1] protobuf definition.
+var integrationAWSOIDCAudienceValues = []string{
+	IntegrationAWSOIDCAudienceUnspecified,
+	IntegrationAWSOIDCAudienceAWSIdentityCenter,
+}
+
 const (
 	// IntegrationAWSRolesAnywhereProfileSyncStatusSuccess indicates that the profile sync was successful.
 	IntegrationAWSRolesAnywhereProfileSyncStatusSuccess = "SUCCESS"
@@ -300,12 +317,13 @@ func (s *IntegrationSpecV1_AWSOIDC) CheckAndSetDefaults() error {
 // ValidateAudience validates if the audience field is configured with
 // a supported audience value.
 func (s *IntegrationSpecV1_AWSOIDC) ValidateAudience() error {
-	switch s.AWSOIDC.Audience {
-	case IntegrationAWSOIDCAudienceUnspecified, IntegrationAWSOIDCAudienceAWSIdentityCenter:
-		return nil
-	default:
-		return trace.BadParameter("unsupported audience value %q", s.AWSOIDC.Audience)
+	if !slices.Contains(integrationAWSOIDCAudienceValues, s.AWSOIDC.Audience) {
+		return trace.BadParameter("unsupported audience value %q, supported values are %q",
+			s.AWSOIDC.Audience,
+			integrationAWSOIDCAudienceValues,
+		)
 	}
+	return nil
 }
 
 // Validate validates the configuration for Azure OIDC integration subkind.
@@ -615,7 +633,7 @@ func (ig *IntegrationV1) MarshalJSON() ([]byte, error) {
 		}
 		d.Spec.AWSRA = *ig.GetAWSRolesAnywhereIntegrationSpec()
 	default:
-		return nil, trace.BadParameter("invalid subkind %q", ig.SubKind)
+		return nil, trace.BadParameter("invalid subkind %q, supported values are %q", ig.SubKind, integrationSubKindValues)
 	}
 
 	out, err := json.Marshal(d)

api/types/integration_test.go

@@ -18,6 +18,7 @@ package types
 
 import (
 	"encoding/json"
+	"strings"
 	"testing"
 
 	"github.com/google/uuid"
@@ -68,6 +69,10 @@ func TestIntegrationJSONMarshalCycle(t *testing.T) {
 			require.Equal(t, &ig2, ig)
 		})
 	}
+
+	aws.SubKind = ""
+	_, err = json.MarshalIndent(aws, "", "  ")
+	require.ErrorContains(t, err, `invalid subkind "", supported values are ["aws-oidc" "azure-oidc" "aws-ra" "github"]`)
 }
 
 func TestIntegrationCheckAndSetDefaults(t *testing.T) {
@@ -223,7 +228,12 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 					},
 				)
 			},
-			expectedErrorIs: trace.IsBadParameter,
+			expectedErrorIs: func(err error) bool {
+				return trace.IsBadParameter(err) &&
+					strings.Contains(err.Error(),
+						`unsupported audience value "testvalue", supported values are ["" "aws-identity-center"]`,
+					)
+			},
 		},
 		{
 			name: "azure-oidc: valid",
@@ -468,8 +478,8 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			name := uuid.NewString()
 			ig, err := tt.integration(name)
-			require.True(t, tt.expectedErrorIs(err), "expected another error", err)
-			if err != nil {
+			require.True(t, tt.expectedErrorIs(err), "expected another error %v", err)
+			if err != nil && trace.IsBadParameter(err) {
 				return
 			}
 

api/types/types.pb.go

@@ -27,6 +27,7 @@ The Teleport Terraform provider supports the following data-sources:
   - [`teleport_github_connector`](./github_connector.mdx)
   - [`teleport_health_check_config`](./health_check_config.mdx)
   - [`teleport_installer`](./installer.mdx)
+  - [`teleport_integration`](./integration.mdx)
   - [`teleport_login_rule`](./login_rule.mdx)
   - [`teleport_oidc_connector`](./oidc_connector.mdx)
   - [`teleport_okta_import_rule`](./okta_import_rule.mdx)

docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/data-sources.mdx

@@ -0,0 +1,82 @@
+---
+title: Reference for the teleport_integration Terraform data-source
+sidebar_label: integration
+description: This page describes the supported values of the teleport_integration data-source of the Teleport Terraform provider.
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}
+
+This page describes the supported values of the `teleport_integration` data source of the
+Teleport Terraform provider.
+
+
+
+
+
+{/*  schema generated by tfplugindocs */}
+## Schema
+
+### Required
+
+- `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata))
+- `spec` (Attributes) Spec is an Integration specification. (see [below for nested schema](#nested-schema-for-spec))
+- `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources
+- `version` (String) Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: `v1`
+
+### Nested Schema for `metadata`
+
+Required:
+
+- `name` (String) Name is an object name
+
+Optional:
+
+- `description` (String) Description is object description
+- `expires` (String) Expires is a global expiry time header can be set on any resource in the system.
+- `labels` (Map of String) Labels is a set of labels
+
+
+### Nested Schema for `spec`
+
+Optional:
+
+- `aws_oidc` (Attributes) AWSOIDC contains the specific fields to handle the AWS OIDC Integration subkind (see [below for nested schema](#nested-schema-for-specaws_oidc))
+- `aws_ra` (Attributes) AWSRA contains the specific fields to handle the AWS Roles Anywhere Integration subkind. (see [below for nested schema](#nested-schema-for-specaws_ra))
+- `azure_oidc` (Attributes) AzureOIDC contains the specific fields to handle the Azure OIDC Integration subkind (see [below for nested schema](#nested-schema-for-specazure_oidc))
+
+### Nested Schema for `spec.aws_oidc`
+
+Optional:
+
+- `audience` (String) Audience is used to record a name of a plugin or a discover service in Teleport that depends on this integration. Audience value can either be empty or "aws-identity-center". Preset audience may impose specific behavior on the integration CRUD API, such as preventing integration from update or deletion. Empty audience value should be treated as a default and backward-compatible behavior of the integration.
+- `issuer_s3_uri` (String) IssuerS3URI is the Identity Provider that was configured in AWS. This bucket/prefix/* files must be publicly accessible and contain the following: > .well-known/openid-configuration > .well-known/jwks Format: `s3://<bucket>/<prefix>` Optional. The proxy's endpoint is used if it is not specified.  DEPRECATED: Thumbprint validation requires the issuer to update the IdP in AWS everytime the issuer changes the certificate. Amazon had some whitelisted providers where the thumbprint was ignored. S3 hosted providers was in that list. Amazon is now trusting all the root certificate authorities, and this workaround is no longer needed. DELETE IN 18.0.
+- `role_arn` (String) RoleARN contains the Role ARN used to set up the Integration. This is the AWS Role that Teleport will use to issue tokens for API Calls.
+
+
+### Nested Schema for `spec.aws_ra`
+
+Optional:
+
+- `profile_sync_config` (Attributes) ProfileSyncConfig contains the configuration for the AWS Roles Anywhere Profile sync. This is used to create AWS Roles Anywhere profiles as application servers. (see [below for nested schema](#nested-schema-for-specaws_raprofile_sync_config))
+- `trust_anchor_arn` (String) TrustAnchorARN contains the AWS IAM Roles Anywhere Trust Anchor ARN used to set up the Integration.
+
+### Nested Schema for `spec.aws_ra.profile_sync_config`
+
+Optional:
+
+- `enabled` (Boolean) Enabled is set to true if this integration should sync profiles as application servers.
+- `profile_accepts_role_session_name` (Boolean) ProfileAcceptsRoleSessionName indicates whether the profile accepts a custom Role Session name.
+- `profile_arn` (String) ProfileARN is the ARN of the Roles Anywhere Profile used to generate credentials to access the AWS APIs.
+- `profile_name_filters` (List of String) ProfileNameFilters is a list of filters applied to the profile name. Only matching profiles will be synchronized as application servers. If empty, no filtering is applied.  Filters can be globs, for example:  profile* *name*  Or regexes if they're prefixed and suffixed with ^ and $, for example:  ^profile.*$ ^.*name.*$
+- `role_arn` (String) RoleARN is the ARN of the IAM Role to assume when accessing the AWS APIs.
+
+
+
+### Nested Schema for `spec.azure_oidc`
+
+Optional:
+
+- `client_id` (String) ClientID specifies the ID of Azure enterprise application (client) that corresponds to this plugin.
+- `tenant_id` (String) TenantID specifies the ID of Entra Tenant (Directory) that this plugin integrates with.
+

docs/pages/reference/infrastructure-as-code/terraform-provider/data-sources/integration.mdx

@@ -0,0 +1,152 @@
+---
+title: Reference for the teleport_integration Terraform resource
+sidebar_label: integration
+description: This page describes the supported values of the teleport_integration resource of the Teleport Terraform provider.
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}
+
+This page describes the supported values of the teleport_integration resource of the Teleport Terraform provider.
+
+
+
+
+## Example Usage
+
+```hcl
+resource "teleport_integration" "aws_oidc" {
+  version  = "v1"
+  sub_kind = "aws-oidc"
+  metadata = {
+    name        = "example"
+    description = "AWS OIDC integration"
+    labels = {
+      env = "dev"
+    }
+  }
+
+  spec = {
+    aws_oidc = {
+      role_arn = "arn:aws:iam::123456789012:role/example-role-name"
+    }
+  }
+}
+
+resource "teleport_integration" "azure_oidc" {
+  version  = "v1"
+  sub_kind = "azure-oidc"
+  metadata = {
+    name        = "azure-oidc"
+    description = "Example Azure OIDC integration"
+    labels = {
+      env = "dev"
+    }
+  }
+
+  spec = {
+    azure_oidc = {
+      // Azure Entra ID tenant ID
+      tenant_id = "a1b2c3d4-f2e4-97a8-9abc-1234567890ab"
+      // Azure enterprise application client ID
+      client_id = "7f12e3b5-6789-4abc-def0-112233445566"
+    }
+  }
+}
+
+resource "teleport_integration" "aws_roles_anywhere" {
+  version  = "v1"
+  sub_kind = "aws-ra"
+  metadata = {
+    name        = "aws-ra"
+    description = "Example AWS Roles Anywhere integration"
+    labels = {
+      env = "dev"
+    }
+  }
+
+  spec = {
+    aws_ra = {
+      profile_sync_config = {
+        // sync AWS profiles as Teleport applications
+        enabled                           = true
+        profile_accepts_role_session_name = false
+        profile_arn                       = "arn:aws:rolesanywhere:us-east-1:123456789012:profile/<random-uuid>"
+        role_arn                          = "arn:aws:iam::123456789012:role/example-role-name"
+        // only sync AWS profiles as Teleport applications if the profile name matches
+        profile_name_filters = [
+          "teleport-*",    // supports globs
+          "^teleport-.*$", // and regex if the string is enclosed in regex anchors
+        ]
+      }
+      trust_anchor_arn = "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/<random-uuid>"
+    }
+  }
+}
+```
+
+{/*  schema generated by tfplugindocs */}
+## Schema
+
+### Required
+
+- `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata))
+- `spec` (Attributes) Spec is an Integration specification. (see [below for nested schema](#nested-schema-for-spec))
+- `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources
+- `version` (String) Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: `v1`
+
+### Nested Schema for `metadata`
+
+Required:
+
+- `name` (String) Name is an object name
+
+Optional:
+
+- `description` (String) Description is object description
+- `expires` (String) Expires is a global expiry time header can be set on any resource in the system.
+- `labels` (Map of String) Labels is a set of labels
+
+
+### Nested Schema for `spec`
+
+Optional:
+
+- `aws_oidc` (Attributes) AWSOIDC contains the specific fields to handle the AWS OIDC Integration subkind (see [below for nested schema](#nested-schema-for-specaws_oidc))
+- `aws_ra` (Attributes) AWSRA contains the specific fields to handle the AWS Roles Anywhere Integration subkind. (see [below for nested schema](#nested-schema-for-specaws_ra))
+- `azure_oidc` (Attributes) AzureOIDC contains the specific fields to handle the Azure OIDC Integration subkind (see [below for nested schema](#nested-schema-for-specazure_oidc))
+
+### Nested Schema for `spec.aws_oidc`
+
+Optional:
+
+- `audience` (String) Audience is used to record a name of a plugin or a discover service in Teleport that depends on this integration. Audience value can either be empty or "aws-identity-center". Preset audience may impose specific behavior on the integration CRUD API, such as preventing integration from update or deletion. Empty audience value should be treated as a default and backward-compatible behavior of the integration.
+- `issuer_s3_uri` (String) IssuerS3URI is the Identity Provider that was configured in AWS. This bucket/prefix/* files must be publicly accessible and contain the following: > .well-known/openid-configuration > .well-known/jwks Format: `s3://<bucket>/<prefix>` Optional. The proxy's endpoint is used if it is not specified.  DEPRECATED: Thumbprint validation requires the issuer to update the IdP in AWS everytime the issuer changes the certificate. Amazon had some whitelisted providers where the thumbprint was ignored. S3 hosted providers was in that list. Amazon is now trusting all the root certificate authorities, and this workaround is no longer needed. DELETE IN 18.0.
+- `role_arn` (String) RoleARN contains the Role ARN used to set up the Integration. This is the AWS Role that Teleport will use to issue tokens for API Calls.
+
+
+### Nested Schema for `spec.aws_ra`
+
+Optional:
+
+- `profile_sync_config` (Attributes) ProfileSyncConfig contains the configuration for the AWS Roles Anywhere Profile sync. This is used to create AWS Roles Anywhere profiles as application servers. (see [below for nested schema](#nested-schema-for-specaws_raprofile_sync_config))
+- `trust_anchor_arn` (String) TrustAnchorARN contains the AWS IAM Roles Anywhere Trust Anchor ARN used to set up the Integration.
+
+### Nested Schema for `spec.aws_ra.profile_sync_config`
+
+Optional:
+
+- `enabled` (Boolean) Enabled is set to true if this integration should sync profiles as application servers.
+- `profile_accepts_role_session_name` (Boolean) ProfileAcceptsRoleSessionName indicates whether the profile accepts a custom Role Session name.
+- `profile_arn` (String) ProfileARN is the ARN of the Roles Anywhere Profile used to generate credentials to access the AWS APIs.
+- `profile_name_filters` (List of String) ProfileNameFilters is a list of filters applied to the profile name. Only matching profiles will be synchronized as application servers. If empty, no filtering is applied.  Filters can be globs, for example:  profile* *name*  Or regexes if they're prefixed and suffixed with ^ and $, for example:  ^profile.*$ ^.*name.*$
+- `role_arn` (String) RoleARN is the ARN of the IAM Role to assume when accessing the AWS APIs.
+
+
+
+### Nested Schema for `spec.azure_oidc`
+
+Optional:
+
+- `client_id` (String) ClientID specifies the ID of Azure enterprise application (client) that corresponds to this plugin.
+- `tenant_id` (String) TenantID specifies the ID of Entra Tenant (Directory) that this plugin integrates with.