adding SSHPortForwarding config to RoleOptions (#50215)

api/proto/teleport/legacy/types/types.proto

@@ -2928,6 +2928,38 @@ enum CreateDatabaseUserMode {
   DB_USER_MODE_BEST_EFFORT_DROP = 3;
 }
 
+// SSHLocalPortForwarding configures access controls for local SSH port forwarding.
+message SSHLocalPortForwarding {
+  BoolValue Enabled = 1 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "enabled,omitempty",
+    (gogoproto.customtype) = "BoolOption"
+  ];
+}
+
+// SSHRemotePortForwarding configures access controls for remote SSH port forwarding.
+message SSHRemotePortForwarding {
+  BoolValue Enabled = 1 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "enabled,omitempty",
+    (gogoproto.customtype) = "BoolOption"
+  ];
+}
+
+// SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
+message SSHPortForwarding {
+  // Allow local port forwarding.
+  SSHLocalPortForwarding Local = 1 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "local,omitempty"
+  ];
+  // Allow remote port forwarding.
+  SSHRemotePortForwarding Remote = 2 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "remote,omitempty"
+  ];
+}
+
 // RoleOptions is a set of role options
 message RoleOptions {
   // ForwardAgent is SSH agent forwarding.
@@ -2942,11 +2974,9 @@ message RoleOptions {
     (gogoproto.casttype) = "Duration"
   ];
 
-  // PortForwarding defines if the certificate will have
-  // "permit-port-forwarding"
-  // in the certificate. PortForwarding is "yes" if not set,
-  // that's why this is a pointer
+  // Deprecated: Use SSHPortForwarding instead
   BoolValue PortForwarding = 3 [
+    deprecated = true,
     (gogoproto.nullable) = true,
     (gogoproto.jsontag) = "port_forwarding,omitempty",
     (gogoproto.customtype) = "BoolOption"
@@ -3113,6 +3143,12 @@ message RoleOptions {
 
   // CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.
   string CreateHostUserDefaultShell = 31 [(gogoproto.jsontag) = "create_host_user_default_shell,omitempty"];
+
+  // SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.
+  SSHPortForwarding SSHPortForwarding = 32 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "ssh_port_forwarding,omitempty"
+  ];
 }
 
 message RecordSession {

docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx

@@ -406,12 +406,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -442,6 +443,25 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
 ## resources.teleport.dev/v6
 
 **apiVersion:** resources.teleport.dev/v6
@@ -837,12 +857,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -873,3 +894,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx

@@ -406,12 +406,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -442,3 +443,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+

docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx

@@ -406,12 +406,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |mfa_verification_interval|string|MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.|
 |permit_x11_forwarding|boolean|PermitX11Forwarding authorizes use of X11 forwarding.|
 |pin_source_ip|boolean|PinSourceIP forces the same client IP for certificate generation and usage|
-|port_forwarding|boolean|PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer|
+|port_forwarding|boolean|Deprecated: Use SSHPortForwarding instead|
 |record_session|[object](#specoptionsrecord_session)|RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.|
 |request_access|string|RequestAccess defines the request strategy (optional|note|always) where optional is the default.|
 |request_prompt|string|RequestPrompt is an optional message which tells users what they aught to request.|
 |require_session_mfa|string or integer|RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN". Can be either the string or the integer representation of each option.|
 |ssh_file_copy|boolean|SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.|
+|ssh_port_forwarding|[object](#specoptionsssh_port_forwarding)|SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.|
 
 ### spec.options.cert_extensions items
 
@@ -442,3 +443,22 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |desktop|boolean|Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.|
 |ssh|string|SSH indicates the session mode used on SSH sessions.|
 
+### spec.options.ssh_port_forwarding
+
+|Field|Type|Description|
+|---|---|---|
+|local|[object](#specoptionsssh_port_forwardinglocal)|Allow local port forwarding.|
+|remote|[object](#specoptionsssh_port_forwardingremote)|Allow remote port forwarding.|
+
+### spec.options.ssh_port_forwarding.local
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+
+### spec.options.ssh_port_forwarding.remote
+
+|Field|Type|Description|
+|---|---|---|
+|enabled|boolean||
+

docs/pages/reference/terraform-provider/data-sources/role.mdx

@@ -453,12 +453,13 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -492,3 +493,24 @@ Optional:
 - `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
 - `ssh` (String) SSH indicates the session mode used on SSH sessions.
 
+
+### Nested Schema for `spec.options.ssh_port_forwarding`
+
+Optional:
+
+- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
+- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))
+
+### Nested Schema for `spec.options.ssh_port_forwarding.local`
+
+Optional:
+
+- `enabled` (Boolean)
+
+
+### Nested Schema for `spec.options.ssh_port_forwarding.remote`
+
+Optional:
+
+- `enabled` (Boolean)
+

docs/pages/reference/terraform-provider/resources/role.mdx

@@ -507,12 +507,13 @@ Optional:
 - `mfa_verification_interval` (String) MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to `max_session_ttl`.
 - `permit_x11_forwarding` (Boolean) PermitX11Forwarding authorizes use of X11 forwarding.
 - `pin_source_ip` (Boolean) PinSourceIP forces the same client IP for certificate generation and usage
-- `port_forwarding` (Boolean) PortForwarding defines if the certificate will have "permit-port-forwarding" in the certificate. PortForwarding is "yes" if not set, that's why this is a pointer
+- `port_forwarding` (Boolean) Deprecated: Use SSHPortForwarding instead
 - `record_session` (Attributes) RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. (see [below for nested schema](#nested-schema-for-specoptionsrecord_session))
 - `request_access` (String) RequestAccess defines the request strategy (optional|note|always) where optional is the default.
 - `request_prompt` (String) RequestPrompt is an optional message which tells users what they aught to request.
 - `require_session_mfa` (Number) RequireMFAType is the type of MFA requirement enforced for this user. 0 is "OFF", 1 is "SESSION", 2 is "SESSION_AND_HARDWARE_KEY", 3 is "HARDWARE_KEY_TOUCH", 4 is "HARDWARE_KEY_PIN", 5 is "HARDWARE_KEY_TOUCH_AND_PIN".
 - `ssh_file_copy` (Boolean) SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false.
+- `ssh_port_forwarding` (Attributes) SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwarding))
 
 ### Nested Schema for `spec.options.cert_extensions`
 
@@ -546,3 +547,24 @@ Optional:
 - `desktop` (Boolean) Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false.
 - `ssh` (String) SSH indicates the session mode used on SSH sessions.
 
+
+### Nested Schema for `spec.options.ssh_port_forwarding`
+
+Optional:
+
+- `local` (Attributes) Allow local port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardinglocal))
+- `remote` (Attributes) Allow remote port forwarding. (see [below for nested schema](#nested-schema-for-specoptionsssh_port_forwardingremote))
+
+### Nested Schema for `spec.options.ssh_port_forwarding.local`
+
+Optional:
+
+- `enabled` (Boolean)
+
+
+### Nested Schema for `spec.options.ssh_port_forwarding.remote`
+
+Optional:
+
+- `enabled` (Boolean)
+