Feature Request - Ability to configure tctl YAML resource via REST API (outside the tctl cli)

[mechastorm]

Currently we are configure the tctl resources like auth connectors and roles via the tctl create command. This requires our setup process to include either

• A manual step after provisioning to run our tctl create commands directly on a random Auth server
• OR run a script on the startup of an Auth server to create these resources

Right now the only way we can directly run our command is on the Auth server. This requires access to an Auth server which involves either

• create a separate ssh key to login to Auth server to run our tctl create command
• create a separate local teleport admin user just to login to an Auth server to run the tctl create command

Ideally, we feel if we can create these resources through a REST API endpoint (via a generate secret token) we can avoid having to set up adhoc access. A REST API endpoint may not be the best solution, I am open to other solutions how to create our tctl resources without the CLI.

We have found provisioning our tctl resources with tools like Ansible modules or Terraform Providers would fit most Ops workflow. Examples is the modules provided to set up Keycloak

• Keycloak Terraform Provider
• Keycloak Ansible Module

This is a suggestion for a feature. We are not blocked by this but it greatly help when deploying to wider groups. I am also aware that there will need to be deep security considerations on how we can enable TCTL resources to be created in a programmatic manner without the CLI.

[benarent]

Thanks for the feature request @mechastorm, since this is already close to #1525 , I'm going to close this issue and merge it into the other issue and make sure we cover everything there.