diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 311206ce291ec..246a7ed3c665e 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2939,7 +2939,7 @@ message RoleOptions {
(gogoproto.customtype) = "BoolOption"
];
- // CreateHostUser allows users to be automatically created on a host
+ // Deprecated: Should use CreateHostUserMode instead.
BoolValue CreateHostUser = 20 [
(gogoproto.nullable) = true,
(gogoproto.jsontag) = "create_host_user,omitempty",
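Review bot: The deprecation lives only in the leading comment, so nothing in the schema itself marks the field; the standard field option `deprecated = true,` could be added to the `[...]` list that starts on the `BoolValue CreateHostUser = 20 [` line, which protoc-gen-go honours by emitting its own `Deprecated:` marker instead of the hand edit to the generated types.pb.go in this same commit. The comment would also read better if it still named the field, e.g. `// CreateHostUser allows users to be automatically created on a host. Deprecated: use CreateHostUserMode instead.`, so tooling that keys off the identifier keeps the sentence attached to it. The option list for this field continues past the hunk, so the new option has to go before its closing bracket.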
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index d3a4806f3e2ec..6a05782300edc 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
@@ -7801,7 +7801,7 @@ type RoleOptions struct {
// workstation and the remote desktop. It defaults to false unless explicitly set to
// true.
DesktopDirectorySharing *BoolOption `protobuf:"bytes,19,opt,name=DesktopDirectorySharing,proto3,customtype=BoolOption" json:"desktop_directory_sharing"`
- // CreateHostUser allows users to be automatically created on a host
+ // Deprecated: Should use CreateHostUserMode instead.
CreateHostUser *BoolOption `protobuf:"bytes,20,opt,name=CreateHostUser,proto3,customtype=BoolOption" json:"create_host_user,omitempty"`
// PinSourceIP forces the same client IP for certificate generation and usage
PinSourceIP Bool `protobuf:"varint,21,opt,name=PinSourceIP,proto3,casttype=Bool" json:"pin_source_ip"`
diff --git a/docs/cspell.json b/docs/cspell.json
index 2af57642fd77f..0ffe552c38b42 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -848,6 +848,7 @@
"snowsql",
"spacectl",
"spacelift",
+ "specoptions",
"spfile",
"spiffe",
"splunkd",
diff --git a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
index 20d6d03eaa3b4..ab002cbd99e97 100644
--- a/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
+++ b/docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx
@@ -108,6 +108,20 @@ permission to restart the Nginx service as root. In Teleport 16.4.0 and later,
the default shell for a created user can be configured with `create_host_user_default_shell`.
Otherwise the host's default shell will be used.
+
+
+When using the terraform provider, the values for `create_host_user_mode` are represented numerically
+as reflected in the
+[role reference](/reference/terraform-provider/resources/role/#nested-schema-for-specoptions).
+
+Possible values are:
+- `0` is `unspecified`.
+- `1` is `off`.
+- `2` is `keep`.
+- `4` is `insecure-drop`.
+
+
+
{/*TODO (ptgott): We should move the information below into a reference guide*/}
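Review bot: The numeric mapping added here disagrees with the operator reference updated in this same diff: the new bullets say `2` is `keep`, while the `create_host_user_mode` rows in resources.teleport.dev_roles.mdx list 3 as "keep" and 2 as the "drop" mode removed for v15 and above. If that reference reflects the CreateHostUserMode enum, a Terraform user following this page would set `2` expecting provisioned users to be kept and would get a different mode, which matters because this setting decides whether host users are removed after a session. Suggest changing the bullet to `- `3` is `keep`.` and, if the provider still accepts 2, adding a bullet stating it is the removed `drop` mode; verify the numbering against the enum in types.proto before merging.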
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
index 5a8b17bcc12d8..7d22e71d93b2c 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
|create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
|create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: Should use CreateHostUserMode instead.|
|create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
|create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
|desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
@@ -723,7 +723,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
|create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
|create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: Should use CreateHostUserMode instead.|
|create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
|create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
|desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
index 72496075a135b..061f1063ae4d2 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
|create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
|create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: Should use CreateHostUserMode instead.|
|create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
|create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
|desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
index 18b86829bb115..b759d2d7699fb 100644
--- a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
+++ b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
@@ -340,7 +340,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
|create_db_user|boolean|CreateDatabaseUser enabled automatic database user creation.|
|create_db_user_mode|string or integer|CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is "unspecified", 1 is "off", 2 is "keep", 3 is "best_effort_drop". Can be either the string or the integer representation of each option.|
|create_desktop_user|boolean|CreateDesktopUser allows users to be automatically created on a Windows desktop|
-|create_host_user|boolean|CreateHostUser allows users to be automatically created on a host|
+|create_host_user|boolean|Deprecated: Should use CreateHostUserMode instead.|
|create_host_user_default_shell|string|CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users.|
|create_host_user_mode|string or integer|CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is "unspecified"; 1 is "off"; 2 is "drop" (removed for v15 and above), 3 is "keep"; 4 is "insecure-drop". Can be either the string or the integer representation of each option.|
|desktop_clipboard|boolean|DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false.|
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
index bf726074a0f8b..c2935a5008ebb 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
@@ -1133,8 +1133,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
@@ -2465,8 +2464,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml
index 688636acc275b..217e76f0125da 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml
@@ -1136,8 +1136,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml
index 7287b21409569..c58bb1907d0fe 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml
@@ -1136,8 +1136,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
index bf726074a0f8b..c2935a5008ebb 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
@@ -1133,8 +1133,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
@@ -2465,8 +2464,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml
index 688636acc275b..217e76f0125da 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml
@@ -1136,8 +1136,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml
index 7287b21409569..c58bb1907d0fe 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml
@@ -1136,8 +1136,7 @@ spec:
created on a Windows desktop
type: boolean
create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
+ description: 'Deprecated: Should use CreateHostUserMode instead.'
type: boolean
create_host_user_default_shell:
description: CreateHostUserDefaultShell is used to configure the
diff --git a/lib/services/access_checker.go b/lib/services/access_checker.go
index 0c8c9557d91a5..bbf9cb7e450e1 100644
--- a/lib/services/access_checker.go
+++ b/lib/services/access_checker.go
@@ -1035,6 +1035,7 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
}
createHostUserMode := role.GetOptions().CreateHostUserMode
+ //nolint:staticcheck // this field is preserved for existing deployments, but shouldn't be used going forward
createHostUser := role.GetOptions().CreateHostUser
if createHostUserMode == types.CreateHostUserMode_HOST_USER_MODE_UNSPECIFIED {
createHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_OFF
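Review bot: The new directive explains the lint suppression but not why the deprecated value is still read next to `createHostUserMode`, which is what a future maintainer needs when deciding whether the legacy path can be removed. Suggest extending the comment, e.g. `// CreateHostUser predates CreateHostUserMode; it is still read so roles written before the mode existed keep their behaviour.`, and stating which field wins when both are set at the point where that is decided, presumably further down in HostUsers. The same directive is repeated in sshserver_test.go at the end of this diff. HostUsers starts before this hunk and continues after it.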
diff --git a/lib/srv/regular/sshserver_test.go b/lib/srv/regular/sshserver_test.go
index 1e7a81b3a7859..e9c724cb17bd6 100644
--- a/lib/srv/regular/sshserver_test.go
+++ b/lib/srv/regular/sshserver_test.go
@@ -2848,6 +2848,7 @@ func newUpack(testSvr *auth.TestServer, username string, allowedLogins []string,
role.SetRules(types.Allow, rules)
opts := role.GetOptions()
opts.PermitX11Forwarding = types.NewBool(true)
+ //nolint:staticcheck // this field is preserved for existing deployments, but shouldn't be used going forward
opts.CreateHostUser = types.NewBoolOption(true)
role.SetOptions(opts)
role.SetLogins(types.Allow, allowedLogins)
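Review bot: `newUpack` is a shared test fixture and now writes the deprecated `CreateHostUser` field rather than `CreateHostUserMode`, so every test built on it keeps exercising the legacy path and coverage of the replacement setting depends on tests elsewhere. Unless this helper exists specifically to pin the legacy behaviour, switch it to `opts.CreateHostUserMode = types.CreateHostUserMode_HOST_USER_MODE_KEEP` and cover the deprecated field in one dedicated test; that also removes the need for the nolint directive here. newUpack starts before this hunk and continues after it.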