gravitational · bernardjkim · Oct 16, 2025 · Oct 8, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go
diff --git a/api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto b/api/proto/teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
@@ -70,6 +70,8 @@ message AccessMonitoringRuleSpec {
 
   // schedules specifies a map of schedules that can be used to configure the
   // access monitoring rule conditions.
+  //
+  // Available in Teleport v18.2.8 or higher.
   map<string, Schedule> schedules = 8;
 }
 
@@ -100,9 +102,16 @@ message Schedule {
 // TimeSchedule specifies an in-line schedule.
 message TimeSchedule {
   // Shifts contains a set of shifts that make up the schedule.
-  // Shifts are configured in UTC.
   repeated Shift shifts = 1;
 
+  // Timezone specifies the schedule timezone. This field is optional and defaults
+  // to "UTC". Accepted values use timezone locations as defined in the IANA
+  // Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or
+  // "Asia/Singapore".
+  //
+  // See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
+  string timezone = 2;
+
   // Shift contains the weekday, start time, and end time of a shift.
   message Shift {
     // Weekday specifies the day of the week, e.g., "Sunday", "Monday", "Tuesday".

diff --git a/...frastructure-as-code/terraform-provider/data-sources/access_monitoring_rule.mdx b/...frastructure-as-code/terraform-provider/data-sources/access_monitoring_rule.mdx
@@ -43,7 +43,7 @@ Optional:
 - `condition` (String) condition is a predicate expression that operates on the specified subject resources, and determines whether the subject will be moved into desired state.
 - `desired_state` (String) desired_state defines the desired state of the subject. For Access Request subjects, the desired_state may be set to `reviewed` to indicate that the Access Request should be automatically reviewed.
 - `notification` (Attributes) notification defines the plugin configuration for notifications if rule is triggered. Both notification and automatic_review may be set within the same access_monitoring_rule. If both fields are set, the rule will trigger both notifications and automatic reviews for the same set of access events. Separate plugins may be used if both notifications and automatic_reviews is set. (see [below for nested schema](#nested-schema-for-specnotification))
-- `schedules` (Attributes Map) schedules specifies a map of schedules that can be used to configure the access monitoring rule conditions. (see [below for nested schema](#nested-schema-for-specschedules))
+- `schedules` (Attributes Map) schedules specifies a map of schedules that can be used to configure the access monitoring rule conditions.  Available in Teleport v18.2.8 or higher. (see [below for nested schema](#nested-schema-for-specschedules))
 - `states` (List of String) states are the desired state which the monitoring rule is attempting to bring the subjects matching the condition to.
 
 ### Nested Schema for `spec.automatic_review`
@@ -72,7 +72,8 @@ Optional:
 
 Optional:
 
-- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. Shifts are configured in UTC. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `timezone` (String) Timezone specifies the schedule timezone. This field is optional and defaults to "UTC". Accepted values use timezone locations as defined in the IANA Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or "Asia/Singapore".  See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
 
 ### Nested Schema for `spec.schedules.time.shifts`
 

diff --git a/.../infrastructure-as-code/terraform-provider/resources/access_monitoring_rule.mdx b/.../infrastructure-as-code/terraform-provider/resources/access_monitoring_rule.mdx
@@ -65,7 +65,7 @@ Optional:
 - `condition` (String) condition is a predicate expression that operates on the specified subject resources, and determines whether the subject will be moved into desired state.
 - `desired_state` (String) desired_state defines the desired state of the subject. For Access Request subjects, the desired_state may be set to `reviewed` to indicate that the Access Request should be automatically reviewed.
 - `notification` (Attributes) notification defines the plugin configuration for notifications if rule is triggered. Both notification and automatic_review may be set within the same access_monitoring_rule. If both fields are set, the rule will trigger both notifications and automatic reviews for the same set of access events. Separate plugins may be used if both notifications and automatic_reviews is set. (see [below for nested schema](#nested-schema-for-specnotification))
-- `schedules` (Attributes Map) schedules specifies a map of schedules that can be used to configure the access monitoring rule conditions. (see [below for nested schema](#nested-schema-for-specschedules))
+- `schedules` (Attributes Map) schedules specifies a map of schedules that can be used to configure the access monitoring rule conditions.  Available in Teleport v18.2.8 or higher. (see [below for nested schema](#nested-schema-for-specschedules))
 - `states` (List of String) states are the desired state which the monitoring rule is attempting to bring the subjects matching the condition to.
 
 ### Nested Schema for `spec.automatic_review`
@@ -94,7 +94,8 @@ Optional:
 
 Optional:
 
-- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. Shifts are configured in UTC. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `shifts` (Attributes List) Shifts contains a set of shifts that make up the schedule. (see [below for nested schema](#nested-schema-for-specschedulestimeshifts))
+- `timezone` (String) Timezone specifies the schedule timezone. This field is optional and defaults to "UTC". Accepted values use timezone locations as defined in the IANA Time Zone Database, such as "America/Los_Angeles", "Europe/Lisbon", or "Asia/Singapore".  See https://data.iana.org/time-zones/tzdb/zone1970.tab for a list of supported values.
 
 ### Nested Schema for `spec.schedules.time.shifts`
 

diff --git a/...grations/terraform/tfschema/accessmonitoringrules/v1/access_monitoring_rules_terraform.go b/...grations/terraform/tfschema/accessmonitoringrules/v1/access_monitoring_rules_terraform.go
diff --git a/lib/services/access_monitoring_rules.go b/lib/services/access_monitoring_rules.go
@@ -22,6 +22,7 @@ import (
 	"context"
 	"slices"
 	"time"
+	_ "time/tzdata"
 
 	"github.com/gravitational/trace"
 
@@ -156,6 +157,10 @@ func validateSchedules(schedules map[string]*accessmonitoringrulesv1.Schedule) e
 }
 
 func validateTimeSchedule(schedule *accessmonitoringrulesv1.TimeSchedule) error {
+	if _, err := time.LoadLocation(schedule.GetTimezone()); err != nil {
+		return trace.Wrap(err, "invalid timezone: refer to the IANA Time Zone Database for valid options")
+	}
+
 	if len(schedule.GetShifts()) == 0 {
 		return trace.BadParameter("at least one shift is required")
 	}

diff --git a/lib/services/access_monitoring_rules_test.go b/lib/services/access_monitoring_rules_test.go
@@ -249,6 +249,98 @@ func TestValidateSchedules(t *testing.T) {
 				require.ErrorContains(t, err, "at least one shift is require")
 			},
 		},
+		{
+			description: "valid timezone (UTC)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "UTC",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (America/Los_Angeles)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "America/Los_Angeles",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (Europe/Lisbon)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "Europe/Lisbon",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "valid timezone (Asia/Singapore)",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "Asia/Singapore",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: require.NoError,
+		},
+		{
+			description: "invalid timezone",
+			schedules: map[string]*accessmonitoringrulesv1.Schedule{
+				"default": {
+					Time: &accessmonitoringrulesv1.TimeSchedule{
+						Timezone: "invalid",
+						Shifts: []*accessmonitoringrulesv1.TimeSchedule_Shift{
+							{
+								Weekday: time.Monday.String(),
+								Start:   "00:00",
+								End:     "23:59",
+							},
+						},
+					},
+				},
+			},
+			assertErr: func(t require.TestingT, err error, _ ...interface{}) {
+				require.ErrorContains(t, err, "invalid timezone")
+			},
+		},
 		{
 			description: "start time is not before end time",
 			schedules: map[string]*accessmonitoringrulesv1.Schedule{