This Terraform sub-module configures identity providers (IDPs) for ROSA Classic clusters. It supports the GitHub, GitLab, Google, HTPasswd, LDAP and OpenID IDP types, so you can integrate an external authentication mechanism into a ROSA Classic cluster deployed on AWS and choose the authentication method that fits your requirements.
For more information, see Configuring identity providers for STS in the ROSA documentation.
You must have an existing Red Hat OpenShift Service on AWS (ROSA) Classic cluster deployed (see the rosa-cluster-classic sub-module).
```hcl
module "htpasswd_idp" {
  source = "terraform-redhat/rosa-classic/rhcs//modules/idp"

  cluster_id         = "cluster-id-123"
  name               = "htpasswd-idp"
  idp_type           = "htpasswd"
  htpasswd_idp_users = [{ username = "test-user", password = random_password.password.result }]
}

resource "random_password" "password" {
  length      = 14
  special     = true
  min_lower   = 1
  min_numeric = 1
  min_special = 1
  min_upper   = 1
}
```
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| rhcs | >= 1.6.2 |
| Name | Version |
|---|---|
| rhcs | >= 1.6.2 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_id | Identifier of the cluster. | string | n/a | yes |
| github_idp_ca | Path to PEM-encoded certificate file to use when making requests to the server (optional). Valid only for the GitHub identity provider (`idp_type=github`). | string | null | no |
| github_idp_client_id | Client identifier issued by GitHub (required). Valid only for the GitHub identity provider (`idp_type=github`). | string | null | no |
| github_idp_client_secret | Client secret issued by GitHub (required). Valid only for the GitHub identity provider (`idp_type=github`). | string | null | no |
| github_idp_hostname | Optional domain to use with a hosted instance of GitHub Enterprise (optional). Valid only for the GitHub identity provider (`idp_type=github`). | string | null | no |
| github_idp_organizations | Only users that are members of at least one of the listed organizations are allowed to log in (optional). Valid only for the GitHub identity provider (`idp_type=github`). | list(string) | null | no |
| github_idp_teams | Only users that are members of at least one of the listed teams are allowed to log in. The format is `<org>/<team>` (optional). Valid only for the GitHub identity provider (`idp_type=github`). | list(string) | null | no |
| gitlab_idp_ca | Trusted certificate authority bundle (optional). Valid only for the GitLab identity provider (`idp_type=gitlab`). | string | null | no |
| gitlab_idp_client_id | Client identifier of a registered GitLab OAuth application (required). Valid only for the GitLab identity provider (`idp_type=gitlab`). | string | null | no |
| gitlab_idp_client_secret | Client secret issued by GitLab (required). Valid only for the GitLab identity provider (`idp_type=gitlab`). | string | null | no |
| gitlab_idp_url | URL of the GitLab instance (required). Valid only for the GitLab identity provider (`idp_type=gitlab`). | string | null | no |
| google_idp_client_id | Client identifier of a registered Google OAuth application (required). Valid only for the Google identity provider (`idp_type=google`). | string | null | no |
| google_idp_client_secret | Client secret issued by Google (required). Valid only for the Google identity provider (`idp_type=google`). | string | null | no |
| google_idp_hosted_domain | Restrict users to a Google Apps domain (optional). Valid only for the Google identity provider (`idp_type=google`). | string | null | no |
| htpasswd_idp_users | A list of htpasswd user credentials (required). Valid only for the HTPasswd identity provider (`idp_type=htpasswd`). | `list(object({` | null | no |
| idp_type | n/a | string | n/a | yes |
| ldap_idp_bind_dn | DN to bind with during the search phase (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | string | null | no |
| ldap_idp_bind_password | Password to bind with during the search phase (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | string | null | no |
| ldap_idp_ca | Trusted certificate authority bundle (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | string | null | no |
| ldap_idp_emails | The list of attributes whose values are used as the email address (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | list(string) | null | no |
| ldap_idp_ids | The list of attributes whose values are used as the user ID. Default ['dn'] (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | list(string) | null | no |
| ldap_idp_insecure | Do not make TLS connections to the server (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | bool | null | no |
| ldap_idp_names | The list of attributes whose values are used as the display name. Default ['cn'] (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | list(string) | null | no |
| ldap_idp_preferred_usernames | The list of attributes whose values are used as the preferred username. Default ['uid'] (optional). Valid only for the LDAP identity provider (`idp_type=ldap`). | list(string) | null | no |
| ldap_idp_url | An RFC 2255 URL which specifies the LDAP search parameters to use (required). Valid only for the LDAP identity provider (`idp_type=ldap`). | string | null | no |
| mapping_method | Specifies how new identities are mapped to users when they log in. Options are add, claim, generate and lookup (default is claim). | string | null | no |
| name | Name of the identity provider. | string | n/a | yes |
| openid_idp_ca | Trusted certificate authority bundle (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | string | null | no |
| openid_idp_claims_email | List of claims to use as the email address (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | list(string) | null | no |
| openid_idp_claims_groups | List of claims to use as the group names (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | list(string) | null | no |
| openid_idp_claims_name | List of claims to use as the display name (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | list(string) | null | no |
| openid_idp_claims_preferred_username | List of claims to use as the preferred username when provisioning a user (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | list(string) | null | no |
| openid_idp_client_id | Client ID from the registered application (required). Valid only for the OpenID identity provider (`idp_type=openid`). | string | null | no |
| openid_idp_client_secret | Client secret from the registered application (required). Valid only for the OpenID identity provider (`idp_type=openid`). | string | null | no |
| openid_idp_extra_authorize_parameters | Extra authorization parameters for the OpenID identity provider (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | map(string) | null | no |
| openid_idp_extra_scopes | List of scopes to request, in addition to the 'openid' scope, during the authorization token request (optional). Valid only for the OpenID identity provider (`idp_type=openid`). | list(string) | null | no |
| openid_idp_issuer | The URL that the OpenID Provider asserts as the issuer identifier. It must use the https scheme with no URL query parameters or fragment (required). Valid only for the OpenID identity provider (`idp_type=openid`). | string | null | no |
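As an added example (not from the module's own README), the same sub-module configured for an LDAP provider using the `ldap_idp_*` inputs above, with TLS kept on, the URL scheme validated, and the bind password supplied as a sensitive variable. The variable names, hostnames, DNs and CA file path are placeholders, and it assumes `ldap_idp_ca` takes the PEM bundle contents rather than a file path.

```hcl
variable "ldap_bind_password" {
  description = "Service-account password used only for the LDAP search phase."
  type        = string
  sensitive   = true # redacted from plan/apply output; it is still stored in state
}

variable "ldap_url" {
  description = "RFC 2255 LDAP URL: scheme://host:port/base_dn?attribute?scope?filter"
  type        = string
  default     = "ldaps://ldap.example.internal:636/ou=people,dc=example,dc=internal?uid?sub?(objectClass=inetOrgPerson)"

  validation {
    # Refuse a plain ldap:// URL so bind credentials never cross the wire unencrypted.
    condition     = can(regex("^ldaps://", var.ldap_url))
    error_message = "The LDAP URL must use the ldaps:// scheme."
  }
}

module "ldap_idp" {
  source = "terraform-redhat/rosa-classic/rhcs//modules/idp"

  cluster_id = "cluster-id-123" # placeholder, as in the README example above
  name       = "corp-ldap"
  idp_type   = "ldap"

  ldap_idp_url           = var.ldap_url
  ldap_idp_bind_dn       = "cn=openshift-bind,ou=service-accounts,dc=example,dc=internal" # placeholder DN
  ldap_idp_bind_password = var.ldap_bind_password

  # Assumption: ldap_idp_ca takes the PEM bundle contents, so the file is read here.
  ldap_idp_ca = file("${path.module}/ldap-ca.pem")
  # false keeps TLS on; true would make the provider talk to the server without TLS.
  ldap_idp_insecure = false

  # Identity attributes: a stable, unique ID (dn) plus the human-facing fields.
  ldap_idp_ids                 = ["dn"]
  ldap_idp_preferred_usernames = ["uid"]
  ldap_idp_names               = ["cn"]
  ldap_idp_emails              = ["mail"]

  # "claim" fails the login if the preferred username is already mapped to a
  # different identity, rather than silently merging two identities into one user.
  mapping_method = "claim"
}
```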
No outputs.