Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

idp

Introduction

This Terraform sub-module assists with the configuration of identity providers (IDPs) for ROSA Classic clusters. It offers support for various IDP types, including GitHub, GitLab, Google, HTPasswd, LDAP, and OpenID. With this module, you can seamlessly integrate external authentication mechanisms into your ROSA Classic clusters, enhancing security and user management capabilities. By enabling the configuration of different IDP types, you can tailor authentication methods to their specific requirements, ensuring flexibility and compatibility within the ROSA Classic cluster environment deployed on AWS.

For more information, see Configuring identity providers for STS in the ROSA documentation.

Prerequisites

You must have an existing Red Hat OpenShift Service on AWS (ROSA) Classic cluster deployed. (see rosa-cluster-classic sub-module)

Example Usage

module "htpasswd_idp" {
  source = "terraform-redhat/rosa-classic/rhcs//modules/idp"

  cluster_id         = "cluster-id-123"
  name               = "htpasswd-idp"
  idp_type           = "htpasswd"
  htpasswd_idp_users = [{ username = "test-user", password = random_password.password.result }]
}

resource "random_password" "password" {
  length  = 14
  special = true
  min_lower = 1
  min_numeric = 1
  min_special = 1
  min_upper = 1
}

Requirements

Name Version
terraform >= 1.0
rhcs >= 1.6.2

Providers

Name Version
rhcs >= 1.6.2

Modules

No modules.

Resources

Name Type
rhcs_identity_provider.github_identity_provider resource
rhcs_identity_provider.gitlab_identity_provider resource
rhcs_identity_provider.google_identity_provider resource
rhcs_identity_provider.htpasswd_identity_provider resource
rhcs_identity_provider.ldap_identity_provider resource
rhcs_identity_provider.openid_identity_provider resource

Inputs

Name Description Type Default Required
cluster_id Identifier of the cluster. string n/a yes
github_idp_ca Path to PEM-encoded certificate file to use when making requests to the server (optional). Valid only to Github Identity Provider (idp_type=github). string null no
github_idp_client_id Client identifier issued by Github (required). Valid only to Github Identity Provider (idp_type=github). string null no
github_idp_client_secret Client secret issued by Github (required). Valid only to Github Identity Provider (idp_type=github). string null no
github_idp_hostname Optional domain to use with a hosted instance of GitHub Enterprise (optional). Valid only to Github Identity Provider (idp_type=github). string null no
github_idp_organizations Only users that are members of at least one of the listed organizations are allowed to log in (optional). Valid only to Github Identity Provider (idp_type=github). list(string) null no
github_idp_teams Only users that are members of at least one of the listed teams are allowed to log in. The format is <org>/<team> (optional). Valid only to Github Identity Provider (idp_type=github). list(string) null no
gitlab_idp_ca Trusted certificate authority bundle (optional). Valid only to Gitlab Identity Provider (idp_type=gitlab). string null no
gitlab_idp_client_id Client identifier of a registered Gitlab OAuth application (required). Valid only to Gitlab Identity Provider (idp_type=gitlab). string null no
gitlab_idp_client_secret Client secret issued by Gitlab (required). Valid only to Gitlab Identity Provider (idp_type=gitlab). string null no
gitlab_idp_url URL of the Gitlab instance (required). Valid only to Gitlab Identity Provider (idp_type=gitlab). string null no
google_idp_client_id Client identifier of a registered Google OAuth application (required). Valid only to Google Identity Provider (idp_type=google). string null no
google_idp_client_secret Client secret issued by Google (required). Valid only to Google Identity Provider (idp_type=google). string null no
google_idp_hosted_domain Restrict users to a Google Apps domain (optional). Valid only to Google Identity Provider (idp_type=google). string null no
htpasswd_idp_users A list of htpasswd user credentials (required). Valid only to Htpasswd Identity Provider (idp_type=htpasswd).
list(object({
username = string
password = string
}))
null no
idp_type n/a string n/a yes
ldap_idp_bind_dn DN to bind with during the search phase (optional). Valid only to Ldap Identity Provider (idp_type=ldap). string null no
ldap_idp_bind_password Password to bind with during the search phase (optional). Valid only to Ldap Identity Provider (idp_type=ldap). string null no
ldap_idp_ca Trusted certificate authority bundle (optional). Valid only to Ldap Identity Provider (idp_type=ldap). string null no
ldap_idp_emails The list of attributes whose values are used as the email address (optional). Valid only to Ldap Identity Provider (idp_type=ldap). list(string) null no
ldap_idp_ids The list of attributes whose values are used as the user ID. Default ['dn'] (optional). Valid only to Ldap Identity Provider (idp_type=ldap). list(string) null no
ldap_idp_insecure Do not make TLS connections to the server (optional). Valid only to Ldap Identity Provider (idp_type=ldap). bool null no
ldap_idp_names The list of attributes whose values are used as the display name. Default ['cn'] (optional). Valid only to Ldap Identity Provider (idp_type=ldap). list(string) null no
ldap_idp_preferred_usernames The list of attributes whose values are used as the preferred username. Default ['uid'] (optional). Valid only to Ldap Identity Provider (idp_type=ldap). list(string) null no
ldap_idp_url An RFC 2255 URL which specifies the LDAP search parameters to use (required). Valid only to Ldap Identity Provider (idp_type=ldap). string null no
mapping_method Specifies how new identities are mapped to users when they log in. Options are add, claim, generate and lookup (default is claim). string null no
name Name of the identity provider. string n/a yes
openid_idp_ca Trusted certificate authority bundle (optional). Valid only to OpenID Identity Provider (idp_type=openid). string null no
openid_idp_claims_email List of claims to use as the email address (optional). Valid only to OpenID Identity Provider (idp_type=openid). list(string) null no
openid_idp_claims_groups List of claims to use as the groups names (optional). Valid only to OpenID Identity Provider (idp_type=openid). list(string) null no
openid_idp_claims_name List of claims to use as the display name (optional). Valid only to OpenID Identity Provider (idp_type=openid). list(string) null no
openid_idp_claims_preferred_username List of claims to use as the preferred username when provisioning a user (optional). Valid only to OpenID Identity Provider (idp_type=openid). list(string) null no
openid_idp_client_id Client ID from the registered application (required). Valid only to OpenID Identity Provider (idp_type=openid). string null no
openid_idp_client_secret Client secret from the registered application (required). Valid only to OpenID Identity Provider (idp_type=openid). string null no
openid_idp_extra_authorize_parameters Extra authorization parameters for the OpenID Identity Provider (optional). Valid only to OpenID Identity Provider (idp_type=openid). map(string) null no
openid_idp_extra_scopes List of scopes to request, in addition to the 'openid' scope, during the authorization token request (optional). Valid only to OpenID Identity Provider (idp_type=openid). list(string) null no
openid_idp_issuer The URL that the OpenID Provider asserts as the issuer identifier. It must use the https scheme with no URL query parameters or fragment (required). Valid only to OpenID Identity Provider (idp_type=openid). string null no

Outputs

No outputs.