diff --git a/README.md b/README.md
index 9aa2452..1c654aa 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ These include
 * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role.
 * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups.
 * [Managed Role](./managed-role/README.md) - Creates an IAM role and attaches the policy to it.
+* [Identity-Provider](./identity-provider/README.md) - Creates an IAM identidy provider for open id connect provider.
 ## ADR's
@@ -44,4 +45,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 ```
-Copyright © 2019 [Hypr NZ](https://www.hypr.nz/)
+Copyright © 2019 [Hypr NZ](https://www.hypr.nz/)
\ No newline at end of file
diff --git a/examples/identity-provider/main.tf b/examples/identity-provider/main.tf
new file mode 100644
index 0000000..4a8252b
--- /dev/null
+++ b/examples/identity-provider/main.tf
@@ -0,0 +1,20 @@
+module "example" {
+ source = "../../identity-provider"
+
+ providers = {
+ aws = aws
+ }
+
+ identity_provider_url = "https://accounts.google.com"
+ client_id_list = ["ExampleClientID"]
+ thumbprint_list = []
+ tags = {"Env": "test"}
+}
+
+provider "aws" {
+ region = var.aws_region
+}
+
+variable "aws_region" {
+ default = "ap-southeast-2"
+}
\ No newline at end of file
diff --git a/identity-provider/README.md b/identity-provider/README.md
new file mode 100644
index 0000000..b80354d
--- /dev/null
+++ b/identity-provider/README.md
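Review bot: `thumbprint_list = []` in the example's module call gives the OIDC provider no certificate pin at all, and as far as I recall the IAM CreateOpenIDConnectProvider call rejects an empty thumbprint list at the provider version this module requires, so the example is likely to fail at apply and, even if it applied, would not show how the issuer's TLS chain is meant to be pinned. The example should carry a real value, e.g. `thumbprint_list = ["<40-hex-char SHA-1 of the issuer's CA certificate>"]`, with a comment on how it was derived from the certificate chain served by `identity_provider_url`. It is also worth a one-line comment that `client_id_list` is the exact `aud` value tokens must carry, since `"ExampleClientID"` reads like a harmless placeholder but becomes part of the trust boundary. Whether AWS now ignores the thumbprint for some well-known IdPs is newer behaviour that I would not rely on in an example.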
@@ -0,0 +1,36 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12.26 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [client\_id\_list](#input\_client\_id\_list) | A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client\_id parameter on OAuth requests.) | `list(string)` | n/a | yes |
+| [identity\_provider\_url](#input\_identity\_provider\_url) | The URL of the identity provider. | `any` | n/a | yes |
+| [tags](#input\_tags) | Tags to add to IAM identity provider Resource. | `map(any)` | `{}` | no |
+| [thumbprint\_list](#input\_thumbprint\_list) | A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). | `list(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [provider\_arn](#output\_provider\_arn) | The ARN assigned by AWS for this provider. |
diff --git a/identity-provider/main.tf b/identity-provider/main.tf
new file mode 100644
index 0000000..56c88ec
--- /dev/null
+++ b/identity-provider/main.tf
@@ -0,0 +1,6 @@
+resource "aws_iam_openid_connect_provider" "this" {
+ url = var.identity_provider_url
+ client_id_list = var.client_id_list
+ thumbprint_list = var.thumbprint_list
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/identity-provider/outputs.tf b/identity-provider/outputs.tf
new file mode 100644
index 0000000..4ba5cfc
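Review bot: The `aws_iam_openid_connect_provider` resource carries no comment on what trusting it means, and because the module creates the provider but no role, a reader can easily assume that passing `provider_arn` into a role's trust policy is sufficient. A header comment above the resource would help: `# Establishes trust in tokens from var.identity_provider_url for the audiences in var.client_id_list; any role trusting this ARN must still add StringEquals conditions on "<issuer-host>:aud" and "<issuer-host>:sub", or every token from that issuer can assume it.` An inline note on `thumbprint_list` that it pins the issuer's certificate chain and presumably needs refreshing when that CA rotates (confirm against current AWS guidance) would round it out.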
--- /dev/null
+++ b/identity-provider/outputs.tf
@@ -0,0 +1,4 @@
+output "provider_arn" {
+ description = "The ARN assigned by AWS for this provider."
+ value = aws_iam_openid_connect_provider.this.arn
+}
diff --git a/identity-provider/var.tf b/identity-provider/var.tf
new file mode 100644
index 0000000..be95a14
--- /dev/null
+++ b/identity-provider/var.tf
@@ -0,0 +1,19 @@
+variable "identity_provider_url" {
+ description = "The URL of the identity provider."
+}
+
+variable "client_id_list" {
+ description = "A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)"
+ type = list(string)
+}
+
+variable "thumbprint_list" {
+ description = "A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)."
+ type = list(string)
+}
+
+variable "tags" {
+ description = "Tags to add to IAM identity provider Resource."
+ type = map(any)
+ default = {}
+}
\ No newline at end of file
diff --git a/identity-provider/versions.tf b/identity-provider/versions.tf
new file mode 100644
index 0000000..f8415c1
--- /dev/null
+++ b/identity-provider/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.12.26"
+
+ required_providers {
+ aws = {
+ source : "hashicorp/aws",
+ required_version : ">= 3.21.0"
+ }
+ }
+}
\ No newline at end of file
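Review bot: `variable "identity_provider_url"` declares no `type`, which is why the generated README lists it as `any`; a wrong value only surfaces as a provider error at apply time. Give it `type = string`, and consider pinning the other inputs' shape as well, since IAM accepts only an `https://` issuer URL and 40-hex-character SHA-1 thumbprints: `validation` blocks with `condition = can(regex("^https://", var.identity_provider_url))` and `condition = alltrue([for t in var.thumbprint_list : can(regex("^[0-9a-fA-F]{40}$", t))])` would reject bad values at plan time. Note that `validation` blocks require Terraform 0.13+, so adding them means raising `required_version` in versions.tf from `>= 0.12.26`.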
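Review bot: Inside `required_providers`, the `aws` entry sets `required_version : ">= 3.21.0"`, but the attributes Terraform recognises in that object are `source` and `version` (plus `configuration_aliases` in later releases), so the provider floor this module relies on is never applied — I believe 0.13+ rejects the unknown attribute at `terraform init`, while 0.12.26 simply ignores it, and either way `>= 3.21.0` is not enforced. Change it to `version = ">= 3.21.0"`, and for consistency with the rest of the module write the entry with `=` rather than the `:`/comma object syntax, i.e. `source  = "hashicorp/aws"`. The `required_version = ">= 0.12.26"` on the terraform block itself is fine and is unrelated to this.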