From 46643173c1cf4ce51d9e8321fd2c3a72ed679aec Mon Sep 17 00:00:00 2001
From: Shikha Mishra
Date: Tue, 23 Mar 2021 09:21:02 +1300
Subject: [PATCH 1/6] added identify provider resource template
---
 identity-provider/main.tf | 5 +++++
 identity-provider/outputs.tf | 4 ++++
 identity-provider/var.tf | 13 +++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 identity-provider/main.tf
 create mode 100644 identity-provider/outputs.tf
 create mode 100644 identity-provider/var.tf
diff --git a/identity-provider/main.tf b/identity-provider/main.tf
new file mode 100644
index 0000000..1bc6cb8
--- /dev/null
+++ b/identity-provider/main.tf
@@ -0,0 +1,5 @@
+resource "aws_iam_openid_connect_provider" "this" {
+ url = var.identity_provider_url
+ client_id_list = var.client_id_list
+ thumbprint_list = var.thumbprint_list
+}
\ No newline at end of file
diff --git a/identity-provider/outputs.tf b/identity-provider/outputs.tf
new file mode 100644
index 0000000..4ba5cfc
--- /dev/null
+++ b/identity-provider/outputs.tf
@@ -0,0 +1,4 @@
+output "provider_arn" {
+ description = "The ARN assigned by AWS for this provider."
+ value = aws_iam_openid_connect_provider.this.arn
+}
diff --git a/identity-provider/var.tf b/identity-provider/var.tf
new file mode 100644
index 0000000..65bc519
--- /dev/null
+++ b/identity-provider/var.tf
@@ -0,0 +1,13 @@
+variable "identity_provider_url" {
+ description = "The URL of the identity provider."
+}
+
+variable "client_id_list" {
+ description = "A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)"
+ type = list(string)
+}
+
+variable "thumbprint_list" {
+ description = "A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)."
+ type = list(string)
+}
\ No newline at end of file
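Review bot: In the new var.tf, `identity_provider_url` is declared without a `type`, so it is accepted as `any` (the README generated later in this series shows exactly that) and a wrong value is only caught by the provider at plan time; add `type = string` so it is checked at the module boundary like the other two inputs. The `thumbprint_list` description should also say what the value actually is, since it is the trust anchor for every role that federates through this provider: per the AWS IAM docs it is the hex-encoded SHA-1 thumbprint of the certificate that signed the issuer's TLS server certificate (the top intermediate CA), a wrong value fails closed, and a stale one breaks role assumption after the issuer rotates its chain. A description such as `"Hex SHA-1 thumbprints of the CA certificate(s) that sign the issuer's TLS server certificate; these pin which issuer IAM will trust for this provider."` would carry that into the generated README.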
From 42d1bd4dcc162a05f94c9aba82cc5274a5fac616 Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Tue, 23 Mar 2021 09:31:57 +1300 Subject: [PATCH 2/6] resolved merge conflict --- README.md | 3 ++- identity-provider/README.md | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 identity-provider/README.md diff --git a/README.md b/README.md index 9aa2452..1c654aa 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ These include * [Policy to Role](./policy-to-role/README.md) - Creates an IAM policy and attaches it with an existing Role. * [User to Group](./user-to-group/README.md) - Creates an IAM user and adds user to a list of groups. * [Managed Role](./managed-role/README.md) - Creates an IAM role and attaches the policy to it. +* [Identity-Provider](./identity-provider/README.md) - Creates an IAM identidy provider for open id connect provider. ## ADR's @@ -44,4 +45,4 @@ See the License for the specific language governing permissions and limitations under the License. ``` -Copyright © 2019 [Hypr NZ](https://www.hypr.nz/) +Copyright © 2019 [Hypr NZ](https://www.hypr.nz/) \ No newline at end of file diff --git a/identity-provider/README.md b/identity-provider/README.md new file mode 100644 index 0000000..3c5ac51 --- /dev/null +++ b/identity-provider/README.md 
@@ -0,0 +1,24 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| client\_id\_list | A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client\_id parameter on OAuth requests.) | `list(string)` | n/a | yes | +| identity\_provider\_url | The URL of the identity provider. | `any` | n/a | yes | +| thumbprint\_list | A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). | `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| provider\_arn | The ARN assigned by AWS for this provider. | + From 95723cdc875e296a5c53236038ef9196b7b672ca Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Tue, 23 Mar 2021 16:30:48 +1300 Subject: [PATCH 3/6] added version support --- identity-provider/README.md | 8 +++++++- identity-provider/versions.tf | 10 ++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 identity-provider/versions.tf diff --git a/identity-provider/README.md b/identity-provider/README.md index 3c5ac51..50466f6 100644 --- a/identity-provider/README.md +++ b/identity-provider/README.md @@ -1,6 +1,12 @@ +# Terraform Identity Provider modules + +A module to create an identity Provider IAM resource for open id connect provider. + ## Requirements -No requirements. +| Name | Version | +|------|---------| +| terraform | >= 0.12.26 | ## Providers diff --git a/identity-provider/versions.tf b/identity-provider/versions.tf new file mode 100644 index 0000000..f8415c1 --- /dev/null +++ b/identity-provider/versions.tf 
@@ -0,0 +1,10 @@ +terraform { + required_version = ">= 0.12.26" + + required_providers { + aws = { + source : "hashicorp/aws", + required_version : ">= 3.21.0" + } + } +} \ No newline at end of file From 40e2ff84d84ea98c2f85bbae32bc3da07e90ed2e Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Wed, 24 Mar 2021 10:01:21 +1300 Subject: [PATCH 4/6] added example for identity provider --- examples/identity-provider/main.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 examples/identity-provider/main.tf diff --git a/examples/identity-provider/main.tf b/examples/identity-provider/main.tf new file mode 100644 index 0000000..2e557a7 --- /dev/null +++ b/examples/identity-provider/main.tf @@ -0,0 +1,19 @@ +module "example" { + source = "../../identity-provider" + + providers = { + aws = aws + } + + identity_provider_url = "https://accounts.google.com" + client_id_list = ["ExampleClientID"] + thumbprint_list = [] +} + +provider "aws" { + region = var.aws_region +} + +variable "aws_region" { + default = "ap-southeast-2" +} \ No newline at end of file From e082ddde37b04803ef5bacac471521a110e842d7 Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Wed, 31 Mar 2021 12:45:44 +1300 Subject: [PATCH 5/6] added tag support for identity provider module --- examples/identity-provider/main.tf | 1 + identity-provider/README.md | 28 +++++++++++++++++----------- identity-provider/main.tf | 1 + identity-provider/var.tf | 6 ++++++ 4 files changed, 25 insertions(+), 11 deletions(-) diff --git a/examples/identity-provider/main.tf b/examples/identity-provider/main.tf index 2e557a7..4a8252b 100644 --- a/examples/identity-provider/main.tf +++ b/examples/identity-provider/main.tf @@ -8,6 +8,7 @@ module "example" { identity_provider_url = "https://accounts.google.com" client_id_list = ["ExampleClientID"] thumbprint_list = [] + tags = {"Env": "test"} } provider "aws" { diff --git a/identity-provider/README.md b/identity-provider/README.md index 50466f6..b80354d 100644 
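Review bot: The provider constraint in the new versions.tf is written as `required_version : ">= 3.21.0"` inside the `aws` requirement object, but the key Terraform reads there is `version`; `required_version` is only meaningful at the `terraform` block level, so the `>= 3.21.0` floor is not enforced, and depending on the Terraform release the unknown attribute may be rejected outright. The README regenerated in the same series still lists the aws provider version as `n/a`, which is consistent with no constraint being picked up. Replace the two attributes with `source  = "hashicorp/aws"` and `version = ">= 3.21.0"`, using `=` rather than `:` to match the rest of the file.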
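Review bot: `thumbprint_list = []` in the new example creates a provider with no certificate thumbprint; the thumbprint is what IAM uses to pin the OIDC issuer's TLS certificate chain, and with the AWS provider floor declared in this series (`>= 3.21.0`) the IAM API of that era required at least one entry, so the example most likely fails at apply rather than producing an un-pinned provider — worth confirming against the pinned provider. Use a clearly labelled placeholder instead, e.g. `thumbprint_list = ["<SHA1-HEX-THUMBPRINT-OF-ISSUER-CA-CERT>"]` with a one-line comment on how the value is obtained, so a reader copying the example does not ship an empty list. Likewise `client_id_list = ["ExampleClientID"]` deserves a comment that, for the Google issuer shown, the audience is the OAuth client ID issued by the Google project, not a free-form name.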
--- a/identity-provider/README.md
+++ b/identity-provider/README.md
@@ -1,30 +1,36 @@ -# Terraform Identity Provider modules - -A module to create an identity Provider IAM resource for open id connect provider. - ## Requirements | Name | Version | |------|---------| -| terraform | >= 0.12.26 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | ## Providers | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| client\_id\_list | A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client\_id parameter on OAuth requests.) | `list(string)` | n/a | yes | -| identity\_provider\_url | The URL of the identity provider. | `any` | n/a | yes | -| thumbprint\_list | A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). | `list(string)` | n/a | yes | +| [client\_id\_list](#input\_client\_id\_list) | A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client\_id parameter on OAuth requests.) | `list(string)` | n/a | yes | +| [identity\_provider\_url](#input\_identity\_provider\_url) | The URL of the identity provider. | `any` | n/a | yes | +| [tags](#input\_tags) | Tags to add to IAM identity provider Resource. 
| `map(any)` | `{}` | no | +| [thumbprint\_list](#input\_thumbprint\_list) | A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s). | `list(string)` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| provider\_arn | The ARN assigned by AWS for this provider. | - +| [provider\_arn](#output\_provider\_arn) | The ARN assigned by AWS for this provider. | diff --git a/identity-provider/main.tf b/identity-provider/main.tf index 1bc6cb8..cd7b6d1 100644 --- a/identity-provider/main.tf +++ b/identity-provider/main.tf @@ -2,4 +2,5 @@ resource "aws_iam_openid_connect_provider" "this" { url = var.identity_provider_url client_id_list = var.client_id_list thumbprint_list = var.thumbprint_list + tags = var.tags } \ No newline at end of file diff --git a/identity-provider/var.tf b/identity-provider/var.tf index 65bc519..be95a14 100644 --- a/identity-provider/var.tf +++ b/identity-provider/var.tf @@ -10,4 +10,10 @@ variable "client_id_list" { variable "thumbprint_list" { description = "A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s)." type = list(string) +} + +variable "tags" { + description = "Tags to add to IAM identity provider Resource." + type = map(any) + default = {} } \ No newline at end of file From c09c100448f68d0ebc12965941396d71b0491040 Mon Sep 17 00:00:00 2001 From: Shikha Mishra Date: Wed, 31 Mar 2021 12:49:33 +1300 Subject: [PATCH 6/6] linting on identity provider module --- identity-provider/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/identity-provider/main.tf b/identity-provider/main.tf index cd7b6d1..56c88ec 100644 --- a/identity-provider/main.tf +++ b/identity-provider/main.tf 
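Review bot: The new `tags` variable in var.tf is typed `map(any)`, but IAM tag values are strings, so `map(string)` would reject a non-string value (for example a nested map) at the module boundary instead of surfacing it as a provider error at plan time, and it reads as the intended contract for a tags input. Suggested change: `type = map(string)`; the regenerated README row in this same commit would then follow. The `tags = var.tags` addition in main.tf needs no change beyond that.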
@@ -1,6 +1,6 @@
 resource "aws_iam_openid_connect_provider" "this" {
- url = var.identity_provider_url
- client_id_list = var.client_id_list
+ url = var.identity_provider_url
+ client_id_list = var.client_id_list
 thumbprint_list = var.thumbprint_list
- tags = var.tags
+ tags = var.tags
 }
\ No newline at end of file