-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: added identity oidc auth resource
- Loading branch information
1 parent
a15c47d
commit 0d30e1c
Showing
6 changed files
with
704 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
--- | ||
# generated by https://github.com/hashicorp/terraform-plugin-docs | ||
page_title: "infisical_identity_oidc_auth Resource - terraform-provider-infisical" | ||
subcategory: "" | ||
description: |- | ||
Create and manage identity oidc auth in Infisical. | ||
--- | ||
|
||
# infisical_identity_oidc_auth (Resource) | ||
|
||
Create and manage identity oidc auth in Infisical. | ||
|
||
## Example Usage | ||
|
||
```terraform | ||
terraform { | ||
required_providers { | ||
infisical = { | ||
# version = <latest version> | ||
source = "infisical/infisical" | ||
} | ||
} | ||
} | ||
provider "infisical" { | ||
host = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com | ||
client_id = "<>" | ||
client_secret = "<>" | ||
} | ||
resource "infisical_project" "example" { | ||
name = "example" | ||
slug = "example" | ||
} | ||
resource "infisical_identity" "machine-identity-1" { | ||
name = "machine-identity-1" | ||
role = "admin" | ||
org_id = "<>" | ||
} | ||
resource "infisical_identity_oidc_auth" "oidc-auth" { | ||
identity_id = infisical_identity.machine-identity-1.id | ||
oidc_discovery_url = "<>" | ||
bound_issuer = "<>" | ||
bound_audiences = ["sample-audience"] | ||
bound_subject = "<>" | ||
} | ||
``` | ||
|
||
<!-- schema generated by tfplugindocs --> | ||
## Schema | ||
|
||
### Required | ||
|
||
- `bound_issuer` (String) The unique identifier of the identity provider issuing the OIDC tokens. | ||
- `identity_id` (String) The ID of the identity to attach the configuration onto. | ||
- `oidc_discovery_url` (String) The URL used to retrieve the OpenID Connect configuration from the identity provider. | ||
|
||
### Optional | ||
|
||
- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000 | ||
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0 | ||
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address... (see [below for nested schema](#nestedatt--access_token_trusted_ips)) | ||
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000 | ||
- `bound_audiences` (List of String) The comma-separated list of intended recipients. | ||
- `bound_claims` (Map of String) The attributes that should be present in the JWT for it to be valid. The provided values can be a glob pattern. | ||
- `bound_subject` (String) The expected principal that is the subject of the JWT. | ||
- `oidc_ca_certificate` (String) The PEM-encoded CA cert for establishing secure communication with the Identity Provider endpoints | ||
|
||
### Read-Only | ||
|
||
- `id` (String) The ID of the oidc auth. | ||
|
||
<a id="nestedatt--access_token_trusted_ips"></a> | ||
### Nested Schema for `access_token_trusted_ips` | ||
|
||
Optional: | ||
|
||
- `ip_address` (String) |
33 changes: 33 additions & 0 deletions
33
examples/resources/infisical_identity_oidc_auth/resource.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
terraform { | ||
required_providers { | ||
infisical = { | ||
# version = <latest version> | ||
source = "infisical/infisical" | ||
} | ||
} | ||
} | ||
|
||
provider "infisical" { | ||
host = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com | ||
client_id = "<>" | ||
client_secret = "<>" | ||
} | ||
|
||
resource "infisical_project" "example" { | ||
name = "example" | ||
slug = "example" | ||
} | ||
|
||
resource "infisical_identity" "machine-identity-1" { | ||
name = "machine-identity-1" | ||
role = "admin" | ||
org_id = "<>" | ||
} | ||
|
||
resource "infisical_identity_oidc_auth" "oidc-auth" { | ||
identity_id = infisical_identity.machine-identity-1.id | ||
oidc_discovery_url = "<>" | ||
bound_issuer = "<>" | ||
bound_audiences = ["sample-audience"] | ||
bound_subject = "<>" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
package infisicalclient | ||
|
||
import ( | ||
"fmt" | ||
"net/http" | ||
) | ||
|
||
func (client Client) CreateIdentityOidcAuth(request CreateIdentityOidcAuthRequest) (IdentityOidcAuth, error) { | ||
var body CreateIdentityOidcAuthResponse | ||
response, err := client.Config.HttpClient. | ||
R(). | ||
SetResult(&body). | ||
SetHeader("User-Agent", USER_AGENT). | ||
SetBody(request). | ||
Post("api/v1/auth/oidc-auth/identities/" + request.IdentityID) | ||
|
||
if err != nil { | ||
return IdentityOidcAuth{}, fmt.Errorf("CreateIdentityOidcAuth: Unable to complete api request [err=%s]", err) | ||
} | ||
|
||
if response.IsError() { | ||
return IdentityOidcAuth{}, fmt.Errorf("CreateIdentityOidcAuth: Unsuccessful response. [response=%s]", string(response.Body())) | ||
} | ||
|
||
return body.IdentityOidcAuth, nil | ||
} | ||
|
||
func (client Client) GetIdentityOidcAuth(request GetIdentityOidcAuthRequest) (IdentityOidcAuth, error) { | ||
var body GetIdentityOidcAuthResponse | ||
|
||
httpRequest := client.Config.HttpClient. | ||
R(). | ||
SetResult(&body). | ||
SetHeader("User-Agent", USER_AGENT) | ||
|
||
response, err := httpRequest.Get("api/v1/auth/oidc-auth/identities/" + request.IdentityID) | ||
|
||
if response.StatusCode() == http.StatusNotFound { | ||
return IdentityOidcAuth{}, ErrNotFound | ||
} | ||
|
||
if err != nil { | ||
return IdentityOidcAuth{}, fmt.Errorf("GetIdentityOidcAuth: Unable to complete api request [err=%s]", err) | ||
} | ||
|
||
if response.IsError() { | ||
return IdentityOidcAuth{}, fmt.Errorf("GetIdentityOidcAuth: Unsuccessful response. [response=%v]", string(response.Body())) | ||
} | ||
|
||
return body.IdentityOidcAuth, nil | ||
} | ||
|
||
func (client Client) UpdateIdentityOidcAuth(request UpdateIdentityOidcAuthRequest) (IdentityOidcAuth, error) { | ||
var body UpdateIdentityOidcAuthResponse | ||
response, err := client.Config.HttpClient. | ||
R(). | ||
SetResult(&body). | ||
SetHeader("User-Agent", USER_AGENT). | ||
SetBody(request). | ||
Patch("api/v1/auth/oidc-auth/identities/" + request.IdentityID) | ||
|
||
if err != nil { | ||
return IdentityOidcAuth{}, fmt.Errorf("UpdateIdentityOidcAuth: Unable to complete api request [err=%s]", err) | ||
} | ||
|
||
if response.IsError() { | ||
return IdentityOidcAuth{}, fmt.Errorf("UpdateIdentityOidcAuth: Unsuccessful response. [response=%s]", string(response.Body())) | ||
} | ||
|
||
return body.IdentityOidcAuth, nil | ||
} | ||
|
||
func (client Client) RevokeIdentityOidcAuth(request RevokeIdentityOidcAuthRequest) (IdentityOidcAuth, error) { | ||
var body RevokeIdentityOidcAuthResponse | ||
response, err := client.Config.HttpClient. | ||
R(). | ||
SetResult(&body). | ||
SetHeader("User-Agent", USER_AGENT). | ||
SetBody(request). | ||
Delete("api/v1/auth/oidc-auth/identities/" + request.IdentityID) | ||
|
||
if err != nil { | ||
return IdentityOidcAuth{}, fmt.Errorf("RevokeIdentityOidcAuth: Unable to complete api request [err=%s]", err) | ||
} | ||
|
||
if response.IsError() { | ||
return IdentityOidcAuth{}, fmt.Errorf("RevokeIdentityOidcAuth: Unsuccessful response. [response=%s]", string(response.Body())) | ||
} | ||
|
||
return body.IdentityOidcAuth, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.