Merge pull request #182 from asssaver97/enterprise_multi_account_identity_authority_centralized_management

Create template: Enterprise multi account identity authority centrali…
xiao201208 authored Jan 29, 2024
2 parents 5da88bc + 6830ab4 commit cb8c4f8
Showing 3 changed files with 366 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README-CN.md
Expand Up @@ -430,6 +430,12 @@ ROS 模板的示例和最佳实践。模板分类如下:
<details>
<summary>solution</summary>

- account

| 模板 | 说明 |
|-------------------------------------------------------------------------------------------------------------------|----------------|
|[enterprise-multi-account-identity-authority-centralized-management.yml](documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml) | 企业多账号身份权限集中管理。 |

- ai

| 模板 | 说明 |
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -432,6 +432,12 @@ Examples and best practices of ROS templates. The templates are categorized as f
<details>
<summary>solution</summary>

- account

| Template | Description |
|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
|[enterprise-multi-account-identity-authority-centralized-management.yml](documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml) | Enterprise multi-account identity authority centralized management. |

- ai

| Template | Description |
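Review bot: the description in the new table row ("Enterprise multi-account identity authority centralized management") does not match the template's own `Description:` or the PR title, which both write "multi account" without the hyphen; pick one spelling and use it in README.md, README-CN.md and the template. The Chinese 身份权限 covers identity and permissions, so "identity and permission management" would describe the template (CloudSSO access configurations plus account provisioning) more accurately than "identity authority".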
@@ -0,0 +1,354 @@
ROSTemplateFormatVersion: '2015-09-01'
Description: Enterprise multi account identity authority centralized management
Parameters:
WhetherCreateAccount:
Type: String
Default: create-new
AllowedValues:
- create-new
- use-existing
Label:
zh-cn: 是否新建资源夹与账号
en: Whether to create an account
AssociationPropertyMetadata:
ValueLabelMapping:
create-new:
zh-cn: 新建资源夹与账号
en: Create new accounts
use-existing:
zh-cn: 使用现有账号
en: Use existing accounts
FolderName1:
Type: String
Default: Core
Label:
zh-cn: 资源夹名称
en: Folder name
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${WhetherCreateAccount}
- create-new
DisplayName1:
Type: String
Default: core_account_1
Label:
zh-cn: 账号名称
en: Account name
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${WhetherCreateAccount}
- create-new
Account1:
Type: String
Default: null
Required: true
Label:
zh-cn: 核心资源账号ID
en: Core account id
AssociationProperty: ALIYUN::ResourceManager::Account
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${WhetherCreateAccount}
- use-existing
SamlConfigurationMode:
Type: String
Default: Document
AllowedValues:
- Document
- Manual
Label:
zh-cn: 配置方式
en: Configuration mode
AssociationPropertyMetadata:
ValueLabelMapping:
Manual:
zh-cn: 手动配置
en: Manual
Document:
zh-cn: 元数据文档配置(Base64 编码)
en: Document
EncodedMetadataDocument:
Type: String
Default: null
Required: true
Label:
zh-cn: 元数据文档
en: Metadata file of the IdP
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SamlConfigurationMode}
- Document
EntityId:
Type: String
Default: null
Required: true
Label:
zh-cn: IdP标识
en: Entity ID
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SamlConfigurationMode}
- Manual
LoginUrl:
Type: String
Default: null
Required: true
Label:
zh-cn: IdP登录地址
en: Login URL
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SamlConfigurationMode}
- Manual
X509Certificate:
Type: String
Default: null
Required: true
Label:
zh-cn: IdP证书
en: X.509 certificate
AssociationPropertyMetadata:
Visible:
Condition:
Fn::Equals:
- ${SamlConfigurationMode}
- Manual
Conditions:
CreateAccount:
Fn::Equals:
- create-new
- Ref: WhetherCreateAccount
IsManualConfiguration:
Fn::Equals:
- Manual
- Ref: SamlConfigurationMode
Resources:
RDFolder1:
Type: ALIYUN::ResourceManager::Folder
Condition: CreateAccount
Properties:
FolderName:
Ref: FolderName1
RDAccount1:
Type: ALIYUN::ResourceManager::Account
Condition: CreateAccount
Properties:
DisplayName:
Ref: DisplayName1
FolderId:
Fn::GetAtt:
- RDFolder1
- FolderId
DeleteAccount: true
EnableCloudSSO:
Type: ALIYUN::ROS::AutoEnableService
Properties:
ServiceName: CloudSSO
CloudSSODirectory:
Type: ALIYUN::CloudSSO::Directory
DependsOn:
- EnableCloudSSO
CloudSSOUser:
Type: ALIYUN::CloudSSO::User
Properties:
DirectoryId:
Ref: CloudSSODirectory
UserName: user1
CloudSSOCredential:
Type: ALIYUN::CloudSSO::SCIMServerCredential
Properties:
DirectoryId:
Ref: CloudSSODirectory
CloudSSOScimSynchronization:
Type: ALIYUN::CloudSSO::SCIMSynchronization
Properties:
DirectoryId:
Ref: CloudSSODirectory
CloudSSOSamlIdentityProvider:
Type: ALIYUN::CloudSSO::SAMLIdentityProvider
Properties:
DirectoryId:
Ref: CloudSSODirectory
EncodedMetadataDocument:
Fn::If:
- IsManualConfiguration
- Ref: ALIYUN::NoValue
- Ref: EncodedMetadataDocument
EntityId:
Fn::If:
- IsManualConfiguration
- Ref: EntityId
- Ref: ALIYUN::NoValue
LoginUrl:
Fn::If:
- IsManualConfiguration
- Ref: LoginUrl
- Ref: ALIYUN::NoValue
X509Certificate:
Fn::If:
- IsManualConfiguration
- Ref: X509Certificate
- Ref: ALIYUN::NoValue
SSOStatus: Enabled
CloudSSOAccessConfiguration:
Type: ALIYUN::CloudSSO::AccessConfiguration
Properties:
DirectoryId:
Ref: CloudSSODirectory
AccessConfigurationName: Configuration-ReadOnly
CloudSSOAddPermissionPolicy:
Type: ALIYUN::CloudSSO::PermissionPolicyToAccessConfigurationAddition
Properties:
DirectoryId:
Ref: CloudSSODirectory
AccessConfigurationId:
Ref: CloudSSOAccessConfiguration
PermissionPolicyType: System
PermissionPolicyName: ReadOnlyAccess
CloudSSOAccessConfigurationProvision1:
Type: ALIYUN::CloudSSO::AccessConfigurationProvision
Properties:
DirectoryId:
Ref: CloudSSODirectory
AccessConfigurationId:
Ref: CloudSSOAccessConfiguration
TargetType: RD-Account
TargetId:
Fn::If:
- CreateAccount
- Fn::GetAtt:
- RDAccount1
- AccountId
- Ref: Account1
CloudSSOAccessAssignment1:
Type: ALIYUN::CloudSSO::AccessAssignment
DependsOn:
- CloudSSOAccessConfigurationProvision1
Properties:
DirectoryId:
Ref: CloudSSODirectory
AccessConfigurationId:
Ref: CloudSSOAccessConfiguration
TargetType: RD-Account
TargetId:
Fn::If:
- CreateAccount
- Fn::GetAtt:
- RDAccount1
- AccountId
- Ref: Account1
PrincipalType: User
PrincipalId:
Fn::GetAtt:
- CloudSSOUser
- UserId
UserProvision1:
Type: ALIYUN::CloudSSO::UserProvision
Properties:
DirectoryId:
Ref: CloudSSODirectory
DuplicationStrategy: TakeOver
DeletionStrategy: Keep
PrincipalType: User
PrincipalId:
Fn::GetAtt:
- CloudSSOUser
- UserId
TargetType: RD-Account
TargetId:
Fn::If:
- CreateAccount
- Fn::GetAtt:
- RDAccount1
- AccountId
- Ref: Account1
Metadata:
ALIYUN::ROS::Interface:
ParameterGroups:
- Parameters:
- WhetherCreateAccount
- FolderName1
- DisplayName1
- Account1
Label:
default:
zh-cn: 配置资源目录
en:
Resource account
- Parameters:
- SamlConfigurationMode
- EncodedMetadataDocument
- EntityId
- LoginUrl
- X509Certificate
Label:
default:
zh-cn: 配置单点登录
en: Configuration single sign-on
TemplateTags:
- acs:technical-solution:account:企业多账号身份权限集中管理
Outputs:
FolderId:
Condition: CreateAccount
Description:
zh-cn: 资源管理资源夹ID
en: Resource management resource folder ID
Value:
Fn::GetAtt:
- RDFolder1
- FolderId
AccountId:
Condition: CreateAccount
Description:
zh-cn: 资源管理账号ID
en: Resource management account ID
Value:
Fn::GetAtt:
- RDAccount1
- AccountId
DirectoryId:
Description:
zh-cn: 云SSO目录Id
en: CloudSSO directory ID
Value:
Fn::GetAtt:
- CloudSSODirectory
- DirectoryId
UserId:
Description:
zh-cn: 云SSO用户Id
en: CloudSSO user ID
Value:
Fn::GetAtt:
- CloudSSOUser
- UserId
AccessConfigurationId:
Description:
zh-cn: 云SSO访问配置Id
en: CloudSSO access configuration ID
Value:
Fn::GetAtt:
- CloudSSOAccessConfiguration
- AccessConfigurationId
SCIMCredentialSecret:
Description:
zh-cn: 云SSO SCIM密钥
en: CloudSSO SCIM credential secret
NoEcho: true
Value:
Fn::GetAtt:
- CloudSSOCredential
- CredentialSecret
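Review bot: `DuplicationStrategy: TakeOver` in UserProvision1 means that on the use-existing path (TargetId resolves to `Account1`) a RAM user already named `user1` in that account is taken over by CloudSSO instead of being left alone; for a template that can be pointed at an existing account this should be an explicit choice, so expose it as a parameter or at least document it next to `Account1`. Related: `DeleteAccount: true` on RDAccount1 deletes the member account when the stack is deleted, which is a destructive default for a folder named "Core" and deserves a parameter or a retain deletion policy plus a mention in the description. Minor: `UserName: user1` in CloudSSOUser is hard-coded while everything else is parameterized; the first parameter group's `en:` label is split onto the next line (`en:` then `Resource account`) unlike the other labels; and "Configuration single sign-on" reads better as "Configure single sign-on".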
