From 6830ab4a7b35d8f54d64004a9ba1ac2c7144b927 Mon Sep 17 00:00:00 2001 From: yingzhao Date: Thu, 25 Jan 2024 17:13:21 +0800 Subject: [PATCH] Create template: Enterprise multi account identity authority centralized management --- README-CN.md | 6 + README.md | 6 + ...ntity-authority-centralized-management.yml | 354 ++++++++++++++++++ 3 files changed, 366 insertions(+) create mode 100644 documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml diff --git a/README-CN.md b/README-CN.md index 18ac5a68..e285e190 100644 --- a/README-CN.md +++ b/README-CN.md @@ -430,6 +430,12 @@ ROS 模板的示例和最佳实践。模板分类如下:
solution +- account + +| 模板 | 说明 | +|-------------------------------------------------------------------------------------------------------------------|----------------| +|[enterprise-multi-account-identity-authority-centralized-management.yml](documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml) | 企业多账号身份权限集中管理。 | + - ai | 模板 | 说明 | diff --git a/README.md b/README.md index 3ca2419c..1b9506a6 100644 --- a/README.md +++ b/README.md @@ -432,6 +432,12 @@ Examples and best practices of ROS templates. The templates are categorized as f
solution +- account + +| Template | Description | +|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------| +|[enterprise-multi-account-identity-authority-centralized-management.yml](documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml) | Enterprise multi-account identity authority centralized management. | + - ai | Template | Description | diff --git a/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml b/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml new file mode 100644 index 00000000..3e3ccfa0 --- /dev/null +++ b/documents/solution/account/enterprise-multi-account-identity-authority-centralized-management.yml @@ -0,0 +1,354 @@ +ROSTemplateFormatVersion: '2015-09-01' +Description: Enterprise multi account identity authority centralized management +Parameters: + WhetherCreateAccount: + Type: String + Default: create-new + AllowedValues: + - create-new + - use-existing + Label: + zh-cn: 是否新建资源夹与账号 + en: Whether to create an account + AssociationPropertyMetadata: + ValueLabelMapping: + create-new: + zh-cn: 新建资源夹与账号 + en: Create new accounts + use-existing: + zh-cn: 使用现有账号 + en: Use existing accounts + FolderName1: + Type: String + Default: Core + Label: + zh-cn: 资源夹名称 + en: Folder name + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${WhetherCreateAccount} + - create-new + DisplayName1: + Type: String + Default: core_account_1 + Label: + zh-cn: 账号名称 + en: Account name + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${WhetherCreateAccount} + - create-new + Account1: + Type: String + Default: null + Required: true + Label: + zh-cn: 核心资源账号ID + en: Core account id + AssociationProperty: ALIYUN::ResourceManager::Account + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${WhetherCreateAccount} + - use-existing + SamlConfigurationMode: + Type: String + Default: Document + AllowedValues: + - Document + - Manual + Label: + zh-cn: 配置方式 + en: Configuration mode + AssociationPropertyMetadata: + ValueLabelMapping: + Manual: + zh-cn: 手动配置 + en: Manual + Document: + zh-cn: 元数据文档配置(Base64 编码) + en: Document + EncodedMetadataDocument: + Type: String + Default: null + Required: true + Label: + zh-cn: 元数据文档 + en: Metadata file of the IdP + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${SamlConfigurationMode} + - Document + EntityId: + Type: String + Default: null + Required: true + Label: + zh-cn: IdP标识 + en: Entity ID + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${SamlConfigurationMode} + - Manual + LoginUrl: + Type: String + Default: null + Required: true + Label: + zh-cn: IdP登录地址 + en: Login URL + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${SamlConfigurationMode} + - Manual + X509Certificate: + Type: String + Default: null + Required: true + Label: + zh-cn: IdP证书 + en: X.509 certificate + AssociationPropertyMetadata: + Visible: + Condition: + Fn::Equals: + - ${SamlConfigurationMode} + - Manual +Conditions: + CreateAccount: + Fn::Equals: + - create-new + - Ref: WhetherCreateAccount + IsManualConfiguration: + Fn::Equals: + - Manual + - Ref: SamlConfigurationMode +Resources: + RDFolder1: + Type: ALIYUN::ResourceManager::Folder + Condition: CreateAccount + Properties: + FolderName: + Ref: FolderName1 + RDAccount1: + Type: ALIYUN::ResourceManager::Account + Condition: CreateAccount + Properties: + DisplayName: + Ref: DisplayName1 + FolderId: + Fn::GetAtt: + - RDFolder1 + - FolderId + DeleteAccount: true + EnableCloudSSO: + Type: ALIYUN::ROS::AutoEnableService + Properties: + ServiceName: CloudSSO + CloudSSODirectory: + Type: ALIYUN::CloudSSO::Directory + DependsOn: + - EnableCloudSSO + CloudSSOUser: + Type: ALIYUN::CloudSSO::User + Properties: + DirectoryId: + Ref: CloudSSODirectory + UserName: user1 + CloudSSOCredential: + Type: ALIYUN::CloudSSO::SCIMServerCredential + Properties: + DirectoryId: + Ref: CloudSSODirectory + CloudSSOScimSynchronization: + Type: ALIYUN::CloudSSO::SCIMSynchronization + Properties: + DirectoryId: + Ref: CloudSSODirectory + CloudSSOSamlIdentityProvider: + Type: ALIYUN::CloudSSO::SAMLIdentityProvider + Properties: + DirectoryId: + Ref: CloudSSODirectory + EncodedMetadataDocument: + Fn::If: + - IsManualConfiguration + - Ref: ALIYUN::NoValue + - Ref: EncodedMetadataDocument + EntityId: + Fn::If: + - IsManualConfiguration + - Ref: EntityId + - Ref: ALIYUN::NoValue + LoginUrl: + Fn::If: + - IsManualConfiguration + - Ref: LoginUrl + - Ref: ALIYUN::NoValue + X509Certificate: + Fn::If: + - IsManualConfiguration + - Ref: X509Certificate + - Ref: ALIYUN::NoValue + SSOStatus: Enabled + CloudSSOAccessConfiguration: + Type: ALIYUN::CloudSSO::AccessConfiguration + Properties: + DirectoryId: + Ref: CloudSSODirectory + AccessConfigurationName: Configuration-ReadOnly + CloudSSOAddPermissionPolicy: + Type: ALIYUN::CloudSSO::PermissionPolicyToAccessConfigurationAddition + Properties: + DirectoryId: + Ref: CloudSSODirectory + AccessConfigurationId: + Ref: CloudSSOAccessConfiguration + PermissionPolicyType: System + PermissionPolicyName: ReadOnlyAccess + CloudSSOAccessConfigurationProvision1: + Type: ALIYUN::CloudSSO::AccessConfigurationProvision + Properties: + DirectoryId: + Ref: CloudSSODirectory + AccessConfigurationId: + Ref: CloudSSOAccessConfiguration + TargetType: RD-Account + TargetId: + Fn::If: + - CreateAccount + - Fn::GetAtt: + - RDAccount1 + - AccountId + - Ref: Account1 + CloudSSOAccessAssignment1: + Type: ALIYUN::CloudSSO::AccessAssignment + DependsOn: + - CloudSSOAccessConfigurationProvision1 + Properties: + DirectoryId: + Ref: CloudSSODirectory + AccessConfigurationId: + Ref: CloudSSOAccessConfiguration + TargetType: RD-Account + TargetId: + Fn::If: + - CreateAccount + - Fn::GetAtt: + - RDAccount1 + - AccountId + - Ref: Account1 + PrincipalType: User + PrincipalId: + Fn::GetAtt: + - CloudSSOUser + - UserId + UserProvision1: + Type: ALIYUN::CloudSSO::UserProvision + Properties: + DirectoryId: + Ref: CloudSSODirectory + DuplicationStrategy: TakeOver + DeletionStrategy: Keep + PrincipalType: User + PrincipalId: + Fn::GetAtt: + - CloudSSOUser + - UserId + TargetType: RD-Account + TargetId: + Fn::If: + - CreateAccount + - Fn::GetAtt: + - RDAccount1 + - AccountId + - Ref: Account1 +Metadata: + ALIYUN::ROS::Interface: + ParameterGroups: + - Parameters: + - WhetherCreateAccount + - FolderName1 + - DisplayName1 + - Account1 + Label: + default: + zh-cn: 配置资源目录 + en: + Resource account + - Parameters: + - SamlConfigurationMode + - EncodedMetadataDocument + - EntityId + - LoginUrl + - X509Certificate + Label: + default: + zh-cn: 配置单点登录 + en: Configuration single sign-on + TemplateTags: + - acs:technical-solution:account:企业多账号身份权限集中管理 +Outputs: + FolderId: + Condition: CreateAccount + Description: + zh-cn: 资源管理资源夹ID + en: Resource management resource folder ID + Value: + Fn::GetAtt: + - RDFolder1 + - FolderId + AccountId: + Condition: CreateAccount + Description: + zh-cn: 资源管理账号ID + en: Resource management account ID + Value: + Fn::GetAtt: + - RDAccount1 + - AccountId + DirectoryId: + Description: + zh-cn: 云SSO目录Id + en: CloudSSO directory ID + Value: + Fn::GetAtt: + - CloudSSODirectory + - DirectoryId + UserId: + Description: + zh-cn: 云SSO用户Id + en: CloudSSO user ID + Value: + Fn::GetAtt: + - CloudSSOUser + - UserId + AccessConfigurationId: + Description: + zh-cn: 云SSO访问配置Id + en: CloudSSO access configuration ID + Value: + Fn::GetAtt: + - CloudSSOAccessConfiguration + - AccessConfigurationId + SCIMCredentialSecret: + Description: + zh-cn: 云SSO SCIM密钥 + en: CloudSSO SCIM credential secret + NoEcho: true + Value: + Fn::GetAtt: + - CloudSSOCredential + - CredentialSecret +