-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Add OIDC support
- Loading branch information
Showing
15 changed files
with
1,415 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| # generated by https://github.com/hashicorp/terraform-plugin-docs | ||
| page_title: "platform_oidc_configuration Resource - terraform-provider-platform" | ||
| subcategory: "" | ||
| description: |- | ||
| Manage OIDC configuration in JFrog platform. See the JFrog OIDC configuration documentation https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration for more information. | ||
| --- | ||
|
|
||
| # platform_oidc_configuration (Resource) | ||
|
|
||
| Manage OIDC configuration in JFrog platform. See the JFrog [OIDC configuration documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more information. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "platform_oidc_configuration" "my-github-oidc-configuration" { | ||
| name = "my-github-oidc-configuration" | ||
| description = "My GitHub OIDC configuration" | ||
| issuer_url = "https://token.actions.githubusercontent.com/" | ||
| provider_type = "GitHub" | ||
| audience = "jfrog-github" | ||
| } | ||
| resource "platform_oidc_configuration" "my-generic-oidc-configuration" { | ||
| name = "my-generic-oidc-configuration" | ||
| description = "My generic OIDC configuration" | ||
| issuer_url = "https://tempurl.org/" | ||
| provider_type = "generic" | ||
| audience = "jfrog-generic" | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `issuer_url` (String) OIDC issuer URL. For GitHub actions, the URL must be https://token.actions.githubusercontent.com/. | ||
| - `name` (String) Name of the OIDC provider | ||
| - `provider_type` (String) Type of OIDC provider. Can be `generic` or `GitHub`. | ||
|
|
||
| ### Optional | ||
|
|
||
| - `audience` (String) Informational field that you can use to include details of the audience that uses the OIDC configuration. | ||
| - `description` (String) Description of the OIDC provider | ||
|
|
||
| ## Import | ||
|
|
||
| Import is supported using the following syntax: | ||
|
|
||
| ```shell | ||
| terraform import platform_oidc_configuration.my-oidc-configuration my-oidc-configuration | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| --- | ||
| # generated by https://github.com/hashicorp/terraform-plugin-docs | ||
| page_title: "platform_oidc_identity_mapping Resource - terraform-provider-platform" | ||
| subcategory: "" | ||
| description: |- | ||
| Manage OIDC identity mapping for an OIDC configuration in JFrog platform. See the JFrog OIDC identity mappings documentation https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings for more information. | ||
| --- | ||
|
|
||
| # platform_oidc_identity_mapping (Resource) | ||
|
|
||
| Manage OIDC identity mapping for an OIDC configuration in JFrog platform. See the JFrog [OIDC identity mappings documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings) for more information. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "platform_oidc_identity_mapping" "my-github-oidc-user-identity-mapping" { | ||
| name = "my-github-oidc-user-identity-mapping" | ||
| description = "My GitHub OIDC user identity mapping" | ||
| provider_name = "my-github-oidc-configuration" | ||
| priority = 1 | ||
| claims_json = jsonencode({ | ||
| "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main", | ||
| "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main" | ||
| }) | ||
| token_spec = { | ||
| username = "my-user" | ||
| scope = "applied-permissions/user" | ||
| audience = "*@*" | ||
| expires_in = 7200 | ||
| } | ||
| } | ||
| resource "platform_oidc_identity_mapping" "my-github-oidc-group-identity-mapping" { | ||
| name = "my-github-oidc-group-identity-mapping" | ||
| description = "My GitHub OIDC group identity mapping" | ||
| provider_name = "my-github-oidc-configuration" | ||
| priority = 1 | ||
| claims_json = jsonencode({ | ||
| "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main", | ||
| "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main" | ||
| }) | ||
| token_spec = { | ||
| scope = "applied-permissions/groups:\"readers\",\"my-group\"" | ||
| audience = "jfrt@* jfac@* jfmc@* jfmd@* jfevt@* jfxfer@* jflnk@* jfint@* jfwks@*" | ||
| expires_in = 7200 | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `claims_json` (String) Claims JSON from the OIDC provider. Use [Terraform jsonencode function](https://developer.hashicorp.com/terraform/language/functions/jsonencode) to encode the JSON string. Claims constitute the payload part of a JSON web token and represent a set of information exchanged between two parties. The JWT standard distinguishes between reserved claims, public claims, and private claims. In API Gateway context, both public claims and private claims are considered custom claims. For example, an ID token (which is always a JWT) can contain a claim called that asserts that the name of the user authenticating is "John Doe". In a JWT, a claim appears as a name/value pair where the name is always a string and the value can be any JSON value. | ||
| - `name` (String) Name of the OIDC identity mapping | ||
| - `priority` (Number) Priority of the identity mapping. The priority should be a number. The higher priority is set for the lower number. If you do not enter a value, the identity mapping is assigned the lowest priority. We recommend that you assign the highest priority (1) to the strongest permission gate. Set the lowest priority to the weakest permission for a logical and effective access control setup. | ||
| - `provider_name` (String) Name of the OIDC configuration | ||
| - `token_spec` (Attributes) Specifications of the token. In case of success, a token with the following details will be generated and passed to OIDC Provider. (see [below for nested schema](#nestedatt--token_spec)) | ||
|
|
||
| ### Optional | ||
|
|
||
| - `description` (String) Description of the OIDC mapping | ||
|
|
||
| <a id="nestedatt--token_spec"></a> | ||
| ### Nested Schema for `token_spec` | ||
|
|
||
| Required: | ||
|
|
||
| - `scope` (String) Scope of the token. Must start with `applied-permissions/user`, `applied-permissions/admin`, or `applied-permissions/groups:`. Group names must be comma-separated, double quotes wrapped, e.g. `applied-permissions/groups:\"readers\",\"my-group\",` | ||
|
|
||
| Optional: | ||
|
|
||
| - `audience` (String) Sets of (space separated) the JFrog services to which the mapping applies. Default value is `*@*`, which applies to all services. | ||
| - `expires_in` (Number) Token expiry time in seconds. Default value is 60. | ||
| - `username` (String) User name of the OIDC user. Not applicable when `scope` is set to `applied-permissions/groups` | ||
|
|
||
| ## Import | ||
|
|
||
| Import is supported using the following syntax: | ||
|
|
||
| ```shell | ||
| terraform import platform_oidc_identity_mapping.my-oidc-identity-mapping my-oidc-identity-mapping:my-oidc-configuration | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| terraform import platform_oidc_configuration.my-oidc-configuration my-oidc-configuration |
15 changes: 15 additions & 0 deletions
15
examples/resources/platform_oidc_configuration/resource.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| resource "platform_oidc_configuration" "my-github-oidc-configuration" { | ||
| name = "my-github-oidc-configuration" | ||
| description = "My GitHub OIDC configuration" | ||
| issuer_url = "https://token.actions.githubusercontent.com/" | ||
| provider_type = "GitHub" | ||
| audience = "jfrog-github" | ||
| } | ||
|
|
||
| resource "platform_oidc_configuration" "my-generic-oidc-configuration" { | ||
| name = "my-generic-oidc-configuration" | ||
| description = "My generic OIDC configuration" | ||
| issuer_url = "https://tempurl.org/" | ||
| provider_type = "generic" | ||
| audience = "jfrog-generic" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| terraform import platform_oidc_identity_mapping.my-oidc-identity-mapping my-oidc-identity-mapping:my-oidc-configuration |
36 changes: 36 additions & 0 deletions
36
examples/resources/platform_oidc_identity_mapping/resource.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| resource "platform_oidc_identity_mapping" "my-github-oidc-user-identity-mapping" { | ||
| name = "my-github-oidc-user-identity-mapping" | ||
| description = "My GitHub OIDC user identity mapping" | ||
| provider_name = "my-github-oidc-configuration" | ||
| priority = 1 | ||
|
|
||
| claims_json = jsonencode({ | ||
| "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main", | ||
| "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main" | ||
| }) | ||
|
|
||
| token_spec = { | ||
| username = "my-user" | ||
| scope = "applied-permissions/user" | ||
| audience = "*@*" | ||
| expires_in = 7200 | ||
| } | ||
| } | ||
|
|
||
| resource "platform_oidc_identity_mapping" "my-github-oidc-group-identity-mapping" { | ||
| name = "my-github-oidc-group-identity-mapping" | ||
| description = "My GitHub OIDC group identity mapping" | ||
| provider_name = "my-github-oidc-configuration" | ||
| priority = 1 | ||
|
|
||
| claims_json = jsonencode({ | ||
| "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main", | ||
| "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main" | ||
| }) | ||
|
|
||
| token_spec = { | ||
| scope = "applied-permissions/groups:\"readers\",\"my-group\"" | ||
| audience = "jfrt@* jfac@* jfmc@* jfmd@* jfevt@* jfxfer@* jflnk@* jfint@* jfwks@*" | ||
| expires_in = 7200 | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.