Skip to content

Commit

Permalink
Merge pull request #38 from akhilmhdh/feat/identity
Browse files Browse the repository at this point in the history 
Identity and Identity auth resource
  • Loading branch information
@maidul98
maidul98 authored Aug 29, 2024
2 parents 849e0c5 + 8ead91d commit 042d81a
Show file tree
Hide file tree
Showing 30 changed files with 3,972 additions and 8 deletions.
122 changes: 122 additions & 0 deletions docs/resources/identity.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity in Infisical.
---

# infisical_identity (Resource)

Create and manage identity in Infisical.

## Example Usage

```terraform
terraform {
required_providers {
infisical = {
# version = <latest version>
source = "infisical/infisical"
}
}
}
provider "infisical" {
host = "https://app.infisical.com" # Only required if using self hosted instance of Infisical, default is https://app.infisical.com
client_id = "<machine-identity-client-id>"
client_secret = "<machine-identity-client-secret>"
}
# universal authentication identity
resource "infisical_identity" "universal-auth" {
name = "universal-auth"
role = "member"
org_id = "<org_id>"
}
resource "infisical_identity_universal_auth" "ua-auth" {
identity_id = infisical_identity.universal-auth.id
access_token_ttl = 2592000
access_token_max_ttl = 2592000 * 2
access_token_num_uses_limit = 3
}
resource "infisical_identity_universal_auth_client_secret" "client-secret" {
identity_id = infisical_identity.universal-auth.id
depends_on = [infisical_identity_universal_auth.ua-auth]
}
output "client_secret" {
sensitive = true
value = infisical_identity_universal_auth_client_secret.client-secret.client_secret
}
resource "infisical_identity" "aws-auth" {
name = "aws-auth"
role = "member"
org_id = "<org_id>"
}
resource "infisical_identity_aws_auth" "aws-auth" {
identity_id = infisical_identity.aws-auth.id
access_token_ttl = 2592000
access_token_max_ttl = 2592000 * 2
access_token_num_uses_limit = 3
allowed_principal_arns = ["arn:aws:iam::123456789012:user/MyUserName"]
allowed_account_ids = ["123456789012", "123456789013"]
}
resource "infisical_identity" "azure-auth" {
name = "azure-auth"
role = "member"
org_id = "<org_id>"
}
resource "infisical_identity_azure_auth" "azure-auth" {
identity_id = infisical_identity.azure-auth.id
tenant_id = "TENANT_ID"
}
resource "infisical_identity" "gcp-auth" {
name = "gcp-auth"
role = "member"
org_id = "<org_id>"
}
resource "infisical_identity_gcp_auth" "gcp-auth" {
identity_id = infisical_identity.gcp-auth.id
type = "gce"
}
resource "infisical_identity" "k8-auth" {
name = "k8-auth"
role = "member"
org_id = "<org_id>"
}
resource "infisical_identity_kubernetes_auth" "k8-auth" {
identity_id = infisical_identity.k8-auth.id
kubernetes_host = "http://example.com"
token_reviewer_jwt = "ey<example>"
allowed_namespaces = ["namespace-a", "namespace-b"]
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) The name for the identity
- `org_id` (String) The ID of the organization for the identity
- `role` (String) The role for the identity. Available default role options are 'admin', 'member', and 'no-access'. If you've created custom roles, you can use their slugs as well.

### Optional

- `auth_mode` (String) The authentication type of the identity

### Read-Only

- `id` (String) The ID of the identity
41 changes: 41 additions & 0 deletions docs/resources/identity_aws_auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_aws_auth Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity aws auth in Infisical.
---

# infisical_identity_aws_auth (Resource)

Create and manage identity aws auth in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to attach the configuration onto.

### Optional

- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `allowed_account_ids` (List of String) List of trusted AWS account IDs that are allowed to authenticate with Infisical.
- `allowed_principal_arns` (List of String) List of trusted IAM principal ARNs that are allowed to authenticate with Infisical. The values should take one of three forms: `arn:aws:iam::123456789012:user/MyUserName`, `arn:aws:iam::123456789012:role/MyRoleName`, or `arn:aws:iam::123456789012:*`. Using a wildcard in this case allows any IAM principal in the account `123456789012` to authenticate with Infisical under the identity
- `sts_endpoint` (String) The endpoint URL for the AWS STS API. This value should be adjusted based on the AWS region you are operating in (e.g. `https://sts.us-east-1.amazonaws.com/`); refer to the list of regional STS endpoints [here](https://docs.aws.amazon.com/general/latest/gr/sts.html).

### Read-Only

- `id` (String) The ID of the aws auth

<a id="nestedatt--access_token_trusted_ips"></a>
### Nested Schema for `access_token_trusted_ips`

Optional:

- `ip_address` (String)
41 changes: 41 additions & 0 deletions docs/resources/identity_azure_auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_azure_auth Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity azure auth in Infisical.
---

# infisical_identity_azure_auth (Resource)

Create and manage identity azure auth in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to attach the configuration onto.
- `tenant_id` (String) The [tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) for the Azure AD organization.

### Optional

- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `allowed_service_principal_ids` (List of String) List of Azure AD service principal IDs that are allowed to authenticate with Infisical
- `resource_url` (String) The resource URL for the application registered in Azure AD. The value is expected to match the `aud` claim of the access token JWT later used in the login operation against Infisical. See the [resource](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http) parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint. In most cases, this value should be `https://management.azure.com/` which is the default

### Read-Only

- `id` (String) The ID of the azure auth

<a id="nestedatt--access_token_trusted_ips"></a>
### Nested Schema for `access_token_trusted_ips`

Optional:

- `ip_address` (String)
42 changes: 42 additions & 0 deletions docs/resources/identity_gcp_auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_gcp_auth Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity gcp auth in Infisical.
---

# infisical_identity_gcp_auth (Resource)

Create and manage identity gcp auth in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to attach the configuration onto.

### Optional

- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `allowed_projects` (List of String) List of trusted GCP projects that the GCE instance must belong to authenticate with Infisical. Note that this validation property will only work for GCE instances
- `allowed_service_account_emails` (List of String) List of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical; this could be something like `[email protected]`, `[email protected]`, etc.
- `allowed_zones` (List of String) List of trusted zones that the GCE instances must belong to authenticate with Infisical; this should be the fully-qualified zone name in the format `<region>-<zone>`like `us-central1-a`, `us-west1-b`, etc. Note that this validation property will only work for GCE instances.
- `type` (String) The Type of GCP Auth Method to use: Options are gce, iam. Default:gce

### Read-Only

- `id` (String) The ID of the gcp auth

<a id="nestedatt--access_token_trusted_ips"></a>
### Nested Schema for `access_token_trusted_ips`

Optional:

- `ip_address` (String)
44 changes: 44 additions & 0 deletions docs/resources/identity_kubernetes_auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_kubernetes_auth Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity kubernetes auth in Infisical.
---

# infisical_identity_kubernetes_auth (Resource)

Create and manage identity kubernetes auth in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to attach the configuration onto.
- `kubernetes_host` (String) The host string, host:port pair, or URL to the base of the Kubernetes API server. This can usually be obtained by running `kubectl cluster-info`.
- `token_reviewer_jwt` (String) A long-lived service account JWT token for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5.

### Optional

- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `allowed_audience` (String) An optional audience claim that the service account JWT token must have to authenticate with Infisical.
- `allowed_namespaces` (List of String) List of trusted namespaces that service accounts must belong to authenticate with Infisical.
- `allowed_service_account_names` (List of String) List of trusted service account names that are allowed to authenticate with Infisical.
- `kubernetes_ca_certificate` (String) The PEM-encoded CA cert for the Kubernetes API server. This is used by the TLS client for secure communication with the Kubernetes API server.

### Read-Only

- `id` (String) The ID of the kubernetes auth

<a id="nestedatt--access_token_trusted_ips"></a>
### Nested Schema for `access_token_trusted_ips`

Optional:

- `ip_address` (String)
47 changes: 47 additions & 0 deletions docs/resources/identity_universal_auth.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_universal_auth Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity universal auth in Infisical.
---

# infisical_identity_universal_auth (Resource)

Create and manage identity universal auth in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to attach the configuration onto.

### Optional

- `access_token_max_ttl` (Number) The maximum lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `access_token_num_uses_limit` (Number) The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses. Default:0
- `access_token_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that access tokens can be used from. You can use 0.0.0.0/0, to allow usage from any network address.. (see [below for nested schema](#nestedatt--access_token_trusted_ips))
- `access_token_ttl` (Number) The lifetime for an access token in seconds. This value will be referenced at renewal time. Default: 2592000
- `client_secret_trusted_ips` (Attributes List) A list of IPs or CIDR ranges that the Client Secret can be used from together with the Client ID to get back an access token. You can use 0.0.0.0/0, to allow usage from any network address. (see [below for nested schema](#nestedatt--client_secret_trusted_ips))

### Read-Only

- `id` (String) The ID of the universal auth

<a id="nestedatt--access_token_trusted_ips"></a>
### Nested Schema for `access_token_trusted_ips`

Optional:

- `ip_address` (String)


<a id="nestedatt--client_secret_trusted_ips"></a>
### Nested Schema for `client_secret_trusted_ips`

Optional:

- `ip_address` (String)
35 changes: 35 additions & 0 deletions docs/resources/identity_universal_auth_client_secret.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "infisical_identity_universal_auth_client_secret Resource - terraform-provider-infisical"
subcategory: ""
description: |-
Create and manage identity universal auth client secret in Infisical.
---

# infisical_identity_universal_auth_client_secret (Resource)

Create and manage identity universal auth client secret in Infisical.



<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `identity_id` (String) The ID of the identity to create a client secret for

### Optional

- `description` (String) The description of the client secret.
- `number_of_uses_limit` (Number) The maximum number of times that the client secret can be used; a value of 0 implies infinite number of uses. Default: 0
- `ttl` (Number) The lifetime for the client secret in seconds. Default: 0 - not expiring

### Read-Only

- `client_id` (String) The client ID of the secret.
- `client_secret` (String, Sensitive) The client secret.
- `created_at` (String) The UTC timestamp of the created at.
- `id` (String) The ID of the universal auth client secret
- `is_revoked` (Boolean) A flag indicating token has been revoked
- `number_of_uses` (Number) The number of times that the client secret is used
Loading

0 comments on commit 042d81a

Please sign in to comment.