Add support for Workforce Identity to organization module and org setup stage (#3530)
* module-level support * fast stage 0 * fix inventory, add outputs/tfvars
committed by
GitHub
parent
5270586a8e
commit
87ed19bc47
@@ -32,6 +32,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
|
||||
- [Custom Security Health Analytics Modules Factory](#custom-security-health-analytics-modules-factory)
|
||||
- [Tags](#tags)
|
||||
- [Tags Factory](#tags-factory)
|
||||
- [Workforce Identity](#workforce-identity)
|
||||
- [Files](#files)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
@@ -556,7 +557,6 @@ cloudkmKeyRotationPeriod:
|
||||
|
||||
## Tags
|
||||
|
||||
|
||||
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
```hcl
|
||||
@@ -708,6 +708,77 @@ values:
|
||||
|
||||
```
|
||||
|
||||
## Workforce Identity
|
||||
|
||||
A Workforce Identity pool and providers can be created via the `workforce_identity_config` variable.
|
||||
|
||||
Auto-population of provider attributes is supported via the `attribute_mapping_template` provider attribute. Currently only `azuread` and `okta` are supported.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
workforce_identity_config = {
|
||||
# optional, defaults to 'default'
|
||||
pool_name = "test-pool"
|
||||
providers = {
|
||||
saml-basic = {
|
||||
attribute_mapping_template = "azuread"
|
||||
identity_provider = {
|
||||
saml = {
|
||||
idp_metadata_xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>..."
|
||||
}
|
||||
}
|
||||
}
|
||||
saml-full = {
|
||||
attribute_mapping = {
|
||||
"google.subject" = "assertion.sub"
|
||||
}
|
||||
identity_provider = {
|
||||
saml = {
|
||||
idp_metadata_xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>..."
|
||||
}
|
||||
}
|
||||
oauth2_client_config = {
|
||||
extra_attributes = {
|
||||
issuer_uri = "https://login.microsoftonline.com/abcdef/v2.0"
|
||||
client_id = "client-id"
|
||||
client_secret = "client-secret"
|
||||
attributes_type = "AZURE_AD_GROUPS_ID"
|
||||
query_filter = "mail:gcp"
|
||||
}
|
||||
}
|
||||
}
|
||||
oidc-full = {
|
||||
attribute_mapping = {
|
||||
"google.subject" = "assertion.sub"
|
||||
}
|
||||
identity_provider = {
|
||||
oidc = {
|
||||
issuer_uri = "https://sts.windows.net/abcd01234/"
|
||||
client_id = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery"
|
||||
client_secret = "client-secret"
|
||||
web_sso_config = {
|
||||
response_type = "CODE"
|
||||
assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
|
||||
}
|
||||
}
|
||||
}
|
||||
oauth2_client_config = {
|
||||
extra_attributes = {
|
||||
issuer_uri = "https://login.microsoftonline.com/abcd01234/v2.0"
|
||||
client_id = "client-id"
|
||||
client_secret = "client-secret"
|
||||
attributes_type = "AZURE_AD_GROUPS_MAIL"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4 inventory=wfif.yaml
|
||||
```
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Files
|
||||
@@ -715,6 +786,7 @@ values:
|
||||
| name | description | resources |
|
||||
|---|---|---|
|
||||
| [iam.tf](./iam.tf) | IAM bindings. | <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> |
|
||||
| [identity-providers.tf](./identity-providers.tf) | Workforce Identity Federation provider definitions. | <code>google_iam_workforce_pool</code> · <code>google_iam_workforce_pool_provider</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and data access logs. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_settings</code> · <code>google_logging_organization_sink</code> · <code>google_organization_iam_audit_config</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> |
|
||||
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
|
||||
@@ -759,6 +831,7 @@ values:
|
||||
| [tag_bindings](variables-tags.tf#L82) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tags](variables-tags.tf#L89) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tags_config](variables-tags.tf#L154) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [workforce_identity_config](variables.tf#L136) | Workforce Identity Federation pools. | <code title="object({ pool_name = optional(string, "default") providers = optional(map(object({ description = optional(string) display_name = optional(string) attribute_condition = optional(string) attribute_mapping = optional(map(string), {}) attribute_mapping_template = optional(string) disabled = optional(bool, false) identity_provider = object({ oidc = optional(object({ issuer_uri = string client_id = string client_secret = optional(string) jwks_json = optional(string) web_sso_config = optional(object({ response_type = optional(string, "CODE") assertion_claims_behavior = optional(string, "ONLY_ID_TOKEN_CLAIMS") additional_scopes = optional(list(string)) })) })) saml = optional(object({ idp_metadata_xml = string })) }) oauth2_client_config = optional(object({ extended_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) extra_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) }), {}) })), {}) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
@@ -777,4 +850,5 @@ values:
|
||||
| [sink_writer_identities](outputs.tf#L101) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L109) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L118) | Tag value resources. | |
|
||||
| [workforce_identity_provider_names](outputs.tf#L126) | Workforce Identity provider names. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||