From 612bc4f90163e255941d661e29c05a4d3a29e859 Mon Sep 17 00:00:00 2001 From: joerger Date: Mon, 7 Oct 2024 15:56:50 -0700 Subject: [PATCH] Upate terraform schema and docs and crds. --- .../resources.teleport.dev_samlconnectors.mdx | 5 +- .../data-sources/saml_connector.mdx | 5 +- .../resources/saml_connector.mdx | 5 +- ...resources.teleport.dev_samlconnectors.yaml | 15 +- ...resources.teleport.dev_samlconnectors.yaml | 15 +- integrations/terraform/README.md | 4 +- .../terraform/tfschema/types_terraform.go | 134 +++++++++++++++++- 7 files changed, 175 insertions(+), 8 deletions(-) diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx index 7c4733bbf0556..76fda10051d10 100644 --- a/docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx +++ b/docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx 
@@ -71,10 +71,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator. |Field|Type|Description| |---|---|---| +|cert|string|Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate.| |enabled|boolean|Enabled specified whether this SAML connector supports MFA checks. Defaults to false.| -|entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.| +|entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.| |entity_descriptor_url|string|EntityDescriptorUrl is a URL that supplies a configuration XML.| |force_authn|string or integer|ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions. Can be either the string or the integer representation of each option.| +|issuer|string|Issuer is the identity provider issuer. Usually set from EntityDescriptor.| +|sso|string|SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.| ### spec.signing_key_pair diff --git a/docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx b/docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx index 09ff72d3faa4a..a1b658d31019f 100644 --- a/docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx +++ b/docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx 
@@ -78,10 +78,13 @@ Optional: Optional: +- `cert` (String) Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate. - `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false. -- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. +- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl. - `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML. - `force_authn` (Number) ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions. +- `issuer` (String) Issuer is the identity provider issuer. Usually set from EntityDescriptor. +- `sso` (String) SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor. ### Nested Schema for `spec.signing_key_pair` diff --git a/docs/pages/reference/terraform-provider/resources/saml_connector.mdx b/docs/pages/reference/terraform-provider/resources/saml_connector.mdx index d9ebcb09063c4..e2a0fd685433d 100644 --- a/docs/pages/reference/terraform-provider/resources/saml_connector.mdx +++ b/docs/pages/reference/terraform-provider/resources/saml_connector.mdx 
@@ -123,10 +123,13 @@ Optional: Optional: +- `cert` (String) Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate. - `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false. -- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. +- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl. - `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML. - `force_authn` (Number) ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions. +- `issuer` (String) Issuer is the identity provider issuer. Usually set from EntityDescriptor. +- `sso` (String) SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor. ### Nested Schema for `spec.signing_key_pair` diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml index 70596b79c1c82..c6814333c7831 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml 
@@ -127,6 +127,10 @@ spec: through this auth connector. nullable: true properties: + cert: + description: Cert is the identity provider certificate PEM. IDP + signs `` responses using this certificate. + type: string enabled: description: Enabled specified whether this SAML connector supports MFA checks. Defaults to false. @@ -134,7 +138,8 @@ spec: entity_descriptor: description: EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather - than supplying them in the individual elements. + than supplying them in the individual elements. Usually set + from EntityDescriptorUrl. type: string entity_descriptor_url: description: EntityDescriptorUrl is a URL that supplies a configuration @@ -147,6 +152,14 @@ spec: NO if the IdP is setup to perform MFA checks on top of active user sessions. x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. Usually set + from EntityDescriptor. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + Usually set from EntityDescriptor. + type: string type: object provider: description: Provider is the external identity provider. diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml index 70596b79c1c82..c6814333c7831 100644 --- a/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml +++ b/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml @@ -127,6 +127,10 @@ spec: through this auth connector. nullable: true properties: + cert: + description: Cert is the identity provider certificate PEM. IDP + signs `` responses using this certificate. + type: string enabled: description: Enabled specified whether this SAML connector supports MFA checks. Defaults to false. 
@@ -134,7 +138,8 @@ spec: entity_descriptor: description: EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather - than supplying them in the individual elements. + than supplying them in the individual elements. Usually set + from EntityDescriptorUrl. type: string entity_descriptor_url: description: EntityDescriptorUrl is a URL that supplies a configuration @@ -147,6 +152,14 @@ spec: NO if the IdP is setup to perform MFA checks on top of active user sessions. x-kubernetes-int-or-string: true + issuer: + description: Issuer is the identity provider issuer. Usually set + from EntityDescriptor. + type: string + sso: + description: SSO is the URL of the identity provider's SSO service. + Usually set from EntityDescriptor. + type: string type: object provider: description: Provider is the external identity provider. diff --git a/integrations/terraform/README.md b/integrations/terraform/README.md index e927011a19d2b..52b8c48050028 100644 --- a/integrations/terraform/README.md +++ b/integrations/terraform/README.md @@ -7,9 +7,9 @@ Please, refer to [official documentation](https://goteleport.com/docs/admin-guid ## Development 1. Install [`protobuf`](https://grpc.io/docs/protoc-installation/). -2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform). +2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform) @v2.2.0. - ```go install github.com/gravitational/protoc-gen-terraform@main``` + ```go install github.com/gravitational/protoc-gen-terraform@08768262d29336b8ae0915ef41bb6d9768518c66``` 3. Install [`Terraform`](https://learn.hashicorp.com/tutorials/terraform/install-cli) v1.1.0+. Alternatively, you can use [`tfenv`](https://github.com/tfutils/tfenv). Please note that on Mac M1 you need to specify `TFENV_ARCH` (ex: `TFENV_ARCH=arm64 tfenv install 1.1.6`). 
diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go index 1cef5e613e28b..afd846111510b 100644 --- a/integrations/terraform/tfschema/types_terraform.go +++ b/integrations/terraform/tfschema/types_terraform.go @@ -3066,13 +3066,18 @@ func GenSchemaSAMLConnectorV2(ctx context.Context) (github_com_hashicorp_terrafo }, "mfa": { Attributes: github_com_hashicorp_terraform_plugin_framework_tfsdk.SingleNestedAttributes(map[string]github_com_hashicorp_terraform_plugin_framework_tfsdk.Attribute{ + "cert": { + Description: "Cert is the identity provider certificate PEM. IDP signs `` responses using this certificate.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, + }, "enabled": { Description: "Enabled specified whether this SAML connector supports MFA checks. Defaults to false.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.BoolType, }, "entity_descriptor": { - Description: "EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.", + Description: "EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, }, 
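Review bot: The `cert` attribute added at the top of this hunk carries the description "IDP signs `` responses using this certificate." with nothing between the backticks, so the generated text is missing a word — presumably an XML element name that the doc generator dropped as a tag. Since this file is generated from the proto comment, the fix belongs in that source comment (spell the element name in plain words or escape it), which would also clear the same empty backticks from the mdx and CRD descriptions in the earlier hunks. `GenSchemaSAMLConnectorV2` begins and ends outside this hunk.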
@@ -3086,6 +3091,16 @@ func GenSchemaSAMLConnectorV2(ctx context.Context) (github_com_hashicorp_terrafo Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.Int64Type, }, + "issuer": { + Description: "Issuer is the identity provider issuer. Usually set from EntityDescriptor.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, + }, + "sso": { + Description: "SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.", + Optional: true, + Type: github_com_hashicorp_terraform_plugin_framework_types.StringType, + }, }), Description: "MFASettings contains settings to enable SSO MFA checks through this auth connector.", Optional: true, 
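Review bot: `issuer` and `sso` are added as `Optional: true` only, while their descriptions say they are usually set from the EntityDescriptor, i.e. populated server-side; if Teleport fills them in on create and the provider reads the populated value back, a configuration that omits them will show a perpetual plan diff unless the attributes are also `Computed: true`. The same presumably applies to `cert` in the previous hunk if it is derived from the entity descriptor as well. Because this file is generated, the change belongs in the generator's field configuration rather than in this file; if the server does not in fact populate these fields on the returned resource, disregard. `GenSchemaSAMLConnectorV2` begins and ends outside this hunk.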
@@ -31042,6 +31057,57 @@ func CopySAMLConnectorV2FromTerraform(_ context.Context, tf github_com_hashicorp } } } + { + a, ok := tf.Attrs["issuer"] + if !ok { + diags.Append(attrReadMissingDiag{"SAMLConnectorV2.Spec.MFASettings.issuer"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.issuer", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.Issuer = t + } + } + } + { + a, ok := tf.Attrs["sso"] + if !ok { + diags.Append(attrReadMissingDiag{"SAMLConnectorV2.Spec.MFASettings.sso"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.sso", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.Sso = t + } + } + } + { + a, ok := tf.Attrs["cert"] + if !ok { + diags.Append(attrReadMissingDiag{"SAMLConnectorV2.Spec.MFASettings.cert"}) + } else { + v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrReadConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.cert", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } else { + var t string + if !v.Null && !v.Unknown { + t = string(v.Value) + } + obj.Cert = t + } + } + } } } } 
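Review bot: The new `cert` block copies the attribute into `obj.Cert` as an opaque string; nothing in this hunk checks that the value decodes as a PEM certificate, so that guarantee has to come from Teleport's server-side validation of MFASettings, which is outside this diff. That is the right place for it since this file is generated, but it is worth confirming the check exists, because a malformed certificate accepted here would presumably only surface later when an IdP response signature fails to verify. The `issuer` and `sso` blocks follow the same pattern as the existing fields and look consistent with them. `CopySAMLConnectorV2FromTerraform` begins and ends outside this hunk.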
@@ -32184,6 +32250,72 @@ func CopySAMLConnectorV2ToTerraform(ctx context.Context, obj *github_com_gravita tf.Attrs["force_authn"] = v } } + { + t, ok := tf.AttrTypes["issuer"] + if !ok { + diags.Append(attrWriteMissingDiag{"SAMLConnectorV2.Spec.MFASettings.issuer"}) + } else { + v, ok := tf.Attrs["issuer"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"SAMLConnectorV2.Spec.MFASettings.issuer", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.issuer", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(obj.Issuer) == "" + } + v.Value = string(obj.Issuer) + v.Unknown = false + tf.Attrs["issuer"] = v + } + } + { + t, ok := tf.AttrTypes["sso"] + if !ok { + diags.Append(attrWriteMissingDiag{"SAMLConnectorV2.Spec.MFASettings.sso"}) + } else { + v, ok := tf.Attrs["sso"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"SAMLConnectorV2.Spec.MFASettings.sso", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.sso", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(obj.Sso) == "" + } + v.Value = string(obj.Sso) + v.Unknown = false + tf.Attrs["sso"] = v + } + } + { + t, ok := tf.AttrTypes["cert"] + if !ok { + diags.Append(attrWriteMissingDiag{"SAMLConnectorV2.Spec.MFASettings.cert"}) + } else { + v, ok := 
tf.Attrs["cert"].(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil)) + if err != nil { + diags.Append(attrWriteGeneralError{"SAMLConnectorV2.Spec.MFASettings.cert", err}) + } + v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String) + if !ok { + diags.Append(attrWriteConversionFailureDiag{"SAMLConnectorV2.Spec.MFASettings.cert", "github.com/hashicorp/terraform-plugin-framework/types.String"}) + } + v.Null = string(obj.Cert) == "" + } + v.Value = string(obj.Cert) + v.Unknown = false + tf.Attrs["cert"] = v + } + } } v.Unknown = false tf.Attrs["mfa"] = v
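Review bot: In the fallback branch of each new block (`issuer`, `sso`, `cert`), a non-nil `err` from `t.ValueFromTerraform` is appended to `diags` but execution continues: `i` is then type-asserted anyway, which appends a second conversion-failure diag, and `v.Value`/`v.Unknown` are still written into `tf.Attrs` from a zero `String`. This mirrors the pre-existing generated pattern for the other fields, so it is only a problem if the caller does not stop on `diags` errors; if the generator template is ever revised, skipping the rest of the block after the general error would avoid the redundant diag and the spurious write. `CopySAMLConnectorV2ToTerraform` begins and ends outside this hunk.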