diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7718a73..6a0dea4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,10 @@
 - change ldap.e.tco default to ldap2.e.tco
 - add -p to mkdir
+* 1.4.2 -- 2023-10-11
+ - remove default ldap provider, requires links to proper provider ldap configs and passing provider like
+ providers = { ldap = ldap.bocas }
+
 ## version 2.x branch: compat-tf-0.13
diff --git a/README.md b/README.md
index d201074..1a555dc 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,15 @@ Because of this quirk, this is a two-step apply. The first step creates the IAM
 ```
 # Notes
+On 2023-10-11, TCO changed the LDAP servers to (1) require authentication, and (2) update the TLS certificate. Because
+of #1, the provider calls to the LDAP provider must provide credentials. This module requires you to pass a proper
+ldap profile that includes credentials, even if you are not going to create an LDAP role.
+
+The server replacements are as folows:
+* ldap.e.tco.census.gov => ldap2.e.tco.census.gov
+* ldap.tco.census.gov => nldap2.tco.census.gov
+* nldap.tco.census.gov => nldap2.tco.census.gov
+
 ## Policies
 When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
@@ -44,6 +53,9 @@ Creating a SAML role with two attached policies
 ```hcl
 module "myrole1" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+ providers = {
+ ldap = ldap.ebocas
+ }
 role_name = "my-role1"
 role_description = "Role to do some super cool stuff"
@@ -66,6 +78,9 @@ Creating a non-SAML role
 ```hcl
 module "myrole2" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+ providers = {
+ ldap = ldap
+ }
 role_name = "my-role2"
 attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
@@ -86,6 +101,9 @@ data "aws_iam_document_policy" "my-policy-1" {
 module "myrole3" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+ providers = {
+ ldap = ldap
+ }
 role_name = "my-role3"
 attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
diff --git a/main.tf b/main.tf
index b6484f5..01d6b55 100644
--- a/main.tf
+++ b/main.tf
@@ -22,6 +22,15 @@
 * ```
 *
 * # Notes
+* On 2023-10-11, TCO changed the LDAP servers to (1) require authentication, and (2) update the TLS certificate. Because
+* of #1, the provider calls to the LDAP provider must provide credentials. This module requires you to pass a proper
+* ldap profile that includes credentials, even if you are not going to create an LDAP role.
+*
+* The server replacements are as folows:
+* * ldap.e.tco.census.gov => ldap2.e.tco.census.gov
+* * ldap.tco.census.gov => nldap2.tco.census.gov
+* * nldap.tco.census.gov => nldap2.tco.census.gov
+*
 * ## Policies
 *
 * When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
@@ -45,6 +54,9 @@
 * ```hcl
 * module "myrole1" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+* providers = {
+* ldap = ldap.ebocas
+* }
 *
 * role_name = "my-role1"
 * role_description = "Role to do some super cool stuff"
@@ -67,6 +79,9 @@
 * ```hcl
 * module "myrole2" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+* providers = {
+* ldap = ldap
+* }
 *
 * role_name = "my-role2"
 * attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
@@ -87,6 +102,9 @@
 *
 * module "myrole3" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+* providers = {
+* ldap = ldap
+* }
 *
 * role_name = "my-role3"
 * attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
diff --git a/provider.ldap.tf b/provider.ldap.tf.off
similarity index 100%
rename from provider.ldap.tf
rename to provider.ldap.tf.off
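Review bot: The new `# Notes` paragraph in the first main.tf hunk tells callers to pass an LDAP provider with credentials, but it does not say what the module itself still declares for `ldap` now that `provider.ldap.tf` is renamed to `.off` in this commit, nor that the new TLS certificate it mentions has to be trusted on the caller's side; I would add `* The module ships no ldap provider configuration: the caller's provider block must carry the server, the bind credentials and trust for the new TLS certificate.` after the `(2) update the TLS certificate` sentence (the enclosing comment block starts and ends outside the hunk). Whether a `required_providers` entry for `ldap` remains in the module is not visible in this diff and is worth confirming, since `providers = { ldap = ... }` in the three example hunks relies on the module exposing that provider name. The example alias also differs between these hunks (`ldap = ldap.ebocas`) and the CHANGELOG entry (`ldap = ldap.bocas`); one of them is presumably a typo and the two should agree. `folows` should read `follows` here and in the matching README hunk.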
diff --git a/version.tf b/version.tf
index 7a2122f..f225667 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,4 @@
 locals {
- _module_version = "1.4.1"
+ _module_version = "1.4.2"
 # _module_version = "2.2.0"
 }