From b1105ea779ba87644a35ff91abba2695ed0c4c83 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 11 Oct 2023 14:04:56 -0400
Subject: [PATCH] update documentation

---
 CHANGELOG.md |  2 ++
 README.md    | 18 ++++++++++++++++++
 main.tf      | 18 ++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2d0643..c899e5a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -94,3 +94,5 @@ tag: 2.0.1
 * 2.3.2 -- 2023-10-06
   - change default from ldap.e.tco to ldap2.e.tco
+  - update documentation 2023-10-11
+
 
diff --git a/README.md b/README.md
index 1e8b3fa..1bb264b 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,15 @@ Because of this quirk, this is a two-step apply. The first step creates the IAM
 ```
 
 # Notes
+On 2023-10-11, TCO changed the LDAP servers to (1) require authentication, and (2) update the TLS certificate. Because
+of #1, the provider calls to the LDAP provider must provide credentials. This module requires you to pass a proper
+ldap profile that includes credentials, even if you are not going to create an LDAP role.
+
+The server replacements are as folows:
+* ldap.e.tco.census.gov => ldap2.e.tco.census.gov
+* ldap.tco.census.gov => nldap2.tco.census.gov
+* nldap.tco.census.gov => nldap2.tco.census.gov
+
 ## Policies
 
 When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
@@ -44,6 +53,9 @@ Creating a SAML role with two attached policies
 ```hcl
 module "myrole1" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+  providers = {
+    ldap = ldap.ebocas
+  }
 
   role_name = "my-role1"
   role_description = "Role to do some super cool stuff"
@@ -66,6 +78,9 @@ Creating a non-SAML role
 ```hcl
 module "myrole2" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+  providers = {
+    ldap = ldap
+  }
 
   role_name = "my-role2"
   attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
@@ -86,6 +101,9 @@ data "aws_iam_document_policy" "my-policy-1" {
 
 module "myrole3" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+  providers = {
+    ldap = ldap
+  }
 
   role_name = "my-role3"
   attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
diff --git a/main.tf b/main.tf
index 22d0f54..03a693e 100644
--- a/main.tf
+++ b/main.tf
@@ -22,6 +22,15 @@
 * ```
 *
 * # Notes
+* On 2023-10-11, TCO changed the LDAP servers to (1) require authentication, and (2) update the TLS certificate. Because
+* of #1, the provider calls to the LDAP provider must provide credentials. This module requires you to pass a proper
+* ldap profile that includes credentials, even if you are not going to create an LDAP role.
+*
+* The server replacements are as folows:
+* * ldap.e.tco.census.gov => ldap2.e.tco.census.gov
+* * ldap.tco.census.gov => nldap2.tco.census.gov
+* * nldap.tco.census.gov => nldap2.tco.census.gov
+*
 * ## Policies
 *
 * When using `attached_policies`, it is important those policy ARNs exist before attempting to use the module
@@ -45,6 +54,9 @@
 * ```hcl
 * module "myrole1" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+*   providers = {
+*     ldap = ldap.ebocas
+*   }
 *
 *   role_name = "my-role1"
 *   role_description = "Role to do some super cool stuff"
@@ -67,6 +79,9 @@
 * ```hcl
 * module "myrole2" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+*   providers = {
+*     ldap = ldap
+*   }
 *
 *   role_name = "my-role2"
 *   attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
@@ -87,6 +102,9 @@
 *
 * module "myrole3" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git"
+*   providers = {
+*     ldap = ldap
+*   }
 *
 *   role_name = "my-role3"
 *   attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
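Review bot: The new Notes block in the main.tf header comment tells callers that the LDAP provider now needs credentials and that the server certificate changed, but it does not say how the credentials should be supplied or that the replacement certificate must be trusted rather than bypassed. A caller reading only this block may put the bind DN and password as literals in a provider block or a committed tfvars file, or react to the certificate change by switching off TLS verification on the provider; I would add after `* ldap profile that includes credentials, even if you are not going to create an LDAP role.` a line such as `* Supply the bind credentials via environment variables or your secrets tooling, never as literals in committed .tf/.tfvars files, and trust the new server certificate (import its issuing CA) instead of disabling TLS verification.` The provider's actual attribute names are not visible in this hunk, so the wording should be checked against the ldap provider configuration the module expects. The list header also has a typo, `as folows` should be `as follows`, in both this block and the README copy.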