v1.9.0: create module ldap-get-attribute

CHANGELOG.md

@@ -72,4 +72,8 @@
   - ses-domain
     - use data resource to get alias
 
+* v1.9.0 -- 20210405
+  - ldap-get-attribute
+    - add new submodule to retrieve an attribute value from a search
+
 

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.8.4"
+  _module_version = "1.9.0"
 }

ldap-get-attribute/bin/external_ldapsearch.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+cleanup()
+{
+   local rstatus=$?
+   if [ ! -z $LDIF]
+   then
+      test -e $LDIF && rm $LDIF
+   fi
+   exit $rstatus
+}
+
+trap cleanup EXIT
+
+#set -e
+eval "$(jq -r '@sh "LDAP_BASE_DN=\(.ldap_base_dn) FILTER=\(.filter) ATTRIBUTE=\(.attribute) LDAP_URL=\(.ldap_url)"')"
+
+if [[ -z $LDAP_BASE_DN ]] || [[ "$LDAP_BASE_DN" == "null" ]]
+then
+  LDAP_BASE_DN="o=U.S. Census Bureau,c=US"
+fi
+
+if [[ -z $LDAP_URL ]] || [[ "$LDAP_URL" == "null" ]]
+then
+  LDAP_URL="ldaps://ldap.tco.census.gov"
+fi
+
+if [[ -z "$FILTER" ]] || [[ "$FILTER" == "null" ]]
+then
+  FILTER=""
+fi
+
+if [[ -z "$ATTRIBUTE" ]] || [[ "$ATTRIBUTE" == "null" ]]
+then
+  ATTRIBUTE="dn"
+fi
+
+if [ -z "$FILTER" ]
+then
+  echo "* no filter provided"
+  exit 1
+fi
+
+LDIF=$(mktemp)
+ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URL" -b "$LDAP_BASE_DN" "$FILTER" "cn $ATTRIBUTE" > $LDIF
+status=$?
+
+DN=$(grep "^dn:" $LDIF | sed -e 's/^dn: //')
+CN=$(grep "^cn:" $LDIF | sed -e 's/^cn: //')
+VALUE=$(grep -i "^$ATTRIBUTE:" $LDIF | sed -e "s/^$ATTRIBUTE: //")
+COUNT=$(grep -c "^dn:" $LDIF)
+
+jq -n --arg dn "$DN" --arg cn "$CN" --arg attribute "$ATTRIBUTE" --arg value "$VALUE" --arg status "$status" --arg count "$COUNT" \
+  '{"dn":$dn,"attribute":$attribute,"attribute_value":$value,"status":$status,"count":$count}'

ldap-get-attribute/data.tf

@@ -0,0 +1 @@
+../common/data.tf

ldap-get-attribute/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

ldap-get-attribute/main.tf

@@ -0,0 +1,81 @@
+/*
+* # aws-inf-setup :: ldap-get-attribute
+* 
+* This allows for a simple LDAP search filter against, by default eDirectory ldap.tco.census.gov.
+* It returns an object with count, status, the attribute, the dn(s) and the attribute value(s).
+* DN and values are returned in a list.  This is intended to search for only a single attribute,
+* which may be multi-value.  It also returns the DN and CN.
+*
+* For a query that returns multiple entries, where those entries do all not possess the same
+* attribute, the DN to attibute value will not match.  That is, it returns only a list of
+* the attributes for the objects which have them in no particular order.
+* 
+* # Usage
+* Here is a simple example to get the email address of use `badra001`.
+*
+* ```hcl
+* module "user_badra001" {
+*   source    = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ldap-get-attribute"
+*
+*   filter    = "cn=badra001"
+*   attribute = "mail"
+*   # optional
+*   # ldap_uri     = "ldaps://ldap.tco.census.gov"
+*   # ldap_base_dn = "o=U.S. Census Bureau,c=US"
+*
+*   # TBD
+*   # ldap_user  =
+*   # ldap_pass  =
+* }
+* ```
+*
+* # Sample Output
+* ```json
+* search_results = {
+*   "attribute" = "mail"
+*   "attribute_value" = [
+*     "donald.e.badrak.ii@census.gov",
+*   ]
+*   "count" = "1"
+*   "dn" = [
+*     "cn=badra001,ou=People,o=U.S. Census Bureau,c=US",
+*   ]
+*   "cn" = [
+*     "badra001"
+*    ]
+*   "status" = "0"
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+data "external" "search" {
+  program = ["bash", "${path.module}/bin/external_ldapsearch.sh"]
+  # output {object}.result.{status,count,dn,attribute,attribute_value}
+  query = {
+    "ldap_uri"     = var.ldap_uri
+    "ldap_base_dn" = var.ldap_base_dn
+    "filter"       = var.filter
+    "attribute"    = var.attribute
+  }
+}
+
+output "search_result" {
+  value = {
+    "count"           = data.external.ldap_user.result.count
+    "status"          = data.external.ldap_user.result.status
+    "attribute"       = data.external.ldap_user.result.attribute
+    "cn"              = split("\n", data.external.ldap_user.result.cn)
+    "dn"              = split("\n", data.external.ldap_user.result.dn)
+    "attribute_value" = split("\n", data.external.ldap_user.result.attribute_value)
+  }
+}

ldap-get-attribute/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

ldap-get-attribute/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

ldap-get-attribute/variables.tf

@@ -0,0 +1,34 @@
+variable "filter" {
+  description = "LDAP search filter"
+  type        = string
+}
+
+variable "attribute" {
+  description = "LDAP attibute to return"
+  type        = string
+  default     = "dn"
+}
+
+variable "ldap_uri" {
+  description = "LDAP URI {scheme}://{hostname}:{port}"
+  type        = string
+  default     = "ldaps://ldap.tco.census.gov"
+}
+
+variable "ldap_base_dn" {
+  description = "LDAP base DN for search"
+  type        = string
+  default     = "o=U.S. Census Bureau,c=US"
+}
+
+# variable "ldap_user" {
+#   description = "LDAP bind username"
+#   type = string
+#   default = ""
+# }
+# 
+# variable "ldap_password" {
+#   description = "LDAP bind password"
+#   type = string
+#   default = ""
+# }

ldap-get-attribute/version.tf

@@ -0,0 +1 @@
+../common/version.tf