From be001958c51b94f7ea6819f3831322ef8cf6b98e Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 24 Feb 2021 11:38:15 -0500 Subject: [PATCH] add submodule iam-saml --- iam-saml/README.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 iam-saml/README.md diff --git a/iam-saml/README.md b/iam-saml/README.md new file mode 100644 index 0000000..40e5d9a --- /dev/null +++ b/iam-saml/README.md 
@@ -0,0 +1,74 @@ +# aws-inf-setup :: iam-saml + +This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov. +The appropriate metadata and URL are selected from the environment either East/West (ew) +or GovCloud (gov). + +The resulting metadata XML is saved in `setup/metdata.xml`. + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "saml" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-saml" + + # optional + saml_provider_name = "Census_TCO_IDMS" +} +``` + +When creating a role to use SAML, you will need the SAML policy document as a reference: + +```hcl +resource "aws_iam_role" "role" { + name = "my-role-name" + description = "SAML role for my-role-name" + force_detach_policies = false + max_session_duration = 3600 + assume_role_policy = module.saml.saml_policy_document +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| null | n/a | + +## Modules + +No Modules. 
+ +## Resources + +| Name | +|------| +| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | +| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_saml_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | +| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | +| [null_resource](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| account\_alias | AWS Account Alias (required) | `string` | `""` | no | +| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
}
| no | +| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| saml\_provider\_name | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| saml\_assume\_policy | SAML Assume Policy document JSON |
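Review bot: the Usage example and the Outputs table in this hunk disagree on the output name. The role example sets `assume_role_policy = module.saml.saml_policy_document`, but the only output the README documents is `saml_assume_policy` ("SAML Assume Policy document JSON"), so a reader who copies the example will either get an unsupported-attribute error at plan time or be relying on an output this README never describes; settle on one name and use it in both the example and the Outputs table. Two smaller documentation problems in the same hunk: the Inputs table describes `account_alias` as "(required)" while its Required column says `no` with a default of `""`, which contradicts itself, and the `tags` description tells the reader to use a `data_safeguard` field that is not in the Inputs table at all (likewise `override_prefixes` and `component_tags` talk about efs, s3, ebs, kms and ddb components that a SAML-provider module does not create, which reads like text carried over from another module and should be trimmed to the inputs this module actually honours). Minor wording: "This set up the default SAML provider" should read "This sets up the default SAML provider", and the path `setup/metdata.xml` looks like a misspelling of `metadata.xml` unless the file really is named that way.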