diff --git a/CHANGELOG.md b/CHANGELOG.md index c9d2c5b..0a65c46 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -158,3 +158,11 @@ * 1.15.3 -- 2022-04-27 - terraform-state - add r-inf-terraform assumable role for TF operations + +## Version 2.x + +* 2.0.0 -- 2022-05-09 + - tag: tf-upgrade + - ldap-ou-create + - change to use trevx/ldap provider + diff --git a/common/version.tf b/common/version.tf index 01b96da..6b49608 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.15.3" + _module_version = "2.0.0" } diff --git a/ldap-ou-create/README.md b/ldap-ou-create/README.md index d3f18bd..146a0f0 100644 --- a/ldap-ou-create/README.md +++ b/ldap-ou-create/README.md @@ -20,22 +20,25 @@ module "ou" { # optional # account_id = "123456789012" - ldap_host = "ldap.e.tco.census.gov" - ldap_port = 389 + ldap_url = "ldaps://ldap.e.tco.census.gov" } ``` ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | > 3.66.0 | +| [external](#requirement\_external) | > 1.0 | +| [ldap](#requirement\_ldap) | > 0.5.4 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [external](#provider\_external) | n/a | -| [ldap](#provider\_ldap) | n/a | +| [aws](#provider\_aws) | > 3.66.0 | +| [ldap](#provider\_ldap) | > 0.5.4 | | [null](#provider\_null) | n/a | | [template](#provider\_template) | n/a | 
@@ -47,13 +50,12 @@ No modules. | Name | Type | |------|------| -| [ldap_object.ou](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | resource | +| [ldap_object.ou](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource | | [null_resource.ou_ldif](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [external_external.ldap_provider_bin](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | | [template_file.ou](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs @@ -64,9 +66,10 @@ No modules. | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
}
| no | | [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | -| [ldap\_host](#input\_ldap\_host) | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no | | [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | -| [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | +| [ldap\_skip\_verify](#input\_ldap\_skip\_verify) | LDAP skip verify of TLS certificates | `bool` | `false` | no | +| [ldap\_url](#input\_ldap\_url) | LDAP URL in form ldap(s)://hostname:port | `string` | `"ldaps://ldap.e.tco.census.gov"` | no | +| [ldap\_use\_starttls](#input\_ldap\_use\_starttls) | LDAP use StartTLS (needed only if port is 389, perhaps) | `bool` | `false` | no | | [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/ldap-ou-create/main.tf b/ldap-ou-create/main.tf index fb43c29..3acd237 100644 --- a/ldap-ou-create/main.tf +++ b/ldap-ou-create/main.tf @@ -21,8 +21,7 @@ * * # optional * # account_id = "123456789012" -* ldap_host = "ldap.e.tco.census.gov" -* ldap_port = 389 +* ldap_url = "ldaps://ldap.e.tco.census.gov" * } * ``` */ 
@@ -36,8 +35,10 @@ locals { ldap_exists = fileexists(local.ldif_file) bocappdata_auth = local.account_environment == "gov" ? "Cloud_AWSGovCloud_Auth" : "Cloud_AWS_Auth" - ldap_provider_exists = data.external.ldap_provider_bin.result.status == "0" ? true : false - enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && local.ldap_provider_exists + # ldap_provider_exists = data.external.ldap_provider_bin.result.status == "0" ? true : false + # enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" && local.ldap_provider_exists + enable_ldap = var.enable_ldap_creation && var.ldap_user != "" && var.ldap_password != "" + use_starttls = length(regexall("ldap://", var.ldap_url)) > 0 ? true : false base_tags = { "boc:tf_module_version" = local._module_version @@ -87,13 +88,13 @@ resource "ldap_object" "ou" { } } -# data.external.ldap_provider_bin.result.path -# data.external.ldap_provider_bin.result.status -data "external" "ldap_provider_bin" { - program = ["bash", "${path.module}/bin/find_binary.sh"] - query = { - "program" = "terraform-provider-ldap" - } -} - - +## # data.external.ldap_provider_bin.result.path +## # data.external.ldap_provider_bin.result.status +## data "external" "ldap_provider_bin" { +## program = ["bash", "${path.module}/bin/find_binary.sh"] +## query = { +## "program" = "terraform-provider-ldap" +## } +## } +## +## diff --git a/ldap-ou-create/provider.ldap.tf b/ldap-ou-create/provider.ldap.tf index a23be2b..7aad122 100644 --- a/ldap-ou-create/provider.ldap.tf +++ b/ldap-ou-create/provider.ldap.tf @@ -1,7 +1,10 @@ provider "ldap" { - ldap_host = var.ldap_host - ldap_port = var.ldap_port - use_tls = true + url = var.ldap_url + use_starttls = local.use_starttls + skip_verify = var.ldap_skip_verify + # ldap_host = var.ldap_host + # ldap_port = var.ldap_port + # use_tls = true bind_user = var.ldap_user bind_password = var.ldap_password } 
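Review bot: `use_starttls` in the `locals` hunk is computed from the URL scheme alone, so the `ldap_use_starttls` variable added in variables.tf is never read and changing it has no effect on the provider. Either drop the variable or fold it in while keeping the scheme-derived default, so a plain `ldap://` URL still upgrades to TLS before the bind credentials are sent: `use_starttls = var.ldap_use_starttls || length(regexall("^ldap://", var.ldap_url)) > 0` (anchoring with `^` matches only the scheme, and `? true : false` on an expression that is already a bool is redundant). The `# ldap_provider_exists` / `# enable_ldap` lines here and the `##`-prefixed copy of `data "external" "ldap_provider_bin"` in the following hunk are dead code kept as comments; delete them, the history is in git. The `locals` block begins before this hunk.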
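Review bot: `skip_verify = var.ldap_skip_verify` in the `provider "ldap"` block turns off verification of the LDAP server's TLS certificate when the variable is true, which — per the variable's own description — means the connection no longer authenticates the server even though `bind_password` is sent over it; the `false` default is right, but a comment on the line would keep it from being flipped to work around a certificate error: `skip_verify = var.ldap_skip_verify # disables TLS server verification; fix CA trust on the runner instead of enabling this outside local testing`. The `# ldap_host`, `# ldap_port` and `# use_tls` lines are the previous provider arguments preserved as comments and should be removed rather than carried forward.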
diff --git a/ldap-ou-create/variables.tf b/ldap-ou-create/variables.tf index 4eb8f14..2c03b51 100644 --- a/ldap-ou-create/variables.tf +++ b/ldap-ou-create/variables.tf @@ -4,8 +4,14 @@ variable "enable_ldap_creation" { default = false } +variable "component_tags" { + description = "Additional tags for Components (role, policy)" + type = map(map(string)) + default = { "role" = {}, "policy" = {} } +} + #--- -# ldap +# ldap provider #--- variable "ldap_user" { description = "LDAP user for writing data into eDirectory or Active Directory" @@ -19,20 +25,37 @@ variable "ldap_password" { default = "" } -variable "ldap_host" { - description = "LDAP Hostname (default is for eBOCAS)" +#--- +## obsoleted in new trevx/ldap +#--- +## variable "ldap_host" { +## description = "LDAP Hostname (default is for eBOCAS)" +## type = string +## default = "ldap.e.tco.census.gov" +## } +## +## variable "ldap_port" { +## description = "LDAP port (default is 389 but also using STARTTLS)" +## type = number +## default = 389 +## } + +# for trevx/ldap +variable "ldap_url" { + description = "LDAP URL in form ldap(s)://hostname:port" type = string - default = "ldap.e.tco.census.gov" + default = "ldaps://ldap.e.tco.census.gov" } -variable "ldap_port" { - description = "LDAP port (default is 389 but also using STARTTLS)" - type = number - default = 389 +variable "ldap_use_starttls" { + description = "LDAP use StartTLS (needed only if port is 389, perhaps)" + type = bool + default = false } -variable "component_tags" { - description = "Additional tags for Components (role, policy)" - type = map(map(string)) - default = { "role" = {}, "policy" = {} } +variable "ldap_skip_verify" { + description = "LDAP skip verify of TLS certificates" + type = bool + default = false } + diff --git a/ldap-ou-create/versions.tf b/ldap-ou-create/versions.tf new file mode 100644 index 0000000..271117c --- /dev/null +++ b/ldap-ou-create/versions.tf 
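Review bot: `ldap_url`'s description in the second hunk gives the form `ldap(s)://hostname:port`, but the default `ldaps://ldap.e.tco.census.gov` has no port, so either state that the port is optional — if the provider falls back to the scheme default, which I could not confirm from this diff — or add it to the default. `ldap_use_starttls` is declared here but nothing else in this commit reads it (provider.ldap.tf takes `use_starttls` from a local derived from the URL), so it should be wired in or removed, and its description `needed only if port is 389, perhaps` made definite once that is decided. `ldap_skip_verify`'s description should say what the flag costs, e.g. `description = "Skip TLS certificate verification for the LDAP connection (disables server authentication; leave false outside local testing)"`. The `## variable "ldap_host"` / `## variable "ldap_port"` block is commented-out code and belongs in git history, not the file. The `variable "ldap_password"` whose closing lines are this hunk's leading context starts outside the hunk; it is not marked `sensitive = true`, which needs Terraform 0.14 or later and so would go together with raising `required_version` in versions.tf.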
@@ -0,0 +1,17 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "> 3.66.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = "> 0.5.4"
+ }
+ external = {
+ source = "hashicorp/null"
+ version = "> 1.0"
+ }
+ }
+ required_version = ">= 0.13"
+}
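Review bot: The third `required_providers` entry uses the local name `external` with `source = "hashicorp/null"`, which looks like a copy/paste slip: the `data "external"` lookup this commit removes from main.tf no longer needs a provider at all, while `null_resource.ou_ldif` and `template_file.ou` (listed in the README's resources table) are left to implicit resolution with no version constraint. Replace the entry with explicit `null` and `template` entries as below. The `> 3.66.0`, `> 0.5.4` and `> 1.0` constraints are open lower bounds, so any future major release, breaking or not, is accepted at the next `terraform init`; for the third-party `trevex/ldap` provider especially, prefer a pessimistic `~>` constraint and commit `.terraform.lock.hcl` (Terraform 0.14+) so provider checksums are pinned. The file is new, so the whole block is in view.
```hcl
    # … unchanged: aws and ldap entries …
    null = {
      source  = "hashicorp/null"
      version = "~> X.Y" # placeholder: pin to the release line the module is tested against
    }
    template = {
      source  = "hashicorp/template"
      version = "~> X.Y" # placeholder: pin to the release line the module is tested against
    }
```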