jfrog · alexhung · Mar 26, 2024 · Mar 22, 2024 · Mar 25, 2024 · Mar 25, 2024
@@ -1,3 +1,9 @@
+## 1.5.0 (Mar 26, 2024)
+
+FEATURES:
+
+* **New Resource:** `platform_oidc_configuration` and `platform_oidc_identity_mapping`: PR: [#47](https://github.com/jfrog/terraform-provider-platform/pull/47) Issue: [#26](https://github.com/jfrog/terraform-provider-platform/issues/26), [#29](https://github.com/jfrog/terraform-provider-platform/issues/29), [#31](https://github.com/jfrog/terraform-provider-platform/issues/31), [#38](https://github.com/jfrog/terraform-provider-platform/issues/38)
+
 ## 1.4.1 (Mar 18, 2024)
 
 BUG FIXES:

@@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "platform_oidc_configuration Resource - terraform-provider-platform"
+subcategory: ""
+description: |-
+  Manage OIDC configuration in JFrog platform. See the JFrog OIDC configuration documentation https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration for more information.
+---
+
+# platform_oidc_configuration (Resource)
+
+Manage OIDC configuration in JFrog platform. See the JFrog [OIDC configuration documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more information.
+
+## Example Usage
+
+```terraform
+resource "platform_oidc_configuration" "my-github-oidc-configuration" {
+  name          = "my-github-oidc-configuration"
+  description   = "My GitHub OIDC configuration"
+  issuer_url    = "https://token.actions.githubusercontent.com/"
+  provider_type = "GitHub"
+  audience      = "jfrog-github"
+}
+
+resource "platform_oidc_configuration" "my-generic-oidc-configuration" {
+  name          = "my-generic-oidc-configuration"
+  description   = "My generic OIDC configuration"
+  issuer_url    = "https://tempurl.org/"
+  provider_type = "generic"
+  audience      = "jfrog-generic"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `issuer_url` (String) OIDC issuer URL. For GitHub actions, the URL must be https://token.actions.githubusercontent.com/.
+- `name` (String) Name of the OIDC provider
+- `provider_type` (String) Type of OIDC provider. Can be `generic` or `GitHub`.
+
+### Optional
+
+- `audience` (String) Informational field that you can use to include details of the audience that uses the OIDC configuration.
+- `description` (String) Description of the OIDC provider
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import platform_oidc_configuration.my-oidc-configuration my-oidc-configuration
+```
@@ -0,0 +1,88 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "platform_oidc_identity_mapping Resource - terraform-provider-platform"
+subcategory: ""
+description: |-
+  Manage OIDC identity mapping for an OIDC configuration in JFrog platform. See the JFrog OIDC identity mappings documentation https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings for more information.
+---
+
+# platform_oidc_identity_mapping (Resource)
+
+Manage OIDC identity mapping for an OIDC configuration in JFrog platform. See the JFrog [OIDC identity mappings documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-identity-mappings) for more information.
+
+## Example Usage
+
+```terraform
+resource "platform_oidc_identity_mapping" "my-github-oidc-user-identity-mapping" {
+  name          = "my-github-oidc-user-identity-mapping"
+  description   = "My GitHub OIDC user identity mapping"
+  provider_name = "my-github-oidc-configuration"
+  priority      = 1
+
+  claims_json = jsonencode({
+    "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main",
+    "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
+  })
+
+  token_spec = {
+    username   = "my-user"
+    scope      = "applied-permissions/user"
+    audience   = "*@*"
+    expires_in = 7200
+  }
+}
+
+resource "platform_oidc_identity_mapping" "my-github-oidc-group-identity-mapping" {
+  name          = "my-github-oidc-group-identity-mapping"
+  description   = "My GitHub OIDC group identity mapping"
+  provider_name = "my-github-oidc-configuration"
+  priority      = 1
+
+  claims_json = jsonencode({
+    "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main",
+    "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
+  })
+
+  token_spec = {
+    scope      = "applied-permissions/groups:\"readers\",\"my-group\""
+    audience   = "jfrt@* jfac@* jfmc@* jfmd@* jfevt@* jfxfer@* jflnk@* jfint@* jfwks@*"
+    expires_in = 7200
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `claims_json` (String) Claims JSON from the OIDC provider. Use [Terraform jsonencode function](https://developer.hashicorp.com/terraform/language/functions/jsonencode) to encode the JSON string. Claims constitute the payload part of a JSON web token and represent a set of information exchanged between two parties. The JWT standard distinguishes between reserved claims, public claims, and private claims. In API Gateway context, both public claims and private claims are considered custom claims. For example, an ID token (which is always a JWT) can contain a claim called that asserts that the name of the user authenticating is "John Doe". In a JWT, a claim appears as a name/value pair where the name is always a string and the value can be any JSON value.
+- `name` (String) Name of the OIDC identity mapping
+- `priority` (Number) Priority of the identity mapping. The priority should be a number. The higher priority is set for the lower number. If you do not enter a value, the identity mapping is assigned the lowest priority. We recommend that you assign the highest priority (1) to the strongest permission gate. Set the lowest priority to the weakest permission for a logical and effective access control setup.
+- `provider_name` (String) Name of the OIDC configuration
+- `token_spec` (Attributes) Specifications of the token. In case of success, a token with the following details will be generated and passed to OIDC Provider. (see [below for nested schema](#nestedatt--token_spec))
+
+### Optional
+
+- `description` (String) Description of the OIDC mapping
+
+<a id="nestedatt--token_spec"></a>
+### Nested Schema for `token_spec`
+
+Required:
+
+- `scope` (String) Scope of the token. Must start with `applied-permissions/user`, `applied-permissions/admin`, or `applied-permissions/groups:`. Group names must be comma-separated, double quotes wrapped, e.g. `applied-permissions/groups:\"readers\",\"my-group\",`
+
+Optional:
+
+- `audience` (String) Sets of (space separated) the JFrog services to which the mapping applies. Default value is `*@*`, which applies to all services.
+- `expires_in` (Number) Token expiry time in seconds. Default value is 60.
+- `username` (String) User name of the OIDC user. Not applicable when `scope` is set to `applied-permissions/groups`
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import platform_oidc_identity_mapping.my-oidc-identity-mapping my-oidc-identity-mapping:my-oidc-configuration
+```
@@ -0,0 +1 @@
+terraform import platform_oidc_configuration.my-oidc-configuration my-oidc-configuration
@@ -0,0 +1,15 @@
+resource "platform_oidc_configuration" "my-github-oidc-configuration" {
+  name          = "my-github-oidc-configuration"
+  description   = "My GitHub OIDC configuration"
+  issuer_url    = "https://token.actions.githubusercontent.com/"
+  provider_type = "GitHub"
+  audience      = "jfrog-github"
+}
+
+resource "platform_oidc_configuration" "my-generic-oidc-configuration" {
+  name          = "my-generic-oidc-configuration"
+  description   = "My generic OIDC configuration"
+  issuer_url    = "https://tempurl.org/"
+  provider_type = "generic"
+  audience      = "jfrog-generic"
+}
@@ -0,0 +1 @@
+terraform import platform_oidc_identity_mapping.my-oidc-identity-mapping my-oidc-identity-mapping:my-oidc-configuration
@@ -0,0 +1,36 @@
+resource "platform_oidc_identity_mapping" "my-github-oidc-user-identity-mapping" {
+  name          = "my-github-oidc-user-identity-mapping"
+  description   = "My GitHub OIDC user identity mapping"
+  provider_name = "my-github-oidc-configuration"
+  priority      = 1
+
+  claims_json = jsonencode({
+    "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main",
+    "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
+  })
+
+  token_spec = {
+    username   = "my-user"
+    scope      = "applied-permissions/user"
+    audience   = "*@*"
+    expires_in = 7200
+  }
+}
+
+resource "platform_oidc_identity_mapping" "my-github-oidc-group-identity-mapping" {
+  name          = "my-github-oidc-group-identity-mapping"
+  description   = "My GitHub OIDC group identity mapping"
+  provider_name = "my-github-oidc-configuration"
+  priority      = 1
+
+  claims_json = jsonencode({
+    "sub" = "repo:humpty/access-oidc-poc:ref:refs/heads/main",
+    "workflow_ref" = "humpty/access-oidc-poc/.github/workflows/job.yaml@refs/heads/main"
+  })
+
+  token_spec = {
+    scope      = "applied-permissions/groups:\"readers\",\"my-group\""
+    audience   = "jfrt@* jfac@* jfmc@* jfmd@* jfevt@* jfxfer@* jflnk@* jfint@* jfwks@*"
+    expires_in = 7200
+  }
+}
@@ -11,7 +11,6 @@ require (
 	github.com/hashicorp/terraform-plugin-framework v1.7.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
 	github.com/hashicorp/terraform-plugin-go v0.22.1
-	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-testing v1.7.0
 	github.com/jfrog/terraform-provider-shared v1.22.1
 	github.com/samber/lo v1.39.0
@@ -48,6 +47,7 @@ require (
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.20.0 // indirect
 	github.com/hashicorp/terraform-json v0.21.0 // indirect
+	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect

@@ -143,6 +143,8 @@ func (p *PlatformProvider) Resources(ctx context.Context) []func() resource.Reso
 	return []func() resource.Resource{
 		NewLicenseResource,
 		NewGlobalRoleResource,
+		NewOIDCConfigurationResource,
+		NewOIDCIdentityMappingResource,
 		NewPermissionResource,
 		NewReverseProxyResource,
 		NewWorkerServiceResource,