cfn-resource-provider

The cfn-resource-provider is an extension for CloudFormation built with the CloudFormation CLI development kit. It provides resource providers that automate the creation of the following resources in a safe and systematic way:

  • Smaato::IAM::OpenIDConnectProvider: creates an IAM OpenID Connect (OIDC) identity provider
  • Smaato::IAM::SAMLProvider: creates an IAM SAML identity provider

Installation:

To install any of the resources that this resource provider supports, you first need to install the CloudFormation CLI (cfn) and its Go plugin:

pip install cloudformation-cli cloudformation-cli-go-plugin

It is recommended to install these packages in a virtualenv. Then change into the directory of the desired resource and run:

make -f Makefile.custom

AWS_PROFILE=... cfn submit -v --region us-east-1

The previous command creates the required IAM role and the S3 bucket that stores the resource package, and registers the resource type in the CloudFormation registry.

If multiple versions of the resource type exist in the CloudFormation registry, you can select the default version, for example:

aws cloudformation --region us-east-1 --profile=test set-type-default-version --type "RESOURCE" --type-name "Smaato::IAM::OpenIDConnectProvider" --version-id "00000002"

To de-register the resource type (example):

aws cloudformation deregister-type --profile test --region us-east-1 --arn arn:aws:cloudformation:us-east-1:<ACCOUNT_ID>:type/resource/Smaato-IAM-OpenIDConnectProvider

Resources

Smaato::IAM::OpenIDConnectProvider

The Smaato::IAM::OpenIDConnectProvider resource creates an IAM OpenID Connect (OIDC) identity provider. For example:

AWSTemplateFormatVersion: "2010-09-09"
Description: Create OIDC provider

Resources:
  Provider:
    Type: Smaato::IAM::OpenIDConnectProvider
    Properties:
      Url: https://example.com
      ClientIDList:
        - sts.amazonaws.com
        - ...
      ThumbprintList: # optional
        - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280

Outputs:
  ProviderArn:
    Value:
      Fn::GetAtt: Provider.Arn
  • Url: the URL of the OpenID Connect (OIDC) identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens.

  • ClientIDList: a list of client IDs (also known as audiences).

  • ThumbprintList: a list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. If it is not specified, the root CA certificate of the issuer's server is retrieved and its thumbprint is used.
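As an added illustration (not code from the cfn-resource-provider project), the following Go program checks the three properties against the constraints listed above and derives a thumbprint from a PEM-encoded certificate the way IAM defines it: the lower-case hex SHA-1 of the certificate's DER encoding. The struct name, the function names and the embedded sample bytes are assumptions of this example; the sample is constructed and is not a real certificate.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// OIDCProperties mirrors the three documented properties of
// Smaato::IAM::OpenIDConnectProvider. The struct is an assumption of this
// example, not a type from the provider.
type OIDCProperties struct {
	Url            string
	ClientIDList   []string
	ThumbprintList []string
}

// An IAM thumbprint is the hex SHA-1 of the DER certificate: 40 hex digits.
var thumbprintRE = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ValidateOIDCProperties applies the constraints stated in the README:
// Url must begin with https://, at least one client ID (audience) is needed,
// and every listed thumbprint must be a 40-hex-digit SHA-1. ThumbprintList
// may be empty, in which case the provider derives the value itself.
func ValidateOIDCProperties(p OIDCProperties) error {
	if !strings.HasPrefix(p.Url, "https://") {
		return fmt.Errorf("Url %q must begin with https://", p.Url)
	}
	if len(p.ClientIDList) == 0 {
		return errors.New("ClientIDList must contain at least one audience")
	}
	for _, tp := range p.ThumbprintList {
		if !thumbprintRE.MatchString(strings.ToLower(tp)) {
			return fmt.Errorf("thumbprint %q is not a 40-hex-digit SHA-1", tp)
		}
	}
	return nil
}

// ThumbprintFromDER returns the IAM-style thumbprint of a DER-encoded
// certificate: the lower-case hex SHA-1 of its bytes.
func ThumbprintFromDER(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// ThumbprintFromPEM decodes the first CERTIFICATE block of a PEM file and
// returns its thumbprint. Feed it the root CA certificate of the issuer's
// TLS chain to obtain the value that belongs in ThumbprintList.
func ThumbprintFromPEM(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found in PEM input")
	}
	return ThumbprintFromDER(block.Bytes), nil
}

// SampleDER is constructed filler standing in for real certificate bytes;
// pem.Decode only base64-decodes the body, so it is enough to exercise the code.
var SampleDER = []byte("constructed sample bytes, not a real X.509 certificate")

// SamplePEM wraps SampleDER in a CERTIFICATE block as a PEM file would.
func SamplePEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: SampleDER})
}

func main() {
	props := OIDCProperties{
		Url:          "https://example.com",
		ClientIDList: []string{"sts.amazonaws.com"},
	}
	fmt.Println("validation:", ValidateOIDCProperties(props))
	tp, err := ThumbprintFromPEM(SamplePEM())
	fmt.Println("thumbprint:", tp, "err:", err)
}
```

The validation mirrors what the provider requires before it calls IAM; the thumbprint helper is useful when you want to pin ThumbprintList explicitly rather than rely on the provider's automatic retrieval.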

Smaato::IAM::SAMLProvider

The Smaato::IAM::SAMLProvider resource creates an IAM SAML identity provider. For example:

AWSTemplateFormatVersion: "2010-09-09"
Description: Create SAML provider

Resources:
  Provider:
    Type: Smaato::IAM::SAMLProvider
    Properties:
      Name: example
      SAMLMetadataDocument: ...

Outputs:
  ProviderArn:
    Value:
      Fn::GetAtt: Provider.Arn
  • Name: the name of the SAML provider to create.

  • SAMLMetadataDocument: an XML document generated by an identity provider (IdP) that supports SAML 2.0.

Note: to pass the SAMLMetadataDocument value as a single line with the double-quote (") characters escaped, run the following and copy the contents of the resulting file out.xml (the replacement needs a doubled backslash so that sed emits a literal backslash before each quote):

tr -d '\n' <metadata.xml | sed -e 's/"/\\"/g' > out.xml