patheard / terraform-aws-client-vpn

AWS client VPN using AWS SSO as the IdP
MIT License

Sample of Application Metadata file. #1

Open ZiadMansourM opened 6 months ago

ZiadMansourM commented 6 months ago

Good evening Mr. Heard, Hope you are enjoying your evening ^^

I came across this amazing repo, thank you for your efforts, while trying to use terraform to configure AWS client VPN using AWS IAM Identity Center as the IdP.

I have been through the whole process using ClickOps or the Console.

My Question

I used to add the Application Metadata manually, as the docs mentioned If you don’t have a metadata file, you can manually type your metadata values and enter the following values:

E.g. for aws-client-vpn

But the terraform code is:

resource "aws_iam_saml_provider" "aws-client-vpn" {
  name                   = "aws-client-vpn"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn.xml")
}

resource "aws_iam_saml_provider" "aws-client-vpn-self-service" {
  name                   = "aws-client-vpn-self-service"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn-self-service.xml")
}

You mentioned in the repo You will need to add the AWS SSO SAML Application metadata files to the terraform/metadata directory.

How can I generate the aws-client-vpn.xml or aws-client-vpn-self-service.xml? Or are there any samples or docs referring to the structure of the file? Would I need to create the files manually or should I get them from somewhere?

Thank you in advance ^^

ZiadMansourM commented 6 months ago

Updates

  1. Used this tool to generate the metadata for the two SAML providers.
    • For aws-client-vpn gen aws-client-vpn.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): http://127.0.0.1:35001.
    • For aws-client-vpn-self-service gen aws-client-vpn-self-service.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml.
  2. Use aws_iam_saml_provider terraform resource to create the two SAML providers.
  3. Add attribute mappings according to the following table:

| User attribute in the application | Maps to this string value or user attribute in AWS IAM Identity Center | Format |
| --- | --- | --- |
| Subject | ${user:email} | emailAddress |
| Name | ${user:email} | unspecified |
| FirstName | ${user:givenName} | unspecified |
| LastName | ${user:familyName} | unspecified |
| memberOf | ${user:groups} | unspecified |

Currently trying to figure out how to make the attribute mappings with terraform, as it is a required step as mentioned here.
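The two metadata files from step 1 are SAML service-provider (application) metadata: they describe the Client VPN side (entity ID, Assertion Consumer Service URL, requested attributes) and are what IAM Identity Center asks for when the custom SAML application is configured. The script below is an added example, not code from the patheard/terraform-aws-client-vpn repo; it builds both documents from the values in the comment above, with the attribute names from the mapping table declared as RequestedAttribute entries. Function and output file names are assumptions. One caveat for anyone following the thread: `aws_iam_saml_provider` expects the identity provider's metadata (the document downloaded from the IAM Identity Center application page), not these SP documents.

```python
# Added example, not code from the patheard/terraform-aws-client-vpn repo:
# generate SAML 2.0 service-provider metadata for the two Client VPN
# applications from the values in the thread. Function and file names are
# assumptions; entity ID, ACS URLs and attribute names come from the thread.
import xml.etree.ElementTree as ET
from pathlib import Path

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_NS = "http://www.w3.org/XML/1998/namespace"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTR_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("md", MD)

# Both applications share one entity ID and differ only in the Assertion
# Consumer Service URL the IdP must POST the SAML response to.
ENTITY_ID = "urn:amazon:webservices:clientvpn"
APPLICATIONS = {
    "aws-client-vpn": "http://127.0.0.1:35001",
    "aws-client-vpn-self-service":
        "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml",
}
# Attribute names from the mapping table; Subject is carried by the NameID.
REQUESTED_ATTRIBUTES = ["Name", "FirstName", "LastName", "memberOf"]


def md_tag(name: str) -> str:
    """Clark-notation tag for an element in the SAML metadata namespace."""
    return f"{{{MD}}}{name}"


def build_sp_metadata(entity_id: str, acs_url: str) -> ET.Element:
    """Build an md:EntityDescriptor holding a single SPSSODescriptor."""
    root = ET.Element(md_tag("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, md_tag("SPSSODescriptor"), {
        "AuthnRequestsSigned": "false",
        # The SP relies on the assertion signature, so ask for signed assertions.
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, md_tag("NameIDFormat")).text = NAMEID_EMAIL
    ET.SubElement(sp, md_tag("AssertionConsumerService"), {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true",
    })
    svc = ET.SubElement(sp, md_tag("AttributeConsumingService"), {"index": "0"})
    ET.SubElement(svc, md_tag("ServiceName"), {f"{{{XML_NS}}}lang": "en"}).text = entity_id
    for name in REQUESTED_ATTRIBUTES:
        ET.SubElement(svc, md_tag("RequestedAttribute"), {
            "Name": name, "NameFormat": ATTR_UNSPECIFIED, "isRequired": "true",
        })
    return root


def sp_metadata_xml(app_name: str) -> str:
    """Serialise the metadata document for one of the two applications."""
    root = build_sp_metadata(ENTITY_ID, APPLICATIONS[app_name])
    ET.indent(root, space="  ")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def write_metadata_files(outdir: Path) -> list:
    """Write <outdir>/<app>.xml for each application (assumed layout)."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for app_name in APPLICATIONS:
        path = outdir / f"{app_name}.xml"
        path.write_text(sp_metadata_xml(app_name), encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    for written_path in write_metadata_files(Path("metadata")):
        print("wrote", written_path)
```

Running the script writes `metadata/aws-client-vpn.xml` and `metadata/aws-client-vpn-self-service.xml`; upload each to the matching custom SAML application in IAM Identity Center, which then reads the entity ID and ACS URL from the file instead of you typing them in.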

patheard commented 6 months ago

Hi Zaid, you can download the metadata file for the IAM Identity Center applications you create from the AWS console by doing the following:

  1. View your application and select Edit configuration
  2. About midway down the page, there's an IAM Identity Center metadata section and the Download link is in there: [image]

In my case, since Terraform isn't able to manage SAML applications yet (at least that I could find), I just did all the mapping manually in the AWS console.

Hope this helps and glad you found the repo useful!
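The downloaded IAM Identity Center metadata is the identity-provider document that `aws_iam_saml_provider` loads with `file()`, and Terraform will happily apply whatever is in that file. The checker below is an added example (not the repo's code) that validates such a file before `terraform apply`: it confirms the document really is IdP metadata rather than the application (SP) metadata, that it carries an HTTP-POST or HTTP-Redirect single sign-on endpoint and a base64-decodable signing certificate, and that any `validUntil` has not passed. The embedded sample document is constructed; its entity ID, URL and certificate bytes are placeholders, not real IAM Identity Center values.

```python
# Added example (not from patheard/terraform-aws-client-vpn): sanity-check an
# IdP metadata document before handing it to aws_iam_saml_provider.
# SAMPLE_IDP_METADATA is constructed; every value in it is a placeholder.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Placeholder certificate body so the sample is valid base64, not a real cert.
PLACEHOLDER_CERT = base64.b64encode(b"not a real certificate").decode()

SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/assertion/EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != MD + "EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID {entity_id!r} is not an https URL")

    # Expired metadata means the IdP may already have rotated its keys.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}")

    # An SPSSODescriptor here usually means the application metadata was
    # passed by mistake instead of the IdP download.
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata (SP metadata?)"]

    bindings = {s.get("Binding") for s in idp.findall(MD + "SingleSignOnService")}
    if not bindings & SSO_BINDINGS:
        problems.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")

    # A KeyDescriptor without a use attribute serves both signing and encryption.
    signing = [kd for kd in idp.findall(MD + "KeyDescriptor") if kd.get("use", "signing") == "signing"]
    certs = [c.text for kd in signing for c in kd.iter(DS + "X509Certificate") if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate: assertions cannot be verified")
    for cert in certs:
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for problem in check_idp_metadata(text) or ["metadata looks usable"]:
        print(problem)
```

Run it against `terraform/metadata/aws-client-vpn.xml` (and the self-service file) as a pre-apply step; a non-empty result is a reason to re-download the metadata from the application page rather than apply it.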

intel352 commented 2 months ago

In my case, since Terraform isn't able to manage SAML applications yet (at least that I could find), I just did all the mapping manually in the AWS console.

@patheard Can you clarify regarding what you're saying Terraform doesn't support just yet? I'm seeing that IAM Identity Center can be managed from Terraform, and I'm also seeing Terraform examples showing SSO/SAML usage. Is it just the app management itself (guessing a custom app, rather than an AWS managed app) that you're referencing isn't manageable from terraform?

patheard commented 2 months ago

Yup, exactly - there isn't a way to create and configure the custom app via Terraform: