patheard / terraform-aws-client-vpn

AWS client VPN using AWS SSO as the IdP
MIT License

Sample of Application Metadata file. #1

Open ZiadMansourM opened 2 months ago

ZiadMansourM commented 2 months ago

Good evening Mr. Heard, hope you are enjoying your evening ^^

I came across this amazing repo, thank you for your efforts, while trying to use terraform to configure AWS client VPN using AWS IAM Identity Center as the IdP.

I have been through the whole process using ClickOps or the Console.

My Question

I used to add the Application Metadata manually, as the docs mentioned: "If you don't have a metadata file, you can manually type your metadata values and enter the following values:"

E.g. for aws-client-vpn

But the terraform code is:

resource "aws_iam_saml_provider" "aws-client-vpn" {
  name                   = "aws-client-vpn"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn.xml")
}

resource "aws_iam_saml_provider" "aws-client-vpn-self-service" {
  name                   = "aws-client-vpn-self-service"
  saml_metadata_document = file("${path.module}/metadata/aws-client-vpn-self-service.xml")
}

You mentioned in the repo: "You will need to add the AWS SSO SAML Application metadata files to the terraform/metadata directory."

How can I generate the aws-client-vpn.xml or aws-client-vpn-self-service.xml? Or are there any samples or docs referring to the structure of the file? Would I need to create the files manually, or should I get them from somewhere?

Thank you in advance ^^

ZiadMansourM commented 2 months ago

Updates

  1. Used this tool to generate the metadata for the two SAML providers.
    • For aws-client-vpn gen aws-client-vpn.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): http://127.0.0.1:35001.
    • For aws-client-vpn-self-service gen aws-client-vpn-self-service.xml:
      • EntityId: urn:amazon:webservices:clientvpn.
      • Attribute Consume Service Endpoint (HTTP-POST): https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml.
  2. Use aws_iam_saml_provider terraform resource to create the two SAML providers.
  3. Add attribute mappings according to the following table:

     User attribute in the application   Maps to this string value or user attribute in AWS IAM Identity Center   Format
     Subject                             ${user:email}                                                            emailAddress
     Name                                ${user:email}                                                            unspecified
     FirstName                           ${user:givenName}                                                        unspecified
     LastName                            ${user:familyName}                                                       unspecified
     memberOf                            ${user:groups}                                                           unspecified

Currently trying to figure out how to make the attribute mappings with Terraform, as it is a required step as mentioned here.
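The two metadata files that `aws_iam_saml_provider` reads with `file()` are ordinary SAML 2.0 service-provider metadata documents (an `md:EntityDescriptor` with an `md:SPSSODescriptor` carrying the `AssertionConsumerService` endpoints). The script below is an added example, not code from this repo or from either commenter: it builds a constructed sample document in that shape and checks a document's `entityID` and HTTP-POST ACS location against the values listed in the thread (`urn:amazon:webservices:clientvpn`, `http://127.0.0.1:35001` for the VPN client and `https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml` for the self-service portal), so a wrong or swapped file is caught before `terraform apply`. The `EXPECTED` table, the function names and the refusal of documents carrying a DTD are assumptions of this example. Run it as `python check_vpn_metadata.py terraform/metadata/aws-client-vpn.xml aws-client-vpn`, or with no arguments to validate the constructed samples.

```python
"""Validate SAML SP metadata for the AWS Client VPN IAM SAML providers.

Added example (not the repo's code). Expected values are taken from the
issue thread; the metadata shape is standard SAML 2.0 SP metadata.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed mapping of provider name -> values the thread lists for each file.
EXPECTED = {
    "aws-client-vpn": {
        "entity_id": "urn:amazon:webservices:clientvpn",
        "acs": "http://127.0.0.1:35001",
    },
    "aws-client-vpn-self-service": {
        "entity_id": "urn:amazon:webservices:clientvpn",
        "acs": "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml",
    },
}


def build_sp_metadata(entity_id: str, acs_location: str) -> str:
    """Constructed sample SP metadata in the shape a metadata generator emits."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">\n'
        '  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"\n'
        '      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        f"    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>\n"
        f'    <md:AssertionConsumerService Binding="{HTTP_POST}" '
        f'Location="{acs_location}" index="1" isDefault="true"/>\n'
        "  </md:SPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID and every HTTP-POST ACS location in the document."""
    # Metadata never needs a DTD; refusing one shuts the door on XXE tricks
    # before the document reaches the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing metadata that declares a DTD")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    acs = [
        el.get("Location")
        for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
        if el.get("Binding") == HTTP_POST
    ]
    return {"entity_id": root.get("entityID"), "acs": acs}


def check_metadata(provider_name: str, xml_text: str) -> list:
    """Return a list of problems; an empty list means the file matches."""
    expected = EXPECTED[provider_name]
    got = parse_sp_metadata(xml_text)
    problems = []
    if got["entity_id"] != expected["entity_id"]:
        problems.append(f"entityID is {got['entity_id']!r}, expected {expected['entity_id']!r}")
    if expected["acs"] not in got["acs"]:
        problems.append(f"no HTTP-POST ACS at {expected['acs']!r}; found {got['acs']}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: check_vpn_metadata.py <metadata.xml> <provider-name>
        with open(sys.argv[1], encoding="utf-8") as fh:
            issues = check_metadata(sys.argv[2], fh.read())
        print("\n".join(issues) if issues else "OK")
        sys.exit(1 if issues else 0)
    # No arguments: validate the constructed samples for both providers.
    for name, values in EXPECTED.items():
        sample = build_sp_metadata(values["entity_id"], values["acs"])
        print(name, check_metadata(name, sample) or "OK")
```

Mapping the `Subject` attribute to `${user:email}` with format `emailAddress`, as in the table above, corresponds to the `NameIDFormat` the sample declares; the IdP side (the IAM Identity Center application) still has to be configured to emit that format.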

patheard commented 2 months ago

Hi Ziad, you can download the metadata file for the IAM Identity Center applications you create from the AWS console by doing the following:

  1. View your application and select Edit configuration
  2. About midway down the page, there's an IAM Identity Center metadata section and the Download link is in there.

In my case, since Terraform isn't able to manage SAML applications yet (at least that I could find), I just did all the mapping manually in the AWS console.

Hope this helps and glad you found the repo useful!