UNPKG

@muhlba91/pulumi-proxmoxve

Version:

A Pulumi package for creating and managing Proxmox Virtual Environment cloud resources.

479 lines 16.3 kB
import * as pulumi from "@pulumi/pulumi"; /** * Manages an LDAP authentication realm in Proxmox VE. * * LDAP realms allow Proxmox to authenticate users against an LDAP directory service. * * ## Privileges Required * * | Path | Attribute | * |-----------------|----------------| * | /access/domains | Realm.Allocate | * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve"; * * const example = new proxmoxve.realm.Ldap("example", { * realm: "example-ldap", * server1: "ldap.example.com", * port: 389, * baseDn: "ou=people,dc=example,dc=com", * userAttr: "uid", * bindDn: "cn=admin,dc=example,dc=com", * bindPassword: ldapBindPassword, * mode: "ldap+starttls", * verify: true, * groupDn: "ou=groups,dc=example,dc=com", * groupFilter: "(objectClass=groupOfNames)", * comment: "Example LDAP realm managed by Terraform", * }); * ``` * * ## Notes * * ### Password Security * * The `bindPassword` is sent to Proxmox and stored securely, but it's never returned by the API. This means: * - Terraform cannot detect if the password was changed outside of Terraform * - You must maintain the password in your Terraform configuration or use a variable * - The password will be marked as sensitive in Terraform state * * ### LDAP vs LDAPS * * - **LDAP (port 389)**: Unencrypted connection. Not recommended for production. * - **LDAPS (port 636)**: Encrypted connection using SSL/TLS. Recommended for production. * - **LDAP+StartTLS**: Upgrades plain LDAP connection to TLS. Alternative to LDAPS. * * ### User Synchronization * * To trigger synchronization, use the `proxmoxve.realm.Sync` resource. * * ### Common Configuration Scenarios * * #### Anonymous Binding * For testing or public LDAP servers, omit `bindDn` and `bindPassword` to use anonymous binding: * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve"; * * const anonymous = new proxmoxve.realm.Ldap("anonymous", { * realm: "public-ldap", * server1: "ldap.example.com", * baseDn: "ou=users,dc=example,dc=com", * userAttr: "uid", * }); * ``` * * #### Secure LDAPS with Failover * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve"; * * const secure = new proxmoxve.realm.Ldap("secure", { * realm: "secure-ldap", * server1: "ldap1.example.com", * server2: "ldap2.example.com", * port: 636, * baseDn: "ou=users,dc=example,dc=com", * bindDn: "cn=readonly,dc=example,dc=com", * bindPassword: ldapPassword, * mode: "ldaps", * verify: true, * caPath: "/etc/pve/priv/ca.crt", * }); * ``` * * #### With Group Synchronization * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as proxmoxve from "@muhlba91/pulumi-proxmoxve"; * * const withGroups = new proxmoxve.realm.Ldap("with_groups", { * realm: "corporate-ldap", * server1: "ldap.corp.example.com", * baseDn: "ou=users,dc=corp,dc=example,dc=com", * bindDn: "cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com", * bindPassword: ldapPassword, * mode: "ldap+starttls", * groupDn: "ou=groups,dc=corp,dc=example,dc=com", * groupFilter: "(objectClass=groupOfNames)", * groupNameAttr: "cn", * syncAttributes: "email=mail,firstname=givenName,lastname=sn", * syncDefaultsOptions: "scope=both,enable-new=1", * }); * ``` * * ## See Also * * - [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management) * - [Proxmox VE LDAP Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_ldap) * - [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains) * * ## Import * * !/usr/bin/env sh * LDAP realms can be imported using the realm identifier, e.g.: * * ```sh * $ pulumi import proxmoxve:realm/ldap:Ldap example example.com * ``` * * > When importing, the `bindPassword` attribute cannot be imported since it's not returned by the Proxmox API. You'll need to set this attribute in your Terraform configuration after the import to manage it with Terraform. */ export declare class Ldap extends pulumi.CustomResource { /** * Get an existing Ldap resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: LdapState, opts?: pulumi.CustomResourceOptions): Ldap; /** * Returns true if the given object is an instance of Ldap. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Ldap; /** * LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com'). */ readonly baseDn: pulumi.Output<string>; /** * LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com'). */ readonly bindDn: pulumi.Output<string | undefined>; /** * Password for the bind DN. Note: stored in Proxmox but not returned by API. */ readonly bindPassword: pulumi.Output<string | undefined>; /** * Path to CA certificate file for SSL verification. */ readonly caPath: pulumi.Output<string | undefined>; /** * Enable case-sensitive username matching. */ readonly caseSensitive: pulumi.Output<boolean>; /** * Path to client certificate key. */ readonly certKeyPath: pulumi.Output<string | undefined>; /** * Path to client certificate for SSL authentication. */ readonly certPath: pulumi.Output<string | undefined>; /** * Description of the realm. */ readonly comment: pulumi.Output<string | undefined>; /** * Use this realm as the default for login. */ readonly default: pulumi.Output<boolean>; /** * LDAP filter for user searches. */ readonly filter: pulumi.Output<string | undefined>; /** * LDAP objectClasses for groups (comma-separated). */ readonly groupClasses: pulumi.Output<string | undefined>; /** * LDAP base DN for group searches. */ readonly groupDn: pulumi.Output<string | undefined>; /** * LDAP filter for group searches. */ readonly groupFilter: pulumi.Output<string | undefined>; /** * LDAP attribute representing the group name. */ readonly groupNameAttr: pulumi.Output<string | undefined>; /** * LDAP connection mode (ldap, ldaps, ldap+starttls). */ readonly mode: pulumi.Output<string | undefined>; /** * LDAP server port. Default: 389 (LDAP) or 636 (LDAPS). */ readonly port: pulumi.Output<number | undefined>; /** * Realm identifier (e.g., 'example.com'). */ readonly realm: pulumi.Output<string>; /** * Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. * * @deprecated Deprecated by Proxmox: use mode instead. */ readonly secure: pulumi.Output<boolean>; /** * Primary LDAP server hostname or IP address. */ readonly server1: pulumi.Output<string>; /** * Fallback LDAP server hostname or IP address. */ readonly server2: pulumi.Output<string | undefined>; /** * SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3). */ readonly sslVersion: pulumi.Output<string | undefined>; /** * Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName'). */ readonly syncAttributes: pulumi.Output<string | undefined>; /** * Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'. */ readonly syncDefaultsOptions: pulumi.Output<string | undefined>; /** * LDAP attribute representing the username. */ readonly userAttr: pulumi.Output<string>; /** * LDAP objectClasses for users (comma-separated). */ readonly userClasses: pulumi.Output<string | undefined>; /** * Verify LDAP server SSL certificate. */ readonly verify: pulumi.Output<boolean>; /** * Create a Ldap resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: LdapArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Ldap resources. */ export interface LdapState { /** * LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com'). */ baseDn?: pulumi.Input<string | undefined>; /** * LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com'). */ bindDn?: pulumi.Input<string | undefined>; /** * Password for the bind DN. Note: stored in Proxmox but not returned by API. */ bindPassword?: pulumi.Input<string | undefined>; /** * Path to CA certificate file for SSL verification. */ caPath?: pulumi.Input<string | undefined>; /** * Enable case-sensitive username matching. */ caseSensitive?: pulumi.Input<boolean | undefined>; /** * Path to client certificate key. */ certKeyPath?: pulumi.Input<string | undefined>; /** * Path to client certificate for SSL authentication. */ certPath?: pulumi.Input<string | undefined>; /** * Description of the realm. */ comment?: pulumi.Input<string | undefined>; /** * Use this realm as the default for login. */ default?: pulumi.Input<boolean | undefined>; /** * LDAP filter for user searches. */ filter?: pulumi.Input<string | undefined>; /** * LDAP objectClasses for groups (comma-separated). */ groupClasses?: pulumi.Input<string | undefined>; /** * LDAP base DN for group searches. */ groupDn?: pulumi.Input<string | undefined>; /** * LDAP filter for group searches. */ groupFilter?: pulumi.Input<string | undefined>; /** * LDAP attribute representing the group name. */ groupNameAttr?: pulumi.Input<string | undefined>; /** * LDAP connection mode (ldap, ldaps, ldap+starttls). */ mode?: pulumi.Input<string | undefined>; /** * LDAP server port. Default: 389 (LDAP) or 636 (LDAPS). */ port?: pulumi.Input<number | undefined>; /** * Realm identifier (e.g., 'example.com'). */ realm?: pulumi.Input<string | undefined>; /** * Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. * * @deprecated Deprecated by Proxmox: use mode instead. */ secure?: pulumi.Input<boolean | undefined>; /** * Primary LDAP server hostname or IP address. */ server1?: pulumi.Input<string | undefined>; /** * Fallback LDAP server hostname or IP address. */ server2?: pulumi.Input<string | undefined>; /** * SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3). */ sslVersion?: pulumi.Input<string | undefined>; /** * Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName'). */ syncAttributes?: pulumi.Input<string | undefined>; /** * Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'. */ syncDefaultsOptions?: pulumi.Input<string | undefined>; /** * LDAP attribute representing the username. */ userAttr?: pulumi.Input<string | undefined>; /** * LDAP objectClasses for users (comma-separated). */ userClasses?: pulumi.Input<string | undefined>; /** * Verify LDAP server SSL certificate. */ verify?: pulumi.Input<boolean | undefined>; } /** * The set of arguments for constructing a Ldap resource. */ export interface LdapArgs { /** * LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com'). */ baseDn: pulumi.Input<string>; /** * LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com'). */ bindDn?: pulumi.Input<string | undefined>; /** * Password for the bind DN. Note: stored in Proxmox but not returned by API. */ bindPassword?: pulumi.Input<string | undefined>; /** * Path to CA certificate file for SSL verification. */ caPath?: pulumi.Input<string | undefined>; /** * Enable case-sensitive username matching. */ caseSensitive?: pulumi.Input<boolean | undefined>; /** * Path to client certificate key. */ certKeyPath?: pulumi.Input<string | undefined>; /** * Path to client certificate for SSL authentication. */ certPath?: pulumi.Input<string | undefined>; /** * Description of the realm. */ comment?: pulumi.Input<string | undefined>; /** * Use this realm as the default for login. */ default?: pulumi.Input<boolean | undefined>; /** * LDAP filter for user searches. */ filter?: pulumi.Input<string | undefined>; /** * LDAP objectClasses for groups (comma-separated). */ groupClasses?: pulumi.Input<string | undefined>; /** * LDAP base DN for group searches. */ groupDn?: pulumi.Input<string | undefined>; /** * LDAP filter for group searches. */ groupFilter?: pulumi.Input<string | undefined>; /** * LDAP attribute representing the group name. */ groupNameAttr?: pulumi.Input<string | undefined>; /** * LDAP connection mode (ldap, ldaps, ldap+starttls). */ mode?: pulumi.Input<string | undefined>; /** * LDAP server port. Default: 389 (LDAP) or 636 (LDAPS). */ port?: pulumi.Input<number | undefined>; /** * Realm identifier (e.g., 'example.com'). */ realm: pulumi.Input<string>; /** * Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. * * @deprecated Deprecated by Proxmox: use mode instead. */ secure?: pulumi.Input<boolean | undefined>; /** * Primary LDAP server hostname or IP address. */ server1: pulumi.Input<string>; /** * Fallback LDAP server hostname or IP address. */ server2?: pulumi.Input<string | undefined>; /** * SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3). */ sslVersion?: pulumi.Input<string | undefined>; /** * Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName'). */ syncAttributes?: pulumi.Input<string | undefined>; /** * Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'. */ syncDefaultsOptions?: pulumi.Input<string | undefined>; /** * LDAP attribute representing the username. */ userAttr?: pulumi.Input<string | undefined>; /** * LDAP objectClasses for users (comma-separated). */ userClasses?: pulumi.Input<string | undefined>; /** * Verify LDAP server SSL certificate. */ verify?: pulumi.Input<boolean | undefined>; } //# sourceMappingURL=ldap.d.ts.map