@muhlba91/pulumi-proxmoxve
Version:
A Pulumi package for creating and managing Proxmox Virtual Environment cloud resources.
481 lines • 16.5 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* > **Deprecated:** Use `proxmoxve.realm.Ldap` instead. This resource will be removed in v1.0.
*
* Manages an LDAP authentication realm in Proxmox VE.
*
* LDAP realms allow Proxmox to authenticate users against an LDAP directory service.
*
* ## Privileges Required
*
* | Path | Attribute |
* |-----------------|----------------|
* | /access/domains | Realm.Allocate |
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const example = new proxmoxve.realm.LdapLegacy("example", {
* realm: "example-ldap",
* server1: "ldap.example.com",
* port: 389,
* baseDn: "ou=people,dc=example,dc=com",
* userAttr: "uid",
* bindDn: "cn=admin,dc=example,dc=com",
* bindPassword: ldapBindPassword,
* mode: "ldap+starttls",
* verify: true,
* groupDn: "ou=groups,dc=example,dc=com",
* groupFilter: "(objectClass=groupOfNames)",
* comment: "Example LDAP realm managed by Terraform",
* });
* ```
*
* ## Notes
*
* ### Password Security
*
* The `bindPassword` is sent to Proxmox and stored securely, but it's never returned by the API. This means:
* - Terraform cannot detect if the password was changed outside of Terraform
* - You must maintain the password in your Terraform configuration or use a variable
* - The password will be marked as sensitive in Terraform state
*
* ### LDAP vs LDAPS
*
* - **LDAP (port 389)**: Unencrypted connection. Not recommended for production.
* - **LDAPS (port 636)**: Encrypted connection using SSL/TLS. Recommended for production.
* - **LDAP+StartTLS**: Upgrades plain LDAP connection to TLS. Alternative to LDAPS.
*
* ### User Synchronization
*
* To trigger synchronization, use the `proxmoxve.realm.SyncLegacy` resource.
*
* ### Common Configuration Scenarios
*
* #### Anonymous Binding
* For testing or public LDAP servers, omit `bindDn` and `bindPassword` to use anonymous binding:
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const anonymous = new proxmoxve.realm.LdapLegacy("anonymous", {
* realm: "public-ldap",
* server1: "ldap.example.com",
* baseDn: "ou=users,dc=example,dc=com",
* userAttr: "uid",
* });
* ```
*
* #### Secure LDAPS with Failover
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const secure = new proxmoxve.realm.LdapLegacy("secure", {
* realm: "secure-ldap",
* server1: "ldap1.example.com",
* server2: "ldap2.example.com",
* port: 636,
* baseDn: "ou=users,dc=example,dc=com",
* bindDn: "cn=readonly,dc=example,dc=com",
* bindPassword: ldapPassword,
* mode: "ldaps",
* verify: true,
* caPath: "/etc/pve/priv/ca.crt",
* });
* ```
*
* #### With Group Synchronization
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const withGroups = new proxmoxve.realm.LdapLegacy("with_groups", {
* realm: "corporate-ldap",
* server1: "ldap.corp.example.com",
* baseDn: "ou=users,dc=corp,dc=example,dc=com",
* bindDn: "cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com",
* bindPassword: ldapPassword,
* mode: "ldap+starttls",
* groupDn: "ou=groups,dc=corp,dc=example,dc=com",
* groupFilter: "(objectClass=groupOfNames)",
* groupNameAttr: "cn",
* syncAttributes: "email=mail,firstname=givenName,lastname=sn",
* syncDefaultsOptions: "scope=both,enable-new=1",
* });
* ```
*
* ## See Also
*
* - [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management)
* - [Proxmox VE LDAP Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_ldap)
* - [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains)
*
* ## Import
*
* !/usr/bin/env sh
* LDAP realms can be imported using the realm identifier, e.g.:
*
* ```sh
* $ pulumi import proxmoxve:realm/ldapLegacy:LdapLegacy example example.com
* ```
*
* > When importing, the `bindPassword` attribute cannot be imported since it's not returned by the Proxmox API. You'll need to set this attribute in your Terraform configuration after the import to manage it with Terraform.
*/
export declare class LdapLegacy extends pulumi.CustomResource {
/**
* Get an existing LdapLegacy resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: LdapLegacyState, opts?: pulumi.CustomResourceOptions): LdapLegacy;
/**
* Returns true if the given object is an instance of LdapLegacy. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is LdapLegacy;
/**
* LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
*/
readonly baseDn: pulumi.Output<string>;
/**
* LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
*/
readonly bindDn: pulumi.Output<string | undefined>;
/**
* Password for the bind DN. Note: stored in Proxmox but not returned by API.
*/
readonly bindPassword: pulumi.Output<string | undefined>;
/**
* Path to CA certificate file for SSL verification.
*/
readonly caPath: pulumi.Output<string | undefined>;
/**
* Enable case-sensitive username matching.
*/
readonly caseSensitive: pulumi.Output<boolean>;
/**
* Path to client certificate key.
*/
readonly certKeyPath: pulumi.Output<string | undefined>;
/**
* Path to client certificate for SSL authentication.
*/
readonly certPath: pulumi.Output<string | undefined>;
/**
* Description of the realm.
*/
readonly comment: pulumi.Output<string | undefined>;
/**
* Use this realm as the default for login.
*/
readonly default: pulumi.Output<boolean>;
/**
* LDAP filter for user searches.
*/
readonly filter: pulumi.Output<string | undefined>;
/**
* LDAP objectClasses for groups (comma-separated).
*/
readonly groupClasses: pulumi.Output<string | undefined>;
/**
* LDAP base DN for group searches.
*/
readonly groupDn: pulumi.Output<string | undefined>;
/**
* LDAP filter for group searches.
*/
readonly groupFilter: pulumi.Output<string | undefined>;
/**
* LDAP attribute representing the group name.
*/
readonly groupNameAttr: pulumi.Output<string | undefined>;
/**
* LDAP connection mode (ldap, ldaps, ldap+starttls).
*/
readonly mode: pulumi.Output<string | undefined>;
/**
* LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
*/
readonly port: pulumi.Output<number | undefined>;
/**
* Realm identifier (e.g., 'example.com').
*/
readonly realm: pulumi.Output<string>;
/**
* Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
*
* @deprecated Deprecated by Proxmox: use mode instead.
*/
readonly secure: pulumi.Output<boolean>;
/**
* Primary LDAP server hostname or IP address.
*/
readonly server1: pulumi.Output<string>;
/**
* Fallback LDAP server hostname or IP address.
*/
readonly server2: pulumi.Output<string | undefined>;
/**
* SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3).
*/
readonly sslVersion: pulumi.Output<string | undefined>;
/**
* Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
*/
readonly syncAttributes: pulumi.Output<string | undefined>;
/**
* Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
*/
readonly syncDefaultsOptions: pulumi.Output<string | undefined>;
/**
* LDAP attribute representing the username.
*/
readonly userAttr: pulumi.Output<string>;
/**
* LDAP objectClasses for users (comma-separated).
*/
readonly userClasses: pulumi.Output<string | undefined>;
/**
* Verify LDAP server SSL certificate.
*/
readonly verify: pulumi.Output<boolean>;
/**
* Create a LdapLegacy resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: LdapLegacyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering LdapLegacy resources.
*/
export interface LdapLegacyState {
/**
* LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
*/
baseDn?: pulumi.Input<string | undefined>;
/**
* LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
*/
bindDn?: pulumi.Input<string | undefined>;
/**
* Password for the bind DN. Note: stored in Proxmox but not returned by API.
*/
bindPassword?: pulumi.Input<string | undefined>;
/**
* Path to CA certificate file for SSL verification.
*/
caPath?: pulumi.Input<string | undefined>;
/**
* Enable case-sensitive username matching.
*/
caseSensitive?: pulumi.Input<boolean | undefined>;
/**
* Path to client certificate key.
*/
certKeyPath?: pulumi.Input<string | undefined>;
/**
* Path to client certificate for SSL authentication.
*/
certPath?: pulumi.Input<string | undefined>;
/**
* Description of the realm.
*/
comment?: pulumi.Input<string | undefined>;
/**
* Use this realm as the default for login.
*/
default?: pulumi.Input<boolean | undefined>;
/**
* LDAP filter for user searches.
*/
filter?: pulumi.Input<string | undefined>;
/**
* LDAP objectClasses for groups (comma-separated).
*/
groupClasses?: pulumi.Input<string | undefined>;
/**
* LDAP base DN for group searches.
*/
groupDn?: pulumi.Input<string | undefined>;
/**
* LDAP filter for group searches.
*/
groupFilter?: pulumi.Input<string | undefined>;
/**
* LDAP attribute representing the group name.
*/
groupNameAttr?: pulumi.Input<string | undefined>;
/**
* LDAP connection mode (ldap, ldaps, ldap+starttls).
*/
mode?: pulumi.Input<string | undefined>;
/**
* LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
*/
port?: pulumi.Input<number | undefined>;
/**
* Realm identifier (e.g., 'example.com').
*/
realm?: pulumi.Input<string | undefined>;
/**
* Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
*
* @deprecated Deprecated by Proxmox: use mode instead.
*/
secure?: pulumi.Input<boolean | undefined>;
/**
* Primary LDAP server hostname or IP address.
*/
server1?: pulumi.Input<string | undefined>;
/**
* Fallback LDAP server hostname or IP address.
*/
server2?: pulumi.Input<string | undefined>;
/**
* SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3).
*/
sslVersion?: pulumi.Input<string | undefined>;
/**
* Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
*/
syncAttributes?: pulumi.Input<string | undefined>;
/**
* Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
*/
syncDefaultsOptions?: pulumi.Input<string | undefined>;
/**
* LDAP attribute representing the username.
*/
userAttr?: pulumi.Input<string | undefined>;
/**
* LDAP objectClasses for users (comma-separated).
*/
userClasses?: pulumi.Input<string | undefined>;
/**
* Verify LDAP server SSL certificate.
*/
verify?: pulumi.Input<boolean | undefined>;
}
/**
* The set of arguments for constructing a LdapLegacy resource.
*/
export interface LdapLegacyArgs {
/**
* LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
*/
baseDn: pulumi.Input<string>;
/**
* LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
*/
bindDn?: pulumi.Input<string | undefined>;
/**
* Password for the bind DN. Note: stored in Proxmox but not returned by API.
*/
bindPassword?: pulumi.Input<string | undefined>;
/**
* Path to CA certificate file for SSL verification.
*/
caPath?: pulumi.Input<string | undefined>;
/**
* Enable case-sensitive username matching.
*/
caseSensitive?: pulumi.Input<boolean | undefined>;
/**
* Path to client certificate key.
*/
certKeyPath?: pulumi.Input<string | undefined>;
/**
* Path to client certificate for SSL authentication.
*/
certPath?: pulumi.Input<string | undefined>;
/**
* Description of the realm.
*/
comment?: pulumi.Input<string | undefined>;
/**
* Use this realm as the default for login.
*/
default?: pulumi.Input<boolean | undefined>;
/**
* LDAP filter for user searches.
*/
filter?: pulumi.Input<string | undefined>;
/**
* LDAP objectClasses for groups (comma-separated).
*/
groupClasses?: pulumi.Input<string | undefined>;
/**
* LDAP base DN for group searches.
*/
groupDn?: pulumi.Input<string | undefined>;
/**
* LDAP filter for group searches.
*/
groupFilter?: pulumi.Input<string | undefined>;
/**
* LDAP attribute representing the group name.
*/
groupNameAttr?: pulumi.Input<string | undefined>;
/**
* LDAP connection mode (ldap, ldaps, ldap+starttls).
*/
mode?: pulumi.Input<string | undefined>;
/**
* LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
*/
port?: pulumi.Input<number | undefined>;
/**
* Realm identifier (e.g., 'example.com').
*/
realm: pulumi.Input<string>;
/**
* Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
*
* @deprecated Deprecated by Proxmox: use mode instead.
*/
secure?: pulumi.Input<boolean | undefined>;
/**
* Primary LDAP server hostname or IP address.
*/
server1: pulumi.Input<string>;
/**
* Fallback LDAP server hostname or IP address.
*/
server2?: pulumi.Input<string | undefined>;
/**
* SSL/TLS version (tlsv1, tlsv1*1, tlsv1*2, tlsv1_3).
*/
sslVersion?: pulumi.Input<string | undefined>;
/**
* Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
*/
syncAttributes?: pulumi.Input<string | undefined>;
/**
* Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
*/
syncDefaultsOptions?: pulumi.Input<string | undefined>;
/**
* LDAP attribute representing the username.
*/
userAttr?: pulumi.Input<string | undefined>;
/**
* LDAP objectClasses for users (comma-separated).
*/
userClasses?: pulumi.Input<string | undefined>;
/**
* Verify LDAP server SSL certificate.
*/
verify?: pulumi.Input<boolean | undefined>;
}
//# sourceMappingURL=ldapLegacy.d.ts.map