@muhlba91/pulumi-proxmoxve
Version:
A Pulumi package for creating and managing Proxmox Virtual Environment cloud resources.
350 lines • 14.2 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* Manages an OpenID Connect authentication realm in Proxmox VE.
*
* OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.
*
* ## Privileges Required
*
* | Path | Attribute |
* |-----------------|----------------|
* | /access/domains | Realm.Allocate |
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const example = new proxmoxve.realm.Openid("example", {
* realm: "example-oidc",
* issuerUrl: "https://auth.example.com",
* clientId: "your-client-id",
* clientKey: oidcClientSecret,
* usernameClaim: "email",
* autocreate: true,
* groupsClaim: "groups",
* groupsAutocreate: true,
* groupsOverwrite: false,
* scopes: "openid email profile",
* queryUserinfo: true,
* comment: "Example OpenID Connect realm managed by Terraform",
* });
* ```
*
* ## Notes
*
* ### Client Key Security
*
* The `clientKey` is sent to Proxmox and stored securely, but it's never returned by the API. This means:
*
* - Terraform cannot detect if the client key was changed outside of Terraform
* - You must maintain the client key in your Terraform configuration or use a variable
* - The client key will be marked as sensitive in Terraform state
*
* #### Minimal Configuration
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const minimal = new proxmoxve.realm.Openid("minimal", {
* realm: "my-oidc",
* issuerUrl: "https://auth.example.com",
* clientId: oidcClientId,
* clientKey: oidcClientSecret,
* });
* ```
*
* #### With User and Group Provisioning
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
*
* const full = new proxmoxve.realm.Openid("full", {
* realm: "corporate-oidc",
* issuerUrl: "https://auth.example.com/realms/my-realm",
* clientId: oidcClientId,
* clientKey: oidcClientSecret,
* usernameClaim: "email",
* autocreate: true,
* groupsClaim: "groups",
* groupsAutocreate: true,
* scopes: "openid email profile",
* queryUserinfo: true,
* });
* ```
*
* ## See Also
*
* - [Proxmox VE User Management](https://pve.proxmox.com/wiki/User_Management)
* - [Proxmox VE OpenID Connect Authentication](https://pve.proxmox.com/wiki/User_Management#pveum_openid)
* - [Proxmox API: /access/domains](https://pve.proxmox.com/pve-docs/api-viewer/index.html#/access/domains)
*
* ## Import
*
* !/usr/bin/env sh
* OpenID realms can be imported using the realm identifier, e.g.:
*
* ```sh
* $ pulumi import proxmoxve:realm/openid:Openid example example-oidc
* ```
*
* > When importing, the `clientKey` attribute cannot be imported since it's not returned by the Proxmox API. You'll need to set this attribute in your Terraform configuration after the import to manage it with Terraform.
*/
export declare class Openid extends pulumi.CustomResource {
/**
* Get an existing Openid resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OpenidState, opts?: pulumi.CustomResourceOptions): Openid;
/**
* Returns true if the given object is an instance of Openid. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is Openid;
/**
* Authentication Context Class Reference values for the OpenID provider.
*/
readonly acrValues: pulumi.Output<string | undefined>;
/**
* Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
*/
readonly audiences: pulumi.Output<string | undefined>;
/**
* Automatically create users on the Proxmox cluster if they do not exist.
*/
readonly autocreate: pulumi.Output<boolean>;
/**
* OpenID Connect Client ID.
*/
readonly clientId: pulumi.Output<string>;
/**
* OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
*/
readonly clientKey: pulumi.Output<string | undefined>;
/**
* **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
* OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
*/
readonly clientKeyWo: pulumi.Output<string | undefined>;
/**
* Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
*/
readonly clientKeyWoVersion: pulumi.Output<number | undefined>;
/**
* Description of the realm.
*/
readonly comment: pulumi.Output<string | undefined>;
/**
* Use this realm as the default for login.
*/
readonly default: pulumi.Output<boolean>;
/**
* Automatically create groups from claims rather than using existing Proxmox VE groups.
*/
readonly groupsAutocreate: pulumi.Output<boolean>;
/**
* OpenID claim used to retrieve user group memberships.
*/
readonly groupsClaim: pulumi.Output<string | undefined>;
/**
* Replace assigned groups on login instead of appending to existing ones.
*/
readonly groupsOverwrite: pulumi.Output<boolean>;
/**
* OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
*/
readonly issuerUrl: pulumi.Output<string>;
/**
* Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
*/
readonly prompt: pulumi.Output<string | undefined>;
/**
* Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
*/
readonly queryUserinfo: pulumi.Output<boolean>;
/**
* Realm identifier (e.g., 'my-oidc').
*/
readonly realm: pulumi.Output<string>;
/**
* Space-separated list of OpenID scopes to request.
*/
readonly scopes: pulumi.Output<string>;
/**
* OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
*/
readonly usernameClaim: pulumi.Output<string | undefined>;
/**
* Create a Openid resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: OpenidArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Openid resources.
*/
export interface OpenidState {
/**
* Authentication Context Class Reference values for the OpenID provider.
*/
acrValues?: pulumi.Input<string | undefined>;
/**
* Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
*/
audiences?: pulumi.Input<string | undefined>;
/**
* Automatically create users on the Proxmox cluster if they do not exist.
*/
autocreate?: pulumi.Input<boolean | undefined>;
/**
* OpenID Connect Client ID.
*/
clientId?: pulumi.Input<string | undefined>;
/**
* OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
*/
clientKey?: pulumi.Input<string | undefined>;
/**
* **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
* OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
*/
clientKeyWo?: pulumi.Input<string | undefined>;
/**
* Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
*/
clientKeyWoVersion?: pulumi.Input<number | undefined>;
/**
* Description of the realm.
*/
comment?: pulumi.Input<string | undefined>;
/**
* Use this realm as the default for login.
*/
default?: pulumi.Input<boolean | undefined>;
/**
* Automatically create groups from claims rather than using existing Proxmox VE groups.
*/
groupsAutocreate?: pulumi.Input<boolean | undefined>;
/**
* OpenID claim used to retrieve user group memberships.
*/
groupsClaim?: pulumi.Input<string | undefined>;
/**
* Replace assigned groups on login instead of appending to existing ones.
*/
groupsOverwrite?: pulumi.Input<boolean | undefined>;
/**
* OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
*/
issuerUrl?: pulumi.Input<string | undefined>;
/**
* Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
*/
prompt?: pulumi.Input<string | undefined>;
/**
* Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
*/
queryUserinfo?: pulumi.Input<boolean | undefined>;
/**
* Realm identifier (e.g., 'my-oidc').
*/
realm?: pulumi.Input<string | undefined>;
/**
* Space-separated list of OpenID scopes to request.
*/
scopes?: pulumi.Input<string | undefined>;
/**
* OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
*/
usernameClaim?: pulumi.Input<string | undefined>;
}
/**
* The set of arguments for constructing a Openid resource.
*/
export interface OpenidArgs {
/**
* Authentication Context Class Reference values for the OpenID provider.
*/
acrValues?: pulumi.Input<string | undefined>;
/**
* Audiences that the OpenID Issuer may include that are accepted for the client (comma-separated).
*/
audiences?: pulumi.Input<string | undefined>;
/**
* Automatically create users on the Proxmox cluster if they do not exist.
*/
autocreate?: pulumi.Input<boolean | undefined>;
/**
* OpenID Connect Client ID.
*/
clientId: pulumi.Input<string>;
/**
* OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
*/
clientKey?: pulumi.Input<string | undefined>;
/**
* **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
* OpenID Connect Client Key (secret), supplied as a [write-only argument](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) so it is never stored in Terraform state or plan. Requires Terraform 1.11+. Mutually exclusive with `clientKey`. Pair with `clientKeyWoVersion` to push a rotated secret.
*/
clientKeyWo?: pulumi.Input<string | undefined>;
/**
* Version counter for `clientKeyWo`. Because write-only values are not stored in state, Terraform cannot detect when `clientKeyWo` changes; increment this value to signal a rotation and force the new secret to be sent.
*/
clientKeyWoVersion?: pulumi.Input<number | undefined>;
/**
* Description of the realm.
*/
comment?: pulumi.Input<string | undefined>;
/**
* Use this realm as the default for login.
*/
default?: pulumi.Input<boolean | undefined>;
/**
* Automatically create groups from claims rather than using existing Proxmox VE groups.
*/
groupsAutocreate?: pulumi.Input<boolean | undefined>;
/**
* OpenID claim used to retrieve user group memberships.
*/
groupsClaim?: pulumi.Input<string | undefined>;
/**
* Replace assigned groups on login instead of appending to existing ones.
*/
groupsOverwrite?: pulumi.Input<boolean | undefined>;
/**
* OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
*/
issuerUrl: pulumi.Input<string>;
/**
* Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
*/
prompt?: pulumi.Input<string | undefined>;
/**
* Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
*/
queryUserinfo?: pulumi.Input<boolean | undefined>;
/**
* Realm identifier (e.g., 'my-oidc').
*/
realm: pulumi.Input<string>;
/**
* Space-separated list of OpenID scopes to request.
*/
scopes?: pulumi.Input<string | undefined>;
/**
* OpenID claim used to generate the unique username. Common values are `subject`, `username`, `email`, and `upn`.
*/
usernameClaim?: pulumi.Input<string | undefined>;
}
//# sourceMappingURL=openid.d.ts.map