@pulumi/juniper-mist
Version:
A Pulumi package for creating and managing Juniper Mist resources.
479 lines • 19.4 kB
TypeScript
import * as pulumi from "@pulumi/pulumi";
/**
* This resource manages NAC IDPs (Identity Providers).
*
* The NAC IDPs are used to validate NAC client accounts against an IDP with OAuth2.0, LDAP/LDAPS, or a local Mist Edge.\
* Mist Access Assurance can also retrieve group membership from the IDP, and use this information in the NAC Rules (`junipermist.org.Nacrule` resource)
*
* IMPORTANT:
* * Once created, the NAC IDP must be registered in the `junipermist.org.Setting` resource (full path: `mist_org_setting.mist_nac.idps`).
* * The associated REALMS are configured under `mist_org_setting.mist_nac.idps`
* * To make the IDP the Default IDP, set the IDP ID under `mist_org_setting.mist_nac.default_idp_id`
*
* For SAML IDP, the NAC IDP Metadata can be retrieved with the `junipermist.org.getNacidpMetadata` data source.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as junipermist from "@pulumi/juniper-mist";
*
* // OAuth with Azure Example
* const idpAzure = new junipermist.org.Nacidp("idp_azure", {
* orgId: terraformTest.id,
* name: "idp_azure",
* idpType: "oauth",
* oauthCcClientId: "client_id",
* oauthCcClientSecret: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
* oauthRopcClientId: "ropc_client_id",
* oauthRopcClientSecret: "ropc_client_secret",
* oauthTenantId: "tenant_id",
* oauthType: "azure",
* });
* // Custom LDAP Example
* const idpLdap = new junipermist.org.Nacidp("idp_ldap", {
* orgId: terraformTest.id,
* name: "idp_ldap",
* idpType: "ldap",
* ldapType: "custom",
* groupFilter: "memberOf",
* memberFilter: "memberOf",
* ldapUserFilter: "(mail=%s)",
* ldapServerHosts: [
* "ldap.mycorp.com",
* "1.2.3.4",
* ],
* ldapBaseDn: "DC=abc,DC=com",
* ldapBindDn: "CN=admin,CN=users,DC=abc,DC=com",
* ldapBindPassword: "secret!password",
* ldapCacerts: [
* `-----BEGIN CERTIFICATE-----
* MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
* -----END CERTIFICATE-----`,
* `-----BEGIN CERTIFICATE-----
* BhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----`,
* ],
* ldapClientCert: `-----BEGIN CERTIFICATE-----
* MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
* -----END CERTIFICATE-----`,
* ldapClientKey: "-----BEGIN PRI...",
* });
* ```
*
* ## Import
*
* Using `pulumi import`, import `junipermist.org.Nacidp` with:
* Org PSK can be imported by specifying the orgId and the nacidpId
*
* ```sh
* $ pulumi import junipermist:org/nacidp:Nacidp idp_azure 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
* ```
*/
export declare class Nacidp extends pulumi.CustomResource {
/**
* Get an existing Nacidp resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NacidpState, opts?: pulumi.CustomResourceOptions): Nacidp;
/**
* Returns true if the given object is an instance of Nacidp. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is Nacidp;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
readonly groupFilter: pulumi.Output<string | undefined>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
*/
readonly idpType: pulumi.Output<string>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
readonly ldapBaseDn: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
readonly ldapBindDn: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*/
readonly ldapBindPassword: pulumi.Output<string | undefined>;
/**
* CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
*/
readonly ldapCacerts: pulumi.Output<string[] | undefined>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
readonly ldapClientCert: pulumi.Output<string | undefined>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*/
readonly ldapClientKey: pulumi.Output<string | undefined>;
/**
* Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
*/
readonly ldapGroupAttr: pulumi.Output<string | undefined>;
/**
* Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
*/
readonly ldapGroupDn: pulumi.Output<string | undefined>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
readonly ldapResolveGroups: pulumi.Output<boolean>;
/**
* Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
*/
readonly ldapServerHosts: pulumi.Output<string[] | undefined>;
/**
* Provider template for LDAP SSO when `idpType`==`ldap`
*/
readonly ldapType: pulumi.Output<string | undefined>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
readonly ldapUserFilter: pulumi.Output<string | undefined>;
/**
* Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
*/
readonly memberFilter: pulumi.Output<string | undefined>;
/**
* Display name of the NAC IDP configuration
*/
readonly name: pulumi.Output<string>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
readonly oauthCcClientId: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*/
readonly oauthCcClientSecret: pulumi.Output<string | undefined>;
/**
* OAuth discovery document URL used when `idpType`==`oauth`
*/
readonly oauthDiscoveryUrl: pulumi.Output<string | undefined>;
/**
* Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
*/
readonly oauthPingIdentityRegion: pulumi.Output<string>;
/**
* Provider domain for Okta OAuth SSO when `oauthType`==`okta`
*/
readonly oauthProviderDomain: pulumi.Output<string>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
readonly oauthRopcClientId: pulumi.Output<string | undefined>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*/
readonly oauthRopcClientSecret: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
readonly oauthTenantId: pulumi.Output<string | undefined>;
/**
* Provider type for OAuth SSO when `idpType`==`oauth`
*/
readonly oauthType: pulumi.Output<string>;
/**
* SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
*/
readonly openroamingSsids: pulumi.Output<string[] | undefined>;
/**
* Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
*/
readonly openroamingWbaClientCert: pulumi.Output<string | undefined>;
/**
* Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
*/
readonly openroamingWbaClientKey: pulumi.Output<string | undefined>;
/**
* Owning organization identifier for this NAC IDP configuration
*/
readonly orgId: pulumi.Output<string>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
readonly scimEnabled: pulumi.Output<boolean>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*/
readonly scimSecretToken: pulumi.Output<string>;
/**
* Create a Nacidp resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: NacidpArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Nacidp resources.
*/
export interface NacidpState {
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
groupFilter?: pulumi.Input<string | undefined>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
*/
idpType?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
ldapBaseDn?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
ldapBindDn?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*/
ldapBindPassword?: pulumi.Input<string | undefined>;
/**
* CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
*/
ldapCacerts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
ldapClientCert?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*/
ldapClientKey?: pulumi.Input<string | undefined>;
/**
* Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
*/
ldapGroupAttr?: pulumi.Input<string | undefined>;
/**
* Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
*/
ldapGroupDn?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
ldapResolveGroups?: pulumi.Input<boolean | undefined>;
/**
* Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
*/
ldapServerHosts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Provider template for LDAP SSO when `idpType`==`ldap`
*/
ldapType?: pulumi.Input<string | undefined>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
ldapUserFilter?: pulumi.Input<string | undefined>;
/**
* Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
*/
memberFilter?: pulumi.Input<string | undefined>;
/**
* Display name of the NAC IDP configuration
*/
name?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
oauthCcClientId?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*/
oauthCcClientSecret?: pulumi.Input<string | undefined>;
/**
* OAuth discovery document URL used when `idpType`==`oauth`
*/
oauthDiscoveryUrl?: pulumi.Input<string | undefined>;
/**
* Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
*/
oauthPingIdentityRegion?: pulumi.Input<string | undefined>;
/**
* Provider domain for Okta OAuth SSO when `oauthType`==`okta`
*/
oauthProviderDomain?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
oauthRopcClientId?: pulumi.Input<string | undefined>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*/
oauthRopcClientSecret?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
oauthTenantId?: pulumi.Input<string | undefined>;
/**
* Provider type for OAuth SSO when `idpType`==`oauth`
*/
oauthType?: pulumi.Input<string | undefined>;
/**
* SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
*/
openroamingSsids?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
*/
openroamingWbaClientCert?: pulumi.Input<string | undefined>;
/**
* Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
*/
openroamingWbaClientKey?: pulumi.Input<string | undefined>;
/**
* Owning organization identifier for this NAC IDP configuration
*/
orgId?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
scimEnabled?: pulumi.Input<boolean | undefined>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*/
scimSecretToken?: pulumi.Input<string | undefined>;
}
/**
* The set of arguments for constructing a Nacidp resource.
*/
export interface NacidpArgs {
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
groupFilter?: pulumi.Input<string | undefined>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
*/
idpType: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
ldapBaseDn?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
ldapBindDn?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*/
ldapBindPassword?: pulumi.Input<string | undefined>;
/**
* CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
*/
ldapCacerts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
ldapClientCert?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*/
ldapClientKey?: pulumi.Input<string | undefined>;
/**
* Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
*/
ldapGroupAttr?: pulumi.Input<string | undefined>;
/**
* Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
*/
ldapGroupDn?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
ldapResolveGroups?: pulumi.Input<boolean | undefined>;
/**
* Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
*/
ldapServerHosts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Provider template for LDAP SSO when `idpType`==`ldap`
*/
ldapType?: pulumi.Input<string | undefined>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
ldapUserFilter?: pulumi.Input<string | undefined>;
/**
* Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
*/
memberFilter?: pulumi.Input<string | undefined>;
/**
* Display name of the NAC IDP configuration
*/
name?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
oauthCcClientId?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*/
oauthCcClientSecret?: pulumi.Input<string | undefined>;
/**
* OAuth discovery document URL used when `idpType`==`oauth`
*/
oauthDiscoveryUrl?: pulumi.Input<string | undefined>;
/**
* Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
*/
oauthPingIdentityRegion?: pulumi.Input<string | undefined>;
/**
* Provider domain for Okta OAuth SSO when `oauthType`==`okta`
*/
oauthProviderDomain?: pulumi.Input<string | undefined>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
oauthRopcClientId?: pulumi.Input<string | undefined>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*/
oauthRopcClientSecret?: pulumi.Input<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
oauthTenantId?: pulumi.Input<string | undefined>;
/**
* Provider type for OAuth SSO when `idpType`==`oauth`
*/
oauthType?: pulumi.Input<string | undefined>;
/**
* SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
*/
openroamingSsids?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
*/
openroamingWbaClientCert?: pulumi.Input<string | undefined>;
/**
* Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
*/
openroamingWbaClientKey?: pulumi.Input<string | undefined>;
/**
* Owning organization identifier for this NAC IDP configuration
*/
orgId: pulumi.Input<string>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
scimEnabled?: pulumi.Input<boolean | undefined>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*/
scimSecretToken?: pulumi.Input<string | undefined>;
}
//# sourceMappingURL=nacidp.d.ts.map