import * as pulumi from "@pulumi/pulumi";
/**
* This resource manages NAC IDPs (Identity Providers).
*
* The NAC IDPs are used to validate NAC client accounts against an IDP with OAuth2.0, LDAP/LDAPS, or a local Mist Edge.\
* Mist Access Assurance can also retrieve group membership from the IDP, and use this information in the NAC Rules (`junipermist.org.Nacrule` resource)
*
* IMPORTANT:
* * Once created, the NAC IDP must be registered in the `junipermist.org.Setting` resource (full path: `mist_org_setting.mist_nac.idps`).
* * The associated REALMS are configured under `mist_org_setting.mist_nac.idps`
* * To make the IDP the Default IDP, set the IDP ID under `mist_org_setting.mist_nac.default_idp_id`
*
* For SAML IDP, the NAC IDP Metadata can be retrieved with the `junipermist.org.getNacidpMetadata` data source.
*
* Credential handling: several properties of this resource carry authentication material
* (`ldapBindPassword`, `ldapClientKey`, `oauthCcClientSecret`, `oauthRopcClientSecret`, `scimSecretToken`).
* NOTE(review): this declaration file does not show whether the provider schema marks them as secret;
* confirm that, and when passing literal values wrap them in `pulumi.secret()` (or read them from
* encrypted stack config) so they are encrypted in state and redacted from preview output.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as junipermist from "@pulumi/juniper-mist";
*
* // NOTE(review): the literal credentials below are placeholders for illustration only;
* // in real code source them from `pulumi.Config.requireSecret()` / `pulumi.secret()`.
* // OAuth with Azure Example
* const idpAzure = new junipermist.org.Nacidp("idp_azure", {
* orgId: terraformTest.id,
* name: "idp_azure",
* idpType: "oauth",
* oauthCcClientId: "client_id",
* // NOTE(review): the `oauthCcClientSecret` property doc describes an RSA private key, but this
* // example passes a CERTIFICATE block — confirm which form the provider actually expects.
* oauthCcClientSecret: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
* oauthRopcClientId: "ropc_client_id",
* oauthRopcClientSecret: "ropc_client_secret",
* oauthTenantId: "tenant_id",
* oauthType: "azure",
* });
* // Custom LDAP Example
* const idpLdap = new junipermist.org.Nacidp("idp_ldap", {
* orgId: terraformTest.id,
* name: "idp_ldap",
* idpType: "ldap",
* ldapType: "custom",
* groupFilter: "memberOf",
* memberFilter: "memberOf",
* ldapUserFilter: "(mail=%s)",
* ldapServerHosts: [
* "ldap.mycorp.com",
* "1.2.3.4",
* ],
* ldapBaseDn: "DC=abc,DC=com",
* ldapBindDn: "CN=admin,CN=users,DC=abc,DC=com",
* ldapBindPassword: "secret!password",
* ldapCacerts: [
* `-----BEGIN CERTIFICATE-----
* MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
* -----END CERTIFICATE-----`,
* `-----BEGIN CERTIFICATE-----
* BhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----`,
* ],
* ldapClientCert: `-----BEGIN CERTIFICATE-----
* MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
* -----END CERTIFICATE-----`,
* ldapClientKey: "-----BEGIN PRI...",
* });
* ```
*
* ## Import
*
* Using `pulumi import`, import `mist_org_nacidp` with:
*
* The NAC IDP can be imported by specifying the org_id and the nacidp_id, joined with a dot
*
* ```sh
* $ pulumi import junipermist:org/nacidp:Nacidp idp_azure 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
* ```
*/
export declare class Nacidp extends pulumi.CustomResource {
/**
* Get an existing Nacidp resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns A Nacidp whose outputs reflect the looked-up resource; no new resource is created.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NacidpState, opts?: pulumi.CustomResourceOptions): Nacidp;
/**
* Returns true if the given object is an instance of Nacidp. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* `obj` is typed `any` on purpose: the value may come from a different SDK copy, so a plain
* `instanceof` check would not be reliable. Prefer this predicate over an `as Nacidp` cast.
*/
static isInstance(obj: any): obj is Nacidp;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
readonly groupFilter: pulumi.Output<string | undefined>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`
*/
readonly idpType: pulumi.Output<string>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
readonly ldapBaseDn: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
readonly ldapBindDn: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*
* Sensitive value. NOTE(review): confirm the provider marks this output as secret; if not,
* wrap it with `pulumi.secret()` before using it elsewhere so it is not written to state in plaintext.
*/
readonly ldapBindPassword: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
*
* These are the trust anchors for the LDAPS server certificate; keep the list limited to the CA(s)
* that actually issue the directory servers' certificates.
*/
readonly ldapCacerts: pulumi.Output<string[] | undefined>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
readonly ldapClientCert: pulumi.Output<string | undefined>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*
* Private key material. NOTE(review): confirm the provider marks this as secret; treat it like `ldapBindPassword`.
*/
readonly ldapClientKey: pulumi.Output<string | undefined>;
/**
* If `ldapType`==`custom`
*/
readonly ldapGroupAttr: pulumi.Output<string | undefined>;
/**
* If `ldapType`==`custom`
*/
readonly ldapGroupDn: pulumi.Output<string | undefined>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
readonly ldapResolveGroups: pulumi.Output<boolean>;
/**
* If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
*/
readonly ldapServerHosts: pulumi.Output<string[] | undefined>;
/**
* if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
*/
readonly ldapType: pulumi.Output<string | undefined>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
readonly ldapUserFilter: pulumi.Output<string | undefined>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of member
*/
readonly memberFilter: pulumi.Output<string | undefined>;
/**
* Name
*/
readonly name: pulumi.Output<string>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
readonly oauthCcClientId: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*
* Private key material. NOTE(review): confirm the provider marks this as secret.
*/
readonly oauthCcClientSecret: pulumi.Output<string | undefined>;
/**
* If `idpType`==`oauth`
*
* NOTE(review): presumably the OAuth/OIDC discovery document URL — confirm against the provider docs.
*/
readonly oauthDiscoveryUrl: pulumi.Output<string | undefined>;
/**
* enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
*/
readonly oauthPingIdentityRegion: pulumi.Output<string>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
readonly oauthRopcClientId: pulumi.Output<string | undefined>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*
* Sensitive value. NOTE(review): confirm the provider marks this as secret.
*/
readonly oauthRopcClientSecret: pulumi.Output<string | undefined>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
readonly oauthTenantId: pulumi.Output<string | undefined>;
/**
* if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
*/
readonly oauthType: pulumi.Output<string>;
/**
* ID of the organization this NAC IDP belongs to (the first component of the import ID, see the
* `pulumi import` example above).
*/
readonly orgId: pulumi.Output<string>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
readonly scimEnabled: pulumi.Output<boolean>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*
* Bearer credential: anyone holding it can drive SCIM provisioning. NOTE(review): confirm the
* provider marks this output as secret, including the auto-generated case.
*/
readonly scimSecretToken: pulumi.Output<string>;
/**
* Create a Nacidp resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: NacidpArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Nacidp resources.
*
* Every property is optional because this shape is passed to `Nacidp.get()` to qualify a lookup.
* Fields holding credentials (`ldapBindPassword`, `ldapClientKey`, `oauthCcClientSecret`,
* `oauthRopcClientSecret`, `scimSecretToken`) should be supplied as `pulumi.secret()` values.
*/
export interface NacidpState {
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
groupFilter?: pulumi.Input<string>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`
*/
idpType?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
ldapBaseDn?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
ldapBindDn?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*
* Sensitive value; pass as a secret input.
*/
ldapBindPassword?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
*/
ldapCacerts?: pulumi.Input<pulumi.Input<string>[]>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
ldapClientCert?: pulumi.Input<string>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*
* Private key material; pass as a secret input.
*/
ldapClientKey?: pulumi.Input<string>;
/**
* If `ldapType`==`custom`
*/
ldapGroupAttr?: pulumi.Input<string>;
/**
* If `ldapType`==`custom`
*/
ldapGroupDn?: pulumi.Input<string>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
ldapResolveGroups?: pulumi.Input<boolean>;
/**
* If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
*/
ldapServerHosts?: pulumi.Input<pulumi.Input<string>[]>;
/**
* if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
*/
ldapType?: pulumi.Input<string>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
ldapUserFilter?: pulumi.Input<string>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of member
*/
memberFilter?: pulumi.Input<string>;
/**
* Name
*/
name?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
oauthCcClientId?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*
* Private key material; pass as a secret input.
*/
oauthCcClientSecret?: pulumi.Input<string>;
/**
* If `idpType`==`oauth`
*
* NOTE(review): presumably the OAuth/OIDC discovery document URL — confirm against the provider docs.
*/
oauthDiscoveryUrl?: pulumi.Input<string>;
/**
* enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
*/
oauthPingIdentityRegion?: pulumi.Input<string>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
oauthRopcClientId?: pulumi.Input<string>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*
* Sensitive value; pass as a secret input.
*/
oauthRopcClientSecret?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
oauthTenantId?: pulumi.Input<string>;
/**
* if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
*/
oauthType?: pulumi.Input<string>;
/**
* ID of the organization this NAC IDP belongs to.
*/
orgId?: pulumi.Input<string>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
scimEnabled?: pulumi.Input<boolean>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*
* Bearer credential; pass as a secret input.
*/
scimSecretToken?: pulumi.Input<string>;
}
<![CDATA[]]>/**
* The set of arguments for constructing a Nacidp resource.
*
* Only `idpType` and `orgId` are mandatory; the remaining properties are conditionally required
* depending on `idpType` / `ldapType` / `oauthType` as noted on each field. Fields holding credentials
* (`ldapBindPassword`, `ldapClientKey`, `oauthCcClientSecret`, `oauthRopcClientSecret`,
* `scimSecretToken`) should be supplied as `pulumi.secret()` values rather than plain literals.
*/
export interface NacidpArgs {
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
*/
groupFilter?: pulumi.Input<string>;
/**
* enum: `ldap`, `mxedgeProxy`, `oauth`
*/
idpType: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
*/
ldapBaseDn?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
*/
ldapBindDn?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
*
* Sensitive value; pass as a secret input.
*/
ldapBindPassword?: pulumi.Input<string>;
/**
* Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
*
* Trust anchors for the LDAPS server certificate; limit the list to the CA(s) that issue the directory servers' certificates.
*/
ldapCacerts?: pulumi.Input<pulumi.Input<string>[]>;
/**
* If `idpType`==`ldap`, LDAPS Client certificate
*/
ldapClientCert?: pulumi.Input<string>;
/**
* If `idpType`==`ldap`, Key for the `ldapClientCert`
*
* Private key material; pass as a secret input.
*/
ldapClientKey?: pulumi.Input<string>;
/**
* If `ldapType`==`custom`
*/
ldapGroupAttr?: pulumi.Input<string>;
/**
* If `ldapType`==`custom`
*/
ldapGroupDn?: pulumi.Input<string>;
/**
* If `idpType`==`ldap`, whether to recursively resolve LDAP groups
*/
ldapResolveGroups?: pulumi.Input<boolean>;
/**
* If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
*/
ldapServerHosts?: pulumi.Input<pulumi.Input<string>[]>;
/**
* if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
*/
ldapType?: pulumi.Input<string>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
*/
ldapUserFilter?: pulumi.Input<string>;
/**
* Required if `ldapType`==`custom`, LDAP filter that will identify the type of member
*/
memberFilter?: pulumi.Input<string>;
/**
* Name
*/
name?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, Client Credentials
*/
oauthCcClientId?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
*
* Private key material; pass as a secret input.
*/
oauthCcClientSecret?: pulumi.Input<string>;
/**
* If `idpType`==`oauth`
*
* NOTE(review): presumably the OAuth/OIDC discovery document URL — confirm against the provider docs.
*/
oauthDiscoveryUrl?: pulumi.Input<string>;
/**
* enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
*/
oauthPingIdentityRegion?: pulumi.Input<string>;
/**
* If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
*/
oauthRopcClientId?: pulumi.Input<string>;
/**
* If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
*
* Sensitive value; pass as a secret input.
*/
oauthRopcClientSecret?: pulumi.Input<string>;
/**
* Required if `idpType`==`oauth`, oauth*tenant*id
*/
oauthTenantId?: pulumi.Input<string>;
/**
* if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
*/
oauthType?: pulumi.Input<string>;
/**
* ID of the organization this NAC IDP belongs to (required).
*/
orgId: pulumi.Input<string>;
/**
* If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
*/
scimEnabled?: pulumi.Input<boolean>;
/**
* If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
*
* Bearer credential; pass as a secret input when you supply it yourself.
*/
scimSecretToken?: pulumi.Input<string>;
}