From 6fb51c251222e334b10b5ecc652f7398292d101c Mon Sep 17 00:00:00 2001 From: Patrick Cowland Date: Wed, 10 Jul 2024 14:00:55 +0100 Subject: [PATCH 1/5] Uplift HCL for pingone provider v1 --- terraform/davinci.tf | 72 +++++++-------- terraform/main.tf | 4 +- terraform/pingone.tf | 197 +++++++++++++++++++++++++---------------- terraform/variables.tf | 17 +++- 4 files changed, 172 insertions(+), 118 deletions(-) diff --git a/terraform/davinci.tf b/terraform/davinci.tf index e7754b9..4e1adb3 100644 --- a/terraform/davinci.tf +++ b/terraform/davinci.tf @@ -74,12 +74,12 @@ resource "davinci_connection" "PingOne" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { @@ -106,12 +106,12 @@ resource "davinci_connection" "PingOne-MFA" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { @@ -125,8 +125,8 @@ resource "davinci_connection" "PingOne-MFA" { } property { - name = "policyId" - value = pingone_mfa_policy.master_flow_mfa_policy.id + name = "policyId" + value = pingone_mfa_device_policy.master_flow_mfa_device_policy.id } } @@ -137,12 +137,12 @@ resource "davinci_connection" "PingOne-Authorize" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { 
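Review bot: The `clientId`/`clientSecret` property values are repeated verbatim in this hunk and in the PingOne-MFA, PingOne-Authorize, PingOne-Notifications, PingOne-Protect and PingOne-Verify hunks that follow, so every provider schema change has to be made six times (PATCH 4/5 in this same series touches all six `clientId` lines again). A `locals` block in davinci.tf, e.g. `dv_worker_client_id = pingone_application.dv_worker_app.id` and `dv_worker_client_secret = pingone_application_secret.dv_worker_app.secret`, referenced as `local.dv_worker_client_id` / `local.dv_worker_client_secret` from each connection, would make the next migration a one-line edit. The enclosing `davinci_connection` resources start and end outside the hunk.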
@@ -158,12 +158,12 @@ resource "davinci_connection" "PingOne-Notifications" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { @@ -184,12 +184,12 @@ resource "davinci_connection" "PingOne-Protect" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { @@ -210,12 +210,12 @@ resource "davinci_connection" "PingOne-Verify" { property { name = "clientId" - value = pingone_application.dv_worker_app.oidc_options[0].client_id + value = pingone_application.dv_worker_app.id } property { name = "clientSecret" - value = pingone_application.dv_worker_app.oidc_options[0].client_secret + value = pingone_application_secret.dv_worker_app.secret } property { 
@@ -641,27 +641,27 @@ resource "davinci_variable" "gv-p1PasswordPolicy" { mutable = "true" name = "gv-p1PasswordPolicy" type = "object" - value = replace(replace(replace(jsonencode({ - "id": data.pingone_password_policy.standard_password_policy.id, - "environment": { "id": data.pingone_password_policy.standard_password_policy.environment_id }, - "name": data.pingone_password_policy.standard_password_policy.name, - "description": data.pingone_password_policy.standard_password_policy.description, - "excludesProfileData": data.pingone_password_policy.standard_password_policy.exclude_profile_data, - "notSimilarToCurrent": data.pingone_password_policy.standard_password_policy.not_similar_to_current, - "excludesCommonlyUsed": data.pingone_password_policy.standard_password_policy.exclude_commonly_used_passwords, - "maxAgeDays": 22, - "history": { "count": data.pingone_password_policy.standard_password_policy.password_history[0].prior_password_count, "retentionDays": data.pingone_password_policy.standard_password_policy.password_history[0].retention_days }, - "lockout": { "failureCount": data.pingone_password_policy.standard_password_policy.account_lockout[0].fail_count, "durationSeconds": data.pingone_password_policy.standard_password_policy.account_lockout[0].duration_seconds }, - "length": { "min": data.pingone_password_policy.standard_password_policy.password_length[0].min, "max": data.pingone_password_policy.standard_password_policy.password_length[0].max }, - "minCharacters": { - "~!@#$%^&*()-_=+[]{}|;:,.<>/?": data.pingone_password_policy.standard_password_policy.min_characters[0].special_characters, - "0123456789": data.pingone_password_policy.standard_password_policy.min_characters[0].numeric, - "ABCDEFGHIJKLMNOPQRSTUVWXYZ": data.pingone_password_policy.standard_password_policy.min_characters[0].alphabetical_uppercase, - "abcdefghijklmnopqrstuvwxyz": data.pingone_password_policy.standard_password_policy.min_characters[0].alphabetical_lowercase - }, - 
"populationCount": data.pingone_password_policy.standard_password_policy.population_count, - "default": true - }), "\\u0026", "&"), "\\u003c", "<"), "\\u003e", ">") + value = replace(replace(replace(jsonencode({ + "id" : data.pingone_password_policy.standard_password_policy.id, + "environment" : { "id" : data.pingone_password_policy.standard_password_policy.environment_id }, + "name" : data.pingone_password_policy.standard_password_policy.name, + "description" : data.pingone_password_policy.standard_password_policy.description, + "excludesProfileData" : data.pingone_password_policy.standard_password_policy.excludes_profile_data, + "notSimilarToCurrent" : data.pingone_password_policy.standard_password_policy.not_similar_to_current, + "excludesCommonlyUsed" : data.pingone_password_policy.standard_password_policy.excludes_commonly_used_passwords, + "maxAgeDays" : 22, + "history" : { "count" : data.pingone_password_policy.standard_password_policy.history.count, "retentionDays" : data.pingone_password_policy.standard_password_policy.history.retention_days }, + "lockout" : { "failureCount" : data.pingone_password_policy.standard_password_policy.lockout.failure_count, "durationSeconds" : data.pingone_password_policy.standard_password_policy.lockout.duration_seconds }, + "length" : { "min" : data.pingone_password_policy.standard_password_policy.length.min, "max" : data.pingone_password_policy.standard_password_policy.length.max }, + "minCharacters" : { + "~!@#$%^&*()-_=+[]{}|;:,.<>/?" 
: data.pingone_password_policy.standard_password_policy.min_characters.special_characters, + "0123456789" : data.pingone_password_policy.standard_password_policy.min_characters.numeric, + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" : data.pingone_password_policy.standard_password_policy.min_characters.alphabetical_uppercase, + "abcdefghijklmnopqrstuvwxyz" : data.pingone_password_policy.standard_password_policy.min_characters.alphabetical_lowercase + }, + "populationCount" : data.pingone_password_policy.standard_password_policy.population_count, + "default" : true + }), "\\u0026", "&"), "\\u003c", "<"), "\\u003e", ">") } resource "davinci_variable" "gv-p1PopulationId" { @@ -1100,7 +1100,7 @@ resource "davinci_variable" "gv-mfaPolicyId" { mutable = "true" name = "gv-mfaPolicyId" type = "string" - value = pingone_mfa_policy.master_flow_mfa_policy.id + value = pingone_mfa_device_policy.master_flow_mfa_device_policy.id } resource "davinci_variable" "gv-progressiveProfilingAuthentication" { diff --git a/terraform/main.tf b/terraform/main.tf index 90dfcde..b547145 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { pingone = { source = "pingidentity/pingone" - version = ">= 0.27.0, < 1.0.0" + version = ">= 1.0.0, < 2.0.0" } davinci = { source = "pingidentity/davinci" @@ -15,7 +15,7 @@ provider "pingone" { client_id = var.worker_id client_secret = var.worker_secret environment_id = var.pingone_environment_id - region = var.region + region_code = var.region_code } provider "davinci" { diff --git a/terraform/pingone.tf b/terraform/pingone.tf index 9a5d056..3189712 100644 --- a/terraform/pingone.tf +++ b/terraform/pingone.tf 
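Review bot: `"maxAgeDays" : 22` is still a hard-coded literal in the rewritten `gv-p1PasswordPolicy` value while every sibling field is now read from `data.pingone_password_policy.standard_password_policy`, so the object handed to DaVinci can misstate the policy actually enforced in the environment. If the v1 data source exposes the policy's maximum age (its attribute name is not visible here — check the provider docs for the pinned version), read it from there; otherwise a comment such as `# maxAgeDays is fixed at 22 here and is NOT read from the password policy data source` should make the divergence explicit. The `replace(...)` chain undoing jsonencode's `\u0026`/`\u003c`/`\u003e` escaping is unchanged and still needed, since the `minCharacters` keys contain `&`, `<` and `>`.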
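Review bot: After `region_code = var.region_code` replaces `region = var.region`, the provider no longer reads `var.region`, yet variables.tf (hunk `@@ -12,9 +12,20`) keeps both variables with independent defaults (`"NorthAmerica"` and `"NA"`), so a user who sets `region = "Europe"` in terraform.tfvars and leaves `region_code` alone presumably has the provider talk to NA while believing it targets Europe. Derive one from the other instead of accepting both, e.g. `region_code = lookup({ NorthAmerica = "NA", Europe = "EU", Canada = "CA", AsiaPacific = "AP" }, var.region, var.region_code)`, or remove `region` and its README/tfvars entries once nothing reads it. The version-constraint hunk above is fine as is.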
@@ -4,22 +4,24 @@ resource "pingone_environment" "master_flow_environment" { type = var.environment_type license_id = var.license_id != "" ? var.license_id : data.pingone_licenses.internal_license.ids[0] - service { - type = "SSO" - } - service { - type = "MFA" - } - service { - type = "DaVinci" - tags = ["DAVINCI_MINIMAL"] - } - service { - type = "Verify" - } - service { - type = "Risk" - } + services = [ + { + type = "SSO" + }, + { + type = "MFA" + }, + { + type = "DaVinci" + tags = ["DAVINCI_MINIMAL"] + }, + { + type = "Verify" + }, + { + type = "Risk" + } + ] } resource "pingone_role_assignment_user" "id_admin" { @@ -197,6 +199,8 @@ resource "pingone_group" "my_awesome_group" { # PingOne MFA Policy # ######################## +// We leave this policy in place for the time being, but we don't actually use it. +// We do this because if people have already created an environment and are updating HCL, this will not break their existing state resource "pingone_mfa_policy" "master_flow_mfa_policy" { environment_id = pingone_environment.master_flow_environment.id name = "Master Flow MFA Policy" @@ -228,6 +232,40 @@ resource "pingone_mfa_policy" "master_flow_mfa_policy" { } } +resource "pingone_mfa_device_policy" "master_flow_mfa_device_policy" { + environment_id = pingone_environment.master_flow_environment.id + name = "Master Flow MFA Device Policy" + new_device_notification = "EMAIL_THEN_SMS" + + authentication = { + device_selection = "ALWAYS_DISPLAY_DEVICES" + } + + mobile = { + enabled = false + } + + totp = { + enabled = true + } + + fido2 = { + enabled = true + } + + sms = { + enabled = true + } + + voice = { + enabled = true + } + + email = { + enabled = true + } +} + ############################ # Social Login Providers # 
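Review bot: The two new `//` comment lines above `master_flow_mfa_policy` break the file's comment style, which elsewhere in this hunk uses `#` (the `# PingOne MFA Policy #` banner directly above them); `#` would keep the file consistent. The new `pingone_mfa_device_policy` resource carries no comment at all while the retained legacy policy has two, so a reader cannot tell which of the two policies is live; a line such as `# v1 replacement for master_flow_mfa_policy; referenced by the DaVinci PingOne-MFA connection and gv-mfaPolicyId` would settle that. Note also that keeping the legacy `pingone_mfa_policy` resource in config keeps it provisioned and managed in every environment, not merely present in state, so the stated "don't break existing state" intent only partly matches what the config does.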
@@ -240,7 +278,7 @@ resource "pingone_identity_provider" "google" { name = "Google" enabled = true - google { + google = { client_id = var.google_client_id == "" ? "client-id" : var.google_client_id client_secret = var.google_client_secret == "" ? "client-secret" : var.google_client_secret } @@ -258,7 +296,7 @@ resource "pingone_identity_provider" "facebook" { name = "Facebook" enabled = true - facebook { + facebook = { app_id = var.facebook_app_id == "" ? "app-id" : var.facebook_app_id app_secret = var.facebook_app_secret == "" ? "app-secret" : var.facebook_app_secret } 
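Review bot: With `enabled = true` fixed on the Google provider and `client_id`/`client_secret` falling back to the literals `"client-id"`/`"client-secret"` when the variables are empty, a deployment that sets neither ends up with an enabled social-login option whose credentials cannot work; the `facebook` hunk below has the same shape with `"app-id"`/`"app-secret"`. If the placeholders exist only to satisfy required arguments, tie enablement to the inputs instead, e.g. `enabled = var.google_client_id != "" && var.google_client_secret != ""`, so the option is not offered when it cannot succeed. The enclosing `pingone_identity_provider` resources start and end outside the hunk.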
@@ -359,7 +397,7 @@ resource "pingone_webhook" "master_flow_webhook" { format = "ACTIVITY" - filter_options { + filter_options = { included_action_types = ["ACCOUNT.LINKED", "ACCOUNT.UNLINKED", "ACTION.CREATED", "ACTION.DELETED", "ACTION.UPDATED", "ADVANCEDSERVICES_ORCHESTRATION.CREATION_COMPLETED", "ADVANCEDSERVICES_ORCHESTRATION.CREATION_FAILED", "ADVANCEDSERVICES_ORCHESTRATION.CREATION_STARTED", "ADVANCEDSERVICES_ORCHESTRATION.CREATION_START_FAILED", "ADVANCEDSERVICES_ORCHESTRATION.DELETION_COMPLETED", "ADVANCEDSERVICES_ORCHESTRATION.DELETION_FAILED", "ADVANCEDSERVICES_ORCHESTRATION.DELETION_STARTED", "ADVANCEDSERVICES_ORCHESTRATION.DELETION_START_FAILED", "AGREEMENT.CREATED", "AGREEMENT.DELETED", "AGREEMENT.UPDATED", "AGREEMENT_CONSENT.ACCEPTED", "AGREEMENT_CONSENT.REVOKED", "AGREEMENT_LANGUAGE.CREATED", "AGREEMENT_LANGUAGE.DELETED", "AGREEMENT_LANGUAGE.UPDATED", "AGREEMENT_LANGUAGE_REVISION.CREATED", "AGREEMENT_LANGUAGE_REVISION.DELETED", "AGREEMENT_LANGUAGE_REVISION.UPDATED", "API_ACCESS_LOG_ENTRY.HTTP_REQUEST_POLICY_EVALUATED", "API_ACCESS_LOG_ENTRY.HTTP_RESPONSE_POLICY_EVALUATED", "API_SERVER.CREATED", "API_SERVER.DELETED", "API_SERVER.POLICIES_DEPLOYED", "API_SERVER.UPDATED", "APPLICATION.CREATED", "APPLICATION.DELETED", "APPLICATION.PLAY_INTEGRITY_MISCONFIGURATION", "APPLICATION.UPDATED", "APPLICATION_PERMISSION.CREATED", "APPLICATION_PERMISSION.DELETED", "APPLICATION_ROLE.CREATED", "APPLICATION_ROLE_ENTRY.ADDED", "APPLICATION_ROLE_ENTRY.REMOVED", "ASSERTION.CHECK_FAILED", "ASSERTION.CHECK_SUCCESS", "AUTHENTICATION.CREATED", "AUTHENTICATION.UPDATED", "AUTHENTICATION_CODE.CREATED", "AUTHENTICATION_CODE.DELETED", "AUTHENTICATION_CODE.UPDATED", "AUTHORIZE_ATTRIBUTE.CREATED", "AUTHORIZE_ATTRIBUTE.DELETED", "AUTHORIZE_ATTRIBUTE.UPDATED", "AUTHORIZE_CONDITION.CREATED", "AUTHORIZE_CONDITION.DELETED", "AUTHORIZE_CONDITION.UPDATED", "AUTHORIZE_POLICY.CREATED", "AUTHORIZE_POLICY.DELETED", "AUTHORIZE_POLICY.UPDATED", "AUTHORIZE_PROCESSOR.CREATED", 
"AUTHORIZE_PROCESSOR.DELETED", "AUTHORIZE_PROCESSOR.UPDATED", "AUTHORIZE_SERVICE.CREATED", "AUTHORIZE_SERVICE.DELETED", "AUTHORIZE_SERVICE.UPDATED", "AUTHORIZE_SHARED_ADVICE.CREATED", "AUTHORIZE_SHARED_ADVICE.DELETED", "AUTHORIZE_SHARED_ADVICE.UPDATED", "AUTHORIZE_SHARED_RULE.CREATED", "AUTHORIZE_SHARED_RULE.DELETED", "AUTHORIZE_SHARED_RULE.UPDATED", "AUTHORIZE_TAG.DELETED", "AUTHORIZE_TAG.UPDATED", "BRANDING.DELETED", "BRANDING.UPDATED", "CERTIFICATE.CREATED", "CERTIFICATE.DELETED", "CERTIFICATE.READ", "CERTIFICATE.UPDATED", "CONTENT.CREATED", "CONTENT.DELETED", "CONTENT.UPDATED", "CONTENTS.DELETED", "CONTENTS.UPDATED", "CREDENTIAL_TYPE.CREATED", "CREDENTIAL_TYPE.DELETED", "CREDENTIAL_TYPE.UPDATED", "CUSTOM_DOMAIN.CREATED", "CUSTOM_DOMAIN.DELETED", "CUSTOM_DOMAIN.UPDATED", "DAVINCI_INTERACTION.CUSTOM_ANALYTICS", "DAVINCI_INTERACTION.RECEIVE_REQUEST", "DAVINCI_INTERACTION.SEND_ERROR_RESPONSE", "DAVINCI_INTERACTION.SEND_RESPONSE", "DAVINCI_INTERACTION.START_INTERACTION", "DECISION_ENDPOINT.CREATED", "DECISION_ENDPOINT.DECISION_REQUEST_EVALUATED", "DECISION_ENDPOINT.DELETED", "DECISION_ENDPOINT.UPDATED", "DEVICE.ACTIVATED", "DEVICE.ACTIVATION_FAILED", "DEVICE.ACTIVATION_OTP_FAILED", "DEVICE.ACTIVATION_OTP_INVALID", "DEVICE.BLOCKED", "DEVICE.CREATED", "DEVICE.DELETED", "DEVICE.FRAUD_REPORTED", "DEVICE.KEY_ROTATION_FAILED", "DEVICE.KEY_ROTATION_SUCCEEDED", "DEVICE.LOCKED", "DEVICE.LOGS_RECEIVED", "DEVICE.NICKNAME_UPDATED", "DEVICE.PAIRING_FAILED_COMPROMISED", "DEVICE.UNBLOCKED", "DEVICE.UNLOCKED", "DEVICE.UPDATED", "DEVICE.WEBAUTHN_UPDATED", "DEVICES.ORDER_CREATED", "DEVICES.ORDER_DELETED", "DEVICES.ORDER_UPDATED", "DEVICE_AUTHENTICATION_POLICY.CREATED", "DEVICE_AUTHENTICATION_POLICY.DELETED", "DEVICE_AUTHENTICATION_POLICY.UPDATED", "DIGITAL_WALLET.ACTIVE", "DIGITAL_WALLET.DELETED", "DIGITAL_WALLET.DISABLED", "DIGITAL_WALLET.EXPIRED", "DIGITAL_WALLET.PAIRING_REQUIRED", "DIGITAL_WALLET_APPLICATION.CREATED", "DIGITAL_WALLET_APPLICATION.DELETED", 
"DIGITAL_WALLET_APPLICATION.UPDATED", "EMAIL_DOMAIN.CREATED", "EMAIL_DOMAIN.DELETED", "ENVIRONMENT.CAPABILITIES", "ENVIRONMENT.CREATED", "ENVIRONMENT.DELETED", "ENVIRONMENT.DEMOTED", "ENVIRONMENT.PROMOTED", "ENVIRONMENT.UPDATED", "FIDO_METADATA.CREATED", "FIDO_METADATA.DELETED", "FIDO_POLICY.CREATED", "FIDO_POLICY.DELETED", "FIDO_POLICY.UPDATED", "FLOW.CREATED", "FLOW.DELETED", "FLOW.UPDATED", "FLOW_DEFINITION.CREATED", "FLOW_DEFINITION.DELETED", "FLOW_DEFINITION.UPDATED", "FLOW_EXECUTION.CREATED", "FLOW_EXECUTION.UPDATED", "FLOW_POLICY_ASSIGNMENT.CREATED", "FLOW_POLICY_ASSIGNMENT.DELETED", "FLOW_POLICY_ASSIGNMENT.UPDATED", "GATEWAY.CREATED", "GATEWAY.DELETED", "GATEWAY.UPDATED", "GATEWAY_INSTANCE.CREATED", "GATEWAY_INSTANCE.DELETED", "GATEWAY_INSTANCE.UPDATED", "GRANT.CREATED", "GRANT.DELETED", "GRANT.UPDATED", "GROUP.CREATED", "GROUP.DELETED", "GROUP.UPDATED", "IDENTITY_PROVIDER.CREATED", "IDENTITY_PROVIDER.DELETED", "IDENTITY_PROVIDER.UPDATED", "IDP_ATTRIBUTE.CREATED", "IDP_ATTRIBUTE.DELETED", "IDP_ATTRIBUTE.UPDATED", "IMAGE.ACTIVATED", "IMAGE.CREATED", "IMAGE.DELETED", "INSTANT_MESSAGING_DELIVERY_SETTINGS.CREATED", "INSTANT_MESSAGING_DELIVERY_SETTINGS.DELETED", "INSTANT_MESSAGING_DELIVERY_SETTINGS.UPDATED", "ISSUANCE.CREATED", "ISSUANCE_RULE.CREATED", "ISSUANCE_RULE.DELETED", "ISSUANCE_RULE.UPDATED", "KEY.CREATED", "KEY.DELETED", "KEY.READ", "KEY.UPDATED", "KRP.CREATED", "KRP.DELETED", "KRP.ROTATED", "KRP.UPDATED", "LICENSE.CREATED", "LICENSE.DELETED", "LICENSE.UPDATED", "MEMBER_OF_GROUP.CREATED", "MEMBER_OF_GROUP.DELETED", "MFA_SETTINGS.UPDATED", "NOTIFICATION.CREATED", "NOTIFICATION.REJECTED", "NOTIFICATION.UPDATED", "NOTIFICATIONS_SETTINGS.UPDATED", "NOTIFICATION_POLICY.CREATED", "NOTIFICATION_POLICY.DELETED", "NOTIFICATION_POLICY.UPDATED", "OAUTH_CONSENT.ACCEPTED", "OAUTH_CONSENT.DECLINED", "OAUTH_CONSENT.DELETED", "OAUTH_CONSENT.REVOKED", "ORGANIZATION.CAPABILITIES", "ORGANIZATION.CREATED", "ORGANIZATION.DELETED", "ORGANIZATION.UPDATED", 
"OTP.CHECK_FAILED", "OTP.CHECK_INVALID", "OTP.CHECK_SUCCESS", "PASSWORD.CHECK_FAILED", "PASSWORD.CHECK_SUCCEEDED", "PASSWORD.FORCE_CHANGE", "PASSWORD.RECOVERY", "PASSWORD.RESET", "PASSWORD.SET", "PASSWORD.UNLOCKED", "PASSWORD.UNSET", "PHONE_DELIVERY_SETTINGS.CREATED", "PHONE_DELIVERY_SETTINGS.DELETED", "PHONE_DELIVERY_SETTINGS.UPDATED", "POLICY.CREATED", "POLICY.DELETED", "POLICY.UPDATED", "POPULATION.CREATED", "POPULATION.DELETED", "POPULATION.UPDATED", "PROVISIONING_CONNECTION.CREATED", "PROVISIONING_CONNECTION.DELETED", "PROVISIONING_CONNECTION.UPDATED", "PROVISIONING_GROUP_MEMBERSHIP_SYNC.FAILURE", "PROVISIONING_GROUP_SYNC.FAILURE", "PROVISIONING_IDENTITY_SYNC.FAILURE", "PROVISIONING_MAPPING.CREATED", "PROVISIONING_MAPPING.DELETED", "PROVISIONING_MAPPING.UPDATED", "PROVISIONING_POLL.FAILURE", "PROVISIONING_RULE.CREATED", "PROVISIONING_RULE.DELETED", "PROVISIONING_RULE.UPDATED", "PROVISIONING_SYNC.FAILURE", "PROVISIONING_SYNC.STARTED", "PROVISION_CREDENTIAL.ACCEPTED", "PROVISION_CREDENTIAL.CREATED", "PROVISION_CREDENTIAL.DELETED", "PROVISION_CREDENTIAL.DELETED_FROM_WALLET", "PROVISION_CREDENTIAL.REJECTED", "PROVISION_CREDENTIAL.REVOKED", "PUSH_CREDENTIALS.CREATED", "PUSH_CREDENTIALS.DELETED", "PUSH_CREDENTIALS.UPDATED", "RADIUS_SESSION.CREATED", "RADIUS_SESSION.UPDATED", "RESCUE_IDENTITY.CREATED", "RESOURCE.CREATED", "RESOURCE.DELETED", "RESOURCE.UPDATED", "RESOURCE_ATTRIBUTE.CREATED", "RESOURCE_ATTRIBUTE.DELETED", "RESOURCE_ATTRIBUTE.UPDATED", "RISK_EVALUATION.CREATED", "RISK_EVALUATION.STAGING_CREATED", "RISK_EVALUATION.UPDATED", "RISK_POLICY_SET.CREATED", "RISK_POLICY_SET.DELETED", "RISK_POLICY_SET.UPDATED", "RISK_PREDICTOR.CREATED", "RISK_PREDICTOR.DELETED", "RISK_PREDICTOR.UPDATED", "ROLE_ASSIGNMENT.CREATED", "ROLE_ASSIGNMENT.DELETED", "SAML_ATTRIBUTE.CREATED", "SAML_ATTRIBUTE.DELETED", "SAML_ATTRIBUTE.UPDATED", "SCHEMA_ATTRIBUTE.CREATED", "SCHEMA_ATTRIBUTE.DELETED", "SCHEMA_ATTRIBUTE.UPDATED", "SCOPE.CREATED", "SCOPE.DELETED", "SCOPE.UPDATED", 
"SECRET.READ", "SECRET.UPDATED", "SEEN_DEVICE.CREATED", "SEEN_DEVICE.DELETED", "SEEN_DEVICE.UPDATED", "SESSION.CREATED", "SESSION.DELETED", "SESSION.UPDATED", "SETTINGS.CREATED", "SETTINGS.UPDATED", "SIGN_ON_POLICY_ASSIGNMENT.CREATED", "SIGN_ON_POLICY_ASSIGNMENT.DELETED", "SIGN_ON_POLICY_ASSIGNMENT.UPDATED", "SOLUTIONS_WORKFLOW.CREATION_SUCCESS", "SOLUTIONS_WORKFLOW.RETRIEVE_FAILED", "SOLUTIONS_WORKFLOW.RETRIEVE_SUCCESS", "SOLUTIONS_WORKFLOW.UPDATE_SUCCESS", "STAGED_CHANGE.COMPLETED", "STAGED_CHANGE.CREATED", "STAGED_CHANGE.DELETED", "STAGED_CHANGE.FAILED", "STAGED_CHANGE.UPDATED", "SUBSCRIPTION.CREATED", "SUBSCRIPTION.DELETED", "SUBSCRIPTION.UPDATED", "THEME.CREATED", "THEME.DELETED", "THEME.UPDATED", "TRUSTED_EMAIL.ACTIVE", "TRUSTED_EMAIL.CREATED", "TRUSTED_EMAIL.DELETED", "TRUSTED_EMAIL.SEND_CODE", "USER.ACCESS_ALLOWED", "USER.ACCESS_DENIED", "USER.CREATED", "USER.DELETED", "USER.LOCKED", "USER.MOVED", "USER.QUOTA_RESET", "USER.SLO_FAILURE", "USER.SLO_REQUESTED", "USER.SLO_SUCCESS", "USER.UNLOCKED", "USER.UPDATED", "USER_CREDENTIAL.DELETED", "USER_CREDENTIAL.ISSUED", "USER_CREDENTIAL.PENDING", "USER_CREDENTIAL.REVOKED", "USER_SEEN_DEVICE.CREATED", "USER_SEEN_DEVICE.DELETED", "USER_SEEN_DEVICE.UPDATED", "VALIDATION_TRANSACTION.CREATED", "VALIDATION_TRANSACTION.DELETED", "VALIDATION_TRANSACTION.UPDATED", "VERIFY_APPEVENT.CREATED", "VERIFY_METADATA.CREATED", "VERIFY_POLICY.CREATED", "VERIFY_POLICY.DELETED", "VERIFY_POLICY.UPDATED"] } } @@ -373,7 +411,7 @@ resource "pingone_application" "master_flow_webhook_link" { name = "PingOne Facile Decoder" enabled = true - external_link_options { + external_link_options = { home_page_url = "https://decoder.pingidentity.cloud/webhooks/${pingone_environment.master_flow_environment.id}" } 
@@ -387,13 +425,13 @@ resource "pingone_application" "dv_worker_app" { name = "PingOne DaVinci Connection" enabled = true - oidc_options { - type = "WORKER" - grant_types = ["CLIENT_CREDENTIALS"] - token_endpoint_authn_method = "CLIENT_SECRET_BASIC" + oidc_options = { + type = "WORKER" + grant_types = ["CLIENT_CREDENTIALS"] + token_endpoint_auth_method = "CLIENT_SECRET_BASIC" } - icon { + icon = { id = "c6dbb456-0857-4fab-bfb0-909944233017" href = "https://assets.pingone.com/ux/ui-library/4.18.0/images/logo-pingidentity.png" } @@ -403,6 +441,11 @@ resource "pingone_application" "dv_worker_app" { ] } +resource "pingone_application_secret" "dv_worker_app" { + environment_id = pingone_environment.master_flow_environment.id + application_id = pingone_application.dv_worker_app.id +} + resource "pingone_application_role_assignment" "id_admin" { environment_id = pingone_environment.master_flow_environment.id application_id = pingone_application.dv_worker_app.id @@ -432,15 +475,15 @@ resource "pingone_application" "oidc_app" { enabled = true name = "Master Flow OIDC App" - oidc_options { - type = "WEB_APP" - grant_types = ["AUTHORIZATION_CODE"] - response_types = ["CODE"] - token_endpoint_authn_method = "NONE" - redirect_uris = ["https://auth.pingone.com/${pingone_environment.master_flow_environment.id}/rp/callback/openid_connect"] + oidc_options = { + type = "WEB_APP" + grant_types = ["AUTHORIZATION_CODE"] + response_types = ["CODE"] + token_endpoint_auth_method = "NONE" + redirect_uris = ["https://auth.pingone.com/${pingone_environment.master_flow_environment.id}/rp/callback/openid_connect"] } - icon { + icon = { id = "c6dbb456-0857-4fab-bfb0-909944233017" href = "https://assets.pingone.com/ux/ui-library/4.18.0/images/logo-pingidentity.png" } 
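Review bot: The new `pingone_application_secret.dv_worker_app` resource makes the worker app's secret a first-class value in Terraform state, and the six `davinci_connection` property blocks in davinci.tf copy it into state a second time, so the state backend now holds a credential for an application that the `id_admin` role assignment directly below this hunk presumably grants elevated rights (the role itself is not visible here). That is not new in kind — the old `oidc_options[0].client_secret` was in state too — but it deserves a comment on the resource, e.g. `# .secret is persisted in Terraform state in plaintext; protect the state backend accordingly`. How this resource handles rotation (in place versus replacement) is not visible in the hunk; confirm against the provider docs before relying on either.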
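Review bot: `oidc_app` is rewritten as a `WEB_APP` using `AUTHORIZATION_CODE` with `token_endpoint_auth_method = "NONE"`, i.e. a public client on the code flow with no visible PKCE requirement, which leaves the `rp/callback/openid_connect` redirect relying on the authorization code alone. Since the block is being migrated anyway, this is the moment to require PKCE — the `oidc_options` schema exposes a `pkce_enforcement` attribute with `S256_REQUIRED` as the strict setting (confirm it against the docs for the pinned v1 version) — or to add a comment stating why a public web app with no client authentication is intended here. The enclosing resource starts and ends outside the hunk.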
@@ -508,18 +551,18 @@ resource "pingone_notification_template_content" "device_pairing" { locale = "en" variant = "OTP" - email { - body = "${file("${path.module}/data/notification_templates/devicePairing OTP.html")}" + email = { + body = file("${path.module}/data/notification_templates/devicePairing OTP.html") subject = "Device Pairing OTP" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -535,18 +578,18 @@ resource "pingone_notification_template_content" "email_verification_user" { template_name = "email_verification_user" locale = "en" - email { - body = "${file("${path.module}/data/notification_templates/Email Address Verification (User) - OTP.html")}" + email = { + body = file("${path.module}/data/notification_templates/Email Address Verification (User) - OTP.html") subject = "Email Verification (User)" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -563,18 +606,18 @@ resource "pingone_notification_template_content" "magic_link" { locale = "en" variant = "MagicLink" - email { - body = "${file("${path.module}/data/notification_templates/magiclink.html")}" + email = { + body = file("${path.module}/data/notification_templates/magiclink.html") subject = "Magic Link" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } 
@@ -590,18 +633,18 @@ resource "pingone_notification_template_content" "new_device_paired" { template_name = "new_device_paired" locale = "en" - email { - body = "${file("${path.module}/data/notification_templates/newDevicePaired.html")}" + email = { + body = file("${path.module}/data/notification_templates/newDevicePaired.html") subject = "New Device Paired" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -618,18 +661,18 @@ resource "pingone_notification_template_content" "forgot_username" { locale = "en" variant = "Forgot Username" - email { - body = "${file("${path.module}/data/notification_templates/forgotusername.html")}" + email = { + body = file("${path.module}/data/notification_templates/forgotusername.html") subject = "Forgot Username" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -646,18 +689,18 @@ resource "pingone_notification_template_content" "general_otp" { locale = "en" variant = "OTP" - email { - body = "${file("${path.module}/data/notification_templates/general-otp.html")}" + email = { + body = file("${path.module}/data/notification_templates/general-otp.html") subject = "General OTP" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } 
@@ -673,18 +716,18 @@ resource "pingone_notification_template_content" "strong_authentication" { template_name = "strong_authentication" locale = "en" - email { - body = "${file("${path.module}/data/notification_templates/strongAuthentication.html")}" + email = { + body = file("${path.module}/data/notification_templates/strongAuthentication.html") subject = "Strong Authentication" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -700,18 +743,18 @@ resource "pingone_notification_template_content" "verification_code" { template_name = "verification_code_template" locale = "en" - email { - body = "${file("${path.module}/data/notification_templates/verification code.html")}" + email = { + body = file("${path.module}/data/notification_templates/verification code.html") subject = "Verification Code" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } @@ -727,18 +770,18 @@ resource "pingone_notification_template_content" "password_recovery" { template_name = "recovery_code_template" locale = "en" - email { - body = "${file("${path.module}/data/notification_templates/Password Recovery.html")}" + email = { + body = file("${path.module}/data/notification_templates/Password Recovery.html") subject = "Verification Code" content_type = "text/html" character_set = "UTF-8" - from { + from = { name = "PingOne" address = "noreply@pingidentity.com" } - - reply_to { + + reply_to = { name = "PingOne" address = "noreply@pingidentity.com" } diff --git a/terraform/variables.tf b/terraform/variables.tf index f824b6e..a60fc5e 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
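Review bot: In the `password_recovery` hunk the `subject` is `"Verification Code"`, identical to the `verification_code` template's subject in the hunk above, while the body file is `Password Recovery.html` and every other template's subject names its own purpose; this looks like a copy-paste remnant, so `subject = "Password Recovery"` is probably intended — confirm with whoever owns the templates. The `body = file(...)` simplification itself is correct, dropping the redundant `"${...}"` wrapper, and applies cleanly to all nine template hunks. The enclosing resource starts outside the hunk.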
@@ -12,9 +12,20 @@ variable "pingone_environment_id" { type = string } variable "region" { - description = "Region" - type = string - default = "NorthAmerica" + description = "Region" + type = string + default = "NorthAmerica" +} + +variable "region_code" { + description = "Region Code" + type = string + default = "NA" + + validation { + condition = contains(["EU", "NA", "CA", "AP", "AU"], var.region_code) + error_message = "Allowed values for region_code are \"EU\", \"NA\", \"CA\", \"AP\", \"AU\"." + } } variable "admin_user_id" { From 98f4a8064fc8fab847ae308e84ed16682cc2c486 Mon Sep 17 00:00:00 2001 From: Patrick Cowland Date: Wed, 10 Jul 2024 14:01:42 +0100 Subject: [PATCH 2/5] update tfvars template --- terraform/terraform.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars index 48fd970..9b3fd20 100644 --- a/terraform/terraform.tfvars +++ b/terraform/terraform.tfvars @@ -1,4 +1,5 @@ region = "NorthAmerica" +region_code = "NA" pingone_environment_id = "" admin_user_id = "" license_id = "" From b78ce2bd012bfa9b4941051e7a0126ee232281ec Mon Sep 17 00:00:00 2001 From: Patrick Cowland Date: Wed, 10 Jul 2024 15:01:34 +0100 Subject: [PATCH 3/5] testing corrections --- terraform/davinci.tf | 4 ++-- terraform/pingone.tf | 46 +++++++------------------------------------- 2 files changed, 9 insertions(+), 41 deletions(-) diff --git a/terraform/davinci.tf b/terraform/davinci.tf index 4e1adb3..949ccf9 100644 --- a/terraform/davinci.tf +++ b/terraform/davinci.tf @@ -673,7 +673,7 @@ resource "davinci_variable" "gv-p1PopulationId" { mutable = "true" name = "gv-p1PopulationId" type = "string" - value = data.pingone_population.default_population.id + value = pingone_population_default.default_population.id } resource "davinci_variable" "gv-passwordlessAllowedTypes" { 
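Review bot: `description = "Region Code"` on the new `region_code` variable says nothing a reader cannot get from the name, and its relationship to the still-present `region` variable is left unstated. Something like `description = "PingOne region code the provider connects to (EU, NA, CA, AP or AU); supersedes var.region, which the provider no longer reads"` would document both the allowed values and why two region-shaped inputs exist. The `validation` block itself is a good addition.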
@@ -891,7 +891,7 @@ resource "davinci_variable" "populationId" { mutable = "true" name = "populationId" type = "string" - value = data.pingone_population.default_population.id + value = pingone_population_default.default_population.id } resource "davinci_variable" "preppedDevices" { diff --git a/terraform/pingone.tf b/terraform/pingone.tf index 3189712..f14ceed 100644 --- a/terraform/pingone.tf +++ b/terraform/pingone.tf @@ -82,9 +82,10 @@ data "pingone_licenses" "internal_license" { scim_filter = var.license_id != "" ? "(status eq \"active\")" : "(status eq \"active\") and (envId eq \"${var.pingone_environment_id}\")" } -data "pingone_population" "default_population" { +resource "pingone_population_default" "default_population" { environment_id = pingone_environment.master_flow_environment.id - name = "Default" + + name = "Default" } data "pingone_password_policy" "standard_password_policy" { @@ -144,7 +145,7 @@ output "webhook_decoder_url" { resource "pingone_user" "master_flow_user" { environment_id = pingone_environment.master_flow_environment.id - population_id = data.pingone_population.default_population.id + population_id = pingone_population_default.default_population.id email = var.master_flow_user_email username = var.master_flow_user_email 
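Review bot: Replacing `data "pingone_population" "default_population"` with `resource "pingone_population_default" "default_population"` turns the default population from something looked up into something Terraform owns, which affects every environment already created from the previous HCL: on the next plan the data source disappears and a new managed resource appears, and how the provider reconciles that with the population already present in the environment is not visible here (it may adopt it, or it may need a `terraform import`). Given the series' stated concern about not breaking existing state, a comment on the resource describing the expected upgrade path would help, e.g. `# Existing environments: check on plan that this adopts the current default population rather than creating or replacing it`. The stray blank line inserted between `environment_id` and `name` should go.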
@@ -199,39 +200,6 @@ resource "pingone_group" "my_awesome_group" {
 # PingOne MFA Policy #
 ########################
-// We leave this policy in place for the time being, but we don't actually use it.
-// We do this because if people have already created an environment and are updating HCL, this will not break their existing state
-resource "pingone_mfa_policy" "master_flow_mfa_policy" {
- environment_id = pingone_environment.master_flow_environment.id
- name = "Master Flow MFA Policy"
- device_selection = "ALWAYS_DISPLAY_DEVICES"
- new_device_notification = "EMAIL_THEN_SMS"
-
- mobile {
- enabled = false
- }
-
- totp {
- enabled = true
- }
-
- fido2 {
- enabled = true
- }
-
- sms {
- enabled = true
- }
-
- voice {
- enabled = true
- }
-
- email {
- enabled = true
- }
-}
-
 resource "pingone_mfa_device_policy" "master_flow_mfa_device_policy" {
 environment_id = pingone_environment.master_flow_environment.id
 name = "Master Flow MFA Device Policy"
@@ -282,8 +250,8 @@ resource "pingone_identity_provider" "google" {
 client_id = var.google_client_id == "" ? "client-id" : var.google_client_id
 client_secret = var.google_client_secret == "" ? "client-secret" : var.google_client_secret
 }
- registration_population_id = data.pingone_population.default_population.id
-
+ registration_population_id = pingone_population_default.default_population.id
+
 depends_on = [
 pingone_webhook.master_flow_webhook
 ]
@@ -300,7 +268,7 @@ resource "pingone_identity_provider" "facebook" {
 app_id = var.facebook_app_id == "" ? "app-id" : var.facebook_app_id
 app_secret = var.facebook_app_secret == "" ? "app-secret" : var.facebook_app_secret
 }
- registration_population_id = data.pingone_population.default_population.id
+ registration_population_id = pingone_population_default.default_population.id
 depends_on = [
 pingone_webhook.master_flow_webhook
From 615335e6581081c455b6c601bf661acf8613f81b Mon Sep 17 00:00:00 2001
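Review bot: The google and facebook `pingone_identity_provider` resources (the -282 and -300 hunks) still fall back to the literal placeholders `"client-secret"` and `"app-secret"` when the corresponding variable is empty, so an unconfigured social IdP is applied with dummy credentials instead of the plan failing; this commit re-points their `registration_population_id` but keeps that behaviour. Whether those resources are enabled is outside the hunk, but if they are, a sign-in option backed by a non-existent OAuth client is a confusing failure for end users and hides a missing secret. Either require the pair explicitly with a `validation` on the variables, or make the resource conditional, e.g. `count = var.google_client_secret == "" ? 0 : 1`, and reference it with an index where it is used. Both resource blocks start before the hunk, so any `enabled` attribute they carry is not visible here.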
From: Patrick Cowland
Date: Wed, 17 Jul 2024 14:03:07 +0100
Subject: [PATCH 4/5] revert `client_id` change
---
 terraform/README.md | 2 ++
 terraform/davinci.tf | 12 ++++++------
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/terraform/README.md b/terraform/README.md
index 191bcd7..b32bcbc 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -57,6 +57,7 @@ The following variables must be set for your environment:
 `worker_secret` - The client secret from the worker the **Terraform Administration** environment that you created. \
 `pingone_environment_id` - The environment ID of the **Terraform Administration** environment that you created. \
 `region` - Options are `AsiaPacific` `Canada` `Europe` and `NorthAmerica` \
+`region_code` - Options are `AP` `AU` `CA` `EU` and `NA` \
 `license_id` - The license ID that you would like to use. If left blank, it will default to the license used for the environment that you created. \
 `admin_user_id` - The id of the user account that you created. This can be found on the API tab of your user. \
 `admin_username` - The username of the user account that you created. \
@@ -72,6 +73,7 @@ The following variables must be set for your environment:
 | worker_secret | STRING | Required: **TRUE** Default: |
 | pingone_environment_id | STRING | Required: **TRUE** Default: |
 | region | STRING | Required: **TRUE** Default: |
+| region_code | STRING | Required: **TRUE** Default: |
 | license_name | STRING | Required: **TRUE** Default: |
 | admin_user_id | STRING | Required: **TRUE** Default: |
 | admin_username | STRING | Required: **TRUE** Default: |
diff --git a/terraform/davinci.tf b/terraform/davinci.tf
index 949ccf9..e31d344 100644
--- a/terraform/davinci.tf
+++ b/terraform/davinci.tf
@@ -74,7 +74,7 @@ resource "davinci_connection" "PingOne" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
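Review bot: `pingone_application.dv_worker_app.oidc_options.id` on the new side appears not to be the attribute the author wanted, since the very next commit (PATCH 5/5, "bug fix") replaces it with `oidc_options.client_id` in this hunk and in the -106 through -210 hunks. Squashing 4/5 into 5/5 would avoid leaving a commit on the branch where davinci.tf does not pass `terraform validate`, and the commit message "revert `client_id` change" would then describe the end state rather than the intermediate one. The `davinci_connection` block starts and ends outside the hunk.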
@@ -106,7 +106,7 @@ resource "davinci_connection" "PingOne-MFA" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
@@ -137,7 +137,7 @@ resource "davinci_connection" "PingOne-Authorize" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
@@ -158,7 +158,7 @@ resource "davinci_connection" "PingOne-Notifications" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
@@ -184,7 +184,7 @@ resource "davinci_connection" "PingOne-Protect" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
@@ -210,7 +210,7 @@ resource "davinci_connection" "PingOne-Verify" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.id
+ value = pingone_application.dv_worker_app.oidc_options.id
 }
 property {
From 4982c470ff8df6128d9d85d8c65e31144aa982f6 Mon Sep 17 00:00:00 2001
From: Patrick Cowland
Date: Wed, 17 Jul 2024 14:04:37 +0100
Subject: [PATCH 5/5] bug fix
---
 terraform/davinci.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/terraform/davinci.tf b/terraform/davinci.tf
index e31d344..71c377b 100644
--- a/terraform/davinci.tf
+++ b/terraform/davinci.tf
@@ -74,7 +74,7 @@ resource "davinci_connection" "PingOne" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {
@@ -106,7 +106,7 @@ resource "davinci_connection" "PingOne-MFA" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {
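Review bot: The worker app's `clientId` and `clientSecret` expressions are copied verbatim into six `davinci_connection` resources (this commit's -74 through -210 hunks), and it took three commits in this series (1/5, 4/5, 5/5) to get the same value right in all six places. Hoisting the pair into a `locals` block, e.g. `dv_worker_client_id = pingone_application.dv_worker_app.oidc_options.client_id` and `dv_worker_client_secret = pingone_application_secret.dv_worker_app.secret`, and referencing `local.dv_worker_client_id` / `local.dv_worker_client_secret` from each property gives one place to change. Since the secret value is set as a plain `value` on each connection, it presumably lands in the state of all six resources as well as in `pingone_application_secret`, so the state backend needs the same protection as the secret itself; a comment on the first connection saying so would help the next maintainer. The `davinci_connection` blocks begin and end outside these hunks.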
@@ -137,7 +137,7 @@ resource "davinci_connection" "PingOne-Authorize" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {
@@ -158,7 +158,7 @@ resource "davinci_connection" "PingOne-Notifications" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {
@@ -184,7 +184,7 @@ resource "davinci_connection" "PingOne-Protect" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {
@@ -210,7 +210,7 @@ resource "davinci_connection" "PingOne-Verify" {
 property {
 name = "clientId"
- value = pingone_application.dv_worker_app.oidc_options.id
+ value = pingone_application.dv_worker_app.oidc_options.client_id
 }
 property {