# =============================================================================
# Local users
# -----------------------------------------------------------------------------
resource "intersight_iam_end_point_user_policy" "user_policy1" {
  # Endpoint (IMC) local-user policy. The local user and the role mapping
  # declared further down in this file attach to it.
  name        = "${var.policy_prefix}-local-user"
  description = var.description

  organization {
    object_type = "organization.Organization"
    moid        = var.organization
  }

  # Password rules the endpoint enforces for local accounts.
  password_properties {
    enforce_strong_password = true
    force_send_password     = true
    # Expiry is switched off here; presumably the duration / notification /
    # grace values below only take effect once enable_password_expiry is true.
    enable_password_expiry   = false
    password_expiry_duration = 50
    notification_period      = 1
    grace_period             = 2
    password_history         = 5
  }

  dynamic "tags" {
    for_each = var.tags
    content {
      key   = tags.value.key
      value = tags.value.value
    }
  }
}
# Mapping of endpoint user to endpoint roles.
resource "intersight_iam_end_point_user_role" "roleadmin" {
  # Grants the IMC role looked up by data.admin_role to the local endpoint
  # user iam_end_point_user1, under user_policy1.
  enabled = true
  # NOTE(review): this value is written to Terraform state and may appear in
  # plan output; keep var.imc_admin_password declared with sensitive = true
  # and the state backend access-controlled and encrypted.
  password = var.imc_admin_password

  end_point_user_policy {
    moid        = intersight_iam_end_point_user_policy.user_policy1.moid
    object_type = intersight_iam_end_point_user_policy.user_policy1.object_type
  }

  end_point_user {
    moid        = intersight_iam_end_point_user.iam_end_point_user1.moid
    object_type = intersight_iam_end_point_user.iam_end_point_user1.object_type
  }

  # results[0] assumes the role lookup matched at least one entry; an empty
  # result makes the plan fail instead of silently mapping a different role.
  end_point_role {
    moid        = data.intersight_iam_end_point_role.admin_role.results[0].moid
    object_type = data.intersight_iam_end_point_role.admin_role.results[0].object_type
  }
}
resource "intersight_iam_end_point_user" "iam_end_point_user1" {
  # Local IMC account. Its password is not set here; it is supplied by the
  # intersight_iam_end_point_user_role mapping (roleadmin) that references it.
  organization {
    moid        = var.organization
    object_type = "organization.Organization"
  }

  name = "${var.policy_prefix}-user"
}
# get the IMC role named admin
data "intersight_iam_end_point_role" "admin_role" {
  # Looks up the built-in IMC role called "admin" by name and type.
  # Consumers index results[0], so a lookup that returns nothing fails the plan.
  # NOTE(review): the LDAP group mappings in this file use
  # data.intersight_iam_end_point_role.imc_admin / imc_user / imc_readonly,
  # which are declared outside this file; if imc_admin selects the same role,
  # this lookup duplicates it.
  type = "IMC"
  name = "admin"
}
# =============================================================================
# Groups (map built-in roles to AD groups)
# -----------------------------------------------------------------------------
# Mapping of LDAP Group to EndPointRoles
resource "intersight_iam_ldap_group" "group1" {
  # AD group "super_admin" -> IMC admin role, via policy1.
  # NOTE(review): the AD domain is hard-coded here, in the other group
  # mappings and in policy1.base_properties; keep them in sync.
  ldap_policy {
    moid = intersight_iam_ldap_policy.policy1.moid
  }

  # data.intersight_iam_end_point_role.imc_admin is declared outside this file.
  end_point_role {
    moid = data.intersight_iam_end_point_role.imc_admin.results[0].moid
  }

  name   = "super_admin"
  domain = "auslab.cisco.com"
}
resource "intersight_iam_ldap_group" "group2" {
  # AD group "WWDC Lab Users" -> IMC user role, via policy1.
  # NOTE(review): the AD domain is hard-coded here, in the other group
  # mappings and in policy1.base_properties; keep them in sync.
  ldap_policy {
    moid = intersight_iam_ldap_policy.policy1.moid
  }

  # data.intersight_iam_end_point_role.imc_user is declared outside this file.
  end_point_role {
    moid = data.intersight_iam_end_point_role.imc_user.results[0].moid
  }

  name   = "WWDC Lab Users"
  domain = "auslab.cisco.com"
}
resource "intersight_iam_ldap_group" "group3" {
  # AD group "Domain Users" -> IMC read-only role, via policy1.
  # NOTE(review): "Domain Users" is typically the AD default group that holds
  # every user account in the domain, so this grants read-only IMC access to
  # all domain accounts; confirm that is the intended scope.
  ldap_policy {
    moid = intersight_iam_ldap_policy.policy1.moid
  }

  # data.intersight_iam_end_point_role.imc_readonly is declared outside this file.
  end_point_role {
    moid = data.intersight_iam_end_point_role.imc_readonly.results[0].moid
  }

  name   = "Domain Users"
  domain = "auslab.cisco.com"
}
# =============================================================================
# Providers (LDAP servers)
# -----------------------------------------------------------------------------
# LDAP Provider or LDAP Server for user authentication.
resource "intersight_iam_ldap_provider" "provider1" {
  # First directory server for policy1.
  # SECURITY: 389 is plain LDAP and policy1 sets enable_encryption = false, so
  # bind traffic crosses the network in cleartext; prefer LDAPS (636) with
  # encryption enabled on the policy where the directory supports it.
  # The address is hard-coded; consider sourcing it from a variable.
  server = "172.16.1.90"
  port   = 389

  ldap_policy {
    moid = intersight_iam_ldap_policy.policy1.moid
  }
}
resource "intersight_iam_ldap_provider" "provider2" {
  # Second directory server for policy1 (same caveats as the first: plain
  # LDAP on 389 with encryption disabled on the policy, hard-coded address).
  server = "172.16.1.91"
  port   = 389

  ldap_policy {
    moid = intersight_iam_ldap_policy.policy1.moid
  }
}
# =============================================================================
# LDAP Policy
# -----------------------------------------------------------------------------
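resource "intersight_iam_ldap_policy" "policy1" {
  # LDAP/AD authentication policy referenced by the provider and group
  # resources in this file.
  name        = "${var.policy_prefix}-ldap"
  description = var.description
  enabled     = true
  # DNS-based discovery is off, so servers come only from the
  # intersight_iam_ldap_provider resources bound to this policy.
  enable_dns = false
  # Presumably searches the LDAP user database before the local one; confirm
  # against provider documentation.
  user_search_precedence = "LDAPUserDb"

  base_properties {
    domain      = "auslab.cisco.com"
    base_dn     = "dc=auslab,dc=cisco,dc=com"
    filter      = "samAccountName"
    attribute   = "CiscoAvPair"
    bind_method = "LoginCredentials"
    # SECURITY: encryption is disabled and both providers use port 389, so
    # binds (including, with bind_method LoginCredentials, what appear to be the
    # logging-in user's credentials) travel in cleartext. Enable encryption /
    # LDAPS where the directory supports it.
    enable_encryption = false
    # Authorization via group membership, following nested groups.
    enable_group_authorization = true
    group_attribute            = "memberOf"
    nested_group_search_depth  = 128
    timeout                    = 30
  }

  organization {
    # Explicit object_type, matching the organization block of user_policy1.
    object_type = "organization.Organization"
    moid        = var.organization
  }

  dynamic "tags" {
    for_each = var.tags
    content {
      key   = tags.value.key
      value = tags.value.value
    }
  }
}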