The cfn-resource-provider is an extension for CloudFormation built with the CloudFormation CLI development kit. It provides resource providers that automate the creation of the following resources in a safe and systematic way:

- `Appspero::IAM::OpenIDConnectProvider`: creates an OpenID Connect provider
- `Appspero::IAM::SAMLProvider`: creates a SAML provider
To install any of the resources that the resource provider supports, install the CloudFormation CLI (cfn) first:

```sh
pip install cloudformation-cli cloudformation-cli-go-plugin
```

It is recommended to install these packages in a virtualenv. Then go to the desired resource directory and run:

```sh
make
AWS_PROFILE=... cfn submit -v --region us-east-1
```
The previous command creates the required IAM role and the S3 bucket that keeps the resource package, and registers the resource in the CloudFormation registry.

If you have multiple versions of the resource in the CloudFormation registry, you can set the desired version, for example:

```sh
aws cloudformation --region us-east-1 --profile=test set-type-default-version --type "RESOURCE" --type-name "Appspero::IAM::OpenIDConnectProvider" --version-id "00000002"
```

To de-register the resource type (example):

```sh
aws cloudformation deregister-type --profile test --region us-east-1 --arn arn:aws:cloudformation:us-east-1:<ACCOUNT_ID>:type/resource/Appspero-IAM-OpenIDConnectProvider
```
The `Appspero::IAM::OpenIDConnectProvider` resource creates an OpenID Connect provider. For example:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Create OIDC provider
Resources:
  Provider:
    Type: Appspero::IAM::OpenIDConnectProvider
    Properties:
      Url: https://example.com
      ClientIDList:
        - sts.amazonaws.com
        - ...
      ThumbprintList: # optional
        - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
Outputs:
  ProviderArn:
    Value:
      Fn::GetAtt: [Provider, Arn]
```

- `Url`: the URL of the OpenID Connect (OIDC) identity provider. The URL must begin with `https://` and should correspond to the `iss` claim in the provider's OpenID Connect ID tokens.
- `ClientIDList`: a list of client IDs (also known as audiences).
- `ThumbprintList`: a list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. If it is not specified, the root CA of the issuer server is retrieved and used.
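The thumbprint value and the root-CA fallback described above, as an added Go example that is not part of this provider's code: it computes the 40-character `ThumbprintList` value from a certificate and, for a chain presented leaf-first, fingerprints the issuer's root CA (the last certificate) rather than the leaf. The chain is constructed in code with Go's standard library, and the reading that the fallback pins the last certificate of the served chain is an assumption about the provider, not something this README states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Thumbprint is the ThumbprintList value: lowercase hex SHA-1 of the DER bytes.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// AnchorThumbprint fingerprints the last certificate of a leaf-first chain, i.e.
// the issuer's root CA; pinning the leaf would break at its next renewal.
func AnchorThumbprint(chain ...*x509.Certificate) (string, bool) {
	if len(chain) == 0 {
		return "", false
	}
	return Thumbprint(chain[len(chain)-1]), true
}

// newCert issues a certificate for cn; a nil parent makes it self-signed.
// Constructed test material only, standing in for the issuer's real chain.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

To build a chain, call `newCert("Example Root CA", true, nil, nil)` for the root and then `newCert("example.com", false, root, rootKey)` for the leaf; `AnchorThumbprint(leaf, root)` returns the root's thumbprint.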
The `Appspero::IAM::SAMLProvider` resource creates a SAML provider. For example:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Create SAML provider
Resources:
  Provider:
    Type: Appspero::IAM::SAMLProvider
    Properties:
      Name: example
      SAMLMetadataDocument: ...
Outputs:
  ProviderArn:
    Value:
      Fn::GetAtt: [Provider, Arn]
```

- `Name`: the name of the SAML provider to create.
- `SAMLMetadataDocument`: an XML document generated by an identity provider (IdP) that supports SAML 2.0.
Note: to pass the `SAMLMetadataDocument` parameter value as one line with the double-quote (`"`) character escaped, copy the contents of the file `out.xml` after running:

```sh
# Join the document onto one line and escape each " as \" (sed needs the doubled backslash; a single \" in the replacement is just a literal quote)
tr -d '\n' <metadata.xml | sed -e 's/"/\\"/g' > out.xml
```