Merge pull request #3 from komminarlabs/tk/saml

Added SAML resource

README.md

@@ -26,6 +26,7 @@ No modules.
 | [aws_grafana_role_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_role_association) | resource |
 | [aws_grafana_workspace.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace) | resource |
 | [aws_grafana_workspace_api_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_api_key) | resource |
+| [aws_grafana_workspace_saml_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/grafana_workspace_saml_configuration) | resource |
 | [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.data_sources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -55,16 +56,18 @@ No modules.
 | <a name="input_organizational_units"></a> [organizational\_units](#input\_organizational\_units) | The Amazon Organizations organizational units that the workspace is authorized to use data sources from | `list(string)` | `[]` | no |
 | <a name="input_permission_type"></a> [permission\_type](#input\_permission\_type) | The permission type of the workspace. If `SERVICE_MANAGED` is specified, the IAM roles and IAM policy attachments are generated automatically. If `CUSTOMER_MANAGED` is specified, the IAM roles and IAM policy attachments will not be created | `string` | `"SERVICE_MANAGED"` | no |
 | <a name="input_role_association"></a> [role\_association](#input\_role\_association) | List of user/group IDs to assocaite to a role | <pre>list(object({<br>    group_ids = optional(list(string))<br>    role      = string<br>    user_ids  = optional(list(string))<br>  }))</pre> | `[]` | no |
+| <a name="input_saml_configuration"></a> [saml\_configuration](#input\_saml\_configuration) | The SAML configuration for the workspace | <pre>object({<br>    admin_role_values       = optional(list(string))<br>    allowed_organizations   = optional(list(string))<br>    editor_role_values      = list(string)<br>    email_assertion         = optional(string)<br>    groups_assertion        = optional(string)<br>    idp_metadata_url        = optional(string)<br>    idp_metadata_xml        = optional(string)<br>    login_assertion         = optional(string)<br>    login_validity_duration = optional(number)<br>    name_assertion          = optional(string)<br>    org_assertion           = optional(string)<br>    role_assertion          = optional(string)<br>  })</pre> | `null` | no |
 | <a name="input_vpc_configuration"></a> [vpc\_configuration](#input\_vpc\_configuration) | The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to | <pre>object({<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>  })</pre> | `null` | no |
 | <a name="input_workspace_api_key"></a> [workspace\_api\_key](#input\_workspace\_api\_key) | List of workspace API Key resources to create | <pre>list(object({<br>    name            = string<br>    role            = string<br>    seconds_to_live = number<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_license_expiration"></a> [license\_expiration](#output\_license\_expiration) | If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license |
-| <a name="output_license_free_trial_expiration"></a> [license\_free\_trial\_expiration](#output\_license\_free\_trial\_expiration) | If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial |
+| <a name="output_license_expiration"></a> [license\_expiration](#output\_license\_expiration) | The expiration date of the enterprise license |
+| <a name="output_license_free_trial_expiration"></a> [license\_free\_trial\_expiration](#output\_license\_free\_trial\_expiration) | The expiration date of the free trial |
 | <a name="output_workspace"></a> [workspace](#output\_workspace) | The Grafana workspace details |
 | <a name="output_workspace_api_keys"></a> [workspace\_api\_keys](#output\_workspace\_api\_keys) | The workspace API keys created including their attributes |
-| <a name="output_workspace_iam_role"></a> [workspace\_iam\_role](#output\_workspace\_iam\_role) | IAM role details of the Grafana workspace |
+| <a name="output_workspace_iam_role"></a> [workspace\_iam\_role](#output\_workspace\_iam\_role) | The IAM role details of the Grafana workspace |
+| <a name="output_workspace_saml"></a> [workspace\_saml](#output\_workspace\_saml) | The Grafana workspace saml configuration details |
 <!-- END_TF_DOCS -->

iam.tf

@@ -1,7 +1,7 @@
 locals {
   create_iam_role = var.iam_role_arn == null ? true : false
 
-  iam_data_source_policies = {
+  data_source_iam_policies = {
     ATHENA     = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess"
     CLOUDWATCH = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonGrafanaCloudWatchAccess"
     REDSHIFT   = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonGrafanaRedshiftAccess"
@@ -97,7 +97,7 @@ resource "aws_iam_policy" "default" {
 }
 
 resource "aws_iam_role_policy_attachment" "data_sources" {
-  for_each = { for i, v in var.data_sources : v => local.iam_data_source_policies[v] if local.create_iam_role }
+  for_each = { for i, v in var.data_sources : v => local.data_source_iam_policies[v] if local.create_iam_role }
 
   role       = aws_iam_role.default[0].name
   policy_arn = each.value

main.tf

@@ -1,6 +1,22 @@
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 
+resource "aws_grafana_license_association" "default" {
+  count = var.license_type != null ? 1 : 0
+
+  license_type = var.license_type
+  workspace_id = aws_grafana_workspace.default.id
+}
+
+resource "aws_grafana_role_association" "this" {
+  for_each = { for i, v in var.role_association : v.role => v }
+
+  group_ids    = each.value.group_ids
+  role         = each.value.role
+  user_ids     = each.value.user_ids
+  workspace_id = aws_grafana_workspace.default.id
+}
+
 resource "aws_grafana_workspace" "default" {
   account_access_type       = var.account_access_type
   authentication_providers  = var.authentication_providers
@@ -44,18 +60,20 @@ resource "aws_grafana_workspace_api_key" "default" {
   workspace_id    = aws_grafana_workspace.default.id
 }
 
-resource "aws_grafana_license_association" "default" {
-  count = var.license_type != null ? 1 : 0
-
-  license_type = var.license_type
-  workspace_id = aws_grafana_workspace.default.id
-}
+resource "aws_grafana_workspace_saml_configuration" "default" {
+  count = var.saml_configuration != null ? 1 : 0
 
-resource "aws_grafana_role_association" "this" {
-  for_each = { for i, v in var.role_association : v.role => v }
-
-  group_ids    = each.value.group_ids
-  role         = each.value.role
-  user_ids     = each.value.user_ids
-  workspace_id = aws_grafana_workspace.default.id
-}
+  admin_role_values       = var.saml_configuration.admin_role_values
+  allowed_organizations   = var.saml_configuration.allowed_organizations
+  editor_role_values      = var.saml_configuration.editor_role_values
+  email_assertion         = var.saml_configuration.email_assertion
+  groups_assertion        = var.saml_configuration.groups_assertion
+  idp_metadata_url        = var.saml_configuration.idp_metadata_url
+  idp_metadata_xml        = var.saml_configuration.idp_metadata_xml
+  login_assertion         = var.saml_configuration.login_assertion
+  login_validity_duration = var.saml_configuration.login_validity_duration
+  name_assertion          = var.saml_configuration.name_assertion
+  org_assertion           = var.saml_configuration.org_assertion
+  role_assertion          = var.saml_configuration.role_assertion
+  workspace_id            = aws_grafana_workspace.default.id
+}

outputs.tf

@@ -9,16 +9,21 @@ output "workspace_api_keys" {
 }
 
 output "workspace_iam_role" {
-  description = "IAM role details of the Grafana workspace"
+  description = "The IAM role details of the Grafana workspace"
+  value       = try(aws_iam_role.default, null)
+}
+
+output "workspace_saml" {
+  description = "The Grafana workspace saml configuration details"
   value       = try(aws_iam_role.default, null)
 }
 
 output "license_free_trial_expiration" {
-  description = "If `license_type` is set to `ENTERPRISE_FREE_TRIAL`, this is the expiration date of the free trial"
+  description = "The expiration date of the free trial"
   value       = try(aws_grafana_license_association.default[0].free_trial_expiration, null)
 }
 
 output "license_expiration" {
-  description = "If `license_type` is set to `ENTERPRISE`, this is the expiration date of the enterprise license"
+  description = "The expiration date of the enterprise license"
   value       = try(aws_grafana_license_association.default[0].license_expiration, null)
 }

variables.tf

@@ -122,6 +122,25 @@ variable "role_association" {
   description = "List of user/group IDs to assocaite to a role"
 }
 
+variable "saml_configuration" {
+  type = object({
+    admin_role_values       = optional(list(string))
+    allowed_organizations   = optional(list(string))
+    editor_role_values      = list(string)
+    email_assertion         = optional(string)
+    groups_assertion        = optional(string)
+    idp_metadata_url        = optional(string)
+    idp_metadata_xml        = optional(string)
+    login_assertion         = optional(string)
+    login_validity_duration = optional(number)
+    name_assertion          = optional(string)
+    org_assertion           = optional(string)
+    role_assertion          = optional(string)
+  })
+  default     = null
+  description = "The SAML configuration for the workspace"
+}
+
 variable "vpc_configuration" {
   type = object({
     security_group_ids = list(string)