The OIDC auth method resource allows you to configure a Boundary auth_method_oidc.
# An organization scope that the auth methods below could be created in
resource "boundary_scope" "org" {
  name                     = "organization_one"
  description              = "My first scope!"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# OIDC auth method backed by a Vault OIDC provider
resource "boundary_auth_method_oidc" "vault" {
  api_url_prefix     = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200"
  client_id          = "eieio"
  client_secret      = "hvo_secret_XO"
  description        = "My Boundary OIDC Auth Method for Vault"
  issuer             = "https://XO-XO-XO-XO-XOXOXO.vault.hashicorp.cloud:8200/v1/identity/oidc/provider/my-provider"
  scope_id           = "global"
  signing_algorithms = ["RS256"]
  type               = "oidc"
}

# OIDC auth method that sends a single prompt value to the identity provider
resource "boundary_auth_method_oidc" "oidc_with_one_prompt" {
  api_url_prefix     = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200"
  client_id          = "eieio"
  client_secret      = "hvo_secret_XO"
  description        = "My Boundary OIDC Auth Method With Prompt"
  issuer             = "https://sts.windows.net/TENANT_ID/"
  scope_id           = "global"
  signing_algorithms = ["RS256"]
  prompts            = ["select_account"]
  type               = "oidc"
}

# OIDC auth method that sends several prompt values to the identity provider
resource "boundary_auth_method_oidc" "oidc_with_multiple_prompts" {
  api_url_prefix     = "https://XO-XO-XO-XO-XOXOXO.boundary.hashicorp.cloud:9200"
  client_id          = "eieio"
  client_secret      = "hvo_secret_XO"
  description        = "My Boundary OIDC Auth Method With Multiple Prompts"
  issuer             = "https://sts.windows.net/TENANT_ID/"
  scope_id           = "global"
  signing_algorithms = ["RS256"]
  prompts            = ["consent", "select_account"]
  type               = "oidc"
}
scope_id
(String) The scope ID.

account_claim_maps
(List of String) Account claim maps for the to_claim of sub.

allowed_audiences
(List of String) Audiences for which the provider responses will be allowed.

api_url_prefix
(String) The API prefix to use when generating callback URLs for the provider. Should be set to an address at which the provider can reach back to the controller.

callback_url
(String) The URL that should be provided to the IdP for callbacks.

claims_scopes
(List of String) Claims scopes.

client_id
(String) The client ID assigned to this auth method from the provider.

client_secret
(String, Sensitive) The secret key assigned to this auth method from the provider. Once set, only the hash will be kept and the original value can be removed from configuration.

client_secret_hmac
(String) The HMAC of the client secret returned by the Boundary controller, which is used for comparison after initial setting of the value.

description
(String) The auth method description.

disable_discovered_config_validation
(Boolean) Disables validation logic ensuring that the OIDC provider's information from its discovery endpoint matches the information here. The validation is only performed at create or update time.

idp_ca_certs
(List of String) A list of CA certificates to trust when validating the IdP's token signatures.

is_primary_for_scope
(Boolean) When true, makes this auth method the primary auth method for the scope in which it resides. The primary auth method for a scope means the user will be automatically created when they log in using an OIDC account.

issuer
(String) The issuer corresponding to the provider, which must match the issuer field in generated tokens.

max_age
(Number) The max age to provide to the provider, indicating how much time is allowed to have passed since the last authentication before the user is challenged again. A value of 0 sets an immediate requirement for all users to reauthenticate, and an unset max_age results in a Terraform value of -1, in which case the default TTL of the chosen OIDC provider will be used.

name
(String) The auth method name. Defaults to the resource name.

prompts
(List of String) The prompts passed to the identity provider to determine whether to prompt the end-user for reauthentication, account selection or consent. Please note the values passed are case-sensitive. The valid values are: none, login, consent and select_account.

signing_algorithms
(List of String) Allowed signing algorithms for the provider's issued tokens.

state
(String) Can be one of 'inactive', 'active-private', or 'active-public'. Currently automatically set to active-public.

type
(String) The type of auth method; hardcoded.

id
(String) The ID of the auth method.

Import is supported using the following syntax:

terraform import boundary_auth_method_oidc.foo <my-id>
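The example usage and the attribute list above show the required settings and the prompt options but not how the restriction attributes fit together. The following configuration is an added example and is not part of the provider documentation or the provider's own test fixtures: it takes the client secret from a sensitive variable instead of a literal in the configuration, pins the audience the controller will accept, maps the provider's identity claim onto sub, pins the CA that signs the IdP's TLS certificate, and bounds how old a provider session may be. The issuer, client ID, API URL prefix, certificate file path, claim name and the from=to form of account_claim_maps are placeholders and assumptions, not values taken from this page.

```hcl
# Added example, not from the provider docs. Every URL, ID and file path below
# is a placeholder; adjust to the identity provider actually in use.

# Supply the secret at apply time (for instance via TF_VAR_oidc_client_secret)
# so it never sits as a literal in version-controlled configuration.
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

resource "boundary_auth_method_oidc" "hardened" {
  scope_id    = "global"
  name        = "corp-oidc"
  description = "OIDC auth method with explicit audience, claim and session-age restrictions"
  type        = "oidc"

  # issuer must equal the iss claim in the provider's tokens; it is cross-checked
  # against the discovery document because disable_discovered_config_validation
  # is left at its default.
  issuer         = "https://idp.example.com/"           # placeholder
  client_id      = "boundary-client-id-placeholder"     # placeholder
  client_secret  = var.oidc_client_secret
  api_url_prefix = "https://boundary.example.com:9200"  # placeholder; the IdP must reach this address

  # Only accept RS256-signed tokens whose aud claim names this client.
  signing_algorithms = ["RS256"]
  allowed_audiences  = ["boundary-client-id-placeholder"]

  # Request only the scopes needed to populate the account, and map the
  # provider's stable identifier claim onto sub. The "oid=sub" from=to form is
  # an assumption about the claim-map syntax, as is the claim name oid.
  claims_scopes      = ["profile", "email"]
  account_claim_maps = ["oid=sub"]

  # Trust a specific CA for the IdP's certificate rather than the system store.
  idp_ca_certs = [file("${path.module}/idp-ca.pem")]   # placeholder path

  # Re-challenge the user if the provider session is older than one hour,
  # and ask the provider to prompt for credentials on each login.
  max_age = 3600
  prompts = ["login"]

  # Auto-create Boundary users for accounts that authenticate through this method.
  is_primary_for_scope = true
}
```

After the first apply, client_secret_hmac is populated from the controller; keeping the secret in a sensitive variable means later plans compare against that HMAC rather than a plaintext literal in the configuration. Leaving disable_discovered_config_validation at its default keeps the create-time and update-time check that the issuer and signing algorithms configured here match what the provider publishes at its discovery endpoint.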