terraform-provider-cloudflare
Support custom claims in cloudflare_access_identity_provider (OIDC) config
Current Terraform and Cloudflare provider version
Terraform v0.14.9
- provider registry.terraform.io/cloudflare/cloudflare v3.8.0
Description
Feature request for supporting custom claims for the cloudflare_access_identity_provider resource with the type OIDC. This is supported by the Cloudflare generic OIDC identity provider and can't be configured using Terraform.
Sample identity provider configuration returned by the Cloudflare API, which contains custom claims:
```json
{
  "id": "xx",
  "type": "oidc",
  "uid": "xx",
  "name": "xx",
  "config": {
    "auth_url": "xx",
    "certs_url": "xx",
    "claims": [
      "claim1",
      "claim2"
    ],
    "client_id": "xx",
    "client_secret": "xx",
    "redirect_url": "xx",
    "scopes": [
      "openid",
      "email",
      "profile"
    ],
    "token_url": "xx"
  },
  "version": "xx"
}
```
Use cases
"cloudflare_access_identity_provider" should have the ability to accept custom claims supported by any given IdP with the OIDC protocol. Those claims are passed down to Cloudflare via the ID token, and we should have the flexibility to decide which claims should be included in the JWT generated by Cloudflare.
The ideal configuration would be as follows.
Potential Terraform configuration
```hcl
resource "cloudflare_access_identity_provider" "idp" {
  zone_id = "xxx"
  name    = "xxx"
  type    = "oidc"
  config {
    client_id     = "xxx"
    client_secret = "xxx"
    auth_url      = "xxx"
    token_url     = "xxx"
    certs_url     = "xxx"
    redirect_url  = "xxx"
    claims        = ["claim1", "claim2"]
  }
}
```
...
References
No response
I'm not sure if this is supported by the Access service itself, but it is definitely not supported in cloudflare-go. I would recommend starting with a support ticket to have this included as a feature, and then it can be added downstream before here.
So, this definitely appears to be supported by Access, based on the API docs and the example API configuration. This also seems to be a single-line addition to cloudflare-go. It appears that the implementation would require adding the following.
```diff
 type AccessIdentityProviderConfiguration struct {
 	APIToken string `json:"api_token,omitempty"`
 	// ...
+	Scopes string `json:"scopes,omitempty"`
 }
```
(Copied from L18-45 in cloudflare-go.) However, I'm not sure where else these changes would need to be implemented (e.g., throughout cloudflare-go/access_identity_provider.go there are primarily api.<func> calls, and there doesn't seem to be any validation). Then in terraform-.../resource_cloudflare_access_identity_provider.go, it seems that
```diff
 func convertSchemaToStruct(d *schema.ResourceData) (cloudflare.AccessIdentityProviderConfiguration, error) {
 	// ...
 	IDPConfig.PKCEEnabled = cloudflare.BoolPtr(d.Get("config.0.pkce_enabled").(bool))
 	// I know that `scopes` is supposed to be a list(string), but it's been ages since
 	// I've used Go, so I'm not sure how this ought to be written.
+	IDPConfig.Scopes = cloudflare.ListPtr(d.Get("config.0.scopes").(string))
 	}
 	return IDPConfig, nil
 }
```
and
```diff
 func convertStructToSchema(d *schema.ResourceData, options cloudflare.AccessIdentityProviderConfiguration) []interface{} {
 	// ...
 		"pkce_enabled": options.PKCEEnabled,
+		"scopes":       options.Scopes,
 	}
 	return []interface{}{m}
 }
```
I pulled the last two examples from here: https://github.com/cloudflare/terraform-provider-cloudflare/blob/7b9490a8a8dd0cb189865204ad69f88178de0a94/internal/sdkv2provider/resource_cloudflare_access_identity_provider.go#L187-L259
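The comment above leaves open how a list(string) attribute such as `claims` (the field this issue is actually about; the snippets use `scopes`) should be carried between the API JSON, the Go struct and the Terraform schema. The following is an added, self-contained illustration written for this thread, not code from cloudflare-go or the provider: it models the `config` object from the sample API response with `claims` as `[]string`, and shows the two conversion helpers that stand in for `convertSchemaToStruct`/`convertStructToSchema`. The struct and function names, the `map[string]interface{}` standing in for `d.Get("config.0.<key>")`, and the embedded sample JSON (copied from the issue) are assumptions for the example, and the `[]interface{}` shape is what the Terraform SDK returns for a list(string) attribute.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AccessIdentityProviderConfiguration models the OIDC "config" object from the
// sample API response in this issue, with "claims" as a list. It is an
// illustration written for this thread, not the struct from cloudflare-go.
type AccessIdentityProviderConfiguration struct {
	AuthURL      string   `json:"auth_url,omitempty"`
	CertsURL     string   `json:"certs_url,omitempty"`
	Claims       []string `json:"claims,omitempty"`
	ClientID     string   `json:"client_id,omitempty"`
	ClientSecret string   `json:"client_secret,omitempty"`
	RedirectURL  string   `json:"redirect_url,omitempty"`
	Scopes       []string `json:"scopes,omitempty"`
	TokenURL     string   `json:"token_url,omitempty"`
}

// AccessIdentityProvider is the top-level object; "uid" and "version" from the
// sample are simply ignored by encoding/json.
type AccessIdentityProvider struct {
	ID     string                              `json:"id"`
	Type   string                              `json:"type"`
	Name   string                              `json:"name"`
	Config AccessIdentityProviderConfiguration `json:"config"`
}

// sampleAPIResponse is constructed from the JSON posted in the issue.
const sampleAPIResponse = `{"id":"xx","type":"oidc","uid":"xx","name":"xx",
 "config":{"auth_url":"xx","certs_url":"xx","claims":["claim1","claim2"],
  "client_id":"xx","client_secret":"xx","redirect_url":"xx",
  "scopes":["openid","email","profile"],"token_url":"xx"},
 "version":"xx"}`

// ParseIdentityProvider decodes one identity provider from an API response body.
func ParseIdentityProvider(raw []byte) (AccessIdentityProvider, error) {
	var idp AccessIdentityProvider
	err := json.Unmarshal(raw, &idp)
	return idp, err
}

// expandStringList converts the []interface{} the Terraform SDK's d.Get returns
// for a list(string) attribute into []string. An absent or empty list yields
// nil so that omitempty drops the key from the request body.
func expandStringList(v interface{}) []string {
	items, ok := v.([]interface{})
	if !ok || len(items) == 0 {
		return nil
	}
	out := make([]string, 0, len(items))
	for _, item := range items {
		if s, ok := item.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// flattenStringList is the inverse, producing what d.Set expects for list(string).
func flattenStringList(s []string) []interface{} {
	out := make([]interface{}, len(s))
	for i, v := range s {
		out[i] = v
	}
	return out
}

// ConvertSchemaToStruct builds the struct from a map shaped like the config
// block (a stand-in for a series of d.Get("config.0.<key>") calls).
func ConvertSchemaToStruct(cfg map[string]interface{}) AccessIdentityProviderConfiguration {
	str := func(k string) string { s, _ := cfg[k].(string); return s }
	return AccessIdentityProviderConfiguration{
		AuthURL:      str("auth_url"),
		CertsURL:     str("certs_url"),
		Claims:       expandStringList(cfg["claims"]),
		ClientID:     str("client_id"),
		ClientSecret: str("client_secret"),
		RedirectURL:  str("redirect_url"),
		Scopes:       expandStringList(cfg["scopes"]),
		TokenURL:     str("token_url"),
	}
}

// ConvertStructToSchema is the read direction. client_secret is carried because
// the API returns it; the schema attribute should be marked Sensitive.
func ConvertStructToSchema(c AccessIdentityProviderConfiguration) map[string]interface{} {
	return map[string]interface{}{
		"auth_url": c.AuthURL, "certs_url": c.CertsURL,
		"claims":   flattenStringList(c.Claims),
		"client_id": c.ClientID, "client_secret": c.ClientSecret,
		"redirect_url": c.RedirectURL,
		"scopes":       flattenStringList(c.Scopes),
		"token_url":    c.TokenURL,
	}
}

func main() {
	idp, err := ParseIdentityProvider([]byte(sampleAPIResponse))
	if err != nil {
		panic(err)
	}
	back := ConvertSchemaToStruct(ConvertStructToSchema(idp.Config))
	body, _ := json.Marshal(back)
	fmt.Println(idp.Config.Claims, string(body))
}
```

Keeping the field a `[]string` with `omitempty` means a configuration without `claims` sends no `claims` key at all, rather than an empty array, so existing providers that never set the attribute produce the same request body as before the field was added.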
This seems to be resolved in https://github.com/cloudflare/cloudflare-go/pull/1237, which seems slated for v0.64.0.