#
# Sample Userplex configuration file
#
# Configuration for using Mozilla's Person API
# https://github.com/mozilla-iam/cis/blob/master/docs/PersonAPI.md
person:
  # Credentials of the client that calls the Person API; both values
  # here are placeholders and must be replaced before use.
  person_client_id: 'client_id'
  person_client_secret: 'client_secret'
  # Person API endpoint, and the Auth0 URL the client authenticates
  # against (presumably to obtain a token; confirm against the CIS
  # PersonAPI docs linked above).
  person_base_url: 'https://person_url.com'
  person_auth0_url: 'https://auth0.com'
# Configuration for sending notifications. Will only be used
# if the module block has `notify_new_users` set to `true`.
notifications:
  email:
    # Your SMTP relay may require authentication (AWS SES does), so make
    # sure the parameters below name an authorized sender.
    host: 'email-smtp.us-east-1.amazonaws.com'
    port: 587
    from: 'myauthorizedsender@example.net'
    cc: 'bob.kelso@gmail.com'
    replyto: 'Something <something@example.com>'
    auth:
      # SMTP credentials are stored in clear text here, so keep this
      # file readable only by the account that runs userplex.
      user: 'AKIAI3TZL'
      pass: 'AoXAy......'
# AWS Module configuration section.
#
# You may have multiple AWS accounts configured and all will
# be operated on. The way to give different permissions based
# on the account is to use the `group_mapping` to give
# different ldap groups different AWS groups. Also, if `group_mapping`
# has no `default` entry, a user without a matching group is
# simply ignored.
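aws:
  - account_name: "myawsaccount"
    # When true, the `notifications` block above is used for new users.
    notify_new_users: true
    # Usernames this module does not process (inferred from the key
    # name; confirm against the module code).
    ignore_usernames:
      - legacy_user
    credentials:
      # If blank, the default AWS credential flow is used instead.
      # Express "blank" as "" rather than a bare `access_key:` — the
      # bare form parses as null, and whether the loader treats null
      # as blank is not documented here.
      # Both values are quoted so that a key made only of digits, or
      # one starting with a YAML indicator character, is still read as
      # a string rather than retyped by the parser.
      access_key: "AKIAnnnn"
      secret_key: "XXXXXXX"
    # Used to translate LDAP usernames into "local usernames", which
    # are used as the username in AWS (or whichever module they are
    # present in).
    username_map:
      - ldap_username: bkelso
        local_username: bob
      - ldap_username: tanderson
        local_username: neo
    # Each LDAP group lists the IAM groups its members are placed in.
    # The entry with `default: true` applies to users matching none of
    # the listed groups; without such an entry those users are ignored.
    group_mapping:
      - ldap_group: "sysadmins"
        iam_groups:
          - ldapmanaged
          - admin
      - ldap_group: "developers"
        iam_groups:
          - ldapmanaged
          - dev_only
      - default: true
        iam_groups:
          - ldapmanaged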
# Authorized Keys Module configuration section.
#
# As with the AWS Module section, you can have multiple
# authorized-keys paths configured. The core
# configuration here is the list of allowed `ldap_groups`
# and how the `path` is set up. You can use `{username}`
# or `{env:<ENV_VAR>}` within the path.
authorized_keys:
  - name: 'all_authorizedkeys'
    # Used to translate LDAP usernames into "local usernames", which
    # are used as the username in authorized keys (or whichever module
    # they are present in).
    username_map:
      - ldap_username: 'bkelso'
        local_username: 'bob'
      - ldap_username: 'tanderson'
        local_username: 'neo'
    # Members of any of these LDAP groups get a key file at `path`.
    ldap_groups:
      - 'sysadmins'
      - 'developers'
      - 'devssh'
    # {username} is replaced with the primary username of the user
    # being created.
    path: '/data/puppet/modules/users/files/{username}/.ssh/authorized_keys'
    # {env:ROOT_DIR} would be replaced with the env var $ROOT_DIR:
    # path: '/data/puppet/modules/users/files/{env:ROOT_DIR}/.ssh/authorized_keys'
  - name: 'root_authorizedkeys'
    # Only sysadmins are written to the root account's key file.
    ldap_groups:
      - 'sysadmins'
    # Used to translate LDAP usernames into "local usernames", which
    # are used as the username in authorized keys (or whichever module
    # they are present in).
    username_map:
      - ldap_username: 'tanderson'
        local_username: 'neo'
    path: '/data/puppet/modules/users/files/root/.ssh/authorized_keys'