Creates a SCIM Bridge to enable 1Password SSO w/Okta and other SSO providers. Based on the 1Password SCIM Examples, but packaged as a ready-to-use module with some security-related improvements.
| Name | Version |
|---|---|
| terraform | >= 0.12.19 |
| aws | >= 2.65 |
| template | >= 2.1 |
| Name | Version |
|---|---|
| aws | >= 2.65 |
| template | >= 2.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_log_bucket | Bucket name to route ELB access logs to | string |
n/a | yes |
| access_log_prefix | Bucket prefix to route ELB access logs to | string |
n/a | yes |
| certificate_arn | ARN of ACM Certificate to use for ELB | string |
n/a | yes |
| private_subnets | Private subnets to associate SCIM instances with (specify 1 or more) | list(string) |
n/a | yes |
| public_subnets | Public subnets to associate ELB with (specify at least 2) | list(string) |
n/a | yes |
| route53_zone_id | Zone ID to register Route53 entry in | string |
n/a | yes |
| scim_host_name | Fully qualified host name (e.g., prod-1password-scim.mycompany.io) | string |
n/a | yes |
| scim_secret_name | Friendly name of manually created secret | string |
n/a | yes |
| vpc_id | VPC ID | string |
n/a | yes |
| ami_id | AMI to build on (must be Ubuntu, ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-* used if this is null) |
string |
null |
no |
| asg_additional_iam_policies | Additional IAM policies to attach to the ASG instance profile | list(string) |
[] |
no |
| asg_additional_security_groups | Additional security group IDs to attach to ASG instances | list(string) |
[] |
no |
| asg_additional_user_data | Additional User Data to attach to the launch template | string |
"" |
no |
| asg_allow_outbound_egress | whether or not the default SG should allow outbound egress | bool |
true |
no |
| asg_desired_capacity | The number of Amazon EC2 instances that should be running in the group. | number |
1 |
no |
| asg_instance_type | Instance type for scim app | string |
"t3a.micro" |
no |
| asg_keypair | Optional keypair to associate with instances | string |
null |
no |
| asg_max_size | Maximum number of instances in the autoscaling group | number |
2 |
no |
| asg_min_size | Minimum number of instances in the autoscaling group | number |
1 |
no |
| elb_allowed_cidrs | List of CIDRs that can reach the ELB (must be reachable by the SSO provider) | list(string) |
[ |
no |
| name | Name of this deployment (e.g., prod-1password-scim) | string |
"1password-scim" |
no |
| scim_cache_dns_name | Redis cache DNS name (this changes the port SCIM tries to reach redis on but does not change the address redis listens on) | string |
"localhost" |
no |
| scim_cache_port | Redis cache port (this changes the port SCIM tries to reach redis on but does not change the port redis listens on) | string |
"6379" |
no |
| scim_group | unprivileged group to run op-scim service | string |
"nogroup" |
no |
| scim_path | op-scim working directory path (e.g: /var/lib/op-scim) | string |
"/var/lib/op-scim" |
no |
| scim_port | Port SCIM should listen on | number |
3002 |
no |
| scim_repo | Repo/package to pull op-scim from |
string |
"deb https://apt.agilebits.com/op-scim/ stable op-scim" |
no |
| scim_session_path | op-scim scimsession file path (e.g: /var/lib/op-scim/.op/scimsession) | string |
"/var/lib/op-scim/.op/scimsession" |
no |
| scim_user | unprivileged user to run op-scim service | string |
"op-scim" |
no |
| tags | Tags to add to supported resources | map(string) |
{} |
no |
No output.