
Configuring VCF Automation (VCFA) Organization Portal OIDC IdP using Terraform Provider for VCFA

10.28.2025 by William Lam

I recently demonstrated how to automate the configuration of the VCF Automation (VCFA) Provider Portal using the new Terraform Provider for VCFA. You can also use the same provider to configure your VCFA Organization Portals.

In this blog post, I will use the Terraform Provider for VCFA (TF4VCFA) to configure a specific VCFA Organization Portal with an External Identity Provider (IdP), which can be super helpful if you need to manage a separate IdP for each VCFA Organization. The current release of TF4VCFA only supports configuring an OIDC or LDAP resource, while VCFA itself supports OIDC, LDAP and SAML IdPs.

Since I use Keycloak as my IdP of choice, I will be demonstrating how to set up the OIDC IdP within VCFA.

Step 1 - Clone the TF4VCFA repo and change into the tenant example directory

git clone https://github.com/vmware/terraform-provider-vcfa.git
cd terraform-provider-vcfa/examples/greenfield/tenant

Step 2 - The directory includes a number of sample manifests demonstrating how to use each resource type. Move anything that does NOT end with _variables.tf to another folder, since Terraform will attempt to apply all of those examples if they remain in the current working directory.

Download my sample manifests:

  • vcfa-tenant-example-main.tf
  • vcfa-tenant-example-terraform.tfvars
  • vcfa-tenant-example-william_custom_variables.tf

and store them in the current working directory.

The main.tf defines the various VCFA resources that must be created and/or fetched, with comments so users can understand what each block is doing. The custom_variables.tf is my own custom variables manifest that makes it easier to describe my VCFA configuration for use with TF4VCFA; it is referenced at the bottom of the terraform.tfvars file, so you know which variables come from where.

Step 3 - You only need to modify terraform.tfvars to match your VCFA deployment and the desired VCFA Organization Portal that you wish to configure. From the custom variables, the minimal input you need to populate is oidc_client_id, oidc_client_secret and oidc_client_well_known_url. Treat oidc_client_secret like any other credential: keep it out of version control (for example in a .tfvars file that git ignores, or via the TF_VAR_oidc_client_secret environment variable) rather than committing it alongside the manifests.

After running terraform plan, if everything looks good, you can then run terraform apply to set up the OIDC configuration.


If we log in to the VCFA Organization Portal and navigate to Connections->Identity Providers, we should see that our OIDC configuration has been applied.


Step 4 - Before we open an incognito browser to log in to our VCFA Organization Portal, we need to assign permissions to a user from our IdP. As of right now, this functionality is not included in TF4VCFA and must be performed manually using the VCFA Portal or API.


TF4VCFA makes it super trivial to set up an OIDC IdP, but when I first got started I thought more inputs were required, such as the public keys you would find if you configure the IdP manually in the VCFA UI.


The TF4VCFA documentation did not make clear what these public keys were. When using the VCFA UI to configure the OIDC IdP, you have a choice of using the auto-generated keys or providing your own, so I took an example and asked ChatGPT 🙂

It turns out these are JSON Web Key Set (JWKS) keys, and once generated, the Key ID is the base64url-encoded SHA-256 of the public key ... never would have guessed that by looking at the documentation! 😅

If you wish to provide your own keys, you can run the following snippet:

# Generate JWKS Public Key 1
openssl genpkey -algorithm RSA -out rsa-key1.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa-key1.pem -pubout -out rsa-key1.pub.pem

# Generate JWKS Public Key 2
openssl genpkey -algorithm RSA -out rsa-key2.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa-key2.pem -pubout -out rsa-key2.pub.pem

# Generate SHA256 hash of Public Key 1
openssl pkey -in rsa-key1.pub.pem -pubin -outform DER | \
  openssl dgst -binary -sha256 | \
  openssl base64 | tr '+/' '-_' | tr -d '=' > kid1.txt

# Generate SHA256 hash of Public Key 2
openssl pkey -in rsa-key2.pub.pem -pubin -outform DER | \
  openssl dgst -binary -sha256 | \
  openssl base64 | tr '+/' '-_' | tr -d '=' > kid2.txt

This will output the two public keys rsa-key1.pub.pem and rsa-key2.pub.pem along with the key IDs for each (kid1.txt and kid2.txt).

Place the public keys in the directory of the Terraform manifest files and then edit vcfa-tenant-example-terraform.tfvars (L20-L24) and vcfa-tenant-example-main.tf (L45-L56) to make use of your own JWKS keys.
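To make the Key ID derivation concrete, here is an added Go example (not part of the original post, and not code from the VCFA provider) that turns the PEM public keys the snippet produces into a standard JWKS document (RFC 7517 / RFC 7518 RSA members kty, n, e, kid), deriving each kid exactly the way kidN.txt is derived: SHA-256 over the DER-encoded SubjectPublicKeyInfo, then base64url without padding. It assumes VCFA accepts a standard JWKS document; the use="sig" and alg="RS256" members are assumptions of mine, not taken from the post. GeneratePublicPEM is a stand-in for reading rsa-keyN.pub.pem from disk so the program runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// JWK is one RSA public key in JSON Web Key form (RFC 7517 / RFC 7518).
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"` // "sig" is an assumption, not from the post
	Alg string `json:"alg"` // "RS256" is an assumption, not from the post
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is a JSON Web Key Set: a list of keys under the "keys" member.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// KeyID mirrors the openssl pipeline in the post: SHA-256 over the DER
// SubjectPublicKeyInfo, base64url alphabet ('+' -> '-', '/' -> '_'), no '='.
func KeyID(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// b64uint encodes an unsigned big-endian integer as base64url (RFC 7518 n/e form).
func b64uint(i *big.Int) string {
	return base64.RawURLEncoding.EncodeToString(i.Bytes())
}

// JWKFromPublicPEM converts a "-----BEGIN PUBLIC KEY-----" file such as
// rsa-key1.pub.pem into a JWK whose kid matches what kid1.txt would hold.
func JWKFromPublicPEM(pemBytes []byte) (JWK, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return JWK{}, errors.New("expected a PEM PUBLIC KEY (SubjectPublicKeyInfo) block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return JWK{}, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return JWK{}, errors.New("not an RSA public key")
	}
	return JWK{
		Kty: "RSA",
		Use: "sig",
		Alg: "RS256",
		Kid: KeyID(block.Bytes), // block.Bytes is the same DER that `openssl pkey -outform DER` emits
		N:   b64uint(rsaPub.N),
		E:   b64uint(big.NewInt(int64(rsaPub.E))),
	}, nil
}

// BuildJWKS assembles a key set from any number of public-key PEM files.
func BuildJWKS(pems ...[]byte) (JWKS, error) {
	var set JWKS
	for _, p := range pems {
		k, err := JWKFromPublicPEM(p)
		if err != nil {
			return JWKS{}, err
		}
		set.Keys = append(set.Keys, k)
	}
	return set, nil
}

// GeneratePublicPEM creates a fresh 2048-bit RSA key pair and returns the public
// half in the same PEM form as `openssl pkey -pubout` (stand-in for reading the files).
func GeneratePublicPEM() ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	pub1, err := GeneratePublicPEM()
	if err != nil {
		panic(err)
	}
	pub2, err := GeneratePublicPEM()
	if err != nil {
		panic(err)
	}
	set, err := BuildJWKS(pub1, pub2)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(set, "", "  ")
	fmt.Println(string(out))
}
```

To use it against the files from the snippet, replace the two GeneratePublicPEM calls with os.ReadFile("rsa-key1.pub.pem") and os.ReadFile("rsa-key2.pub.pem"); the kid values in the resulting document should then match kid1.txt and kid2.txt byte for byte, which is a quick consistency check before pasting the keys into the UI or the manifests.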

Here is an example screenshot when providing your own custom JWKS keys:
