search

Deploy Instance Configuration

hashtag
Application Scenario

Identity Center is a unified identity management service provided by Huawei Cloud, supporting unified identity authentication and authorization management across clouds and applications. By configuring Identity Center instance SSO configuration, you can set security policies such as Multi-Factor Authentication (MFA) mode, allowed MFA types, no MFA sign-in behavior, no password sign-in behavior, maximum authentication age, etc., improving the security and flexibility of identity authentication. This best practice will introduce how to use Terraform to automatically deploy Identity Center instance configuration, including querying or creating Identity Center instances, registering regions (optional), and configuring SSO configuration.

hashtag
Related Resources/Data Sources

This best practice involves the following main resources and data sources:

hashtag
Data Sources

hashtag
Resources

hashtag
Resource/Data Source Dependencies

huaweicloud_identitycenter_registered_region
    └── huaweicloud_identitycenter_instance
        └── huaweicloud_identitycenter_sso_configuration

data.huaweicloud_identitycenter_instance
    └── huaweicloud_identitycenter_sso_configuration

Note: Identity Center SSO configuration resource depends on Identity Center instance. If the instance does not exist, you need to create the instance first; if the instance already exists, you can query instance information through data source. When creating an instance, if you need to use it in a specific region, you may need to register the region first.

hashtag
Operation Steps

hashtag
1. Script Preparation

Prepare the TF file (e.g., main.tf) in the specified workspace for writing the current best practice script, ensuring that it (or other TF files in the same directory) contains the provider version declaration and Huawei Cloud authentication information required for deploying resources. Refer to the "Preparation Before Deploying Huawei Cloud Resources" document for configuration introduction.

hashtag
2. Query Identity Center Instance Data Source (Optional)

Add the following script to the TF file (e.g., main.tf) to query Identity Center instance information (when the instance already exists):

Parameter Description:

  • count: The number of data source creations, used to control whether to execute Identity Center instance query data source, only creates the data source (i.e., executes Identity Center instance query) when var.is_instance_create is false

hashtag
3. Create Identity Center Registered Region Resource (Optional)

Add the following script to the TF file (e.g., main.tf) to register region (when instance needs to be created and region needs to be registered):

Parameter Description:

  • count: Number of resource creations, used to control whether to create registered region resource, only creates when instance needs to be created and region needs to be registered

  • region_id: Region ID, assigned by referencing input variable region_name

hashtag
4. Create Identity Center Instance Resource (Optional)

Add the following script to the TF file (e.g., main.tf) to create Identity Center instance (when the instance does not exist):

Parameter Description:

  • count: Number of resource creations, used to control whether to create Identity Center instance resource, only creates when var.is_instance_create is true

  • depends_on: Explicit dependency relationship, ensuring instance is created after registered region resource is created

  • alias: Instance alias, assigned by referencing input variable instance_store_id_alias, optional parameter, default value is null

hashtag
5. Create Identity Center SSO Configuration Resource

Add the following script to the TF file (e.g., main.tf) to create Identity Center SSO configuration:

Parameter Description:

  • instance_id: Instance ID, assigned by referencing Identity Center instance resource or data source

  • configuration_type: Configuration type, assigned by referencing input variable configuration_type, default value is "APP_AUTHENTICATION_CONFIGURATION"

  • mfa_mode: MFA mode, assigned by referencing input variable configuration_mfa_mode, optional values are "ALWAYS_ON" (always on), "CONTEXT_AWARE" (context-aware), "DISABLED" (disabled), optional parameter, default value is null

  • allowed_mfa_types: Allowed MFA types list, assigned by referencing input variable configuration_allowed_mfa_types, optional values are "TOTP" (Time-based One-Time Password), "WEBAUTHN_SECURITY_KEY" (WebAuthn security key), optional parameter, default value is null

  • no_mfa_signin_behavior: No MFA sign-in behavior, assigned by referencing input variable configuration_no_mfa_signin_behavior, optional values are "ALLOWED_WITH_ENROLLMENT" (allowed but requires enrollment), "ALLOWED" (allowed), "EMAIL_OTP" (email OTP), "BLOCKED" (blocked), optional parameter, default value is null

  • no_password_signin_behavior: No password sign-in behavior, assigned by referencing input variable configuration_no_password_signin_behavior, optional value is "BLOCKED" (blocked), optional parameter, default value is null

  • max_authentication_age: Maximum authentication age, assigned by referencing input variable configuration_max_authentication_age, uses ISO 8601 duration format (e.g., "PT12H" represents 12 hours), optional parameter, default value is null

Note: Identity Center SSO configuration depends on Identity Center instance. If the instance does not exist, you need to create the instance first; if the instance already exists, you can query instance information through data source. Parameters such as MFA mode, allowed MFA types, no MFA sign-in behavior, etc., need to be configured reasonably according to actual security requirements. It is recommended to follow the principle of least privilege and improve the security of identity authentication.

hashtag
6. Preset Input Parameters Required for Resource Deployment (Optional)

In this practice, some resources and data sources use input variables to assign configuration content. These input parameters need to be manually entered during subsequent deployment. At the same time, Terraform provides a method to preset these configurations through tfvars files, which can avoid repeated input during each execution.

Create a terraform.tfvars file in the working directory with the following example content:

Usage:

  1. Save the above content as a terraform.tfvars file in the working directory (this filename allows users to automatically import the content of this tfvars file when executing terraform commands. For other naming, you need to add .auto before tfvars, such as variables.auto.tfvars)

  2. Modify parameter values according to actual needs, especially:

    • is_instance_create can be set to true to create instance, or set to false to use existing instance

    • is_region_need_register can be set to true to register region, or set to false to not register region

    • instance_store_id_alias can be set to instance alias, optional parameter

    • configuration_type can be set to configuration type, default value is "APP_AUTHENTICATION_CONFIGURATION"

    • configuration_mfa_mode can be set to MFA mode, recommended to set to "CONTEXT_AWARE" or "ALWAYS_ON" to improve security

    • configuration_allowed_mfa_types can be set to allowed MFA types list, recommended to include "TOTP" or "WEBAUTHN_SECURITY_KEY"

    • configuration_no_mfa_signin_behavior can be set to no MFA sign-in behavior, recommended to set to "ALLOWED_WITH_ENROLLMENT" or "BLOCKED"

    • configuration_no_password_signin_behavior can be set to no password sign-in behavior, recommended to set to "BLOCKED" to improve security

    • configuration_max_authentication_age can be set to maximum authentication age, uses ISO 8601 duration format

  3. When executing terraform plan or terraform apply, Terraform will automatically read the variable values in this file

In addition to using the terraform.tfvars file, you can also set variable values in the following ways:

  1. Command line parameters: terraform apply -var="configuration_mfa_mode=ALWAYS_ON" -var='configuration_allowed_mfa_types=["TOTP"]'

  2. Environment variables: export TF_VAR_configuration_mfa_mode=ALWAYS_ON and export TF_VAR_configuration_allowed_mfa_types='["TOTP"]'

  3. Custom named variable file: terraform apply -var-file="custom.tfvars"

Note: If the same variable is set through multiple methods, Terraform will use variable values according to the following priority: command line parameters > variable file > environment variables > default values. Identity Center SSO configuration depends on Identity Center instance. Please ensure the instance exists or is configured to be created. Parameters such as MFA mode, allowed MFA types, no MFA sign-in behavior, etc., need to be configured reasonably according to actual security requirements.

hashtag
7. Initialize and Apply Terraform Configuration

After completing the above script configuration, execute the following steps to create Identity Center instance configuration:

  1. Run terraform init to initialize the environment

  2. Run terraform plan to view the resource creation plan

  3. After confirming that the resource plan is correct, run terraform apply to start creating Identity Center instance (if needed) and SSO configuration

  4. Run terraform show to view the details of the created Identity Center SSO configuration

Note: Before creating Identity Center SSO configuration, ensure that Identity Center instance exists. If the instance does not exist, you need to create the instance first. When creating an instance, if you need to use it in a specific region, you may need to register the region first. It is recommended to confirm the status of Identity Center instance before creating SSO configuration and configure parameters such as MFA mode, allowed MFA types, no MFA sign-in behavior, etc., reasonably according to actual security requirements.

hashtag
Reference Information

PreviousDeploy GroupNextDeploy Password Policy

Last updated