[buddy] Add saml_idp_service_provider resource support to the terraform provider

docs/pages/reference/terraform-provider/data-sources/data-sources.mdx

@@ -29,6 +29,7 @@ The Teleport Terraform provider supports the following data-sources:
   - [`teleport_provision_token`](./provision_token.mdx)
   - [`teleport_role`](./role.mdx)
   - [`teleport_saml_connector`](./saml_connector.mdx)
+  - [`teleport_saml_idp_service_provider`](./saml_idp_service_provider.mdx)
   - [`teleport_session_recording_config`](./session_recording_config.mdx)
   - [`teleport_static_host_user`](./static_host_user.mdx)
   - [`teleport_trusted_cluster`](./trusted_cluster.mdx)

docs/pages/reference/terraform-provider/data-sources/saml_idp_service_provider.mdx

@@ -0,0 +1,60 @@
+---
+title: Reference for the teleport_saml_idp_service_provider Terraform data-source
+sidebar_label: saml_idp_service_provider
+description: This page describes the supported values of the teleport_saml_idp_service_provider data-source of the Teleport Terraform provider.
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}
+
+
+
+
+
+{/*  schema generated by tfplugindocs */}
+## Schema
+
+### Required
+
+- `spec` (Attributes) Spec is the SAML IdP service provider spec. (see [below for nested schema](#nested-schema-for-spec))
+- `version` (String) Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: `v1`
+
+### Optional
+
+- `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata))
+- `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources
+
+### Nested Schema for `spec`
+
+Optional:
+
+- `acs_url` (String) ACSURL is the endpoint where SAML authentication response will be redirected.
+- `attribute_mapping` (Attributes List) AttributeMapping is used to map service provider requested attributes to username, role and traits in Teleport. (see [below for nested schema](#nested-schema-for-specattribute_mapping))
+- `entity_descriptor` (String) EntityDescriptor is the entity descriptor for the service provider
+- `entity_id` (String) EntityID is the entity ID for the entity descriptor. If entity descriptor is provided, this value is checked that it matches the entity ID in the entity descriptor at upsert time to avoid having to parse the XML blob in the entity descriptor every time we need to use this resource.
+- `launch_urls` (List of String) LaunchURLs is used to configure custom landing URLs for service provider. It is useful in the following scenarios: 1. If a service provider does not support IdP initiated authentication, launch url can be configured to launch users directly into the service provider authentication endpoint. 2. If a service provider does support IdP initiated authentication, it can be useful if that service provider acts as a master authentication service provider for internal services. In such case, Teleport administrator can configure launch URL, that lets user pick a specific internal service URL from the Log In tile in the UI, which would take them to that particular service for authentication instead of directly launching to the master service provider. Each launch URL value must be an HTTPs endpoint.
+- `preset` (String) Preset is used to define service provider profile that will have a custom behavior processed by Teleport.
+- `relay_state` (String) RelayState is used to add custom value in the SAML response as a relay_state HTTP parameter. The value can contain service provider specific redirect URL, static state token etc. The value is only applied in the IdP initiated SSO flow.
+
+### Nested Schema for `spec.attribute_mapping`
+
+Optional:
+
+- `name` (String) name is an attribute name.
+- `name_format` (String) name_format is an attribute name format.
+- `value` (String) value is an attribute value definable with predicate expression.
+
+
+
+### Nested Schema for `metadata`
+
+Required:
+
+- `name` (String) Name is an object name
+
+Optional:
+
+- `description` (String) Description is object description
+- `expires` (String) Expires is a global expiry time header can be set on any resource in the system.
+- `labels` (Map of String) Labels is a set of labels
+

docs/pages/reference/terraform-provider/resources/resources.mdx

@@ -30,6 +30,7 @@ The Teleport Terraform provider supports the following resources:
   - [`teleport_provision_token`](./provision_token.mdx)
   - [`teleport_role`](./role.mdx)
   - [`teleport_saml_connector`](./saml_connector.mdx)
+  - [`teleport_saml_idp_service_provider`](./saml_idp_service_provider.mdx)
   - [`teleport_server`](./server.mdx)
   - [`teleport_session_recording_config`](./session_recording_config.mdx)
   - [`teleport_static_host_user`](./static_host_user.mdx)

docs/pages/reference/terraform-provider/resources/saml_idp_service_provider.mdx

@@ -0,0 +1,79 @@
+---
+title: Reference for the teleport_saml_idp_service_provider Terraform resource
+sidebar_label: saml_idp_service_provider
+description: This page describes the supported values of the teleport_saml_idp_service_provider resource of the Teleport Terraform provider.
+---
+
+{/*Auto-generated file. Do not edit.*/}
+{/*To regenerate, navigate to integrations/terraform and run `make docs`.*/}
+
+
+
+## Example Usage
+
+```hcl
+# Teleport SAML IdP Service Provider
+#
+# Please note that the SAML IdP Service Provider will work in Teleport Enterprise only.
+
+resource "teleport_saml_idp_service_provider" "example" {
+  version = "v1"
+
+  metadata = {
+    name = "iamshowcase"
+  }
+
+  spec = {
+    entity_id = "iamshowcase"
+    acs_url   = "https://sptest.iamshowcase.com/acs"
+  }
+}
+```
+
+{/*  schema generated by tfplugindocs */}
+## Schema
+
+### Required
+
+- `spec` (Attributes) Spec is the SAML IdP service provider spec. (see [below for nested schema](#nested-schema-for-spec))
+- `version` (String) Version is the API version used to create the resource. It must be specified. Based on this version, Teleport will apply different defaults on resource creation or deletion. It must be an integer prefixed by "v". For example: `v1`
+
+### Optional
+
+- `metadata` (Attributes) Metadata is resource metadata (see [below for nested schema](#nested-schema-for-metadata))
+- `sub_kind` (String) SubKind is an optional resource sub kind, used in some resources
+
+### Nested Schema for `spec`
+
+Optional:
+
+- `acs_url` (String) ACSURL is the endpoint where SAML authentication response will be redirected.
+- `attribute_mapping` (Attributes List) AttributeMapping is used to map service provider requested attributes to username, role and traits in Teleport. (see [below for nested schema](#nested-schema-for-specattribute_mapping))
+- `entity_descriptor` (String) EntityDescriptor is the entity descriptor for the service provider
+- `entity_id` (String) EntityID is the entity ID for the entity descriptor. If entity descriptor is provided, this value is checked that it matches the entity ID in the entity descriptor at upsert time to avoid having to parse the XML blob in the entity descriptor every time we need to use this resource.
+- `launch_urls` (List of String) LaunchURLs is used to configure custom landing URLs for service provider. It is useful in the following scenarios: 1. If a service provider does not support IdP initiated authentication, launch url can be configured to launch users directly into the service provider authentication endpoint. 2. If a service provider does support IdP initiated authentication, it can be useful if that service provider acts as a master authentication service provider for internal services. In such case, Teleport administrator can configure launch URL, that lets user pick a specific internal service URL from the Log In tile in the UI, which would take them to that particular service for authentication instead of directly launching to the master service provider. Each launch URL value must be an HTTPs endpoint.
+- `preset` (String) Preset is used to define service provider profile that will have a custom behavior processed by Teleport.
+- `relay_state` (String) RelayState is used to add custom value in the SAML response as a relay_state HTTP parameter. The value can contain service provider specific redirect URL, static state token etc. The value is only applied in the IdP initiated SSO flow.
+
+### Nested Schema for `spec.attribute_mapping`
+
+Optional:
+
+- `name` (String) name is an attribute name.
+- `name_format` (String) name_format is an attribute name format.
+- `value` (String) value is an attribute value definable with predicate expression.
+
+
+
+### Nested Schema for `metadata`
+
+Required:
+
+- `name` (String) Name is an object name
+
+Optional:
+
+- `description` (String) Description is object description
+- `expires` (String) Expires is a global expiry time header can be set on any resource in the system.
+- `labels` (Map of String) Labels is a set of labels
+

integrations/terraform/examples/resources/teleport_saml_idp_service_provider/resource.tf

@@ -0,0 +1,16 @@
+# Teleport SAML IdP Service Provider
+#
+# Please note that the SAML IdP Service Provider will work in Teleport Enterprise only.
+
+resource "teleport_saml_idp_service_provider" "example" {
+  version = "v1"
+
+  metadata = {
+    name = "iamshowcase"
+  }
+
+  spec = {
+    entity_id = "iamshowcase"
+    acs_url   = "https://sptest.iamshowcase.com/acs"
+  }
+}

integrations/terraform/gen/main.go

@@ -275,6 +275,21 @@ var (
 		HasCheckAndSetDefaults: true,
 	}
 
+	samlIdpServiceProvider = payload{
+		Name:                   "SAMLIdPServiceProvider",
+		TypeName:               "SAMLIdPServiceProviderV1",
+		VarName:                "samlIdpServiceProvider",
+		GetMethod:              "GetSAMLIdPServiceProvider",
+		CreateMethod:           "CreateSAMLIdPServiceProvider",
+		UpdateMethod:           "UpdateSAMLIdPServiceProvider",
+		DeleteMethod:           "DeleteSAMLIdPServiceProvider",
+		ID:                     "samlIdpServiceProvider.Metadata.Name",
+		Kind:                   "saml",
+		HasStaticID:            false,
+		TerraformResourceType:  "teleport_saml_idp_service_provider",
+		HasCheckAndSetDefaults: true,
+	}
+
 	provisionToken = payload{
 		Name:                   "ProvisionToken",
 		TypeName:               "ProvisionTokenV2",
@@ -569,6 +584,8 @@ func genTFSchema() {
 	generateDataSource(oidcConnector, pluralDataSource)
 	generateResource(samlConnector, pluralResource)
 	generateDataSource(samlConnector, pluralDataSource)
+	generateResource(samlIdpServiceProvider, pluralResource)
+	generateDataSource(samlIdpServiceProvider, pluralDataSource)
 	generateResource(provisionToken, pluralResource)
 	generateDataSource(provisionToken, pluralDataSource)
 	generateResource(role, pluralResource)

integrations/terraform/protoc-gen-terraform-teleport.yaml

@@ -16,6 +16,7 @@ types:
     - "OktaImportRuleV1"
     - "RoleV6"
     - "SAMLConnectorV2"
+    - "SAMLIdPServiceProviderV1"
     - "ServerV2"
     - "SessionRecordingConfigV2"
     - "TrustedClusterV2"
@@ -96,6 +97,13 @@ injected_fields:
       computed: true
       plan_modifiers:
         - "github.com/hashicorp/terraform-plugin-framework/tfsdk.UseStateForUnknown()"
+  SAMLIdPServiceProviderV1:
+    -
+      name: id
+      type: github.com/hashicorp/terraform-plugin-framework/types.StringType
+      computed: true
+      plan_modifiers:
+        - "github.com/hashicorp/terraform-plugin-framework/tfsdk.UseStateForUnknown()"
   ServerV2:
     -
       name: id
@@ -255,6 +263,11 @@ computed_fields:
     - "SAMLConnectorV2.Spec.EncryptionKeyPair.Cert"
     - "SAMLConnectorV2.Kind"
 
+    # SAML IdP Service Provider
+    - "SAMLIdPServiceProviderV1.Kind"
+    - "SAMLConnectorV2.Spec.EntityDescriptor"
+    - "SAMLConnectorV2.Spec.EntityId"
+
     # Server
     - "ServerV2.Kind"
     # Name is not required for servers, this is a special case.
@@ -331,6 +344,11 @@ required_fields:
     - "SAMLConnectorV2.Metadata.Name"
     - "SAMLConnectorV2.Version"
 
+    # SAML IdP Service Provider
+    - "SAMLIdPServiceProviderV1.Spec"
+    - "SAMLIdPServiceProviderV1.Metadata.Name"
+    - "SAMLIdPServiceProviderV1.Version"
+
     # Server
     - "ServerV2.Version"
     - "ServerV2.SubKind"
@@ -416,6 +434,10 @@ validators:
     - UseVersionBetween(2,2)
   SAMLConnectorV2.Spec:
     - UseAnyOfValidator("entity_descriptor", "entity_descriptor_url")
+  SAMLIdPServiceProviderV1.Version:
+    - UseVersionBetween(1,1)
+  SAMLIdPServiceProviderV1.Spec:
+    - UseAnyOfValidator("entity_descriptor", "entity_id")
   ServerV2.Version:
     - UseVersionBetween(2,2)
   ServerV2.SubKind:

integrations/terraform/provider/provider.go

@@ -505,6 +505,7 @@ func (p *Provider) GetResources(_ context.Context) (map[string]tfsdk.ResourceTyp
 		"teleport_oidc_connector":             resourceTeleportOIDCConnectorType{},
 		"teleport_role":                       resourceTeleportRoleType{},
 		"teleport_saml_connector":             resourceTeleportSAMLConnectorType{},
+		"teleport_saml_idp_service_provider":  resourceTeleportSAMLIdPServiceProviderType{},
 		"teleport_session_recording_config":   resourceTeleportSessionRecordingConfigType{},
 		"teleport_trusted_cluster":            resourceTeleportTrustedClusterType{},
 		"teleport_user":                       resourceTeleportUserType{},
@@ -535,6 +536,7 @@ func (p *Provider) GetDataSources(_ context.Context) (map[string]tfsdk.DataSourc
 		"teleport_oidc_connector":             dataSourceTeleportOIDCConnectorType{},
 		"teleport_role":                       dataSourceTeleportRoleType{},
 		"teleport_saml_connector":             dataSourceTeleportSAMLConnectorType{},
+		"teleport_saml_idp_service_provider":  dataSourceTeleportSAMLIdPServiceProviderType{},
 		"teleport_session_recording_config":   dataSourceTeleportSessionRecordingConfigType{},
 		"teleport_trusted_cluster":            dataSourceTeleportTrustedClusterType{},
 		"teleport_user":                       dataSourceTeleportUserType{},