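import * as pulumi from "@pulumi/pulumi";

// NOTE(review): the generic type arguments (`<string>`, `<pulumi.ID>`,
// `<pulumi.Input<string>[]>`, ...) were missing from this listing, which left
// invalid declarations such as `pulumi.Input[]>`. They are reconstructed below
// from the property documentation and the usual shape of generated Pulumi SDK
// typings; confirm against the published @pulumi/tailscale declaration file.

/**
 * The federatedIdentity resource allows you to create federated identities to programmatically interact with the
 * Tailscale API using workload identity federation.
 *
 * The `issuer`, `audience`, `subject` and `customClaimRules` values decide which OIDC identity tokens are accepted
 * in the token exchange, and `scopes` and `tags` decide what the resulting access tokens may do. Keep the match
 * patterns as specific as the workload allows and grant only the scopes and tags it needs.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as tailscale from "@pulumi/tailscale";
 *
 * const exampleFederatedIdentity = new tailscale.FederatedIdentity("example_federated_identity", {
 *     description: "Example federated identity",
 *     scopes: [
 *         "auth_keys",
 *         "devices:core",
 *     ],
 *     tags: ["tag:test"],
 *     issuer: "https://example.com",
 *     subject: "example-sub-*",
 *     customClaimRules: {
 *         repo_name: "example-repo-name",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * The `pulumi import` command can be used, for example:
 *
 * ```sh
 * $ pulumi import tailscale:index/federatedIdentity:FederatedIdentity example k1234511CNTRL-kZDRvszg8621CNTRL
 * ```
 */
export declare class FederatedIdentity extends pulumi.CustomResource {
    /**
     * Get an existing FederatedIdentity resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FederatedIdentityState, opts?: pulumi.CustomResourceOptions): FederatedIdentity;
    /**
     * Returns true if the given object is an instance of FederatedIdentity. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is FederatedIdentity;
    /**
     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is
     * optional as Tailscale will generate a secure audience at creation time by default. It is recommended to let
     * Tailscale generate the audience unless the identity provider you are integrating with requires a specific
     * audience format.
     */
    readonly audience: pulumi.Output<string>;
    /**
     * The creation timestamp of the key in RFC3339 format
     */
    readonly createdAt: pulumi.Output<string>;
    /**
     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token.
     * Patterns can include `*` characters to match against any character. A broad pattern accepts tokens from more
     * workloads, so prefer the most specific value the identity provider allows.
     */
    readonly customClaimRules: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
     */
    // NOTE(review): typed as possibly undefined because the input is optional; confirm.
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable
     * https:// URL.
     */
    readonly issuer: pulumi.Output<string>;
    /**
     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
     * Grant only the scopes the workload needs.
     */
    readonly scopes: pulumi.Output<string[]>;
    /**
     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*`
     * characters to match against any character. A broad pattern accepts tokens from more workloads, so prefer the
     * most specific value the identity provider allows.
     */
    readonly subject: pulumi.Output<string>;
    /**
     * A list of tags that access tokens generated for the federated identity will be able to assign to devices.
     * Mandatory if the scopes include "devices:core" or "auth_keys" (the scope name as spelled in the example above).
     */
    // NOTE(review): typed as possibly undefined because the input is optional; confirm.
    readonly tags: pulumi.Output<string[] | undefined>;
    /**
     * The updated timestamp of the key in RFC3339 format
     */
    readonly updatedAt: pulumi.Output<string>;
    /**
     * ID of the user who created this federated identity, empty for federated identities created by other trust
     * credentials.
     */
    readonly userId: pulumi.Output<string>;
    /**
     * Create a FederatedIdentity resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: FederatedIdentityArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering FederatedIdentity resources.
 */
export interface FederatedIdentityState {
    /**
     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is
     * optional as Tailscale will generate a secure audience at creation time by default. It is recommended to let
     * Tailscale generate the audience unless the identity provider you are integrating with requires a specific
     * audience format.
     */
    audience?: pulumi.Input<string>;
    /**
     * The creation timestamp of the key in RFC3339 format
     */
    createdAt?: pulumi.Input<string>;
    /**
     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token.
     * Patterns can include `*` characters to match against any character.
     */
    customClaimRules?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
     */
    description?: pulumi.Input<string>;
    /**
     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable
     * https:// URL.
     */
    issuer?: pulumi.Input<string>;
    /**
     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
     */
    scopes?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*`
     * characters to match against any character.
     */
    subject?: pulumi.Input<string>;
    /**
     * A list of tags that access tokens generated for the federated identity will be able to assign to devices.
     * Mandatory if the scopes include "devices:core" or "auth_keys".
     */
    tags?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The updated timestamp of the key in RFC3339 format
     */
    updatedAt?: pulumi.Input<string>;
    /**
     * ID of the user who created this federated identity, empty for federated identities created by other trust
     * credentials.
     */
    userId?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a FederatedIdentity resource.
 *
 * `issuer`, `scopes` and `subject` are required; the remaining properties are optional.
 */
export interface FederatedIdentityArgs {
    /**
     * The value used when matching against the `aud` claim from an OIDC identity token. Specifying the audience is
     * optional as Tailscale will generate a secure audience at creation time by default. It is recommended to let
     * Tailscale generate the audience unless the identity provider you are integrating with requires a specific
     * audience format.
     */
    audience?: pulumi.Input<string>;
    /**
     * A map of claim names to pattern strings used to match against arbitrary claims in the OIDC identity token.
     * Patterns can include `*` characters to match against any character. A broad pattern accepts tokens from more
     * workloads, so prefer the most specific value the identity provider allows.
     */
    customClaimRules?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A description of the federated identity consisting of alphanumeric characters. Defaults to `""`.
     */
    description?: pulumi.Input<string>;
    /**
     * The issuer of the OIDC identity token used in the token exchange. Must be a valid and publicly reachable
     * https:// URL.
     */
    issuer: pulumi.Input<string>;
    /**
     * Scopes to grant to the federated identity. See https://tailscale.com/kb/1623/ for a list of available scopes.
     * Grant only the scopes the workload needs.
     */
    scopes: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The pattern used when matching against the `sub` claim from an OIDC identity token. Patterns can include `*`
     * characters to match against any character. A broad pattern accepts tokens from more workloads, so prefer the
     * most specific value the identity provider allows.
     */
    subject: pulumi.Input<string>;
    /**
     * A list of tags that access tokens generated for the federated identity will be able to assign to devices.
     * Mandatory if the scopes include "devices:core" or "auth_keys".
     */
    tags?: pulumi.Input<pulumi.Input<string>[]>;
}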