FlexibleEngineCloud
diff --git a/‎docs/resources/identity_provider.md‎
Lines changed: 154 additions & 0 deletions b/‎docs/resources/identity_provider.md‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎docs/resources/identity_provider_conversion.md‎
Lines changed: 91 additions & 0 deletions b/‎docs/resources/identity_provider_conversion.md‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎flexibleengine/provider.go‎
Lines changed: 2 additions & 0 deletions b/‎flexibleengine/provider.go‎
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,154 @@
+---
+subcategory: "Identity and Access Management (IAM)"
+---
+
+# flexibleengine_identity_provider
+
+Manages the identity providers within FlexibleEngine IAM service.
+
+-> **NOTE:** You can create up to 10 identity providers.
+
+## Example Usage
+
+### Create a SAML protocol provider
+
+```hcl
+resource "flexibleengine_identity_provider" "provider_1" {
+  name     = "saml_idp_demo"
+  protocol = "saml"
+}
+```
+
+### Create a OpenID Connect protocol provider
+
+```hcl
+resource "flexibleengine_identity_provider" "provider_2" {
+  name     = "oidc_idp_demo"
+  protocol = "oidc"
+  
+  openid_connect_config {
+    access_type            = "program_console"
+    provider_url           = "https://accounts.example.com"
+    client_id              = "your_client_id"
+    authorization_endpoint = "https://accounts.example.com/o/oauth2/v2/auth"
+    scopes                 = ["openid"]
+    signing_key            = jsonencode(
+    {
+      keys = [
+        {
+          alg = "RS256"
+          e   = "AQAB"
+          kid = "..."
+          kty = "RSA"
+          n   = "..."
+          use = "sig"
+        },
+      ]
+    }
+    )
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required, String, ForceNew) Specifies the name of the identity provider to be registered.
+  The maximum length is 64 characters. Only letters, digits, underscores (_), and hyphens (-) are allowed.
+  The name is unique, it is recommended to include domain name information.
+  Changing this creates a new resource.
+
+* `protocol` - (Required, String, ForceNew) Specifies the protocol of the identity provider.
+  Valid values are *saml* and *oidc*.
+  Changing this creates a new resource.
+
+* `enabled` - (Optional, Bool) Specifies the status for the identity provider. Defaults to true.
+
+* `description` - (Optional, String) Specifies the description of the identity provider.
+
+* `metadata` - (Optional, String) Specifies the metadata of the IDP(Identity Provider) server.
+  To obtain the metadata file of your enterprise IDP, contact the enterprise administrator.
+  This field is used to import a metadata file to IAM to implement federated identity authentication.
+  This field is required only if the protocol is set to *saml*.
+  The maximum length is 30,000 characters and it stores in the state with SHA1 algorithm.
+
+  -> **NOTE:**
+    The metadata file specifies API addresses and certificate information in compliance with the SAML 2.0 standard.
+    It is usually stored in a file. In the TF script, you can import the metafile through the **file** function,
+    for example:
+    <br/>`metadata = file("/usr/local/data/files/metadata.txt")`
+
+* `openid_connect_config` - (Optional, List) Specifies the description of the identity provider.
+  This field is required only if the protocol is set to *oidc*.
+
+The `openid_connect_config` block supports:
+
+* `access_type` - (Required, String) Specifies the access type of the identity provider.
+  Available options are:
+  + `program`: programmatic access only.
+  + `program_console`: programmatic access and management console access.
+
+* `provider_url` - (Required, String) Specifies the URL of the identity provider.
+  This field corresponds to the iss field in the ID token.
+
+* `client_id` - (Required, String) Specifies the ID of a client registered with the OpenID Connect identity provider.
+
+* `signing_key` - (Required, String) Public key used to sign the ID token of the OpenID Connect identity provider.
+  This field is required only if the protocol is set to *oidc*.
+
+* `authorization_endpoint` - (Optional, String) Specifies the authorization endpoint of the OpenID Connect identity
+  provider. This field is required only if the access type is set to `program_console`.
+
+* `scopes` - (Optional, List) Specifies the scopes of authorization requests. It is an array of one or more scopes.
+  Valid values are *openid*, *email*, *profile* and other values defined by you.
+  This field is required only if the access type is set to `program_console`.
+
+* `response_type` - (Optional, String) Response type. Valid values is *id_token*, default value is *id_token*.
+  This field is required only if the access type is set to `program_console`.
+
+* `response_mode` - (Optional, String) Response mode.
+  Valid values is *form_post* and *fragment*, default value is *form_post*.
+  This field is required only if the access type is set to `program_console`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The resource ID which equals to the name.
+
+* `login_link` - The login link of the identity provider.
+
+* `sso_type` - The single sign-on type of the identity provider.
+
+* `conversion_rules` - The identity conversion rules of the identity provider.
+  The [object](#conversion_rules) structure is documented below
+
+<a name="conversion_rules"></a>
+The `conversion_rules` block supports:
+
+* `local` - The federated user information on the cloud platform.
+
+* `remote` - The description of the identity provider.
+
+The `local` block supports:
+
+* `username` - The name of a federated user on the cloud platform.
+
+* `group` - The user group to which the federated user belongs on the cloud platform.
+
+The `remote` block supports:
+
+* `attribute` - The attribute in the IDP assertion.
+
+* `condition` - The condition of conversion rule.
+
+* `value` - The rule is matched only if the specified strings appear in the attribute type.
+
+## Import
+
+Identity provider can be imported using the `name`, e.g.
+
+```
+$ terraform import flexibleengine_identity_provider.provider_1 example_com_provider_saml
+```
@@ -0,0 +1,91 @@
+---
+subcategory: "Identity and Access Management (IAM)"
+---
+
+# flexibleengine_identity_provider_conversion
+
+Manage the conversion rules of identity provider within FlexibleEngine IAM service.
+
+## Example Usage
+
+```hcl
+variable provider_id {}
+
+resource "flexibleengine_identity_provider_conversion" "conversion" {
+  provider_id = var.provider_id
+
+  conversion_rules {
+    local {
+      username = "Tom"
+    }
+    remote {
+      attribute = "Tom"
+    }
+  }
+
+  conversion_rules {
+    local {
+      username = "FederationUser"
+    }
+    remote {
+      attribute = "username"
+      condition = "any_one_of"
+      value     = ["Tom", "Jerry"]
+    }
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `provider_id` - (Required, String) The ID or name of the identity provider used to manage the conversion rules.
+
+* `conversion_rules` - (Required, List) Specifies the identity conversion rules of the identity provider.
+  You can use identity conversion rules to map the identities of existing users to FlexibleEngine and manage their access
+  to cloud resources.
+  The [object](#conversion_rules) structure is documented below.
+
+<a name="conversion_rules"></a>
+The `conversion_rules` block supports:
+
+* `local` - (Required, List) Specifies the federated user information on the cloud platform.
+
+* `remote` - (Required, List) Specifies Federated user information in the IDP system.
+
+  -> **NOTE:** 
+    If the protocol of identity provider is SAML, this field is an expression consisting of assertion
+    attributes and operators.<br/>
+    If the protocol of identity provider is OIDC, the value of this field is determined by the ID token.
+
+The `local` block supports:
+
+* `username` - (Required, String) Specifies the name of a federated user on the cloud platform.
+
+* `group` - (Optional, String) Specifies the user group to which the federated user belongs on the cloud platform.
+
+The `remote` block supports:
+
+* `attribute` - (Required, String) Specifies the attribute in the IDP assertion.
+
+* `condition` - (Optional, String) Specifies the condition of conversion rule.
+  Available options are:
+  + `any_one_of`: The rule is matched only if the specified strings appear in the attribute type.
+  + `not_any_of`: The rule is matched only if the specified strings do not appear in the attribute type.
+
+* `value` - (Optional, List) Specifies the rule is matched only if the specified strings appear in the attribute type.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The ID of conversion rules.
+
+## Import
+
+Identity provider conversion rules are imported using the `provider_id`, e.g.
+
+```
+$ terraform import flexibleengine_identity_provider_conversion.conversion example_com_provider_oidc
+```
@@ -290,6 +290,8 @@ func Provider() *schema.Provider {
 			"flexibleengine_identity_role_v3":                   resourceIdentityRoleV3(),
 			"flexibleengine_identity_role_assignment_v3":        resourceIdentityRoleAssignmentV3(),
 			"flexibleengine_identity_user_v3":                   resourceIdentityUserV3(),
+			"flexibleengine_identity_provider":                  resourceIdentityProvider(),
+			"flexibleengine_identity_provider_conversion":       resourceIAMProviderConversion(),
 			"flexibleengine_lts_group":                          resourceLTSGroupV2(),
 			"flexibleengine_lts_topic":                          resourceLTSTopicV2(),
 			"flexibleengine_s3_bucket":                          resourceS3Bucket(),