Summary
The current tfe provider (as of version 0.67.1) supports SAML-based SSO configuration via the tfe_saml_settings resource, but there is no support for OpenID Connect (OIDC)-based SSO, which has been officially supported by Terraform Enterprise since 2023.
Use-cases
We are using Microsoft Entra ID (formerly Azure AD) and wish to configure OIDC SSO for Terraform Enterprise via Terraform itself, as part of our automated platform setup. Manual configuration via the TFE Admin UI is not scalable or GitOps-compliant.
Feature Request
Introduce a resource like:

```hcl
resource "tfe_oidc_settings" "this" {
  enabled                = true
  issuer                 = "https://login.microsoftonline.com/<tenant-id>/v2.0"
  client_id              = var.client_id
  client_secret          = var.client_secret
  authorization_endpoint = "..."
  token_endpoint         = "..."
  userinfo_endpoint      = "..."
  scopes                 = ["openid", "profile", "email"]
  username_claim         = "email"
  email_claim            = "email"
  name_claim             = "name"
  external_id_claim      = "oid"
}
```
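As an added example (not code from the issue, the tfe provider, or go-tfe), here is the pre-apply check a defender would want for such a resource: it validates the configured issuer, endpoints, scopes and mapped claims against the IdP's OpenID Connect discovery document, so a mistyped endpoint or an unadvertised claim is caught before the settings reach TFE. The OIDCSettings type, ValidateAgainstDiscovery and the Entra-style SampleDiscovery document are assumptions constructed for this example.

```go
package main

import "encoding/json"
import "slices"

// OIDCSettings: the attributes of the proposed (hypothetical) tfe_oidc_settings resource.
type OIDCSettings struct {
	Issuer, AuthorizationEndpoint, TokenEndpoint, UserinfoEndpoint string
	Scopes, Claims                                             []string
}
// discovery: OpenID Connect Discovery 1.0 fields from <issuer>/.well-known/openid-configuration.
type discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
	ClaimsSupported       []string `json:"claims_supported"`
}

// SampleDiscovery is a constructed Entra-style v2.0 document for placeholder tenant TENANT-ID, not a live response.
const SampleDiscovery = `{"issuer":"https://login.microsoftonline.com/TENANT-ID/v2.0","authorization_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize","token_endpoint":"https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token","userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo",
"scopes_supported":["openid","profile","email","offline_access"],"claims_supported":["sub","iss","aud","exp","iat","name","email","preferred_username","oid"]}`

// ValidateAgainstDiscovery returns one message per setting that contradicts the issuer's metadata; empty means consistent.
func ValidateAgainstDiscovery(s OIDCSettings, discoveryJSON []byte) []string {
	var d discovery
	if err := json.Unmarshal(discoveryJSON, &d); err != nil {
		return []string{"discovery document: " + err.Error()}
	}
	var problems []string
	// Hand-typed endpoints must match exactly; a v1 token endpoint against a v2.0 issuer is a typical slip.
	for _, p := range [][3]string{{"issuer", s.Issuer, d.Issuer},
		{"authorization_endpoint", s.AuthorizationEndpoint, d.AuthorizationEndpoint},
		{"token_endpoint", s.TokenEndpoint, d.TokenEndpoint},
		{"userinfo_endpoint", s.UserinfoEndpoint, d.UserinfoEndpoint}} {
		if p[1] != p[2] {
			problems = append(problems, p[0]+": configured "+p[1]+", issuer publishes "+p[2])
		}
	}
	// Scopes and the claims mapped to username/email/name/external_id must be advertised, or logins fail at runtime.
	for _, c := range []struct{ kind string; want, have []string }{{"scope", s.Scopes, d.ScopesSupported}, {"claim", s.Claims, d.ClaimsSupported}} {
		for _, v := range c.want {
			if !slices.Contains(c.have, v) {
				problems = append(problems, c.kind+" not advertised by issuer: "+v)
			}
		}
	}
	return problems
}
```

In practice the discovery document would be fetched over TLS from the issuer at plan time and the returned problems surfaced as resource validation errors.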
Justification
- Terraform Enterprise already supports OIDC SSO via Admin Settings.
- The Admin API endpoint /api/v2/admin/oidc-settings exists and is used by the TFE UI.
- Enabling this via Terraform aligns with infrastructure-as-code and GitOps principles.
- The provider already supports tfe_saml_settings, so a consistent implementation for OIDC makes sense.
References
- TFE Admin API (OIDC Settings): https://developer.hashicorp.com/terraform/enterprise/api-docs/admin/settings
- Azure Entra ID integration: https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/single-sign-on/entra-id
- Current Provider Docs: https://registry.terraform.io/providers/hashicorp/tfe/latest/docs
- Terraform Provider Version tested: v0.67.1 (as of July 3, 2025)
Suggested Labels
enhancement, feature-request, oidc, terraform-enterprise, provider-tfe