@@ -14,6 +14,7 @@ import (
14
14
"github.com/mitchellh/go-homedir"
15
15
sdkcommon "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
16
16
commonJson "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/json"
17
+ sdkprofile "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
17
18
sdksts "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts/v20180813"
18
19
19
20
tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common"
@@ -370,6 +371,20 @@ func Provider() *schema.Provider {
370
371
DefaultFunc : schema .EnvDefaultFunc (PROVIDER_CAM_ROLE_NAME , nil ),
371
372
Description : "The name of the CVM instance CAM role. It can be sourced from the `TENCENTCLOUD_CAM_ROLE_NAME` environment variable." ,
372
373
},
374
+ "allowed_account_ids" : {
375
+ Type : schema .TypeSet ,
376
+ Elem : & schema.Schema {Type : schema .TypeString },
377
+ Optional : true ,
378
+ ConflictsWith : []string {"forbidden_account_ids" , "assume_role_with_saml" , "assume_role_with_web_identity" },
379
+ Description : "List of allowed TencentCloud account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`, If use `assume_role_with_saml` or `assume_role_with_web_identity`, it is not supported." ,
380
+ },
381
+ "forbidden_account_ids" : {
382
+ Type : schema .TypeSet ,
383
+ Elem : & schema.Schema {Type : schema .TypeString },
384
+ Optional : true ,
385
+ ConflictsWith : []string {"allowed_account_ids" , "assume_role_with_saml" , "assume_role_with_web_identity" },
386
+ Description : "List of forbidden TencentCloud account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `allowed_account_ids`, If use `assume_role_with_saml` or `assume_role_with_web_identity`, it is not supported." ,
387
+ },
373
388
},
374
389
375
390
DataSourcesMap : map [string ]* schema.Resource {
@@ -2211,17 +2226,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2211
2226
}
2212
2227
2213
2228
var (
2214
- secretId string
2215
- secretKey string
2216
- securityToken string
2217
- region string
2218
- protocol string
2219
- domain string
2220
- cosDomain string
2221
- camRoleName string
2229
+ secretId string
2230
+ secretKey string
2231
+ securityToken string
2232
+ region string
2233
+ protocol string
2234
+ domain string
2235
+ cosDomain string
2236
+ camRoleName string
2237
+ allowedAccountIds []string
2238
+ forbiddenAccountIds []string
2239
+ needSecret = true
2240
+ needAccountFilter = false
2222
2241
)
2223
2242
2224
- needSecret := true
2225
2243
if v , ok := d .GetOk ("secret_id" ); ok {
2226
2244
secretId = v .(string )
2227
2245
}
@@ -2281,6 +2299,22 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2281
2299
CosDomain : cosDomain ,
2282
2300
}
2283
2301
2302
+ if v , ok := d .GetOk ("allowed_account_ids" ); ok && v .(* schema.Set ).Len () > 0 {
2303
+ for _ , v := range v .(* schema.Set ).List () {
2304
+ allowedAccountIds = append (allowedAccountIds , v .(string ))
2305
+ }
2306
+
2307
+ needAccountFilter = true
2308
+ }
2309
+
2310
+ if v , ok := d .GetOk ("forbidden_account_ids" ); ok && v .(* schema.Set ).Len () > 0 {
2311
+ for _ , v := range v .(* schema.Set ).List () {
2312
+ forbiddenAccountIds = append (forbiddenAccountIds , v .(string ))
2313
+ }
2314
+
2315
+ needAccountFilter = true
2316
+ }
2317
+
2284
2318
// get auth from CAM role name
2285
2319
if camRoleName != "" {
2286
2320
needSecret = false
@@ -2424,6 +2458,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2424
2458
return nil , fmt .Errorf ("Please set your `secret_id` and `secret_key`.\n " )
2425
2459
}
2426
2460
2461
+ if needAccountFilter {
2462
+ // get indentity
2463
+ indentity , err := getCallerIdentity (& tcClient )
2464
+ if err != nil {
2465
+ return nil , err
2466
+ }
2467
+
2468
+ // account filter
2469
+ err = verifyAccountIDAllowed (indentity , allowedAccountIds , forbiddenAccountIds )
2470
+ if err != nil {
2471
+ return nil , err
2472
+ }
2473
+ }
2474
+
2427
2475
return & tcClient , nil
2428
2476
}
2429
2477
@@ -2635,3 +2683,53 @@ func genClientWithPodOidc(tcClient *TencentCloudClient) error {
2635
2683
2636
2684
return nil
2637
2685
}
2686
+
2687
+ func getCallerIdentity (tcClient * TencentCloudClient ) (indentity * sdksts.GetCallerIdentityResponseParams , err error ) {
2688
+ ak := tcClient .apiV3Conn .Credential .SecretId
2689
+ sk := tcClient .apiV3Conn .Credential .SecretKey
2690
+ token := tcClient .apiV3Conn .Credential .Token
2691
+ region := tcClient .apiV3Conn .Region
2692
+ credential := sdkcommon .NewTokenCredential (ak , sk , token )
2693
+ cpf := sdkprofile .NewClientProfile ()
2694
+ cpf .HttpProfile .Endpoint = "sts.tencentcloudapi.com"
2695
+ client , _ := sdksts .NewClient (credential , region , cpf )
2696
+ request := sdksts .NewGetCallerIdentityRequest ()
2697
+ response , err := client .GetCallerIdentity (request )
2698
+ if err != nil {
2699
+ return
2700
+ }
2701
+
2702
+ if response == nil || response .Response == nil {
2703
+ return nil , fmt .Errorf ("get GetCallerIdentity failed" )
2704
+ }
2705
+
2706
+ indentity = response .Response
2707
+ return
2708
+ }
2709
+
2710
+ func verifyAccountIDAllowed (indentity * sdksts.GetCallerIdentityResponseParams , allowedAccountIds , forbiddenAccountIds []string ) error {
2711
+ accountId := * indentity .AccountId
2712
+ if len (allowedAccountIds ) > 0 {
2713
+ found := false
2714
+ for _ , allowedAccountID := range allowedAccountIds {
2715
+ if accountId == allowedAccountID {
2716
+ found = true
2717
+ break
2718
+ }
2719
+ }
2720
+
2721
+ if ! found {
2722
+ return fmt .Errorf ("TencentCloud account ID not allowed: %s" , accountId )
2723
+ }
2724
+ }
2725
+
2726
+ if len (forbiddenAccountIds ) > 0 {
2727
+ for _ , forbiddenAccountID := range forbiddenAccountIds {
2728
+ if accountId == forbiddenAccountID {
2729
+ return fmt .Errorf ("TencentCloud account ID not allowed: %s" , accountId )
2730
+ }
2731
+ }
2732
+ }
2733
+
2734
+ return nil
2735
+ }
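Review bot: `client, _ := sdksts.NewClient(credential, region, cpf)` in getCallerIdentity discards the constructor's error, and `accountId := *indentity.AccountId` in verifyAccountIDAllowed dereferences the response field with no nil check, so a failed client build or an STS reply that carries no AccountId turns the new account guardrail into a provider panic instead of a reported error. Because this filter exists to stop a run before it touches the wrong account, both paths should fail closed with an explicit error rather than rely on the SDK never returning a nil pointer. The forbidden branch also reports "not allowed", which hides whether an allow rule or a forbid rule fired; `return fmt.Errorf("TencentCloud account ID forbidden: %s", accountId)` would make the rejection self-explaining. The identifier `indentity` is a typo for `identity` throughout the hunk, and the STS endpoint is hard-coded to `sts.tencentcloudapi.com` while the provider already takes a `domain` setting, which may matter for deployments that route API traffic through a non-default domain.
```go
	// … unchanged: credential, region and profile setup …
	client, err := sdksts.NewClient(credential, region, cpf)
	if err != nil {
		return nil, fmt.Errorf("creating STS client for caller identity check: %w", err)
	}
	// … unchanged: GetCallerIdentity request and response nil checks …

func verifyAccountIDAllowed(identity *sdksts.GetCallerIdentityResponseParams, allowedAccountIds, forbiddenAccountIds []string) error {
	// Fail closed: without an account ID the allow/forbid lists cannot be enforced.
	if identity == nil || identity.AccountId == nil {
		return fmt.Errorf("GetCallerIdentity returned no account ID; cannot enforce allowed_account_ids/forbidden_account_ids")
	}
	accountId := *identity.AccountId
	// … unchanged: allow-list and forbid-list checks …
```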