
Commit 0506aee

committed
add
1 parent 8f9eefa commit 0506aee


1 file changed

+107
-9
lines changed


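--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -14,6 +14,7 @@ import (
 	"github.com/mitchellh/go-homedir"
 	sdkcommon "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
 	commonJson "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/json"
+	sdkprofile "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
 	sdksts "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts/v20180813"
 
 	tccommon "github.com/tencentcloudstack/terraform-provider-tencentcloud/tencentcloud/common"
@@ -370,6 +371,20 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_CAM_ROLE_NAME, nil),
 				Description: "The name of the CVM instance CAM role. It can be sourced from the `TENCENTCLOUD_CAM_ROLE_NAME` environment variable.",
 			},
+			"allowed_account_ids": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{Type: schema.TypeString},
+				Optional: true,
+				ConflictsWith: []string{"forbidden_account_ids", "assume_role_with_saml", "assume_role_with_web_identity"},
+				Description: "List of allowed TencentCloud account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`, If use `assume_role_with_saml` or `assume_role_with_web_identity`, it is not supported.",
+			},
+			"forbidden_account_ids": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{Type: schema.TypeString},
+				Optional: true,
+				ConflictsWith: []string{"allowed_account_ids", "assume_role_with_saml", "assume_role_with_web_identity"},
+				Description: "List of forbidden TencentCloud account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `allowed_account_ids`, If use `assume_role_with_saml` or `assume_role_with_web_identity`, it is not supported.",
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -2211,17 +2226,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	}
 
 	var (
-		secretId string
-		secretKey string
-		securityToken string
-		region string
-		protocol string
-		domain string
-		cosDomain string
-		camRoleName string
+		secretId string
+		secretKey string
+		securityToken string
+		region string
+		protocol string
+		domain string
+		cosDomain string
+		camRoleName string
+		allowedAccountIds []string
+		forbiddenAccountIds []string
+		needSecret = true
+		needAccountFilter = false
 	)
 
-	needSecret := true
 	if v, ok := d.GetOk("secret_id"); ok {
 		secretId = v.(string)
 	}
@@ -2281,6 +2299,22 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		CosDomain: cosDomain,
 	}
 
+	if v, ok := d.GetOk("allowed_account_ids"); ok && v.(*schema.Set).Len() > 0 {
+		for _, v := range v.(*schema.Set).List() {
+			allowedAccountIds = append(allowedAccountIds, v.(string))
+		}
+
+		needAccountFilter = true
+	}
+
+	if v, ok := d.GetOk("forbidden_account_ids"); ok && v.(*schema.Set).Len() > 0 {
+		for _, v := range v.(*schema.Set).List() {
+			forbiddenAccountIds = append(forbiddenAccountIds, v.(string))
+		}
+
+		needAccountFilter = true
+	}
+
 	// get auth from CAM role name
 	if camRoleName != "" {
 		needSecret = false
@@ -2424,6 +2458,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.\n")
 	}
 
+	if needAccountFilter {
+		// get indentity
+		indentity, err := getCallerIdentity(&tcClient)
+		if err != nil {
+			return nil, err
+		}
+
+		// account filter
+		err = verifyAccountIDAllowed(indentity, allowedAccountIds, forbiddenAccountIds)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &tcClient, nil
 }
 
@@ -2635,3 +2683,53 @@ func genClientWithPodOidc(tcClient *TencentCloudClient) error {
 
 	return nil
 }
+
+func getCallerIdentity(tcClient *TencentCloudClient) (indentity *sdksts.GetCallerIdentityResponseParams, err error) {
+	ak := tcClient.apiV3Conn.Credential.SecretId
+	sk := tcClient.apiV3Conn.Credential.SecretKey
+	token := tcClient.apiV3Conn.Credential.Token
+	region := tcClient.apiV3Conn.Region
+	credential := sdkcommon.NewTokenCredential(ak, sk, token)
+	cpf := sdkprofile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "sts.tencentcloudapi.com"
+	client, _ := sdksts.NewClient(credential, region, cpf)
+	request := sdksts.NewGetCallerIdentityRequest()
+	response, err := client.GetCallerIdentity(request)
+	if err != nil {
+		return
+	}
+
+	if response == nil || response.Response == nil {
+		return nil, fmt.Errorf("get GetCallerIdentity failed")
+	}
+
+	indentity = response.Response
+	return
+}
+
+func verifyAccountIDAllowed(indentity *sdksts.GetCallerIdentityResponseParams, allowedAccountIds, forbiddenAccountIds []string) error {
+	accountId := *indentity.AccountId
+	if len(allowedAccountIds) > 0 {
+		found := false
+		for _, allowedAccountID := range allowedAccountIds {
+			if accountId == allowedAccountID {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			return fmt.Errorf("TencentCloud account ID not allowed: %s", accountId)
+		}
+	}
+
+	if len(forbiddenAccountIds) > 0 {
+		for _, forbiddenAccountID := range forbiddenAccountIds {
+			if accountId == forbiddenAccountID {
+				return fmt.Errorf("TencentCloud account ID not allowed: %s", accountId)
+			}
+		}
+	}
+
+	return nil
+}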
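Review bot: The Description strings for `allowed_account_ids` and `forbidden_account_ids` (new lines 379 and 386) read awkwardly at the end, "Conflicts with `forbidden_account_ids`, If use `assume_role_with_saml` or `assume_role_with_web_identity`, it is not supported." Since these strings are rendered into the provider documentation, suggest the clearer form `Conflicts with forbidden_account_ids. Not supported together with assume_role_with_saml or assume_role_with_web_identity.` (and the mirror wording for the other attribute). It would also help users to say that the check is enforced once at provider configuration by calling STS GetCallerIdentity, which is what the rest of the commit does. Provider() starts and ends outside this hunk.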
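Review bot: The two loops at new lines 2303 and 2311 shadow the outer `v` (the `*schema.Set` returned by GetOk) with the element variable of `v.(*schema.Set).List()`; it compiles and behaves correctly, but it reads like a bug at first glance and the two blocks are near-duplicates. Rename the element, e.g. `for _, id := range v.(*schema.Set).List() { allowedAccountIds = append(allowedAccountIds, id.(string)) }`, or factor both into a small helper that turns a set into a `[]string`. I believe `d.GetOk` already reports ok=false for an empty set, so the `Len() > 0` guard is redundant but harmless. providerConfigure starts and ends outside this hunk.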
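Review bot: The error from getCallerIdentity at new line 2463 is returned without context, so a failing STS call reaches the user as a bare SDK error with no hint that it originates from the account-ID guardrail (`allowed_account_ids`/`forbidden_account_ids`) rather than from normal credential setup. Wrap it so the cause is obvious: `return nil, fmt.Errorf("resolving caller identity for account filter: %w", err)`. The same applies to the verifyAccountIDAllowed error two lines below, though its message already names the account ID. providerConfigure starts and ends outside this hunk.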
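Review bot: verifyAccountIDAllowed dereferences `*indentity.AccountId` without a nil check, while getCallerIdentity only verifies that `response.Response` is non-nil, so an STS reply that omits AccountId would panic the provider during configure instead of failing the account filter with an error. Guard it before the dereference: `if indentity == nil || indentity.AccountId == nil { return fmt.Errorf("GetCallerIdentity response has no AccountId") }`. In the same hunk getCallerIdentity discards the error from `sdksts.NewClient` (`client, _ :=`), which would leave a nil client to be called; return that error instead. The STS endpoint is pinned to `sts.tencentcloudapi.com` rather than derived from the provider's configured `domain`/`protocol`, which presumably breaks the filter for users who route API calls through a private endpoint — worth confirming against how the other SDK clients in this file pick their endpoint. Spelling: `indentity` should be `identity` throughout.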
