@@ -124,11 +124,14 @@ const (
124
124
PROVIDER_DOMAIN = "TENCENTCLOUD_DOMAIN"
125
125
//internal version: replace envYunti begin, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
126
126
//internal version: replace envYunti end, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
127
- PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
128
- PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
129
- PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
130
- PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
131
- PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
127
+ PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
128
+ PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
129
+ PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
130
+ PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
131
+ PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
132
+ PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
133
+ PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
134
+ PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
132
135
)
133
136
134
137
const (
@@ -234,6 +237,94 @@ func Provider() *schema.Provider {
234
237
},
235
238
},
236
239
},
240
+ "assume_role_with_saml" : {
241
+ Type : schema .TypeList ,
242
+ Optional : true ,
243
+ MaxItems : 1 ,
244
+ ConflictsWith : []string {"assume_role_with_web_identity" },
245
+ Description : "The `assume_role_with_saml` block. If provided, terraform will attempt to assume this role using the supplied credentials." ,
246
+ Elem : & schema.Resource {
247
+ Schema : map [string ]* schema.Schema {
248
+ "saml_assertion" : {
249
+ Type : schema .TypeString ,
250
+ Required : true ,
251
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_SAML_ASSERTION , nil ),
252
+ Description : "SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`." ,
253
+ },
254
+ "principal_arn" : {
255
+ Type : schema .TypeString ,
256
+ Required : true ,
257
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN , nil ),
258
+ Description : "Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`." ,
259
+ },
260
+ "role_arn" : {
261
+ Type : schema .TypeString ,
262
+ Required : true ,
263
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_ARN , nil ),
264
+ Description : "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`." ,
265
+ },
266
+ "session_name" : {
267
+ Type : schema .TypeString ,
268
+ Required : true ,
269
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_SESSION_NAME , nil ),
270
+ Description : "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`." ,
271
+ },
272
+ "session_duration" : {
273
+ Type : schema .TypeInt ,
274
+ Required : true ,
275
+ DefaultFunc : func () (interface {}, error ) {
276
+ if v := os .Getenv (PROVIDER_ASSUME_ROLE_SESSION_DURATION ); v != "" {
277
+ return strconv .Atoi (v )
278
+ }
279
+ return 7200 , nil
280
+ },
281
+ ValidateFunc : tccommon .ValidateIntegerInRange (0 , 43200 ),
282
+ Description : "The duration of the session when making the AssumeRoleWithSAML call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`." ,
283
+ },
284
+ },
285
+ },
286
+ },
287
+ "assume_role_with_web_identity" : {
288
+ Type : schema .TypeList ,
289
+ Optional : true ,
290
+ MaxItems : 1 ,
291
+ ConflictsWith : []string {"assume_role_with_saml" },
292
+ Description : "The `assume_role_with_web_identity` block. If provided, terraform will attempt to assume this role using the supplied credentials." ,
293
+ Elem : & schema.Resource {
294
+ Schema : map [string ]* schema.Schema {
295
+ "web_identity_token" : {
296
+ Type : schema .TypeString ,
297
+ Required : true ,
298
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN , nil ),
299
+ Description : "OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`." ,
300
+ },
301
+ "role_arn" : {
302
+ Type : schema .TypeString ,
303
+ Required : true ,
304
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_ARN , nil ),
305
+ Description : "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`." ,
306
+ },
307
+ "session_name" : {
308
+ Type : schema .TypeString ,
309
+ Required : true ,
310
+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_SESSION_NAME , nil ),
311
+ Description : "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`." ,
312
+ },
313
+ "session_duration" : {
314
+ Type : schema .TypeInt ,
315
+ Required : true ,
316
+ DefaultFunc : func () (interface {}, error ) {
317
+ if v := os .Getenv (PROVIDER_ASSUME_ROLE_SESSION_DURATION ); v != "" {
318
+ return strconv .Atoi (v )
319
+ }
320
+ return 7200 , nil
321
+ },
322
+ ValidateFunc : tccommon .ValidateIntegerInRange (0 , 43200 ),
323
+ Description : "The duration of the session when making the AssumeRoleWithWebIdentity call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`." ,
324
+ },
325
+ },
326
+ },
327
+ },
237
328
"shared_credentials_dir" : {
238
329
Type : schema .TypeString ,
239
330
Optional : true ,
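Review bot: `saml_assertion` (new line 248) and `web_identity_token` (new line 295) carry bearer credentials, yet neither schema entry sets `Sensitive: true`, so their values are printed in plan/apply output and diagnostics like any other string attribute; add `Sensitive: true,` to both. The descriptions on new lines 252, 258 and 299 name the Go constants (`PROVIDER_ASSUME_ROLE_SAML_ASSERTION`, `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`, `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`) rather than the environment variables a user actually sets; the other fields in this hunk use the `TENCENTCLOUD_…` names, so these should read, e.g., `It can be sourced from the TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION.` The text `Player Access Description Name` on new line 258 looks like a typo for `Principal access description name`. Provider() continues outside the hunk.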
@@ -2020,6 +2111,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2020
2111
domain string
2021
2112
)
2022
2113
2114
+ needSecret := true
2023
2115
if v , ok := d .GetOk ("secret_id" ); ok {
2024
2116
secretId = v .(string )
2025
2117
} else {
@@ -2087,7 +2179,6 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2087
2179
if assumeRoleArn != "" && assumeRoleSessionName != "" {
2088
2180
assumeRoleSessionDuration = 7200
2089
2181
assumeRolePolicy = ""
2090
-
2091
2182
_ = genClientWithSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRolePolicy )
2092
2183
}
2093
2184
@@ -2107,7 +2198,28 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2107
2198
assumeRoleSessionDuration = 7200
2108
2199
}
2109
2200
2110
- _ = genClientWithSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , "" )
2201
+ // get assume role with saml from env
2202
+ envSamlAssertion := os .Getenv (PROVIDER_ASSUME_ROLE_SAML_ASSERTION )
2203
+ envPrincipalArn := os .Getenv (PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN )
2204
+ // get assume role with web identity from env
2205
+ envWebIdentityToken := os .Getenv (PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN )
2206
+
2207
+ if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
2208
+ // use assume role
2209
+ _ = genClientWithSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , "" )
2210
+ } else if envSamlAssertion != "" && envPrincipalArn != "" && envWebIdentityToken != "" {
2211
+ return nil , fmt .Errorf ("can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n " )
2212
+ } else if envSamlAssertion != "" && envPrincipalArn != "" {
2213
+ // use assume role with saml
2214
+ _ = genClientWithSamlSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , envSamlAssertion , envPrincipalArn )
2215
+ needSecret = false
2216
+ } else if envWebIdentityToken != "" {
2217
+ // use assume role with oidc
2218
+ _ = genClientWithOidcSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , envWebIdentityToken )
2219
+ needSecret = false
2220
+ } else {
2221
+ return nil , fmt .Errorf ("get `assume_role` from env error.\n " )
2222
+ }
2111
2223
}
2112
2224
2113
2225
// get assume role from tf
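Review bot: On new lines 2214 and 2218 the error from `genClientWithSamlSTS` / `genClientWithOidcSTS` is discarded and `needSecret` is then set to false, so a failed SAML or OIDC exchange leaves `tcClient` with no usable credential and the later secret_id/secret_key check no longer catches it; the failure only surfaces as an opaque authentication error on the first API call. Return the error instead, e.g. `if err := genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn); err != nil { return nil, err }`, and likewise for the OIDC call; the same pattern appears on new lines 2256 and 2271 of the next hunk. The final `else` on new line 2221 is reached when exactly one of the two SAML variables is set, but its message `get assume_role from env error.` does not say which variable is missing; naming the pair would help. The error strings on new lines 2211 and 2221 also end in `\n ` (newline plus space), which is not conventional for Go error values. providerConfigure continues outside the hunk.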
@@ -2124,8 +2236,45 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
2124
2236
}
2125
2237
}
2126
2238
2127
- if secretId == "" || secretKey == "" {
2128
- return nil , fmt .Errorf ("Please set your `secret_id` and `secret_key`." )
2239
+ var (
2240
+ assumeRoleSamlAssertion string
2241
+ assumeRolePrincipalArn string
2242
+ assumeRoleWebIdentityToken string
2243
+ )
2244
+
2245
+ // get assume role with saml from tf
2246
+ if v , ok := d .GetOk ("assume_role_with_saml" ); ok {
2247
+ assumeRoleWithSamlList := v .([]interface {})
2248
+ if len (assumeRoleWithSamlList ) == 1 {
2249
+ assumeRoleWithSaml := assumeRoleWithSamlList [0 ].(map [string ]interface {})
2250
+ assumeRoleSamlAssertion = assumeRoleWithSaml ["saml_assertion" ].(string )
2251
+ assumeRolePrincipalArn = assumeRoleWithSaml ["principal_arn" ].(string )
2252
+ assumeRoleArn = assumeRoleWithSaml ["role_arn" ].(string )
2253
+ assumeRoleSessionName = assumeRoleWithSaml ["session_name" ].(string )
2254
+ assumeRoleSessionDuration = assumeRoleWithSaml ["session_duration" ].(int )
2255
+
2256
+ _ = genClientWithSamlSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRoleSamlAssertion , assumeRolePrincipalArn )
2257
+ needSecret = false
2258
+ }
2259
+ }
2260
+
2261
+ // get assume role with web identity from tf
2262
+ if v , ok := d .GetOk ("assume_role_with_web_identity" ); ok {
2263
+ assumeRoleWithWebIdentityList := v .([]interface {})
2264
+ if len (assumeRoleWithWebIdentityList ) == 1 {
2265
+ assumeRoleWithWebIdentity := assumeRoleWithWebIdentityList [0 ].(map [string ]interface {})
2266
+ assumeRoleWebIdentityToken = assumeRoleWithWebIdentity ["web_identity_token" ].(string )
2267
+ assumeRoleArn = assumeRoleWithWebIdentity ["role_arn" ].(string )
2268
+ assumeRoleSessionName = assumeRoleWithWebIdentity ["session_name" ].(string )
2269
+ assumeRoleSessionDuration = assumeRoleWithWebIdentity ["session_duration" ].(int )
2270
+
2271
+ _ = genClientWithOidcSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRoleWebIdentityToken )
2272
+ needSecret = false
2273
+ }
2274
+ }
2275
+
2276
+ if needSecret && (secretId == "" || secretKey == "" ) {
2277
+ return nil , fmt .Errorf ("Please set your `secret_id` and `secret_key`.\n " )
2129
2278
}
2130
2279
2131
2280
return & tcClient , nil
@@ -2157,6 +2306,60 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
2157
2306
return nil
2158
2307
}
2159
2308
2309
+ func genClientWithSamlSTS (tcClient * TencentCloudClient , assumeRoleArn , assumeRoleSessionName string , assumeRoleSessionDuration int , assumeRoleSamlAssertion , assumeRolePrincipalArn string ) error {
2310
+ // applying STS credentials
2311
+ request := sdksts .NewAssumeRoleWithSAMLRequest ()
2312
+ request .RoleArn = helper .String (assumeRoleArn )
2313
+ request .RoleSessionName = helper .String (assumeRoleSessionName )
2314
+ request .DurationSeconds = helper .IntUint64 (assumeRoleSessionDuration )
2315
+ request .SAMLAssertion = helper .String (assumeRoleSamlAssertion )
2316
+ request .PrincipalArn = helper .String (assumeRolePrincipalArn )
2317
+
2318
+ ratelimit .Check (request .GetAction ())
2319
+ var stsExtInfo connectivity.StsExtInfo
2320
+ stsExtInfo .Authorization = "SKIP"
2321
+ response , err := tcClient .apiV3Conn .UseStsClient (stsExtInfo ).AssumeRoleWithSAML (request )
2322
+ if err != nil {
2323
+ return err
2324
+ }
2325
+
2326
+ // using STS credentials
2327
+ tcClient .apiV3Conn .Credential = sdkcommon .NewTokenCredential (
2328
+ * response .Response .Credentials .TmpSecretId ,
2329
+ * response .Response .Credentials .TmpSecretKey ,
2330
+ * response .Response .Credentials .Token ,
2331
+ )
2332
+
2333
+ return nil
2334
+ }
2335
+
2336
+ func genClientWithOidcSTS (tcClient * TencentCloudClient , assumeRoleArn , assumeRoleSessionName string , assumeRoleSessionDuration int , assumeRolePolicy string ) error {
2337
+ // applying STS credentials
2338
+ request := sdksts .NewAssumeRoleWithWebIdentityRequest ()
2339
+ request .ProviderId = helper .String ("OIDC" )
2340
+ request .RoleArn = helper .String (assumeRoleArn )
2341
+ request .RoleSessionName = helper .String (assumeRoleSessionName )
2342
+ request .DurationSeconds = helper .IntInt64 (assumeRoleSessionDuration )
2343
+ request .WebIdentityToken = helper .String (assumeRolePolicy )
2344
+
2345
+ ratelimit .Check (request .GetAction ())
2346
+ var stsExtInfo connectivity.StsExtInfo
2347
+ stsExtInfo .Authorization = "SKIP"
2348
+ response , err := tcClient .apiV3Conn .UseStsClient (stsExtInfo ).AssumeRoleWithWebIdentity (request )
2349
+ if err != nil {
2350
+ return err
2351
+ }
2352
+
2353
+ // using STS credentials
2354
+ tcClient .apiV3Conn .Credential = sdkcommon .NewTokenCredential (
2355
+ * response .Response .Credentials .TmpSecretId ,
2356
+ * response .Response .Credentials .TmpSecretKey ,
2357
+ * response .Response .Credentials .Token ,
2358
+ )
2359
+
2360
+ return nil
2361
+ }
2362
+
2160
2363
var providerConfig map [string ]interface {}
2161
2364
2162
2365
func getConfigFromProfile (d * schema.ResourceData , ProfileKey string ) (interface {}, error ) {
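Review bot: Both new functions dereference `response.Response.Credentials.TmpSecretId` (new lines 2328 and 2355) without checking that `response`, `response.Response` or `Credentials` is non-nil; if the SDK can return a response with those pointers unset (I cannot confirm that from this hunk), this panics inside provider configuration instead of returning an error, so a guard such as `if response == nil || response.Response == nil || response.Response.Credentials == nil { return fmt.Errorf("AssumeRoleWithSAML returned no credentials") }` before the assignment would be safer. In `genClientWithOidcSTS` (new line 2336) the last parameter is named `assumeRolePolicy` but is assigned to `request.WebIdentityToken` on new line 2343, so the name is misleading; rename it `webIdentityToken`. Neither function has a doc comment; a line such as `// genClientWithSamlSTS exchanges a SAML assertion for temporary STS credentials and installs them on tcClient.apiV3Conn.` plus a short why-comment on `stsExtInfo.Authorization = "SKIP"` (presumably the request is sent unsigned because the assertion or token is itself the credential — confirm) would help the next maintainer.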