@@ -131,21 +131,27 @@ const (
131131 PROVIDER_COS_DOMAIN = "TENCENTCLOUD_COS_DOMAIN"
132132 //internal version: replace envYunti begin, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
133133 //internal version: replace envYunti end, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
134- PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
135- PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
136- PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
137- PROVIDER_ASSUME_ROLE_EXTERNAL_ID = "TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID"
138- PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
139- PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
140- PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
141- PROVIDER_ASSUME_ROLE_PROVIDER_ID = "TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID"
142- PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
143- PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
144- PROVIDER_CAM_ROLE_NAME = "TENCENTCLOUD_CAM_ROLE_NAME"
145- POD_OIDC_TKE_REGION = "TKE_REGION"
146- POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE = "TKE_WEB_IDENTITY_TOKEN_FILE"
147- POD_OIDC_TKE_PROVIDER_ID = "TKE_PROVIDER_ID"
148- POD_OIDC_TKE_ROLE_ARN = "TKE_ROLE_ARN"
134+ PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
135+ PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
136+ PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
137+ PROVIDER_ASSUME_ROLE_EXTERNAL_ID = "TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID"
138+ PROVIDER_ASSUME_ROLE_SOURCE_IDENTITY = "TENCENTCLOUD_ASSUME_ROLE_SOURCE_IDENTITY"
139+ PROVIDER_ASSUME_ROLE_SERIAL_NUMBER = "TENCENTCLOUD_ASSUME_ROLE_SERIAL_NUMBER"
140+ PROVIDER_ASSUME_ROLE_TOKEN_CODE = "TENCENTCLOUD_ASSUME_ROLE_TOKEN_CODE"
141+ PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
142+ PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
143+ PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
144+ PROVIDER_ASSUME_ROLE_PROVIDER_ID = "TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID"
145+ PROVIDER_MFA_CERTIFICATION_SERIAL_NUMBER = "TENCENTCLOUD_MFA_CERTIFICATION_SERIAL_NUMBER"
146+ PROVIDER_MFA_CERTIFICATION_TOKEN_CODE = "TENCENTCLOUD_MFA_CERTIFICATION_TOKEN_CODE"
147+ PROVIDER_MFA_CERTIFICATION_DURATION_SECONDS = "TENCENTCLOUD_MFA_CERTIFICATION_DURATION_SECONDS"
148+ PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
149+ PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
150+ PROVIDER_CAM_ROLE_NAME = "TENCENTCLOUD_CAM_ROLE_NAME"
151+ POD_OIDC_TKE_REGION = "TKE_REGION"
152+ POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE = "TKE_WEB_IDENTITY_TOKEN_FILE"
153+ POD_OIDC_TKE_PROVIDER_ID = "TKE_PROVIDER_ID"
154+ POD_OIDC_TKE_ROLE_ARN = "TKE_ROLE_ARN"
149155)
150156
151157const (
@@ -260,6 +266,24 @@ func Provider() *schema.Provider {
260266 DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_EXTERNAL_ID , nil ),
261267 Description : "External role ID, which can be obtained by clicking the role name in the CAM console. It can contain 2-128 letters, digits, and symbols (=,.@:/-). Regex: [\\ w+=,.@:/-]*. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID`." ,
262268 },
269+ "source_identity" : {
270+ Type : schema .TypeString ,
271+ Optional : true ,
272+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_SOURCE_IDENTITY , nil ),
273+ Description : "Caller identity uin. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SOURCE_IDENTITY`." ,
274+ },
275+ "serial_number" : {
276+ Type : schema .TypeString ,
277+ Optional : true ,
278+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_SERIAL_NUMBER , nil ),
279+ Description : "MFA serial number, the identification number of the MFA device associated with the calling CAM user. Format qcs: cam:uin/${ownerUin}::mfa/${mfaType}. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SERIAL_NUMBER`." ,
280+ },
281+ "token_code" : {
282+ Type : schema .TypeString ,
283+ Optional : true ,
284+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_ASSUME_ROLE_TOKEN_CODE , nil ),
285+ Description : "MFA authentication code. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_TOKEN_CODE`." ,
286+ },
263287 },
264288 },
265289 },
@@ -380,6 +404,40 @@ func Provider() *schema.Provider {
380404 DefaultFunc : schema .EnvDefaultFunc (PROVIDER_CAM_ROLE_NAME , nil ),
381405 Description : "The name of the CVM instance CAM role. It can be sourced from the `TENCENTCLOUD_CAM_ROLE_NAME` environment variable." ,
382406 },
407+ "mfa_certification" : {
408+ Type : schema .TypeSet ,
409+ Optional : true ,
410+ MaxItems : 1 ,
411+ Description : "The `mfa_certification` block. If provided, terraform will attempt to use the provided credentials for MFA authentication." ,
412+ Elem : & schema.Resource {
413+ Schema : map [string ]* schema.Schema {
414+ "serial_number" : {
415+ Type : schema .TypeString ,
416+ Required : true ,
417+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_MFA_CERTIFICATION_SERIAL_NUMBER , nil ),
418+ Description : "MFA serial number, the identification number of the MFA device associated with the calling CAM user. Format qcs: cam:uin/${ownerUin}::mfa/${mfaType}. It can be sourced from the `TENCENTCLOUD_MFA_CERTIFICATION_SERIAL_NUMBER`." ,
419+ },
420+ "token_code" : {
421+ Type : schema .TypeString ,
422+ Required : true ,
423+ DefaultFunc : schema .EnvDefaultFunc (PROVIDER_MFA_CERTIFICATION_TOKEN_CODE , nil ),
424+ Description : "MFA authentication code. It can be sourced from the `TENCENTCLOUD_MFA_CERTIFICATION_TOKEN_CODE`." ,
425+ },
426+ "duration_seconds" : {
427+ Type : schema .TypeInt ,
428+ Optional : true ,
429+ DefaultFunc : func () (interface {}, error ) {
430+ if v := os .Getenv (PROVIDER_MFA_CERTIFICATION_DURATION_SECONDS ); v != "" {
431+ return strconv .Atoi (v )
432+ }
433+ return 1800 , nil
434+ },
435+ ValidateFunc : tccommon .ValidateIntegerInRange (0 , 129600 ),
436+ Description : "Specify the validity period of the temporary certificate. The main account can be set to a maximum validity period of 7200 seconds, and the sub account can be set to a maximum validity period of 129600 seconds, and default is 1800 seconds. It can be sourced from the `TENCENTCLOUD_MFA_CERTIFICATION_DURATION_SECONDS`." ,
437+ },
438+ },
439+ },
440+ },
383441 "allowed_account_ids" : {
384442 Type : schema .TypeSet ,
385443 Elem : & schema.Schema {Type : schema .TypeString },
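Review bot: `mfa_certification.token_code` is a one-time password but is not marked `Sensitive: true`, so the code is echoed in plan output and diagnostics; add `Sensitive: true,` next to its `Required: true`. The `duration_seconds` validator is `ValidateIntegerInRange(0, 129600)`, so 0 is accepted even though the description documents a default of 1800 and gives 0 no meaning — if STS does not accept 0, the lower bound should be 1. The same validator admits values above 7200 that the description says a main account cannot use; that can only be rejected server-side, which the description should state so users understand the error they get.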
@@ -2406,6 +2464,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24062464 assumeRoleSessionDuration int
24072465 assumeRolePolicy string
24082466 assumeRoleExternalId string
2467+ assumeRoleSourceIdentity string
2468+ assumeRoleSerialNumber string
2469+ assumeRoleTokenCode string
24092470 )
24102471
24112472 // get assume role from credential
@@ -2419,7 +2480,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24192480
24202481 if assumeRoleArn != "" && assumeRoleSessionName != "" {
24212482 assumeRoleSessionDuration = 7200
2422- err = genClientWithSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRolePolicy , assumeRoleExternalId )
2483+ err = genClientWithSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRolePolicy , assumeRoleExternalId , assumeRoleSourceIdentity , assumeRoleSerialNumber , assumeRoleTokenCode )
24232484 if err != nil {
24242485 return nil , fmt .Errorf ("Get auth from assume role by credential failed. Reason: %s" , err .Error ())
24252486 }
@@ -2430,7 +2491,6 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24302491 envSessionName := os .Getenv (PROVIDER_ASSUME_ROLE_SESSION_NAME )
24312492 if envRoleArn != "" && envSessionName != "" {
24322493 if envSessionDuration := os .Getenv (PROVIDER_ASSUME_ROLE_SESSION_DURATION ); envSessionDuration != "" {
2433- var err error
24342494 assumeRoleSessionDuration , err = strconv .Atoi (envSessionDuration )
24352495 if err != nil {
24362496 return nil , err
@@ -2442,6 +2502,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24422502 }
24432503
24442504 assumeRoleExternalId = os .Getenv (PROVIDER_ASSUME_ROLE_EXTERNAL_ID )
2505+ assumeRoleSourceIdentity = os .Getenv (PROVIDER_ASSUME_ROLE_SOURCE_IDENTITY )
2506+ assumeRoleSerialNumber = os .Getenv (PROVIDER_ASSUME_ROLE_SERIAL_NUMBER )
2507+ assumeRoleTokenCode = os .Getenv (PROVIDER_ASSUME_ROLE_TOKEN_CODE )
24452508
24462509 // get assume role with saml from env
24472510 envSamlAssertion := os .Getenv (PROVIDER_ASSUME_ROLE_SAML_ASSERTION )
@@ -2452,7 +2515,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24522515
24532516 if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
24542517 // use assume role
2455- err = genClientWithSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , "" , assumeRoleExternalId )
2518+ err = genClientWithSTS (& tcClient , envRoleArn , envSessionName , assumeRoleSessionDuration , "" , assumeRoleExternalId , assumeRoleSourceIdentity , assumeRoleSerialNumber , assumeRoleTokenCode )
24562519 if err != nil {
24572520 return nil , fmt .Errorf ("Get auth from assume role by env failed. Reason: %s" , err .Error ())
24582521 }
@@ -2489,8 +2552,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
24892552 assumeRoleSessionDuration = assumeRole ["session_duration" ].(int )
24902553 assumeRolePolicy = assumeRole ["policy" ].(string )
24912554 assumeRoleExternalId = assumeRole ["external_id" ].(string )
2555+ assumeRoleSourceIdentity = assumeRole ["source_identity" ].(string )
2556+ assumeRoleSerialNumber = assumeRole ["serial_number" ].(string )
2557+ assumeRoleTokenCode = assumeRole ["token_code" ].(string )
24922558
2493- err = genClientWithSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRolePolicy , assumeRoleExternalId )
2559+ err = genClientWithSTS (& tcClient , assumeRoleArn , assumeRoleSessionName , assumeRoleSessionDuration , assumeRolePolicy , assumeRoleExternalId , assumeRoleSourceIdentity , assumeRoleSerialNumber , assumeRoleTokenCode )
24942560 if err != nil {
24952561 return nil , fmt .Errorf ("Get auth from assume role failed. Reason: %s" , err .Error ())
24962562 }
@@ -2549,6 +2615,47 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
25492615 }
25502616 }
25512617
2618+ // get mfa from env
2619+ mfaCertificationSerialNumber := os .Getenv (PROVIDER_MFA_CERTIFICATION_SERIAL_NUMBER )
2620+ mfaCertificationTokenCode := os .Getenv (PROVIDER_MFA_CERTIFICATION_TOKEN_CODE )
2621+ if mfaCertificationSerialNumber != "" && mfaCertificationTokenCode != "" {
2622+ var mfaCertificationDurationSeconds int
2623+ if envDurationSeconds := os .Getenv (PROVIDER_MFA_CERTIFICATION_DURATION_SECONDS ); envDurationSeconds != "" {
2624+ mfaCertificationDurationSeconds , err = strconv .Atoi (envDurationSeconds )
2625+ if err != nil {
2626+ return nil , err
2627+ }
2628+ }
2629+
2630+ if mfaCertificationDurationSeconds == 0 {
2631+ mfaCertificationDurationSeconds = 1800
2632+ }
2633+
2634+ err = genClientWithMfaSTS (& tcClient , mfaCertificationSerialNumber , mfaCertificationTokenCode , mfaCertificationDurationSeconds )
2635+ if err != nil {
2636+ return nil , fmt .Errorf ("Get auth from mfa failed. Reason: %s" , err .Error ())
2637+ }
2638+
2639+ needSecret = false
2640+ }
2641+
2642+ // get mfa from tf
2643+ if v , ok := d .GetOk ("mfa_certification" ); ok {
2644+ mfaCertificationList := v .(* schema.Set ).List ()
2645+ if len (mfaCertificationList ) == 1 {
2646+ mfaCertification := mfaCertificationList [0 ].(map [string ]interface {})
2647+ mfaCertificationSerialNumber := mfaCertification ["serial_number" ].(string )
2648+ mfaCertificationTokenCode := mfaCertification ["token_code" ].(string )
2649+ mfaCertificationDurationSeconds := mfaCertification ["duration_seconds" ].(int )
2650+ err = genClientWithMfaSTS (& tcClient , mfaCertificationSerialNumber , mfaCertificationTokenCode , mfaCertificationDurationSeconds )
2651+ if err != nil {
2652+ return nil , fmt .Errorf ("Get auth from mfa failed. Reason: %s" , err .Error ())
2653+ }
2654+
2655+ needSecret = false
2656+ }
2657+ }
2658+
25522659 if v , ok := d .GetOkExists ("enable_pod_oidc" ); ok && v .(bool ) {
25532660 if os .Getenv (POD_OIDC_TKE_REGION ) != "" && os .Getenv (POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE ) != "" && os .Getenv (POD_OIDC_TKE_PROVIDER_ID ) != "" && os .Getenv (POD_OIDC_TKE_ROLE_ARN ) != "" {
25542661 err := genClientWithPodOidc (& tcClient )
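Review bot: The environment block and the `mfa_certification` config block are two independent `if`s, so when both `TENCENTCLOUD_MFA_CERTIFICATION_*` and the config block are set, `GetSessionToken` is called twice, consuming two one-time codes, and the second result silently overwrites the first; make the config block take precedence with an early-out (or an `else`), mirroring how the assume-role code above picks one source. The environment path also skips the range check the schema enforces (`ValidateIntegerInRange(0, 129600)`), so a negative or oversized `TENCENTCLOUD_MFA_CERTIFICATION_DURATION_SECONDS` only fails at the API; after the `Atoi`, add `if mfaCertificationDurationSeconds < 0 || mfaCertificationDurationSeconds > 129600 { return nil, fmt.Errorf("invalid %s: %d", PROVIDER_MFA_CERTIFICATION_DURATION_SECONDS, mfaCertificationDurationSeconds) }`. The bare `return nil, err` on the `Atoi` failure drops the variable name; wrap it as `fmt.Errorf("invalid %s: %w", PROVIDER_MFA_CERTIFICATION_DURATION_SECONDS, err)`.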
@@ -2613,7 +2720,7 @@ func genClientWithCAM(tcClient *TencentCloudClient, roleName string) error {
26132720 return nil
26142721}
26152722
2616- func genClientWithSTS (tcClient * TencentCloudClient , assumeRoleArn , assumeRoleSessionName string , assumeRoleSessionDuration int , assumeRolePolicy string , assumeRoleExternalId string ) error {
2723+ func genClientWithSTS (tcClient * TencentCloudClient , assumeRoleArn , assumeRoleSessionName string , assumeRoleSessionDuration int , assumeRolePolicy string , assumeRoleExternalId string , assumeRoleSourceIdentity string , assumeRoleSerialNumber string , assumeRoleTokenCode string ) error {
26172724 // applying STS credentials
26182725 request := sdksts .NewAssumeRoleRequest ()
26192726 response := sdksts .NewAssumeRoleResponse ()
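Review bot: `genClientWithSTS` now takes nine positional parameters, six of them untyped `string`, and still has no doc comment, so a caller that swaps `assumeRoleSerialNumber` and `assumeRoleTokenCode` compiles without complaint; add a doc comment above the signature stating that the serial number and token code must be supplied together and that an empty string means "not set" for each optional field, and consider grouping the optional fields into a small struct in a follow-up. The function body continues outside this hunk.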
@@ -2628,6 +2735,18 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
26282735 request .ExternalId = helper .String (assumeRoleExternalId )
26292736 }
26302737
2738+ if assumeRoleSourceIdentity != "" {
2739+ request .SourceIdentity = helper .String (assumeRoleSourceIdentity )
2740+ }
2741+
2742+ if assumeRoleSerialNumber != "" {
2743+ request .SerialNumber = helper .String (assumeRoleSerialNumber )
2744+ }
2745+
2746+ if assumeRoleTokenCode != "" {
2747+ request .TokenCode = helper .String (assumeRoleTokenCode )
2748+ }
2749+
26312750 err := resource .Retry (tccommon .ReadRetryTimeout , func () * resource.RetryError {
26322751 ratelimit .Check (request .GetAction ())
26332752 result , e := tcClient .apiV3Conn .UseStsClient ().AssumeRole (request )
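Review bot: `SerialNumber` and `TokenCode` are set independently, so a caller that provides only one of them (easy via the environment path, which has no schema validation) sends a half-formed MFA request to STS and gets an opaque server-side error; fail fast before the request is built with `if (assumeRoleSerialNumber == "") != (assumeRoleTokenCode == "") { return fmt.Errorf("assume role MFA requires both serial number and token code") }`. The rest of `genClientWithSTS` starts and ends outside this hunk.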
@@ -2752,6 +2871,47 @@ func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRol
27522871 return nil
27532872}
27542873
2874+ func genClientWithMfaSTS (tcClient * TencentCloudClient , mfaCertificationSerialNumber string , mfaCertificationTokenCode string , mfaCertificationDurationSeconds int ) error {
2875+ // applying STS credentials
2876+ request := sdksts .NewGetSessionTokenRequest ()
2877+ response := sdksts .NewGetSessionTokenResponse ()
2878+ request .SerialNumber = helper .String (mfaCertificationSerialNumber )
2879+ request .TokenCode = helper .String (mfaCertificationTokenCode )
2880+ request .DurationSeconds = helper .IntInt64 (mfaCertificationDurationSeconds )
2881+
2882+ err := resource .Retry (tccommon .ReadRetryTimeout , func () * resource.RetryError {
2883+ ratelimit .Check (request .GetAction ())
2884+ result , e := tcClient .apiV3Conn .UseStsClient ().GetSessionToken (request )
2885+ if e != nil {
2886+ return tccommon .RetryError (e )
2887+ }
2888+
2889+ if result == nil || result .Response == nil || result .Response .Credentials == nil {
2890+ return resource .NonRetryableError (fmt .Errorf ("Get Session Token failed, Response is nil." ))
2891+ }
2892+
2893+ response = result
2894+ return nil
2895+ })
2896+
2897+ if err != nil {
2898+ return err
2899+ }
2900+
2901+ if response .Response .Credentials .TmpSecretId == nil || response .Response .Credentials .TmpSecretKey == nil || response .Response .Credentials .Token == nil {
2902+ return fmt .Errorf ("Get Session Token failed, Credentials is nil." )
2903+ }
2904+
2905+ // using STS credentials
2906+ tcClient .apiV3Conn .Credential = sdkcommon .NewTokenCredential (
2907+ * response .Response .Credentials .TmpSecretId ,
2908+ * response .Response .Credentials .TmpSecretKey ,
2909+ * response .Response .Credentials .Token ,
2910+ )
2911+
2912+ return nil
2913+ }
2914+
27552915var providerConfig map [string ]interface {}
27562916
27572917func getConfigFromProfile (d * schema.ResourceData , ProfileKey string ) (interface {}, error ) {
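Review bot: `GetSessionToken` is wrapped in `resource.Retry`, but `mfaCertificationTokenCode` is a one-time code, so if the first call is rejected for an MFA reason every retry resends the same consumed or expired code and only burns time (and possibly an MFA failure budget) until `ReadRetryTimeout` elapses; unless `tccommon.RetryError` already classifies authentication failures as non-retryable, map those explicitly to `resource.NonRetryableError` and retry only transport and throttling errors. The function also lacks a doc comment; add one above it: `// genClientWithMfaSTS exchanges the client's current credential plus an MFA code for temporary STS credentials via GetSessionToken and installs them on tcClient.`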