Merge pull request #414 from gailwang/master

add STS

Author: likexian

tencentcloud/connectivity/client.go

@@ -72,8 +72,8 @@ func NewTencentCloudClient(secretId, secretKey, securityToken, region string) *T
 	}
 }
 
-// newTencentCloudClientProfile returns a new ClientProfile
-func newTencentCloudClientProfile(timeout int) *profile.ClientProfile {
+// NewTencentCloudClientProfile returns a new ClientProfile
+func NewTencentCloudClientProfile(timeout int) *profile.ClientProfile {
 	cpf := profile.NewClientProfile()
 
 	// all request use method POST
@@ -118,7 +118,7 @@ func (me *TencentCloudClient) UseMysqlClient() *cdb.Client {
 		return me.mysqlConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.mysqlConn, _ = cdb.NewClient(me.Credential, me.Region, cpf)
 	me.mysqlConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -131,7 +131,7 @@ func (me *TencentCloudClient) UseRedisClient() *redis.Client {
 		return me.redisConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.redisConn, _ = redis.NewClient(me.Credential, me.Region, cpf)
 	me.redisConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -144,7 +144,7 @@ func (me *TencentCloudClient) UseAsClient() *as.Client {
 		return me.asConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.asConn, _ = as.NewClient(me.Credential, me.Region, cpf)
 	me.asConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -157,7 +157,7 @@ func (me *TencentCloudClient) UseVpcClient() *vpc.Client {
 		return me.vpcConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.vpcConn, _ = vpc.NewClient(me.Credential, me.Region, cpf)
 	me.vpcConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -170,7 +170,7 @@ func (me *TencentCloudClient) UseCbsClient() *cbs.Client {
 		return me.cbsConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.cbsConn, _ = cbs.NewClient(me.Credential, me.Region, cpf)
 	me.cbsConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -183,7 +183,7 @@ func (me *TencentCloudClient) UseDcClient() *dc.Client {
 		return me.dcConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.dcConn, _ = dc.NewClient(me.Credential, me.Region, cpf)
 	me.dcConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -196,7 +196,7 @@ func (me *TencentCloudClient) UseMongodbClient() *mongodb.Client {
 		return me.mongodbConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.mongodbConn, _ = mongodb.NewClient(me.Credential, me.Region, cpf)
 	me.mongodbConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -209,7 +209,7 @@ func (me *TencentCloudClient) UseClbClient() *clb.Client {
 		return me.clbConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.clbConn, _ = clb.NewClient(me.Credential, me.Region, cpf)
 	me.clbConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -222,7 +222,7 @@ func (me *TencentCloudClient) UseCvmClient() *cvm.Client {
 		return me.cvmConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.cvmConn, _ = cvm.NewClient(me.Credential, me.Region, cpf)
 	me.cvmConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -235,7 +235,7 @@ func (me *TencentCloudClient) UseTagClient() *tag.Client {
 		return me.tagConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.tagConn, _ = tag.NewClient(me.Credential, me.Region, cpf)
 	me.tagConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -248,7 +248,7 @@ func (me *TencentCloudClient) UseTkeClient() *tke.Client {
 		return me.tkeConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.tkeConn, _ = tke.NewClient(me.Credential, me.Region, cpf)
 	me.tkeConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -261,7 +261,7 @@ func (me *TencentCloudClient) UseGaapClient() *gaap.Client {
 		return me.gaapConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.gaapConn, _ = gaap.NewClient(me.Credential, me.Region, cpf)
 	me.gaapConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -274,7 +274,7 @@ func (me *TencentCloudClient) UseSslClient() *ssl.Client {
 		return me.sslConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.sslConn, _ = ssl.NewClient(me.Credential, me.Region, cpf)
 	me.sslConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -287,7 +287,7 @@ func (me *TencentCloudClient) UseCamClient() *cam.Client {
 		return me.camConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.camConn, _ = cam.NewClient(me.Credential, me.Region, cpf)
 	me.camConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -300,7 +300,7 @@ func (me *TencentCloudClient) UseCfsClient() *cfs.Client {
 		return me.cfsConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.cfsConn, _ = cfs.NewClient(me.Credential, me.Region, cpf)
 	me.cfsConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -313,7 +313,7 @@ func (me *TencentCloudClient) UseScfClient() *scf.Client {
 		return me.scfConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.scfConn, _ = scf.NewClient(me.Credential, me.Region, cpf)
 	me.scfConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -326,7 +326,7 @@ func (me *TencentCloudClient) UseTcaplusClient() *tcaplusdb.Client {
 		return me.tcaplusConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.tcaplusConn, _ = tcaplusdb.NewClient(me.Credential, me.Region, cpf)
 	me.tcaplusConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -339,7 +339,7 @@ func (me *TencentCloudClient) UseDayuClient() *dayu.Client {
 		return me.dayuConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.dayuConn, _ = dayu.NewClient(me.Credential, me.Region, cpf)
 	me.dayuConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -352,7 +352,7 @@ func (me *TencentCloudClient) UseCdnClient() *cdn.Client {
 		return me.cdnConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.cdnConn, _ = cdn.NewClient(me.Credential, me.Region, cpf)
 	me.cdnConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -365,7 +365,7 @@ func (me *TencentCloudClient) UseMonitorClient() *monitor.Client {
 		return me.monitorConn
 	}
 
-	cpf := newTencentCloudClientProfile(300)
+	cpf := NewTencentCloudClientProfile(300)
 	me.monitorConn, _ = monitor.NewClient(me.Credential, me.Region, cpf)
 	me.monitorConn.WithHttpTransport(&LogRoundTripper{})
 

tencentcloud/provider.go

@@ -15,6 +15,19 @@ provider "tencentcloud" {
   secret_key = var.secret_key
   region     = var.region
 }
+
+#Configure the TencentCloud Provider with STS
+provider "tencentcloud" {
+  secret_id  = var.secret_id
+  secret_key = var.secret_key
+  region     = var.region
+  assume_role  {
+   role_arn = var.assume_role_arn
+   session_name	= var.session_name
+   session_duration = var.session_duration
+   policy = var.policy
+ }
+}
 ```
 
 Resources List
@@ -349,17 +362,27 @@ VPN
 package tencentcloud
 
 import (
+	"net/url"
 	"os"
+	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	sts "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts/v20180813"
+	con "github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/connectivity"
+	"github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+	"github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/ratelimit"
 )
 
 const (
-	PROVIDER_SECRET_ID      = "TENCENTCLOUD_SECRET_ID"
-	PROVIDER_SECRET_KEY     = "TENCENTCLOUD_SECRET_KEY"
-	PROVIDER_SECURITY_TOKEN = "TENCENTCLOUD_SECURITY_TOKEN"
-	PROVIDER_REGION         = "TENCENTCLOUD_REGION"
+	PROVIDER_SECRET_ID                    = "TENCENTCLOUD_SECRET_ID"
+	PROVIDER_SECRET_KEY                   = "TENCENTCLOUD_SECRET_KEY"
+	PROVIDER_SECURITY_TOKEN               = "TENCENTCLOUD_SECURITY_TOKEN"
+	PROVIDER_REGION                       = "TENCENTCLOUD_REGION"
+	PROVIDER_ASSUME_ROLE_ARN              = "TENCENTCLOUD_ASSUME_ROLE_ARN"
+	PROVIDER_ASSUME_ROLE_SESSION_NAME     = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
+	PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
 )
 
 func Provider() terraform.ResourceProvider {
@@ -392,6 +415,40 @@ func Provider() terraform.ResourceProvider {
 				Description:  "This is the TencentCloud region. It must be provided, but it can also be sourced from the `TENCENTCLOUD_REGION` environment variables. The default input value is ap-guangzhou.",
 				InputDefault: "ap-guangzhou",
 			},
+			"assume_role": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				MaxItems:    1,
+				Description: "The `assume_role` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"role_arn": {
+							Type:        schema.TypeString,
+							Required:    true,
+							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_ARN, nil),
+							Description: "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`.",
+						},
+						"session_name": {
+							Type:        schema.TypeString,
+							Required:    true,
+							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SESSION_NAME, nil),
+							Description: "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.",
+						},
+						"session_duration": {
+							Type:         schema.TypeInt,
+							Required:     true,
+							InputDefault: "7200",
+							ValidateFunc: validateIntegerInRange(0, 43200),
+							Description:  "The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.",
+						},
+						"policy": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "A more restrictive policy when making the AssumeRole call. Its content must not contains `principal` elements. Notice: more syntax references, please refer to: [policies syntax logic](https://intl.cloud.tencent.com/document/product/598/10603).",
+						},
+					},
+				},
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -612,27 +669,72 @@ func Provider() terraform.ResourceProvider {
 }
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
-	secretId, ok := d.GetOk("secret_id")
-	if !ok {
-		secretId = os.Getenv(PROVIDER_SECRET_ID)
-	}
-	secretKey, ok := d.GetOk("secret_key")
-	if !ok {
-		secretKey = os.Getenv(PROVIDER_SECRET_KEY)
-	}
-	securityToken, ok := d.GetOk("security_token")
-	if !ok {
-		securityToken = os.Getenv(PROVIDER_SECURITY_TOKEN)
-	}
-	region, ok := d.GetOk("region")
-	if !ok {
-		region = os.Getenv(PROVIDER_REGION)
+	secretId := d.Get("secret_id").(string)
+	secretKey := d.Get("secret_key").(string)
+	securityToken := d.Get("security_token").(string)
+	region := d.Get("region").(string)
+
+	//assume arn
+	assumeRoleList := d.Get("assume_role").(*schema.Set).List()
+	if len(assumeRoleList) == 1 {
+		assumeRole := assumeRoleList[0].(map[string]interface{})
+		assumeRoleArn := assumeRole["role_arn"].(string)
+		assumeRoleSessionName := assumeRole["session_name"].(string)
+		assumeRoleSessionDuration := assumeRole["session_duration"].(int)
+		assumeRolePolicy := assumeRole["policy"].(string)
+		if assumeRoleSessionDuration == 0 {
+			var err error
+			if duration := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); duration != "" {
+				assumeRoleSessionDuration, err = strconv.Atoi(duration)
+				if err != nil {
+					return nil, err
+				}
+				if assumeRoleSessionDuration == 0 {
+					assumeRoleSessionDuration = 7200
+				}
+			}
+		}
+		//applying STS credentials
+		request := sts.NewAssumeRoleRequest()
+		request.RoleArn = helper.String(assumeRoleArn)
+		request.RoleSessionName = helper.String(assumeRoleSessionName)
+		request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
+
+		if assumeRolePolicy != "" {
+			//urlencode policy
+			request.Policy = helper.String(url.QueryEscape(assumeRolePolicy))
+		}
+
+		cpf := con.NewTencentCloudClientProfile(300)
+		//send request
+		credential := common.NewTokenCredential(
+			secretId,
+			secretKey,
+			securityToken,
+		)
+
+		client, err := sts.NewClient(credential, region, cpf)
+		if err != nil {
+			return nil, err
+		}
+		ratelimit.Check(request.GetAction())
+		response, err := client.AssumeRole(request)
+		if err != nil {
+			return nil, err
+		}
+
+		//set assume role
+		secretId = *response.Response.Credentials.TmpSecretId
+		secretKey = *response.Response.Credentials.TmpSecretKey
+		securityToken = *response.Response.Credentials.Token
 	}
+
 	config := Config{
-		SecretId:      secretId.(string),
-		SecretKey:     secretKey.(string),
-		SecurityToken: securityToken.(string),
-		Region:        region.(string),
+		SecretId:      secretId,
+		SecretKey:     secretKey,
+		SecurityToken: securityToken,
+		Region:        region,
 	}
+
 	return config.Client()
 }