
Commit a1022b5

authored
Merge pull request #414 from gailwang/master
add STS
2 parents fec5340 + 6dfd66e commit a1022b5


10 files changed

+579
-54
lines changed


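--- a/tencentcloud/connectivity/client.go
+++ b/tencentcloud/connectivity/client.go
@@ -72,8 +72,8 @@ func NewTencentCloudClient(secretId, secretKey, securityToken, region string) *T
 }
 }
 
-// newTencentCloudClientProfile returns a new ClientProfile
-func newTencentCloudClientProfile(timeout int) *profile.ClientProfile {
+// NewTencentCloudClientProfile returns a new ClientProfile
+func NewTencentCloudClientProfile(timeout int) *profile.ClientProfile {
 cpf := profile.NewClientProfile()
 
 // all request use method POST
@@ -118,7 +118,7 @@ func (me *TencentCloudClient) UseMysqlClient() *cdb.Client {
 return me.mysqlConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.mysqlConn, _ = cdb.NewClient(me.Credential, me.Region, cpf)
 me.mysqlConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -131,7 +131,7 @@ func (me *TencentCloudClient) UseRedisClient() *redis.Client {
 return me.redisConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.redisConn, _ = redis.NewClient(me.Credential, me.Region, cpf)
 me.redisConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -144,7 +144,7 @@ func (me *TencentCloudClient) UseAsClient() *as.Client {
 return me.asConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.asConn, _ = as.NewClient(me.Credential, me.Region, cpf)
 me.asConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -157,7 +157,7 @@ func (me *TencentCloudClient) UseVpcClient() *vpc.Client {
 return me.vpcConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.vpcConn, _ = vpc.NewClient(me.Credential, me.Region, cpf)
 me.vpcConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -170,7 +170,7 @@ func (me *TencentCloudClient) UseCbsClient() *cbs.Client {
 return me.cbsConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.cbsConn, _ = cbs.NewClient(me.Credential, me.Region, cpf)
 me.cbsConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -183,7 +183,7 @@ func (me *TencentCloudClient) UseDcClient() *dc.Client {
 return me.dcConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.dcConn, _ = dc.NewClient(me.Credential, me.Region, cpf)
 me.dcConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -196,7 +196,7 @@ func (me *TencentCloudClient) UseMongodbClient() *mongodb.Client {
 return me.mongodbConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.mongodbConn, _ = mongodb.NewClient(me.Credential, me.Region, cpf)
 me.mongodbConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -209,7 +209,7 @@ func (me *TencentCloudClient) UseClbClient() *clb.Client {
 return me.clbConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.clbConn, _ = clb.NewClient(me.Credential, me.Region, cpf)
 me.clbConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -222,7 +222,7 @@ func (me *TencentCloudClient) UseCvmClient() *cvm.Client {
 return me.cvmConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.cvmConn, _ = cvm.NewClient(me.Credential, me.Region, cpf)
 me.cvmConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -235,7 +235,7 @@ func (me *TencentCloudClient) UseTagClient() *tag.Client {
 return me.tagConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.tagConn, _ = tag.NewClient(me.Credential, me.Region, cpf)
 me.tagConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -248,7 +248,7 @@ func (me *TencentCloudClient) UseTkeClient() *tke.Client {
 return me.tkeConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.tkeConn, _ = tke.NewClient(me.Credential, me.Region, cpf)
 me.tkeConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -261,7 +261,7 @@ func (me *TencentCloudClient) UseGaapClient() *gaap.Client {
 return me.gaapConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.gaapConn, _ = gaap.NewClient(me.Credential, me.Region, cpf)
 me.gaapConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -274,7 +274,7 @@ func (me *TencentCloudClient) UseSslClient() *ssl.Client {
 return me.sslConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.sslConn, _ = ssl.NewClient(me.Credential, me.Region, cpf)
 me.sslConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -287,7 +287,7 @@ func (me *TencentCloudClient) UseCamClient() *cam.Client {
 return me.camConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.camConn, _ = cam.NewClient(me.Credential, me.Region, cpf)
 me.camConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -300,7 +300,7 @@ func (me *TencentCloudClient) UseCfsClient() *cfs.Client {
 return me.cfsConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.cfsConn, _ = cfs.NewClient(me.Credential, me.Region, cpf)
 me.cfsConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -313,7 +313,7 @@ func (me *TencentCloudClient) UseScfClient() *scf.Client {
 return me.scfConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.scfConn, _ = scf.NewClient(me.Credential, me.Region, cpf)
 me.scfConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -326,7 +326,7 @@ func (me *TencentCloudClient) UseTcaplusClient() *tcaplusdb.Client {
 return me.tcaplusConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.tcaplusConn, _ = tcaplusdb.NewClient(me.Credential, me.Region, cpf)
 me.tcaplusConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -339,7 +339,7 @@ func (me *TencentCloudClient) UseDayuClient() *dayu.Client {
 return me.dayuConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.dayuConn, _ = dayu.NewClient(me.Credential, me.Region, cpf)
 me.dayuConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -352,7 +352,7 @@ func (me *TencentCloudClient) UseCdnClient() *cdn.Client {
 return me.cdnConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.cdnConn, _ = cdn.NewClient(me.Credential, me.Region, cpf)
 me.cdnConn.WithHttpTransport(&LogRoundTripper{})
 
@@ -365,7 +365,7 @@ func (me *TencentCloudClient) UseMonitorClient() *monitor.Client {
 return me.monitorConn
 }
 
-cpf := newTencentCloudClientProfile(300)
+cpf := NewTencentCloudClientProfile(300)
 me.monitorConn, _ = monitor.NewClient(me.Credential, me.Region, cpf)
 me.monitorConn.WithHttpTransport(&LogRoundTripper{})
 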
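--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -15,6 +15,19 @@ provider "tencentcloud" {
 secret_key = var.secret_key
 region = var.region
 }
+
+#Configure the TencentCloud Provider with STS
+provider "tencentcloud" {
+secret_id = var.secret_id
+secret_key = var.secret_key
+region = var.region
+assume_role {
+role_arn = var.assume_role_arn
+session_name = var.session_name
+session_duration = var.session_duration
+policy = var.policy
+}
+}
 ```
 
 Resources List
@@ -349,17 +362,27 @@ VPN
 package tencentcloud
 
 import (
+"net/url"
 "os"
+"strconv"
 
 "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 "github.com/hashicorp/terraform-plugin-sdk/terraform"
+"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+sts "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/sts/v20180813"
+con "github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/connectivity"
+"github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/internal/helper"
+"github.com/terraform-providers/terraform-provider-tencentcloud/tencentcloud/ratelimit"
 )
 
 const (
-PROVIDER_SECRET_ID = "TENCENTCLOUD_SECRET_ID"
-PROVIDER_SECRET_KEY = "TENCENTCLOUD_SECRET_KEY"
-PROVIDER_SECURITY_TOKEN = "TENCENTCLOUD_SECURITY_TOKEN"
-PROVIDER_REGION = "TENCENTCLOUD_REGION"
+PROVIDER_SECRET_ID = "TENCENTCLOUD_SECRET_ID"
+PROVIDER_SECRET_KEY = "TENCENTCLOUD_SECRET_KEY"
+PROVIDER_SECURITY_TOKEN = "TENCENTCLOUD_SECURITY_TOKEN"
+PROVIDER_REGION = "TENCENTCLOUD_REGION"
+PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
+PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
+PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
 )
 
 func Provider() terraform.ResourceProvider {
@@ -392,6 +415,40 @@ func Provider() terraform.ResourceProvider {
 Description: "This is the TencentCloud region. It must be provided, but it can also be sourced from the `TENCENTCLOUD_REGION` environment variables. The default input value is ap-guangzhou.",
 InputDefault: "ap-guangzhou",
 },
+"assume_role": {
+Type: schema.TypeSet,
+Optional: true,
+MaxItems: 1,
+Description: "The `assume_role` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"role_arn": {
+Type: schema.TypeString,
+Required: true,
+DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_ARN, nil),
+Description: "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`.",
+},
+"session_name": {
+Type: schema.TypeString,
+Required: true,
+DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SESSION_NAME, nil),
+Description: "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.",
+},
+"session_duration": {
+Type: schema.TypeInt,
+Required: true,
+InputDefault: "7200",
+ValidateFunc: validateIntegerInRange(0, 43200),
+Description: "The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.",
+},
+"policy": {
+Type: schema.TypeString,
+Optional: true,
+Description: "A more restrictive policy when making the AssumeRole call. Its content must not contains `principal` elements. Notice: more syntax references, please refer to: [policies syntax logic](https://intl.cloud.tencent.com/document/product/598/10603).",
+},
+},
+},
+},
 },
 
 DataSourcesMap: map[string]*schema.Resource{
@@ -612,27 +669,72 @@ func Provider() terraform.ResourceProvider {
 }
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
-secretId, ok := d.GetOk("secret_id")
-if !ok {
-secretId = os.Getenv(PROVIDER_SECRET_ID)
-}
-secretKey, ok := d.GetOk("secret_key")
-if !ok {
-secretKey = os.Getenv(PROVIDER_SECRET_KEY)
-}
-securityToken, ok := d.GetOk("security_token")
-if !ok {
-securityToken = os.Getenv(PROVIDER_SECURITY_TOKEN)
-}
-region, ok := d.GetOk("region")
-if !ok {
-region = os.Getenv(PROVIDER_REGION)
+secretId := d.Get("secret_id").(string)
+secretKey := d.Get("secret_key").(string)
+securityToken := d.Get("security_token").(string)
+region := d.Get("region").(string)
+
+//assume arn
+assumeRoleList := d.Get("assume_role").(*schema.Set).List()
+if len(assumeRoleList) == 1 {
+assumeRole := assumeRoleList[0].(map[string]interface{})
+assumeRoleArn := assumeRole["role_arn"].(string)
+assumeRoleSessionName := assumeRole["session_name"].(string)
+assumeRoleSessionDuration := assumeRole["session_duration"].(int)
+assumeRolePolicy := assumeRole["policy"].(string)
+if assumeRoleSessionDuration == 0 {
+var err error
+if duration := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); duration != "" {
+assumeRoleSessionDuration, err = strconv.Atoi(duration)
+if err != nil {
+return nil, err
+}
+if assumeRoleSessionDuration == 0 {
+assumeRoleSessionDuration = 7200
+}
+}
+}
+//applying STS credentials
+request := sts.NewAssumeRoleRequest()
+request.RoleArn = helper.String(assumeRoleArn)
+request.RoleSessionName = helper.String(assumeRoleSessionName)
+request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
+
+if assumeRolePolicy != "" {
+//urlencode policy
+request.Policy = helper.String(url.QueryEscape(assumeRolePolicy))
+}
+
+cpf := con.NewTencentCloudClientProfile(300)
+//send request
+credential := common.NewTokenCredential(
+secretId,
+secretKey,
+securityToken,
+)
+
+client, err := sts.NewClient(credential, region, cpf)
+if err != nil {
+return nil, err
+}
+ratelimit.Check(request.GetAction())
+response, err := client.AssumeRole(request)
+if err != nil {
+return nil, err
+}
+
+//set assume role
+secretId = *response.Response.Credentials.TmpSecretId
+secretKey = *response.Response.Credentials.TmpSecretKey
+securityToken = *response.Response.Credentials.Token
 }
+
 config := Config{
-SecretId: secretId.(string),
-SecretKey: secretKey.(string),
-SecurityToken: securityToken.(string),
-Region: region.(string),
+SecretId: secretId,
+SecretKey: secretKey,
+SecurityToken: securityToken,
+Region: region,
 }
+
 return config.Client()
 }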
