
Commit ea2fac3

authored
feat(provider): [119585994] add new auth for cam_role_name (#2892)
* add * add * add * add
1 parent a8c47b0 commit ea2fac3


3 files changed

+49
-9
lines changed


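--- a/.changelog/2892.txt
+++ b/.changelog/2892.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: add new auth for `cam_role_name`
+```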

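--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -131,6 +131,7 @@ const (
 PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
 PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
 PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
+PROVIDER_ASSUME_ROLE_EXTERNAL_ID = "TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID"
 PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
 PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
 PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
@@ -249,6 +250,12 @@ func Provider() *schema.Provider {
 Optional: true,
 Description: "A more restrictive policy when making the AssumeRole call. Its content must not contains `principal` elements. Notice: more syntax references, please refer to: [policies syntax logic](https://intl.cloud.tencent.com/document/product/598/10603).",
 },
+"external_id": {
+Type: schema.TypeString,
+Optional: true,
+DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_EXTERNAL_ID, nil),
+Description: "External role ID, which can be obtained by clicking the role name in the CAM console. It can contain 2-128 letters, digits, and symbols (=,.@:/-). Regex: [\\w+=,.@:/-]*. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID`.",
+},
 },
 },
 },
@@ -2253,6 +2260,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSessionName string
 assumeRoleSessionDuration int
 assumeRolePolicy string
+assumeRoleExternalId string
 )
 
 // get assume role from credential
@@ -2266,8 +2274,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 if assumeRoleArn != "" && assumeRoleSessionName != "" {
 assumeRoleSessionDuration = 7200
-assumeRolePolicy = ""
-_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy)
+_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
 }
 
 // get assume role from env
@@ -2286,6 +2293,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSessionDuration = 7200
 }
 
+assumeRoleExternalId = os.Getenv(PROVIDER_ASSUME_ROLE_EXTERNAL_ID)
+
 // get assume role with saml from env
 envSamlAssertion := os.Getenv(PROVIDER_ASSUME_ROLE_SAML_ASSERTION)
 envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
@@ -2294,7 +2303,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 // use assume role
-_ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "")
+_ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "", assumeRoleExternalId)
 } else if envSamlAssertion != "" && envPrincipalArn != "" && envWebIdentityToken != "" {
 return nil, fmt.Errorf("can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n")
 } else if envSamlAssertion != "" && envPrincipalArn != "" {
@@ -2319,9 +2328,14 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSessionName = assumeRole["session_name"].(string)
 assumeRoleSessionDuration = assumeRole["session_duration"].(int)
 assumeRolePolicy = assumeRole["policy"].(string)
+assumeRoleExternalId = assumeRole["external_id"].(string)
 
-_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy)
-needSecret = true
+_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
+if camRoleName != "" {
+needSecret = false
+} else {
+needSecret = true
+}
 }
 }
 
@@ -2397,7 +2411,7 @@ func genClientWithCAM(tcClient *TencentCloudClient, roleName string) error {
 return nil
 }
 
-func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string, assumeRoleExternalId string) error {
 // applying STS credentials
 request := sdksts.NewAssumeRoleRequest()
 request.RoleArn = helper.String(assumeRoleArn)
@@ -2407,6 +2421,10 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
 request.Policy = helper.String(url.QueryEscape(assumeRolePolicy))
 }
 
+if assumeRoleExternalId != "" {
+request.ExternalId = helper.String(assumeRoleExternalId)
+}
+
 ratelimit.Check(request.GetAction())
 response, err := tcClient.apiV3Conn.UseStsClient().AssumeRole(request)
 if err != nil {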

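--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -141,7 +141,7 @@ $ terraform plan
 
 ### Assume role
 
-If provided with an assume role, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `role_arn`, `session_name`, `session_duration` and `policy`(optional) in-line in the tencentcloud provider block:
+If provided with an assume role, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `role_arn`, `session_name`, `session_duration`, `policy`(optional) and `external_id`(optional) in-line in the tencentcloud provider block:
 
 Usage:
 
@@ -160,7 +160,7 @@ provider "tencentcloud" {
 }
 ```
 
-The `role_arn`, `session_name`, `session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables.
+The `role_arn`, `session_name`, `session_duration` and `external_id` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID` environment variables.
 
 Usage:
 
@@ -254,7 +254,7 @@ provider "tencentcloud" {
 
 ### Cam role name
 
-If provided with a Cam role name, Terraform will just access the metadata URL: http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/<cam_role_name> to obtain the STS credential. The CVM Instance Role also can be set using the TENCENTCLOUD_CAM_ROLE_NAME environment variables.
+If provided with a Cam role name, Terraform will just access the metadata URL: `http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/<cam_role_name>` to obtain the STS credential. The CVM Instance Role also can be set using the `TENCENTCLOUD_CAM_ROLE_NAME` environment variables.
 
 -> **Note:** Cam-role-name is used to grant the role entity the permissions to access services and resources and perform operations in Tencent Cloud. You can associate the CAM role with a CVM instance to call other Tencent Cloud APIs from the instance using the periodically updated temporary Security Token Service (STS) key.
 
@@ -268,6 +268,24 @@ provider "tencentcloud" {
 }
 ```
 
+It can also be authenticated together with method Assume role. Authentication process: Perform CAM authentication first, then proceed with Assume role authentication.
+
+Usage:
+
+```hcl
+provider "tencentcloud" {
+cam_role_name = "my-cam-role-name"
+
+assume_role {
+role_arn = "my-role-arn"
+session_name = "my-session-name"
+policy = "my-role-policy"
+session_duration = 3600
+external_id = "my-external-id"
+}
+}
+```
+
 ### CDC cos usage
 
 You can set the cos domain by setting the environment variable `TENCENTCLOUD_COS_DOMAIN`, and configure the cdc scenario as follows:
@@ -347,6 +365,7 @@ The nested `assume_role` block supports the following:
 * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
 * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.
 * `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed.
+* `external_id` - (Optional) External role ID, which can be obtained by clicking the role name in the CAM console. It can contain 2-128 letters, digits, and symbols (=,.@\:/-). Regex: [\\w+=,.@\:/-]*. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_EXTERNAL_ID`.
 
 The nested `assume_role_with_saml` block supports the following:
 * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.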
