From d2ef8a04defc58d6c0cf5e56d0f966a6b377276b Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Mon, 22 Jul 2024 20:04:35 +0800
Subject: [PATCH 1/6] add
---
 tencentcloud/provider.go | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index e66ac94835..565cbb8326 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -1993,17 +1993,6 @@ func Provider() *schema.Provider {
 }
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
- //var getProviderConfig = func(str string, key string) string {
- // if str == "" {
- // value, err := getConfigFromProfile(d, key)
- // if err == nil && value != nil {
- // str = value.(string)
- // }
- // }
- //
- // return str
- //}
-
 var getProviderConfig = func(key string) string {
 var str string
 value, err := getConfigFromProfile(d, key)
@@ -2037,6 +2026,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 if v, ok := d.GetOk("security_token"); ok {
 securityToken = v.(string)
+ } else {
+ securityToken = getProviderConfig("securityToken")
 }
 if v, ok := d.GetOk("region"); ok {
From cbfc64ec27fbf615ff2399963a3580595c240bc5 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Mon, 22 Jul 2024 20:09:01 +0800
Subject: [PATCH 2/6] add
---
 .changelog/2739.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2739.txt
diff --git a/.changelog/2739.txt b/.changelog/2739.txt
new file mode 100644
index 0000000000..44bd776f49
--- /dev/null
+++ b/.changelog/2739.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: support securityToken for credentials
+```
From 72ae327186d1bb754043b709c8cd584fd13d6d11 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Mon, 22 Jul 2024 20:17:40 +0800
Subject: [PATCH 3/6] add
---
 tencentcloud/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index 565cbb8326..eae106adc5 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -2027,7 +2027,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 if v, ok := d.GetOk("security_token"); ok {
 securityToken = v.(string)
 } else {
- securityToken = getProviderConfig("securityToken")
+ securityToken = getProviderConfig("token")
 }
 if v, ok := d.GetOk("region"); ok {
From baa21dfaae582127d74e58e5443020d066cecdb1 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Tue, 23 Jul 2024 11:06:51 +0800
Subject: [PATCH 4/6] add
---
 tencentcloud/provider.go | 116 +++++++++++++++++++++++++++++++++++----
 1 file changed, 106 insertions(+), 10 deletions(-)
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index eae106adc5..e548199660 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -123,11 +123,14 @@ const (
 PROVIDER_DOMAIN = "TENCENTCLOUD_DOMAIN"
 //internal version: replace envYunti begin, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
 //internal version: replace envYunti end, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
- PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
- PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
- PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
- PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
- PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
+ PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN"
+ PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME"
+ PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION"
+ PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
+ PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
+ PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
+ PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
+ PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
 )
 const (
@@ -230,6 +233,29 @@ func Provider() *schema.Provider {
 Optional: true,
 Description: "A more restrictive policy when making the AssumeRole call. Its content must not contains `principal` elements. Notice: more syntax references, please refer to: [policies syntax logic](https://intl.cloud.tencent.com/document/product/598/10603).",
 },
+ "saml_assertion": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SAML_ASSERTION, nil),
+ ConflictsWith: []string{"web_identity_token"},
+ RequiredWith: []string{"principal_arn"},
+ Description: "SAML assertion information encoded in base64. And it can't be used with `web_identity_token` together.",
+ },
+ "principal_arn": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, nil),
+ ConflictsWith: []string{"web_identity_token"},
+ RequiredWith: []string{"saml_assertion"},
+ Description: "Player Access Description Name. And it can't be used with `web_identity_token` together.",
+ },
+ "web_identity_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN, nil),
+ ConflictsWith: []string{"saml_assertion", "principal_arn"},
+ Description: "OIDC token issued by IdP. And it can't be used with `saml_assertion` or `principal_arn` together.",
+ },
 },
 },
 },
@@ -2061,10 +2087,13 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 }
 var (
- assumeRoleArn string
- assumeRoleSessionName string
- assumeRoleSessionDuration int
- assumeRolePolicy string
+ assumeRoleArn string
+ assumeRoleSessionName string
+ assumeRoleSessionDuration int
+ assumeRolePolicy string
+ assumeRoleSamlAssertion string
+ assumeRolePrincipalArn string
+ assumeRoleWebIdentityToken string
 )
 // get assume role from credential
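Review bot: The `saml_assertion` and `web_identity_token` attributes in the first hunk carry credential material (a SAML assertion and an OIDC token the provider exchanges for STS credentials) yet are declared without `Sensitive: true`, so the SDK has no signal to redact them in diagnostics; adding `Sensitive: true,` to both entries costs nothing. The same two declarations are rewritten again in patch 5's schema hunk (the `assume_role.0.*` ConflictsWith fix) and should carry the flag there as well. The `principal_arn` description `Player Access Description Name` does not tell a user what to supply; presumably "Player" is a mistranslation of "Principal", and `Principal access description name of the SAML identity provider; must be set together with saml_assertion.` would be clearer. The enclosing Provider() function starts and ends outside this hunk.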
@@ -2106,13 +2135,30 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 if v, ok := d.GetOk("assume_role"); ok {
 assumeRoleList := v.(*schema.Set).List()
 if len(assumeRoleList) == 1 {
+ // assume role
 assumeRole := assumeRoleList[0].(map[string]interface{})
 assumeRoleArn = assumeRole["role_arn"].(string)
 assumeRoleSessionName = assumeRole["session_name"].(string)
 assumeRoleSessionDuration = assumeRole["session_duration"].(int)
 assumeRolePolicy = assumeRole["policy"].(string)
+ // saml
+ assumeRoleSamlAssertion = assumeRole["saml_assertion"].(string)
+ assumeRolePrincipalArn = assumeRole["principal_arn"].(string)
+ // oidc
+ assumeRoleWebIdentityToken = assumeRole["web_identity_token"].(string)
- _ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy)
+ if assumeRoleSamlAssertion == "" && assumeRolePrincipalArn == "" && assumeRoleWebIdentityToken == "" {
+ // use assume role
+ _ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy)
+ } else if assumeRoleSamlAssertion != "" && assumeRolePrincipalArn != "" {
+ // use assume role with saml
+ _ = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn)
+ } else if assumeRoleWebIdentityToken != "" {
+ // use assume role with oidc
+ _ = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+ } else {
+ return nil, fmt.Errorf("`assume_role` params error.")
+ }
 }
 }
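Review bot: The results of the new `genClientWithSamlSTS` and `genClientWithOidcSTS` calls are discarded with `_ =`, following the pre-existing `genClientWithSTS` line; when the STS exchange fails, `tcClient.apiV3Conn.Credential` keeps the caller's long-lived credentials and every later API call runs under that identity instead of the requested role, with no diagnostic to show it. If the silent fallback is intentional it deserves a comment saying so; otherwise each branch should return the error, as sketched below. The final `else` message ends with a period (flagged by go vet) and does not say which combination was rejected, which is the only thing a user needs from it. Patch 5's environment-variable hunk repeats the same discarded-error pattern. providerConfigure begins and ends outside this hunk.
```go
if assumeRoleSamlAssertion == "" && assumeRolePrincipalArn == "" && assumeRoleWebIdentityToken == "" {
	// use assume role
	if err := genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy); err != nil {
		return nil, fmt.Errorf("assume role: %w", err)
	}
} else if assumeRoleSamlAssertion != "" && assumeRolePrincipalArn != "" {
	// use assume role with saml
	if err := genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn); err != nil {
		return nil, fmt.Errorf("assume role with SAML: %w", err)
	}
} else if assumeRoleWebIdentityToken != "" {
	// use assume role with oidc
	if err := genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken); err != nil {
		return nil, fmt.Errorf("assume role with OIDC: %w", err)
	}
} else {
	return nil, fmt.Errorf("`assume_role`: saml_assertion and principal_arn must be set together, or web_identity_token alone")
}
```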
@@ -2149,6 +2195,56 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
 return nil
 }
+func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRoleSamlAssertion, assumeRolePrincipalArn string) error {
+ // applying STS credentials
+ request := sdksts.NewAssumeRoleWithSAMLRequest()
+ request.RoleArn = helper.String(assumeRoleArn)
+ request.RoleSessionName = helper.String(assumeRoleSessionName)
+ request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
+ request.SAMLAssertion = helper.String(assumeRoleSamlAssertion)
+ request.PrincipalArn = helper.String(assumeRolePrincipalArn)
+
+ ratelimit.Check(request.GetAction())
+ response, err := tcClient.apiV3Conn.UseStsClient().AssumeRoleWithSAML(request)
+ if err != nil {
+ return err
+ }
+
+ // using STS credentials
+ tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
+ *response.Response.Credentials.TmpSecretId,
+ *response.Response.Credentials.TmpSecretKey,
+ *response.Response.Credentials.Token,
+ )
+
+ return nil
+}
+
+func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+ // applying STS credentials
+ request := sdksts.NewAssumeRoleWithWebIdentityRequest()
+ request.ProviderId = helper.String("OIDC")
+ request.RoleArn = helper.String(assumeRoleArn)
+ request.RoleSessionName = helper.String(assumeRoleSessionName)
+ request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration)
+ request.WebIdentityToken = helper.String(assumeRolePolicy)
+
+ ratelimit.Check(request.GetAction())
+ response, err := tcClient.apiV3Conn.UseStsClient().AssumeRoleWithWebIdentity(request)
+ if err != nil {
+ return err
+ }
+
+ // using STS credentials
+ tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
+ *response.Response.Credentials.TmpSecretId,
+ *response.Response.Credentials.TmpSecretKey,
+ *response.Response.Credentials.Token,
+ )
+
+ return nil
+}
+
 var providerConfig map[string]interface{}
 func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{}, error) {
From 5484210995b1fb99daa91e05f153e0c6182ad35f Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Tue, 23 Jul 2024 14:42:59 +0800
Subject: [PATCH 5/6] add
---
 tencentcloud/provider.go | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index e548199660..1e4e3868f6 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -198,7 +198,7 @@ func Provider() *schema.Provider {
 //internal version: replace enableBpass begin, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
 //internal version: replace enableBpass end, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation.
 "assume_role": {
- Type: schema.TypeSet,
+ Type: schema.TypeList,
 Optional: true,
 MaxItems: 1,
 Description: "The `assume_role` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
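Review bot: genClientWithOidcSTS names its last parameter `assumeRolePolicy`, but the only use is `request.WebIdentityToken = helper.String(assumeRolePolicy)` and the caller passes the web identity token; the signature should read `assumeRoleWebIdentityToken string` and the assignment `request.WebIdentityToken = helper.String(assumeRoleWebIdentityToken)`, matching how genClientWithSamlSTS names its inputs. Both new functions hand the raw STS error back with `return err`, which loses which exchange failed by the time providerConfigure surfaces it; `return fmt.Errorf("AssumeRoleWithSAML: %w", err)` and the AssumeRoleWithWebIdentity counterpart keep that context. Both also dereference `response.Response.Credentials.TmpSecretId` and its siblings unconditionally, so if the SDK can return a response whose `Credentials` is nil this is a panic during provider configuration rather than a diagnostic — a nil check before `NewTokenCredential` is cheap insurance. Neither function has a doc comment; one line each such as `// genClientWithSamlSTS exchanges a SAML assertion for temporary STS credentials and installs them on tcClient.` would do.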
@@ -237,23 +237,23 @@ func Provider() *schema.Provider {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SAML_ASSERTION, nil),
- ConflictsWith: []string{"web_identity_token"},
- RequiredWith: []string{"principal_arn"},
+ ConflictsWith: []string{"assume_role.0.web_identity_token"},
+ RequiredWith: []string{"assume_role.0.principal_arn"},
 Description: "SAML assertion information encoded in base64. And it can't be used with `web_identity_token` together.",
 },
 "principal_arn": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, nil),
- ConflictsWith: []string{"web_identity_token"},
- RequiredWith: []string{"saml_assertion"},
+ ConflictsWith: []string{"assume_role.0.web_identity_token"},
+ RequiredWith: []string{"assume_role.0.saml_assertion"},
 Description: "Player Access Description Name. And it can't be used with `web_identity_token` together.",
 },
 "web_identity_token": {
 Type: schema.TypeString,
 Optional: true,
 DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN, nil),
- ConflictsWith: []string{"saml_assertion", "principal_arn"},
+ ConflictsWith: []string{"assume_role.0.saml_assertion", "assume_role.0.principal_arn"},
 Description: "OIDC token issued by IdP. And it can't be used with `saml_assertion` or `principal_arn` together.",
 },
 },
@@ -2128,12 +2128,27 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSessionDuration = 7200
 }
- _ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "")
+ envSamlAssertion := os.Getenv(PROVIDER_ASSUME_ROLE_SAML_ASSERTION)
+ envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
+ envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)
+
+ if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
+ // use assume role
+ _ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "")
+ } else if envSamlAssertion != "" && envPrincipalArn != "" {
+ // use assume role with saml
+ _ = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn)
+ } else if envWebIdentityToken != "" {
+ // use assume role with oidc
+ _ = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+ } else {
+ return nil, fmt.Errorf("get `assume_role` from env error.\n")
+ }
 }
 // get assume role from tf
 if v, ok := d.GetOk("assume_role"); ok {
- assumeRoleList := v.(*schema.Set).List()
+ assumeRoleList := v.([]interface{})
 if len(assumeRoleList) == 1 {
 // assume role
 assumeRole := assumeRoleList[0].(map[string]interface{})
@@ -2157,13 +2172,13 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 // use assume role with oidc
 _ = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
 } else {
- return nil, fmt.Errorf("`assume_role` params error.")
+ return nil, fmt.Errorf("get `assume_role` params error.\n")
 }
 }
 }
 if secretId == "" || secretKey == "" {
- return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.")
+ return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.\n")
 }
 return &tcClient, nil
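Review bot: The three error strings touched in this patch (the env-path error in the first hunk, and the params and secret_id/secret_key errors in the second) now end in `.\n`; Terraform prints each diagnostic on its own line, so the newline only adds a blank line, and `go vet`/staticcheck flag error strings that end in punctuation — drop the trailing `.\n` in all three. The environment-variable branch also has no counterpart to the schema's RequiredWith, so a SAML assertion exported without a principal ARN (or the reverse) lands in the generic `else` with no hint of which variable is missing; `return nil, fmt.Errorf("assume_role from env: set both %s and %s for SAML, or %s for OIDC", PROVIDER_ASSUME_ROLE_SAML_ASSERTION, PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)` names them. The discarded `_ = genClient…` results in the first hunk have the same problem raised on patch 4's assume_role hunk. providerConfigure begins outside both hunks and, for the first, ends outside it.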
From f30b5df62f10effa137092c8da902276e4c96460 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Tue, 23 Jul 2024 14:44:36 +0800
Subject: [PATCH 6/6] add
---
 .changelog/2741.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2741.txt
diff --git a/.changelog/2741.txt b/.changelog/2741.txt
new file mode 100644
index 0000000000..f27d3762f7
--- /dev/null
+++ b/.changelog/2741.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: add SAML, OIDC for STS client
+```