From 030aee9e5d6f4dde0b3dc6ba357982e0ea393403 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Mon, 24 Feb 2025 14:54:23 +0800
Subject: [PATCH 1/3] add

---
 tencentcloud/provider.go | 22 +++++++++++++++++-----
 website/docs/index.html.markdown | 9 ++++++---
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index 6379a956bf..b83608b1fa 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -137,6 +137,7 @@ const (
 PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
 PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
 PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
+ PROVIDER_ASSUME_ROLE_PROVIDER_ID = "TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID"
 PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
 PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
 PROVIDER_CAM_ROLE_NAME = "TENCENTCLOUD_CAM_ROLE_NAME"
@@ -321,6 +322,12 @@ func Provider() *schema.Provider {
 Description: "The `assume_role_with_web_identity` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+ "provider_id": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PROVIDER_ID, nil),
+ Description: "Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.",
+ },
 "web_identity_token": {
 Type: schema.TypeString,
 Required: true,
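Review bot: The new `provider_id` schema entry in the `@@ -321` hunk tells users "Default is OIDC" but does not supply that default itself: `DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PROVIDER_ID, nil)` leaves the attribute empty when neither the block nor the environment variable sets it, and the `OIDC` fallback is applied later inside the STS helper, so the value recorded for the attribute and the value actually sent to STS appear to differ when the default is in play. Either pass `"OIDC"` as the `EnvDefaultFunc` fallback so the effective value is visible in plan and state, or keep the `nil` fallback and state in the description that the provider substitutes OIDC at request time. The description text is also hard to read as written; suggest rewording it to: Identity provider name. It can also be sourced from the TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID environment variable. Defaults to OIDC when unset. The enclosing `Provider()` schema continues outside the hunk.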
@@ -2399,6 +2406,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
 // get assume role with web identity from env
 envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)
+ assumeRoleProviderId := os.Getenv(PROVIDER_ASSUME_ROLE_PROVIDER_ID)
 if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 // use assume role
@@ -2418,7 +2426,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 needSecret = false
 } else if envWebIdentityToken != "" {
 // use assume role with oidc
- err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+ err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken, assumeRoleProviderId)
 if err != nil {
 return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error())
 }
@@ -2457,6 +2465,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSamlAssertion string
 assumeRolePrincipalArn string
 assumeRoleWebIdentityToken string
+ assumeRoleProviderId string
 )
 // get assume role with saml from tf
@@ -2488,8 +2497,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleArn = assumeRoleWithWebIdentity["role_arn"].(string)
 assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string)
 assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int)
-
- err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+ assumeRoleProviderId = assumeRoleWithWebIdentity["provider_id"].(string)
+ err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken, assumeRoleProviderId)
 if err != nil {
 return nil, fmt.Errorf("Get auth from assume role with OIDC failed. Reason: %s", err.Error())
 }
@@ -2654,15 +2663,18 @@ func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRol
 return nil
 }
-func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy, assumeRoleProviderId string) error {
 // applying STS credentials
 request := sdksts.NewAssumeRoleWithWebIdentityRequest()
 response := sdksts.NewAssumeRoleWithWebIdentityResponse()
- request.ProviderId = helper.String("OIDC")
+ if assumeRoleProviderId == "" {
+ assumeRoleProviderId = "OIDC"
+ }
 request.RoleArn = helper.String(assumeRoleArn)
 request.RoleSessionName = helper.String(assumeRoleSessionName)
 request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration)
 request.WebIdentityToken = helper.String(assumeRolePolicy)
+ request.ProviderId = helper.String(assumeRoleProviderId)
 var stsExtInfo connectivity.StsExtInfo
 stsExtInfo.Authorization = "SKIP"
 err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
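Review bot: The new signature of `genClientWithOidcSTS` in the `@@ -2654` hunk ends in two untyped `string` parameters, `assumeRolePolicy` and `assumeRoleProviderId`, and `assumeRolePolicy` is a misnomer — the body assigns it to `request.WebIdentityToken`, so it carries the web identity token, not a policy. With both trailing arguments being plain strings, the two call sites in `providerConfigure` (the env path in the `@@ -2418` hunk and the block path in the `@@ -2488` hunk) can swap token and provider id without a compile error, and the parameter name makes such a mix-up easy to overlook. Suggest renaming the parameter to `assumeRoleWebIdentityToken` in the signature and adding a doc comment such as `// genClientWithOidcSTS fills tcClient with temporary credentials from STS AssumeRoleWithWebIdentity; an empty assumeRoleProviderId falls back to "OIDC".` The literal `"OIDC"` is now also the documented default in the schema description and the website docs, so a named constant next to the `PROVIDER_*` constants (e.g. `defaultAssumeRoleProviderId = "OIDC"`) would keep the three places in step. The function body continues past the end of the hunk.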
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 514301b68e..0e8afcbc67 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -240,6 +240,7 @@ Usage:
 ```hcl
 provider "tencentcloud" {
 assume_role_with_web_identity {
+ provider_id = "OIDC"
 role_arn = "my-role-arn"
 session_name = "my-session-name"
 session_duration = 3600
@@ -248,7 +249,7 @@ provider "tencentcloud" {
 }
 ```
-The `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.
+The `provider_id`, `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.
 Usage:
@@ -257,6 +258,7 @@ $ export TENCENTCLOUD_SECRET_ID="my-secret-id"
 $ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
 $ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600
 $ export TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN="my-web-identity-token"
+$ export TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID="OIDC"
 $ terraform plan
 ```
@@ -322,8 +324,8 @@ locals {
 provider "tencentcloud" {
 region = local.region
- secret_id = "xxxxxx"
- secret_key = "xxxxxx"
+ secret_id = "my-secret-id"
+ secret_key = "my-secret-key"
 cos_domain = "https://${local.cdc_id}.cos-cdc.${local.region}.myqcloud.com/"
 }
 ```
@@ -399,6 +401,7 @@ The nested `assume_role_with_saml` block supports the following:
 * `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.
 The nested `assume_role_with_web_identity` block supports the following:
+* `provider_id` - (Optional) Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.
 * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.
 * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
 * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.

From 87442f1628609684b2ece3506bfd34e51fd62553 Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Mon, 24 Feb 2025 14:56:22 +0800
Subject: [PATCH 2/3] add

---
 .changelog/3152.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3152.txt

diff --git a/.changelog/3152.txt b/.changelog/3152.txt
new file mode 100644
index 0000000000..bd45245f8b
--- /dev/null
+++ b/.changelog/3152.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: OIDC auth support set `provider_id`
+```
\ No newline at end of file

From 5719fd7ed451f973bbda470726fbdbd0f13d1ddd Mon Sep 17 00:00:00 2001
From: SevenEarth <391613297@qq.com>
Date: Wed, 26 Feb 2025 18:00:05 +0800
Subject: [PATCH 3/3] add

---
 tencentcloud/provider.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index b83608b1fa..46af86e65c 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -2406,7 +2406,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
 // get assume role with web identity from env
 envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)
- assumeRoleProviderId := os.Getenv(PROVIDER_ASSUME_ROLE_PROVIDER_ID)
+ envProviderId := os.Getenv(PROVIDER_ASSUME_ROLE_PROVIDER_ID)
 if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 // use assume role
@@ -2426,7 +2426,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 needSecret = false
 } else if envWebIdentityToken != "" {
 // use assume role with oidc
- err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken, assumeRoleProviderId)
+ err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken, envProviderId)
 if err != nil {
 return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error())
 }