tencentcloudstack · hellertang · Feb 26, 2025 · Feb 24, 2025 · Feb 24, 2025 · Feb 26, 2025
diff --git a/.changelog/3152.txt b/.changelog/3152.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: OIDC auth support set `provider_id`
+```
diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
@@ -137,6 +137,7 @@ const (
 	PROVIDER_ASSUME_ROLE_SAML_ASSERTION     = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
 	PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN      = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
 	PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
+	PROVIDER_ASSUME_ROLE_PROVIDER_ID        = "TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID"
 	PROVIDER_SHARED_CREDENTIALS_DIR         = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
 	PROVIDER_PROFILE                        = "TENCENTCLOUD_PROFILE"
 	PROVIDER_CAM_ROLE_NAME                  = "TENCENTCLOUD_CAM_ROLE_NAME"
@@ -321,6 +322,12 @@ func Provider() *schema.Provider {
 				Description:   "The `assume_role_with_web_identity` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"provider_id": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PROVIDER_ID, nil),
+							Description: "Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.",
+						},
 						"web_identity_token": {
 							Type:        schema.TypeString,
 							Required:    true,
@@ -2399,6 +2406,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
 		// get assume role with web identity from env
 		envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)
+		envProviderId := os.Getenv(PROVIDER_ASSUME_ROLE_PROVIDER_ID)
 
 		if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 			// use assume role
@@ -2418,7 +2426,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 			needSecret = false
 		} else if envWebIdentityToken != "" {
 			// use assume role with oidc
-			err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+			err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken, envProviderId)
 			if err != nil {
 				return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error())
 			}
@@ -2457,6 +2465,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		assumeRoleSamlAssertion    string
 		assumeRolePrincipalArn     string
 		assumeRoleWebIdentityToken string
+		assumeRoleProviderId       string
 	)
 
 	// get assume role with saml from tf
@@ -2488,8 +2497,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 			assumeRoleArn = assumeRoleWithWebIdentity["role_arn"].(string)
 			assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string)
 			assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int)
-
-			err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+			assumeRoleProviderId = assumeRoleWithWebIdentity["provider_id"].(string)
+			err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken, assumeRoleProviderId)
 			if err != nil {
 				return nil, fmt.Errorf("Get auth from assume role with OIDC failed. Reason: %s", err.Error())
 			}
@@ -2654,15 +2663,18 @@ func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRol
 	return nil
 }
 
-func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy, assumeRoleProviderId string) error {
 	// applying STS credentials
 	request := sdksts.NewAssumeRoleWithWebIdentityRequest()
 	response := sdksts.NewAssumeRoleWithWebIdentityResponse()
-	request.ProviderId = helper.String("OIDC")
+	if assumeRoleProviderId == "" {
+		assumeRoleProviderId = "OIDC"
+	}
 	request.RoleArn = helper.String(assumeRoleArn)
 	request.RoleSessionName = helper.String(assumeRoleSessionName)
 	request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration)
 	request.WebIdentityToken = helper.String(assumeRolePolicy)
+	request.ProviderId = helper.String(assumeRoleProviderId)
 	var stsExtInfo connectivity.StsExtInfo
 	stsExtInfo.Authorization = "SKIP"
 	err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -240,6 +240,7 @@ Usage:
 ```hcl
 provider "tencentcloud" {
   assume_role_with_web_identity {
+    provider_id        = "OIDC"
     role_arn           = "my-role-arn"
     session_name       = "my-session-name"
     session_duration   = 3600
@@ -248,7 +249,7 @@ provider "tencentcloud" {
 }
 ```
 
-The `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.
+The `provider_id`, `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.
 
 Usage:
 
@@ -257,6 +258,7 @@ $ export TENCENTCLOUD_SECRET_ID="my-secret-id"
 $ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
 $ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600
 $ export TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN="my-web-identity-token"
+$ export TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID="OIDC"
 $ terraform plan
 ```
 
@@ -322,8 +324,8 @@ locals {
 
 provider "tencentcloud" {
   region     = local.region
-  secret_id  = "xxxxxx"
-  secret_key = "xxxxxx"
+  secret_id  = "my-secret-id"
+  secret_key = "my-secret-key"
   cos_domain = "https://${local.cdc_id}.cos-cdc.${local.region}.myqcloud.com/"
 }
 ```
@@ -399,6 +401,7 @@ The nested `assume_role_with_saml` block supports the following:
 * `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.
 
 The nested `assume_role_with_web_identity` block supports the following:
+* `provider_id` - (Optional) Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.
 * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.
 * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
 * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.