fix(provider): [122074743] provider OIDC auth support set provider_id #3152

Merged
merged 3 commits into from
Feb 26, 2025
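--- a/.changelog/3152.txt
+++ b/.changelog/3152.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: OIDC auth support set `provider_id`
+```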
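--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -137,6 +137,7 @@ const (
 PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION"
 PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN"
 PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
+PROVIDER_ASSUME_ROLE_PROVIDER_ID = "TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID"
 PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
 PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE"
 PROVIDER_CAM_ROLE_NAME = "TENCENTCLOUD_CAM_ROLE_NAME"
@@ -321,6 +322,12 @@ func Provider() *schema.Provider {
 Description: "The `assume_role_with_web_identity` block. If provided, terraform will attempt to assume this role using the supplied credentials.",
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+"provider_id": {
+Type: schema.TypeString,
+Optional: true,
+DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PROVIDER_ID, nil),
+Description: "Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.",
+},
 "web_identity_token": {
 Type: schema.TypeString,
 Required: true,
@@ -2399,6 +2406,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN)
 // get assume role with web identity from env
 envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN)
+envProviderId := os.Getenv(PROVIDER_ASSUME_ROLE_PROVIDER_ID)
 
 if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 // use assume role
@@ -2418,7 +2426,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 needSecret = false
 } else if envWebIdentityToken != "" {
 // use assume role with oidc
-err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken, envProviderId)
 if err != nil {
 return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error())
 }
@@ -2457,6 +2465,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSamlAssertion string
 assumeRolePrincipalArn string
 assumeRoleWebIdentityToken string
+assumeRoleProviderId string
 )
 
 // get assume role with saml from tf
@@ -2488,8 +2497,8 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleArn = assumeRoleWithWebIdentity["role_arn"].(string)
 assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string)
 assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int)
-
-err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+assumeRoleProviderId = assumeRoleWithWebIdentity["provider_id"].(string)
+err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken, assumeRoleProviderId)
 if err != nil {
 return nil, fmt.Errorf("Get auth from assume role with OIDC failed. Reason: %s", err.Error())
 }
@@ -2654,15 +2663,18 @@ func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRol
 return nil
 }
 
-func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy, assumeRoleProviderId string) error {
 // applying STS credentials
 request := sdksts.NewAssumeRoleWithWebIdentityRequest()
 response := sdksts.NewAssumeRoleWithWebIdentityResponse()
-request.ProviderId = helper.String("OIDC")
+if assumeRoleProviderId == "" {
+assumeRoleProviderId = "OIDC"
+}
 request.RoleArn = helper.String(assumeRoleArn)
 request.RoleSessionName = helper.String(assumeRoleSessionName)
 request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration)
 request.WebIdentityToken = helper.String(assumeRolePolicy)
+request.ProviderId = helper.String(assumeRoleProviderId)
 var stsExtInfo connectivity.StsExtInfo
 stsExtInfo.Authorization = "SKIP"
 err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {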
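Review bot: The rewritten genClientWithOidcSTS signature keeps the name `assumeRolePolicy` for the value that is assigned to `request.WebIdentityToken` a few lines below, so the parameter carrying the bearer credential reads as if it were an inline policy document; since this change already touches the signature, rename it so nobody later treats it as safe to log or echo in an error string: `func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, webIdentityToken, providerId string) error`. The function also has no doc comment, and the "OIDC" fallback now lives here rather than in the schema (the `DefaultFunc` passes a nil default), so add one above it: `// genClientWithOidcSTS exchanges an OIDC web identity token for temporary STS credentials via AssumeRoleWithWebIdentity; an empty provider ID falls back to "OIDC".` The schema description `It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.` is ungrammatical and inconsistent with the neighbouring attributes; `It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID` environment variable. Defaults to `OIDC`.` would match them. The body of genClientWithOidcSTS continues past the end of this hunk.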
9 changes: 6 additions & 3 deletions website/docs/index.html.markdown
Expand Up @@ -240,6 +240,7 @@ Usage:
```hcl
provider "tencentcloud" {
assume_role_with_web_identity {
provider_id = "OIDC"
role_arn = "my-role-arn"
session_name = "my-session-name"
session_duration = 3600
Expand All @@ -248,7 +249,7 @@ provider "tencentcloud" {
}
```

The `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.
The `provider_id`, `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables.

Usage:

Expand All @@ -257,6 +258,7 @@ $ export TENCENTCLOUD_SECRET_ID="my-secret-id"
$ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600
$ export TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN="my-web-identity-token"
$ export TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID="OIDC"
$ terraform plan
```

Expand Down Expand Up @@ -322,8 +324,8 @@ locals {

provider "tencentcloud" {
region = local.region
secret_id = "xxxxxx"
secret_key = "xxxxxx"
secret_id = "my-secret-id"
secret_key = "my-secret-key"
cos_domain = "https://${local.cdc_id}.cos-cdc.${local.region}.myqcloud.com/"
}
```
Expand Down Expand Up @@ -399,6 +401,7 @@ The nested `assume_role_with_saml` block supports the following:
* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.

The nested `assume_role_with_web_identity` block supports the following:
* `provider_id` - (Optional) Identity provider name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PROVIDER_ID`, Default is OIDC.
* `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.
* `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
* `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.