From 63fdc17c6be7cc320f789d370199e1a10da9e1ca Mon Sep 17 00:00:00 2001 From: SevenEarth <45937856+SevenEarth@users.noreply.github.com> Date: Tue, 24 Dec 2024 19:08:45 +0800 Subject: [PATCH] fix(provider): [121324945] Update provider auth (#3039) * add * add * add * add * add * add * add --- .changelog/3039.txt | 3 ++ tencentcloud/provider.go | 74 ++++++++++++++++++++++---------- website/docs/index.html.markdown | 6 +-- 3 files changed, 58 insertions(+), 25 deletions(-) create mode 100644 .changelog/3039.txt diff --git a/.changelog/3039.txt b/.changelog/3039.txt new file mode 100644 index 0000000000..9c6932a012 --- /dev/null +++ b/.changelog/3039.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +provider: update provider auth +``` diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go index 0e401fa54d..b49df8bbcf 100644 --- a/tencentcloud/provider.go +++ b/tencentcloud/provider.go @@ -3,7 +3,6 @@ package tencentcloud import ( "encoding/json" "fmt" - "io/ioutil" "net/url" "os" "runtime" @@ -272,13 +271,13 @@ func Provider() *schema.Provider { Type: schema.TypeString, Required: true, DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SAML_ASSERTION, nil), - Description: "SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`.", + Description: "SAML assertion information encoded in base64. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`.", }, "principal_arn": { Type: schema.TypeString, Required: true, DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, nil), - Description: "Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`.", + Description: "Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.", }, "role_arn": { Type: schema.TypeString, @@ -324,7 +323,7 @@ func Provider() *schema.Provider { Type: schema.TypeString, Required: true, DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN, nil), - Description: "OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.", + Description: "OIDC token issued by IdP. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.", }, "role_arn": { Type: schema.TypeString, @@ -2245,6 +2244,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { forbiddenAccountIds []string needSecret = true needAccountFilter = false + err error ) if v, ok := d.GetOk("secret_id"); ok { @@ -2325,7 +2325,10 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { // get auth from CAM role name if camRoleName != "" { needSecret = false - _ = genClientWithCAM(&tcClient, camRoleName) + err = genClientWithCAM(&tcClient, camRoleName) + if err != nil { + return nil, fmt.Errorf("Get auth from CAM role name failed. Reason: %s", err.Error()) + } } var ( @@ -2337,17 +2340,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { ) // get assume role from credential - if providerConfig["role-arn"] != nil { - assumeRoleArn = providerConfig["role-arn"].(string) + if v, ok := providerConfig["role-arn"].(string); ok && v != "" { + assumeRoleArn = v } - if providerConfig["role-session-name"] != nil { - assumeRoleSessionName = providerConfig["role-session-name"].(string) + if v, ok := providerConfig["role-session-name"].(string); ok && v != "" { + assumeRoleSessionName = v } if assumeRoleArn != "" && assumeRoleSessionName != "" { assumeRoleSessionDuration = 7200 - _ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId) + err = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role by credential failed. Reason: %s", err.Error()) + } } // get assume role from env @@ -2376,19 +2382,30 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" { // use assume role - _ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "", assumeRoleExternalId) + err = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "", assumeRoleExternalId) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role by env failed. Reason: %s", err.Error()) + } } else if envSamlAssertion != "" && envPrincipalArn != "" && envWebIdentityToken != "" { - return nil, fmt.Errorf("can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n") + return nil, fmt.Errorf("Can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n") } else if envSamlAssertion != "" && envPrincipalArn != "" { // use assume role with saml - _ = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn) + err = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role with SAML by env failed. Reason: %s", err.Error()) + } + needSecret = false } else if envWebIdentityToken != "" { // use assume role with oidc - _ = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken) + err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error()) + } + needSecret = false } else { - return nil, fmt.Errorf("get `assume_role` from env error.\n") + return nil, fmt.Errorf("Get `assume_role` from env error.\n") } } @@ -2403,7 +2420,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { assumeRolePolicy = assumeRole["policy"].(string) assumeRoleExternalId = assumeRole["external_id"].(string) - _ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId) + err = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role failed. Reason: %s", err.Error()) + } + if camRoleName != "" { needSecret = false } else { @@ -2429,7 +2450,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { assumeRoleSessionName = assumeRoleWithSaml["session_name"].(string) assumeRoleSessionDuration = assumeRoleWithSaml["session_duration"].(int) - _ = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn) + err = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role with SAML failed. Reason: %s", err.Error()) + } + needSecret = false } } @@ -2444,7 +2469,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string) assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int) - _ = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken) + err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken) + if err != nil { + return nil, fmt.Errorf("Get auth from assume role with OIDC failed. Reason: %s", err.Error()) + } + needSecret = false } } @@ -2453,8 +2482,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { if os.Getenv(POD_OIDC_TKE_REGION) != "" && os.Getenv(POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE) != "" && os.Getenv(POD_OIDC_TKE_PROVIDER_ID) != "" && os.Getenv(POD_OIDC_TKE_ROLE_ARN) != "" { err := genClientWithPodOidc(&tcClient) if err != nil { - return nil, err + return nil, fmt.Errorf("Get auth from enable pod OIDC failed. Reason: %s", err.Error()) } + needSecret = false } else { return nil, fmt.Errorf("Can not get `TKE_REGION`, `TKE_WEB_IDENTITY_TOKEN_FILE`, `TKE_PROVIDER_ID`, `TKE_ROLE_ARN`. Must config serviceAccountName for pod.\n") @@ -2623,7 +2653,7 @@ func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{ providerConfig = make(map[string]interface{}) _, err = os.Stat(credentialPath) if !os.IsNotExist(err) { - data, err := ioutil.ReadFile(credentialPath) + data, err := os.ReadFile(credentialPath) if err != nil { return nil, err } @@ -2643,7 +2673,7 @@ func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{ _, err = os.Stat(configurePath) if !os.IsNotExist(err) { - data, err := ioutil.ReadFile(configurePath) + data, err := os.ReadFile(configurePath) if err != nil { return nil, err } @@ -2707,7 +2737,7 @@ func getCallerIdentity(tcClient *TencentCloudClient) (indentity *sdksts.GetCalle } if response == nil || response.Response == nil { - return nil, fmt.Errorf("get GetCallerIdentity failed") + return nil, fmt.Errorf("Get GetCallerIdentity failed, Response is nil.") } indentity = response.Response diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 8807e93529..514301b68e 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -395,11 +395,11 @@ The nested `assume_role_with_saml` block supports the following: * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable. * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable. * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable. -* `saml_assertion` - (Required) SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`. -* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`. +* `saml_assertion` - (Required) SAML assertion information encoded in base64. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`. +* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`. The nested `assume_role_with_web_identity` block supports the following: * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable. * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable. * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable. -* `web_identity_token` - (Required) OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`. +* `web_identity_token` - (Required) OIDC token issued by IdP. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.