diff --git a/CHANGELOG.md b/CHANGELOG.md index 66572d7..ddf7b4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +## 1.1.0 (October 17, 2024). Tested on Artifactory 7.90.14 with Terraform 1.9.8 and OpenTofu 1.8.3 + +IMPROVEMENTS: + +* provider: Add `tfc_credential_tag_name` configuration attribute to support use of different/[multiple Workload Identity Token in Terraform Cloud Platform](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens). Issue: [#68](https://github.com/jfrog/terraform-provider-shared/issues/68) PR: [#24](https://github.com/jfrog/terraform-provider-mission-control/pull/24) + ## 1.0.2 (July 16, 2024). Tested on Artifactory 7.84.17 with Terraform 1.9.2 and OpenTofu 1.7.3 IMPROVEMENTS: diff --git a/docs/index.md b/docs/index.md index 24eb734..859ae23 100644 --- a/docs/index.md +++ b/docs/index.md @@ -67,7 +67,7 @@ To setup dynamic credentials, follow these steps: 2. Set environment variable in your Terraform Workspace 3. Setup Terraform Cloud in your configuration -During the provider start up, if it finds env var `TFC_WORKLOAD_IDENTITY_TOKEN` it will use this token with your JFrog instance to exchange for a short-live access token. If that is successful, the provider will the access token for all subsequent API requests with the JFrog instance. +During the provider start up, if it finds env var `TFC_WORKLOAD_IDENTITY_TOKEN` it will use this token with your JFrog instance to exchange for a short-live access token. If that is successful, the provider will use the access token for all subsequent API requests with the JFrog instance. #### Configure Terraform Cloud as generic OIDC provider 
@@ -81,6 +81,8 @@ In your workspace, add an environment variable `TFC_WORKLOAD_IDENTITY_AUDIENCE` When a run starts on Terraform Cloud, it will create a workload identity token with the specified audience and assigns it to the environment variable `TFC_WORKLOAD_IDENTITY_TOKEN` for the provider to consume. +See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details on using different tokens. + #### Setup Terraform Cloud in your configuration Add `cloud` block to `terraform` block, and add `oidc_provider_name` attribute (from JFrog OIDC integration) to provider block: @@ -105,6 +107,7 @@ terraform { provider "missioncontrol" { url = "https://myinstance.jfrog.io" oidc_provider_name = "terraform-cloud" + tfc_credential_tag_name = "JFROG" } ``` 
@@ -117,4 +120,5 @@ provider "missioncontrol" { - `access_token` (String, Sensitive) This is a access token that can be given to you by your admin under `Platform Configuration -> User Management -> Access Tokens`. This can also be sourced from the `JFROG_ACCESS_TOKEN` environment variable. - `oidc_provider_name` (String) OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details. +- `tfc_credential_tag_name` (String) Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details. - `url` (String) JFrog Platform URL. This can also be sourced from the `JFROG_URL` environment variable. diff --git a/go.mod b/go.mod index 23e7ba6..850e7e9 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/jfrog/terraform-provider-mission-control -go 1.22.5 +go 1.22.7 require ( github.com/go-resty/resty/v2 v2.15.3 @@ -10,7 +10,7 @@ require ( github.com/hashicorp/terraform-plugin-go v0.24.0 github.com/hashicorp/terraform-plugin-log v0.9.0 github.com/hashicorp/terraform-plugin-testing v1.10.0 - github.com/jfrog/terraform-provider-shared v1.25.5 + github.com/jfrog/terraform-provider-shared v1.26.0 github.com/samber/lo v1.47.0 ) diff --git a/go.sum b/go.sum index 1d2679e..4ea69fd 100644 --- a/go.sum +++ b/go.sum 
@@ -130,8 +130,8 @@ github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
 github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jfrog/terraform-provider-shared v1.25.5 h1:+hal/9yDAIt2mZljDR8Ymie28yAHr8CAkfthwQ3O3bM=
-github.com/jfrog/terraform-provider-shared v1.25.5/go.mod h1:QthwPRUALElMt2RTGqoeB/3Vztx626YPBzIAoqEp0w0=
+github.com/jfrog/terraform-provider-shared v1.26.0 h1:xfJfKcgejlFkIyo6VLJPzNtEVfbTYIiGKD2PWysdgw4=
+github.com/jfrog/terraform-provider-shared v1.26.0/go.mod h1:IPwXN48K3uzJNDmT2x6zFGa5IS0KG2AK7jnQR2H4G1A=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
diff --git a/pkg/missioncontrol/provider.go b/pkg/missioncontrol/provider.go
index dee4088..8da50e0 100644
--- a/pkg/missioncontrol/provider.go
+++ b/pkg/missioncontrol/provider.go
@@ -28,9 +28,10 @@ type MissionControlProvider struct {
 }
 
 type missionControlProviderModel struct {
-	URL              types.String `tfsdk:"url"`
-	AccessToken      types.String `tfsdk:"access_token"`
-	OIDCProviderName types.String `tfsdk:"oidc_provider_name"`
+	URL                  types.String `tfsdk:"url"`
+	AccessToken          types.String `tfsdk:"access_token"`
+	OIDCProviderName     types.String `tfsdk:"oidc_provider_name"`
+	TFCCredentialTagName types.String `tfsdk:"tfc_credential_tag_name"`
 }
 
 func NewProvider() func() provider.Provider {
@@ -73,19 +74,22 @@ func (p *MissionControlProvider) Configure(ctx context.Context, req provider.Con
 		return
 	}
 
-	oidcAccessToken, err := util.OIDCTokenExchange(ctx, platformClient, config.OIDCProviderName.ValueString())
-	if err != nil {
-		resp.Diagnostics.AddError(
-			"Failed OIDC ID token exchange",
-			err.Error(),
-		)
-		return
-	}
-
-	// use token from OIDC provider, which should take precedence over
-	// environment variable data, if found.
-	if oidcAccessToken != "" {
-		accessToken = oidcAccessToken
+	oidcProviderName := config.OIDCProviderName.ValueString()
+	if oidcProviderName != "" {
+		oidcAccessToken, err := util.OIDCTokenExchange(ctx, platformClient, oidcProviderName, config.TFCCredentialTagName.ValueString())
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Failed OIDC ID token exchange",
+				err.Error(),
+			)
+			return
+		}
+
+		// use token from OIDC provider, which should take precedence over
+		// environment variable data, if found.
+		if oidcAccessToken != "" {
+			accessToken = oidcAccessToken
+		}
 	}
 
 	// use token from configuration, which should take precedence over
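Review bot: With the new `if oidcProviderName != ""` guard, a configuration that sets `tfc_credential_tag_name` but leaves `oidc_provider_name` empty never reaches `util.OIDCTokenExchange`, so the tag is silently ignored and the provider falls through to whatever static `access_token` / `JFROG_ACCESS_TOKEN` credential is present, which is the opposite of what a user who configured a workload-identity tag expects. It is worth surfacing that combination before the guard, e.g. `if oidcProviderName == "" && config.TFCCredentialTagName.ValueString() != "" {` / `resp.Diagnostics.AddWarning("tfc_credential_tag_name is ignored", "oidc_provider_name is not set, so no OIDC token exchange is performed")` / `}`. What happens when the tag is set but `TFC_WORKLOAD_IDENTITY_TOKEN_<TAG>` is absent (fallback to the untagged variable, empty token, or error) is decided inside terraform-provider-shared and is not visible in this diff; a one-line comment above the call stating the expected behaviour would help the next reader. Configure's body starts and ends outside this hunk.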
@@ -178,6 +182,13 @@ func (p *MissionControlProvider) Schema(ctx context.Context, req provider.Schema
 				},
 				MarkdownDescription: "OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details.",
 			},
+			"tfc_credential_tag_name": schema.StringAttribute{
+				Optional: true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+				Description: "Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.",
+			},
 		},
 		MarkdownDescription: "The JFrog Mission Control provider provides resources to interact with Mission Control supported by JFrog Platform. See [official documentation](https://jfrog.com/help/r/get-started-with-the-jfrog-platform/jfrog-mission-control) for more details.",
 	}
diff --git a/templates/index.md.tmpl b/templates/index.md.tmpl
index b271940..ddab71e 100644
--- a/templates/index.md.tmpl
+++ b/templates/index.md.tmpl
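Review bot: The new `tfc_credential_tag_name` attribute is validated only for non-empty length, yet it has no effect unless `oidc_provider_name` is also set, so that dependency could be rejected at plan time instead of silently ignored by adding `stringvalidator.AlsoRequires(path.MatchRoot("oidc_provider_name")),` after `stringvalidator.LengthAtLeast(1),` (this needs the framework `path` package in the import block, which is outside the hunk). Since the value is spliced into an environment-variable name, a `stringvalidator.RegexMatches` restricting it to `[A-Za-z0-9_]` would also turn a typo into a validation error rather than an unresolved `TFC_WORKLOAD_IDENTITY_TOKEN_<tag>` lookup — worth checking against what terraform-provider-shared accepts before adopting. Separately, the text is assigned to `Description` although it contains Markdown (`**Note:**`, backticks, a link) while the sibling `oidc_provider_name` attribute in the context lines uses `MarkdownDescription`; switching to `MarkdownDescription:` keeps the generated docs consistent. Schema's body starts outside this hunk.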
@@ -42,7 +42,7 @@ To setup dynamic credentials, follow these steps: 2. Set environment variable in your Terraform Workspace 3. Setup Terraform Cloud in your configuration -During the provider start up, if it finds env var `TFC_WORKLOAD_IDENTITY_TOKEN` it will use this token with your JFrog instance to exchange for a short-live access token. If that is successful, the provider will the access token for all subsequent API requests with the JFrog instance. +During the provider start up, if it finds env var `TFC_WORKLOAD_IDENTITY_TOKEN` it will use this token with your JFrog instance to exchange for a short-live access token. If that is successful, the provider will use the access token for all subsequent API requests with the JFrog instance. #### Configure Terraform Cloud as generic OIDC provider @@ -56,6 +56,8 @@ In your workspace, add an environment variable `TFC_WORKLOAD_IDENTITY_AUDIENCE` When a run starts on Terraform Cloud, it will create a workload identity token with the specified audience and assigns it to the environment variable `TFC_WORKLOAD_IDENTITY_TOKEN` for the provider to consume. +See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details on using different tokens. + #### Setup Terraform Cloud in your configuration Add `cloud` block to `terraform` block, and add `oidc_provider_name` attribute (from JFrog OIDC integration) to provider block: @@ -80,6 +82,7 @@ terraform { provider "missioncontrol" { url = "https://myinstance.jfrog.io" oidc_provider_name = "terraform-cloud" + tfc_credential_tag_name = "JFROG" } ```