oss backend: flattern assume_role block

This commit is contained in:
Alex Khaerov 2021-08-03 14:21:48 +08:00
parent 2f152f1139
commit 9d5f1752c8
No known key found for this signature in database
GPG Key ID: 67B5BC574DECAF54
2 changed files with 54 additions and 84 deletions


@ -146,8 +146,6 @@ func New() backend.Backend {
return nil, nil return nil, nil
}, },
}, },
"assume_role": assumeRoleSchema(),
"shared_credentials_file": { "shared_credentials_file": {
Type: schema.TypeString, Type: schema.TypeString,
Optional: true, Optional: true,
@ -160,6 +158,42 @@ func New() backend.Backend {
Description: "This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.", Description: "This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_PROFILE", ""), DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_PROFILE", ""),
}, },
"assume_role_role_arn": {
Type: schema.TypeString,
Required: true,
Description: "The ARN of a RAM role to assume prior to making API calls.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
},
"assume_role_session_name": {
Type: schema.TypeString,
Optional: true,
Description: "The session name to use when assuming the role.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
},
"assume_role_policy": {
Type: schema.TypeString,
Optional: true,
Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
},
"assume_role_session_expiration": {
Type: schema.TypeInt,
Optional: true,
Description: "The time after which the established session for assuming role expires.",
ValidateFunc: func(v interface{}, k string) ([]string, []error) {
min := 900
max := 3600
value, ok := v.(int)
if !ok {
return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
}
if value < min || value > max {
return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
}
return nil, nil
},
},
}, },
} }
@ -168,54 +202,6 @@ func New() backend.Backend {
return result return result
} }
func assumeRoleSchema() *schema.Schema {
return &schema.Schema{
Type: schema.TypeSet,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"role_arn": {
Type: schema.TypeString,
Required: true,
Description: "The ARN of a RAM role to assume prior to making API calls.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
},
"session_name": {
Type: schema.TypeString,
Optional: true,
Description: "The session name to use when assuming the role.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
},
"policy": {
Type: schema.TypeString,
Optional: true,
Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
},
"session_expiration": {
Type: schema.TypeInt,
Optional: true,
Description: "The time after which the established session for assuming role expires.",
ValidateFunc: func(v interface{}, k string) ([]string, []error) {
min := 900
max := 3600
value, ok := v.(int)
if !ok {
return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
}
if value < min || value > max {
return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
}
return nil, nil
},
},
},
},
}
}
type Backend struct { type Backend struct {
*schema.Backend *schema.Backend
@ -274,31 +260,22 @@ func (b *Backend) configure(ctx context.Context) error {
sessionExpiration = (int)(expiredSeconds.(float64)) sessionExpiration = (int)(expiredSeconds.(float64))
} }
if v, ok := d.GetOk("assume_role"); ok { roleArn = d.Get("assume_role_role_arn").(string)
for _, v := range v.(*schema.Set).List() { sessionName = d.Get("assume_role_session_name").(string)
assumeRole := v.(map[string]interface{}) if sessionName == "" {
if assumeRole["role_arn"].(string) != "" { sessionName = "terraform"
roleArn = assumeRole["role_arn"].(string) }
} policy = d.Get("assume_role_policy").(string)
if assumeRole["session_name"].(string) != "" { sessionExpiration = d.Get("assume_role_session_expiration").(int)
sessionName = assumeRole["session_name"].(string) if sessionExpiration == 0 {
} if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
if sessionName == "" { if expiredSeconds, err := strconv.Atoi(v); err == nil {
sessionName = "terraform" sessionExpiration = expiredSeconds
}
policy = assumeRole["policy"].(string)
sessionExpiration = assumeRole["session_expiration"].(int)
if sessionExpiration == 0 {
if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
if expiredSeconds, err := strconv.Atoi(v); err == nil {
sessionExpiration = expiredSeconds
}
}
if sessionExpiration == 0 {
sessionExpiration = 3600
}
} }
} }
if sessionExpiration == 0 {
sessionExpiration = 3600
}
} }
if accessKey == "" { if accessKey == "" {
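Review bot: The unconditional `roleArn = d.Get("assume_role_role_arn").(string)` and `sessionName = d.Get("assume_role_session_name").(string)` at the top of the configure hunk drop the `!= ""` guards the removed block had, so an unset attribute now overwrites with "" whatever configure populated earlier (the `sessionExpiration = (int)(expiredSeconds.(float64))` context line suggests those values come from the shared credentials profile), and `policy`/`sessionExpiration` are likewise overwritten where previously nothing ran without an `assume_role` block. Silently clearing a profile-sourced role ARN means the backend proceeds with the base credentials instead of the scoped role, a least-privilege regression that surfaces as no error at all. I would keep the previous semantics by assigning only when the attribute is non-empty, as below. Separately, `Required: true` on `assume_role_role_arn` in the schema hunk reads as mandatory while the docs call it Optional; because its DefaultFunc always yields a string it appears to behave as optional, so `Optional: true` would match the sibling attributes and remove the ambiguity. The enclosing configure function starts and ends outside the hunk.
```go
	// … unchanged: shared credentials profile handling …
	if v := d.Get("assume_role_role_arn").(string); v != "" {
		roleArn = v
	}
	if v := d.Get("assume_role_session_name").(string); v != "" {
		sessionName = v
	}
	if sessionName == "" {
		sessionName = "terraform"
	}
	if v := d.Get("assume_role_policy").(string); v != "" {
		policy = v
	}
	if v := d.Get("assume_role_session_expiration").(int); v != 0 {
		sessionExpiration = v
	}
	// … unchanged: ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION fallback and 3600 default …
```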


@ -95,18 +95,11 @@ The following configuration options or environment variables are supported:
to be applied to the state file. to be applied to the state file.
* `shared_credentials_file` - (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the `ALICLOUD_SHARED_CREDENTIALS_FILE` environment variable. If this is not set and a profile is specified, `~/.aliyun/config.json` will be used. * `shared_credentials_file` - (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the `ALICLOUD_SHARED_CREDENTIALS_FILE` environment variable. If this is not set and a profile is specified, `~/.aliyun/config.json` will be used.
* `profile` - (Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable. * `profile` - (Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.
* `assume_role` - (Optional, Available in 0.12.6+) If provided with a role ARN, will attempt to assume this role using the supplied credentials. * `assume_role_role_arn` - (Optional, Available in 0.12.6+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
The nested `assume_role` block supports the following:
* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
Terraform executes configuration on account with provided credentials. Terraform executes configuration on account with provided credentials.
* `assume_role_policy` - (Optional, Available in 0.12.6+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed. security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
* `assume_role_session_name` - (Optional, Available in 0.12.6+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`. * `assume_role_session_expiration` - (Optional, Available in 0.12.6+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
-> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com" -> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"