From a490dfa4951f9f449d0c3cd15516933aaac4fd9c Mon Sep 17 00:00:00 2001 From: He Guimin Date: Tue, 30 Jul 2019 23:26:51 +0800 Subject: [PATCH] backend/oss: Support for assume role config --- backend/remote-state/oss/backend.go | 75 ++++++++++++ backend/remote-state/oss/backend_test.go | 2 +- .../services/sts/assume_role.go | 108 ++++++++++++++++++ .../services/sts/client.go | 81 +++++++++++++ .../sts/generate_session_access_key.go | 104 +++++++++++++++++ .../services/sts/get_caller_identity.go | 108 ++++++++++++++++++ .../services/sts/struct_assumed_role_user.go | 22 ++++ .../services/sts/struct_credentials.go | 24 ++++ .../services/sts/struct_session_access_key.go | 23 ++++ vendor/modules.txt | 3 +- website/docs/backends/types/oss.html.md | 16 ++- website/docs/providers/index.html.markdown | 2 +- 12 files changed, 563 insertions(+), 5 deletions(-) create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go create mode 100644 vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go diff --git a/backend/remote-state/oss/backend.go b/backend/remote-state/oss/backend.go index 33c2cbf5c..6cf1b9f8a 100644 --- a/backend/remote-state/oss/backend.go +++ b/backend/remote-state/oss/backend.go @@ -3,9 +3,12 @@ package oss import ( "context" "fmt" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" + "github.com/aliyun/alibaba-cloud-sdk-go/services/sts" "github.com/aliyun/aliyun-oss-go-sdk/oss" "github.com/hashicorp/terraform/backend" "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/helper/validation" "os" "strings" @@ -129,6 +132,8 @@ func New() backend.Backend { return nil, nil }, }, + + "assume_role": assumeRoleSchema(), }, } @@ -137,6 +142,42 @@ func New() backend.Backend { return result } +func assumeRoleSchema() *schema.Schema { + return &schema.Schema{ + Type: schema.TypeSet, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "role_arn": { + Type: schema.TypeString, + Required: true, + Description: "The ARN of a RAM role to assume prior to making API calls.", + DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""), + }, + "session_name": { + Type: schema.TypeString, + Optional: true, + Description: "The session name to use when assuming the role.", + DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", "terraform"), + }, + "policy": { + Type: schema.TypeString, + Optional: true, + Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.", + }, + "session_expiration": { + Type: schema.TypeInt, + Optional: true, + Description: "The time after which the established session for assuming role expires.", + ValidateFunc: validation.IntBetween(900, 3600), + DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION", 3600), + }, + }, + }, + } +} + type Backend struct { *schema.Backend @@ -175,6 +216,21 @@ func (b *Backend) configure(ctx context.Context) error { endpoint := d.Get("endpoint").(string) schma := "https" + if v, ok := d.GetOk("assume_role"); ok { + for _, v := range v.(*schema.Set).List() { + assumeRole := v.(map[string]interface{}) + roleArn := assumeRole["role_arn"].(string) + sessionName := assumeRole["session_name"].(string) + policy := assumeRole["policy"].(string) + sessionExpiration := assumeRole["session_expiration"].(int) + subAccessKeyId, subAccessKeySecret, subSecurityToken, err := getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy, sessionExpiration) + if err != nil { + return err + } + accessKey, secretKey, securityToken = subAccessKeyId, subAccessKeySecret, subSecurityToken + } + } + if endpoint == "" { endpointItem, _ := b.getOSSEndpointByRegion(accessKey, secretKey, securityToken, region) if endpointItem != nil && len(endpointItem.Endpoint) > 0 { @@ -238,6 +294,25 @@ func (b *Backend) getOSSEndpointByRegion(access_key, secret_key, security_token, return endpointsResponse, nil } +func getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy string, sessionExpiration int) (string, string, string, error) { + request := sts.CreateAssumeRoleRequest() + request.RoleArn = roleArn + request.RoleSessionName = sessionName + request.DurationSeconds = requests.NewInteger(sessionExpiration) + request.Policy = policy + request.Scheme = "https" + + client, err := sts.NewClientWithAccessKey(region, accessKey, secretKey) + if err != nil { + return "", "", "", err + } + response, err := client.AssumeRole(request) + if err != nil { + return "", "", "", err + } + return response.Credentials.AccessKeyId, response.Credentials.AccessKeySecret, response.Credentials.SecurityToken, nil +} + func getSdkConfig() *sdk.Config { return sdk.NewConfig(). WithMaxRetryTime(5). diff --git a/backend/remote-state/oss/backend_test.go b/backend/remote-state/oss/backend_test.go index c23d935ab..51310388b 100644 --- a/backend/remote-state/oss/backend_test.go +++ b/backend/remote-state/oss/backend_test.go @@ -112,7 +112,7 @@ func createOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) { } func deleteOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) { - warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alicloud account and may incur storage charges. (error was %s)" + warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alibaba Cloud account and may incur storage charges. (error was %s)" // first we have to get rid of the env objects, or we can't delete the bucket bucket, err := ossClient.Bucket(bucketName) diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go new file mode 100644 index 000000000..6311a2d11 --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go @@ -0,0 +1,108 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +import ( + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses" +) + +// AssumeRole invokes the sts.AssumeRole API synchronously +// api document: https://help.aliyun.com/api/sts/assumerole.html +func (client *Client) AssumeRole(request *AssumeRoleRequest) (response *AssumeRoleResponse, err error) { + response = CreateAssumeRoleResponse() + err = client.DoAction(request, response) + return +} + +// AssumeRoleWithChan invokes the sts.AssumeRole API asynchronously +// api document: https://help.aliyun.com/api/sts/assumerole.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) AssumeRoleWithChan(request *AssumeRoleRequest) (<-chan *AssumeRoleResponse, <-chan error) { + responseChan := make(chan *AssumeRoleResponse, 1) + errChan := make(chan error, 1) + err := client.AddAsyncTask(func() { + defer close(responseChan) + defer close(errChan) + response, err := client.AssumeRole(request) + if err != nil { + errChan <- err + } else { + responseChan <- response + } + }) + if err != nil { + errChan <- err + close(responseChan) + close(errChan) + } + return responseChan, errChan +} + +// AssumeRoleWithCallback invokes the sts.AssumeRole API asynchronously +// api document: https://help.aliyun.com/api/sts/assumerole.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) AssumeRoleWithCallback(request *AssumeRoleRequest, callback func(response *AssumeRoleResponse, err error)) <-chan int { + result := make(chan int, 1) + err := client.AddAsyncTask(func() { + var response *AssumeRoleResponse + var err error + defer close(result) + response, err = client.AssumeRole(request) + callback(response, err) + result <- 1 + }) + if err != nil { + defer close(result) + callback(nil, err) + result <- 0 + } + return result +} + +// AssumeRoleRequest is the request struct for api AssumeRole +type AssumeRoleRequest struct { + *requests.RpcRequest + RoleArn string `position:"Query" name:"RoleArn"` + RoleSessionName string `position:"Query" name:"RoleSessionName"` + DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"` + Policy string `position:"Query" name:"Policy"` +} + +// AssumeRoleResponse is the response struct for api AssumeRole +type AssumeRoleResponse struct { + *responses.BaseResponse + RequestId string `json:"RequestId" xml:"RequestId"` + Credentials Credentials `json:"Credentials" xml:"Credentials"` + AssumedRoleUser AssumedRoleUser `json:"AssumedRoleUser" xml:"AssumedRoleUser"` +} + +// CreateAssumeRoleRequest creates a request to invoke AssumeRole API +func CreateAssumeRoleRequest() (request *AssumeRoleRequest) { + request = &AssumeRoleRequest{ + RpcRequest: &requests.RpcRequest{}, + } + request.InitWithApiInfo("Sts", "2015-04-01", "AssumeRole", "sts", "openAPI") + return +} + +// CreateAssumeRoleResponse creates a response to parse from AssumeRole response +func CreateAssumeRoleResponse() (response *AssumeRoleResponse) { + response = &AssumeRoleResponse{ + BaseResponse: &responses.BaseResponse{}, + } + return +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go new file mode 100644 index 000000000..dcb893d18 --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go @@ -0,0 +1,81 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +import ( + "github.com/aliyun/alibaba-cloud-sdk-go/sdk" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth" +) + +// Client is the sdk client struct, each func corresponds to an OpenAPI +type Client struct { + sdk.Client +} + +// NewClient creates a sdk client with environment variables +func NewClient() (client *Client, err error) { + client = &Client{} + err = client.Init() + return +} + +// NewClientWithOptions creates a sdk client with regionId/sdkConfig/credential +// this is the common api to create a sdk client +func NewClientWithOptions(regionId string, config *sdk.Config, credential auth.Credential) (client *Client, err error) { + client = &Client{} + err = client.InitWithOptions(regionId, config, credential) + return +} + +// NewClientWithAccessKey is a shortcut to create sdk client with accesskey +// usage: https://help.aliyun.com/document_detail/66217.html +func NewClientWithAccessKey(regionId, accessKeyId, accessKeySecret string) (client *Client, err error) { + client = &Client{} + err = client.InitWithAccessKey(regionId, accessKeyId, accessKeySecret) + return +} + +// NewClientWithStsToken is a shortcut to create sdk client with sts token +// usage: https://help.aliyun.com/document_detail/66222.html +func NewClientWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken string) (client *Client, err error) { + client = &Client{} + err = client.InitWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken) + return +} + +// NewClientWithRamRoleArn is a shortcut to create sdk client with ram roleArn +// usage: https://help.aliyun.com/document_detail/66222.html +func NewClientWithRamRoleArn(regionId string, accessKeyId, accessKeySecret, roleArn, roleSessionName string) (client *Client, err error) { + client = &Client{} + err = client.InitWithRamRoleArn(regionId, accessKeyId, accessKeySecret, roleArn, roleSessionName) + return +} + +// NewClientWithEcsRamRole is a shortcut to create sdk client with ecs ram role +// usage: https://help.aliyun.com/document_detail/66223.html +func NewClientWithEcsRamRole(regionId string, roleName string) (client *Client, err error) { + client = &Client{} + err = client.InitWithEcsRamRole(regionId, roleName) + return +} + +// NewClientWithRsaKeyPair is a shortcut to create sdk client with rsa key pair +// attention: rsa key pair auth is only Japan regions available +func NewClientWithRsaKeyPair(regionId string, publicKeyId, privateKey string, sessionExpiration int) (client *Client, err error) { + client = &Client{} + err = client.InitWithRsaKeyPair(regionId, publicKeyId, privateKey, sessionExpiration) + return +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go new file mode 100644 index 000000000..7cf60274a --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go @@ -0,0 +1,104 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +import ( + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses" +) + +// GenerateSessionAccessKey invokes the sts.GenerateSessionAccessKey API synchronously +// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html +func (client *Client) GenerateSessionAccessKey(request *GenerateSessionAccessKeyRequest) (response *GenerateSessionAccessKeyResponse, err error) { + response = CreateGenerateSessionAccessKeyResponse() + err = client.DoAction(request, response) + return +} + +// GenerateSessionAccessKeyWithChan invokes the sts.GenerateSessionAccessKey API asynchronously +// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) GenerateSessionAccessKeyWithChan(request *GenerateSessionAccessKeyRequest) (<-chan *GenerateSessionAccessKeyResponse, <-chan error) { + responseChan := make(chan *GenerateSessionAccessKeyResponse, 1) + errChan := make(chan error, 1) + err := client.AddAsyncTask(func() { + defer close(responseChan) + defer close(errChan) + response, err := client.GenerateSessionAccessKey(request) + if err != nil { + errChan <- err + } else { + responseChan <- response + } + }) + if err != nil { + errChan <- err + close(responseChan) + close(errChan) + } + return responseChan, errChan +} + +// GenerateSessionAccessKeyWithCallback invokes the sts.GenerateSessionAccessKey API asynchronously +// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) GenerateSessionAccessKeyWithCallback(request *GenerateSessionAccessKeyRequest, callback func(response *GenerateSessionAccessKeyResponse, err error)) <-chan int { + result := make(chan int, 1) + err := client.AddAsyncTask(func() { + var response *GenerateSessionAccessKeyResponse + var err error + defer close(result) + response, err = client.GenerateSessionAccessKey(request) + callback(response, err) + result <- 1 + }) + if err != nil { + defer close(result) + callback(nil, err) + result <- 0 + } + return result +} + +// GenerateSessionAccessKeyRequest is the request struct for api GenerateSessionAccessKey +type GenerateSessionAccessKeyRequest struct { + *requests.RpcRequest + DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"` +} + +// GenerateSessionAccessKeyResponse is the response struct for api GenerateSessionAccessKey +type GenerateSessionAccessKeyResponse struct { + *responses.BaseResponse + RequestId string `json:"RequestId" xml:"RequestId"` + SessionAccessKey SessionAccessKey `json:"SessionAccessKey" xml:"SessionAccessKey"` +} + +// CreateGenerateSessionAccessKeyRequest creates a request to invoke GenerateSessionAccessKey API +func CreateGenerateSessionAccessKeyRequest() (request *GenerateSessionAccessKeyRequest) { + request = &GenerateSessionAccessKeyRequest{ + RpcRequest: &requests.RpcRequest{}, + } + request.InitWithApiInfo("Sts", "2015-04-01", "GenerateSessionAccessKey", "sts", "openAPI") + return +} + +// CreateGenerateSessionAccessKeyResponse creates a response to parse from GenerateSessionAccessKey response +func CreateGenerateSessionAccessKeyResponse() (response *GenerateSessionAccessKeyResponse) { + response = &GenerateSessionAccessKeyResponse{ + BaseResponse: &responses.BaseResponse{}, + } + return +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go new file mode 100644 index 000000000..25763d3d2 --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go @@ -0,0 +1,108 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +import ( + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests" + "github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses" +) + +// GetCallerIdentity invokes the sts.GetCallerIdentity API synchronously +// api document: https://help.aliyun.com/api/sts/getcalleridentity.html +func (client *Client) GetCallerIdentity(request *GetCallerIdentityRequest) (response *GetCallerIdentityResponse, err error) { + response = CreateGetCallerIdentityResponse() + err = client.DoAction(request, response) + return +} + +// GetCallerIdentityWithChan invokes the sts.GetCallerIdentity API asynchronously +// api document: https://help.aliyun.com/api/sts/getcalleridentity.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) GetCallerIdentityWithChan(request *GetCallerIdentityRequest) (<-chan *GetCallerIdentityResponse, <-chan error) { + responseChan := make(chan *GetCallerIdentityResponse, 1) + errChan := make(chan error, 1) + err := client.AddAsyncTask(func() { + defer close(responseChan) + defer close(errChan) + response, err := client.GetCallerIdentity(request) + if err != nil { + errChan <- err + } else { + responseChan <- response + } + }) + if err != nil { + errChan <- err + close(responseChan) + close(errChan) + } + return responseChan, errChan +} + +// GetCallerIdentityWithCallback invokes the sts.GetCallerIdentity API asynchronously +// api document: https://help.aliyun.com/api/sts/getcalleridentity.html +// asynchronous document: https://help.aliyun.com/document_detail/66220.html +func (client *Client) GetCallerIdentityWithCallback(request *GetCallerIdentityRequest, callback func(response *GetCallerIdentityResponse, err error)) <-chan int { + result := make(chan int, 1) + err := client.AddAsyncTask(func() { + var response *GetCallerIdentityResponse + var err error + defer close(result) + response, err = client.GetCallerIdentity(request) + callback(response, err) + result <- 1 + }) + if err != nil { + defer close(result) + callback(nil, err) + result <- 0 + } + return result +} + +// GetCallerIdentityRequest is the request struct for api GetCallerIdentity +type GetCallerIdentityRequest struct { + *requests.RpcRequest +} + +// GetCallerIdentityResponse is the response struct for api GetCallerIdentity +type GetCallerIdentityResponse struct { + *responses.BaseResponse + AccountId string `json:"AccountId" xml:"AccountId"` + UserId string `json:"UserId" xml:"UserId"` + RoleId string `json:"RoleId" xml:"RoleId"` + Arn string `json:"Arn" xml:"Arn"` + IdentityType string `json:"IdentityType" xml:"IdentityType"` + PrincipalId string `json:"PrincipalId" xml:"PrincipalId"` + RequestId string `json:"RequestId" xml:"RequestId"` +} + +// CreateGetCallerIdentityRequest creates a request to invoke GetCallerIdentity API +func CreateGetCallerIdentityRequest() (request *GetCallerIdentityRequest) { + request = &GetCallerIdentityRequest{ + RpcRequest: &requests.RpcRequest{}, + } + request.InitWithApiInfo("Sts", "2015-04-01", "GetCallerIdentity", "sts", "openAPI") + return +} + +// CreateGetCallerIdentityResponse creates a response to parse from GetCallerIdentity response +func CreateGetCallerIdentityResponse() (response *GetCallerIdentityResponse) { + response = &GetCallerIdentityResponse{ + BaseResponse: &responses.BaseResponse{}, + } + return +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go new file mode 100644 index 000000000..37107b6ec --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go @@ -0,0 +1,22 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +// AssumedRoleUser is a nested struct in sts response +type AssumedRoleUser struct { + Arn string `json:"Arn" xml:"Arn"` + AssumedRoleId string `json:"AssumedRoleId" xml:"AssumedRoleId"` +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go new file mode 100644 index 000000000..24d7a2abf --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go @@ -0,0 +1,24 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +// Credentials is a nested struct in sts response +type Credentials struct { + SecurityToken string `json:"SecurityToken" xml:"SecurityToken"` + AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"` + AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"` + Expiration string `json:"Expiration" xml:"Expiration"` +} diff --git a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go new file mode 100644 index 000000000..cda251a31 --- /dev/null +++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go @@ -0,0 +1,23 @@ +package sts + +//Licensed under the Apache License, Version 2.0 (the "License"); +//you may not use this file except in compliance with the License. +//You may obtain a copy of the License at +// +//http://www.apache.org/licenses/LICENSE-2.0 +// +//Unless required by applicable law or agreed to in writing, software +//distributed under the License is distributed on an "AS IS" BASIS, +//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +//See the License for the specific language governing permissions and +//limitations under the License. +// +// Code generated by Alibaba Cloud SDK Code Generator. +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +// SessionAccessKey is a nested struct in sts response +type SessionAccessKey struct { + SessionAccessKeyId string `json:"SessionAccessKeyId" xml:"SessionAccessKeyId"` + SessionAccessKeySecret string `json:"SessionAccessKeySecret" xml:"SessionAccessKeySecret"` + Expiration string `json:"Expiration" xml:"Expiration"` +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 23f3dfac8..71aa9ff9c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -50,12 +50,13 @@ github.com/agl/ed25519/edwards25519 # github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190329064014-6e358769c32a github.com/aliyun/alibaba-cloud-sdk-go/sdk github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials +github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests github.com/aliyun/alibaba-cloud-sdk-go/services/location +github.com/aliyun/alibaba-cloud-sdk-go/services/sts github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors -github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/signers diff --git a/website/docs/backends/types/oss.html.md b/website/docs/backends/types/oss.html.md index 62136f29e..8d77ca138 100644 --- a/website/docs/backends/types/oss.html.md +++ b/website/docs/backends/types/oss.html.md @@ -75,8 +75,8 @@ data "terraform_remote_state" "network" { The following configuration options or environment variables are supported: - * `access_key` - (Optional) Alicloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and `ALICLOUD_ACCESS_KEY_ID`. - * `secret_key` - (Optional) Alicloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and `ALICLOUD_ACCESS_KEY_SECRET`. + * `access_key` - (Optional) Alibaba Cloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and `ALICLOUD_ACCESS_KEY_ID`. + * `secret_key` - (Optional) Alibaba Cloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and `ALICLOUD_ACCESS_KEY_SECRET`. * `security_token` - (Optional) STS access token. It supports environment variable `ALICLOUD_SECURITY_TOKEN`. * `region` - (Optional) The region of the OSS bucket. It supports environment variables `ALICLOUD_REGION` and `ALICLOUD_DEFAULT_REGION`. * `endpoint` - (Optional) A custom endpoint for the OSS API. It supports environment variables `ALICLOUD_OSS_ENDPOINT` and `OSS_ENDPOINT`. @@ -90,6 +90,18 @@ The following configuration options or environment variables are supported: * `acl` - (Optional) [Object ACL](https://www.alibabacloud.com/help/doc-detail/52284.htm) to be applied to the state file. + * `assume_role` - (Optional) If provided with a role ARN, will attempt to assume this role using the supplied credentials. + +The nested `assume_role` block supports the following: +* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`. + Terraform executes configuration on account with provided credentials. + +* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary + security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed. + +* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`. + +* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`. -> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com" diff --git a/website/docs/providers/index.html.markdown b/website/docs/providers/index.html.markdown index 8d3972755..2be52276c 100644 --- a/website/docs/providers/index.html.markdown +++ b/website/docs/providers/index.html.markdown @@ -25,7 +25,7 @@ down to see all providers. - [ACME](/docs/providers/acme/index.html) - [Akamai](/docs/providers/akamai/index.html) -- [Alicloud](/docs/providers/alicloud/index.html) +- [Alibaba Cloud](/docs/providers/alicloud/index.html) - [Archive](/docs/providers/archive/index.html) - [Arukas](/docs/providers/arukas/index.html) - [Avi Vantage](/docs/providers/avi/index.html)