diff --git a/builtin/providers/google/data_source_storage_object_signed_url.go b/builtin/providers/google/data_source_storage_object_signed_url.go new file mode 100644 index 000000000..fced990cf --- /dev/null +++ b/builtin/providers/google/data_source_storage_object_signed_url.go @@ -0,0 +1,368 @@ +package google + +import ( + "bytes" + "crypto" + "crypto/rand" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/pem" + "errors" + "fmt" + "log" + "net/url" + "os" + "strconv" + "strings" + "time" + + "sort" + + "github.com/hashicorp/errwrap" + "github.com/hashicorp/terraform/helper/pathorcontents" + "github.com/hashicorp/terraform/helper/schema" + "golang.org/x/oauth2/google" + "golang.org/x/oauth2/jwt" +) + +const gcsBaseUrl = "https://storage.googleapis.com" +const googleCredentialsEnvVar = "GOOGLE_APPLICATION_CREDENTIALS" + +func dataSourceGoogleSignedUrl() *schema.Resource { + return &schema.Resource{ + Read: dataSourceGoogleSignedUrlRead, + + Schema: map[string]*schema.Schema{ + "bucket": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "content_md5": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "", + }, + "content_type": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "", + }, + "credentials": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + }, + "duration": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "1h", + }, + "extension_headers": &schema.Schema{ + Type: schema.TypeMap, + Optional: true, + Elem: schema.TypeString, + ValidateFunc: validateExtensionHeaders, + }, + "http_method": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "GET", + ValidateFunc: validateHttpMethod, + }, + "path": &schema.Schema{ + Type: schema.TypeString, + Required: true, + }, + "signed_url": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + }, + }, + } +} + +func validateExtensionHeaders(v interface{}, k string) (ws []string, errors []error) { + hdrMap := v.(map[string]interface{}) + for k, _ := range hdrMap { + if !strings.HasPrefix(strings.ToLower(k), "x-goog-") { + errors = append(errors, fmt.Errorf( + "extension_header (%s) not valid, header name must begin with 'x-goog-'", k)) + } + } + return +} + +func validateHttpMethod(v interface{}, k string) (ws []string, errs []error) { + value := v.(string) + value = strings.ToUpper(value) + if value != "GET" && value != "HEAD" && value != "PUT" && value != "DELETE" { + errs = append(errs, errors.New("http_method must be one of [GET|HEAD|PUT|DELETE]")) + } + return +} + +func dataSourceGoogleSignedUrlRead(d *schema.ResourceData, meta interface{}) error { + config := meta.(*Config) + + // Build UrlData object from data source attributes + urlData := &UrlData{} + + // HTTP Method + if method, ok := d.GetOk("http_method"); ok { + urlData.HttpMethod = method.(string) + } + + // convert duration to an expiration datetime (unix time in seconds) + durationString := "1h" + if v, ok := d.GetOk("duration"); ok { + durationString = v.(string) + } + duration, err := time.ParseDuration(durationString) + if err != nil { + return errwrap.Wrapf("could not parse duration: {{err}}", err) + } + expires := time.Now().Unix() + int64(duration.Seconds()) + urlData.Expires = int(expires) + + // content_md5 is optional + if v, ok := d.GetOk("content_md5"); ok { + urlData.ContentMd5 = v.(string) + } + + // content_type is optional + if v, ok := d.GetOk("content_type"); ok { + urlData.ContentType = v.(string) + } + + // extension_headers (x-goog-* HTTP headers) are optional + if v, ok := d.GetOk("extension_headers"); ok { + hdrMap := v.(map[string]interface{}) + + if len(hdrMap) > 0 { + urlData.HttpHeaders = make(map[string]string, len(hdrMap)) + for k, v := range hdrMap { + urlData.HttpHeaders[k] = v.(string) + } + } + } + + urlData.Path = fmt.Sprintf("/%s/%s", d.Get("bucket").(string), d.Get("path").(string)) + + // Load JWT Config from Google Credentials + jwtConfig, err := loadJwtConfig(d, config) + if err != nil { + return err + } + urlData.JwtConfig = jwtConfig + + // Construct URL + signedUrl, err := urlData.SignedUrl() + if err != nil { + return err + } + + // Success + d.Set("signed_url", signedUrl) + + encodedSig, err := urlData.EncodedSignature() + if err != nil { + return err + } + d.SetId(encodedSig) + + return nil +} + +// loadJwtConfig looks for credentials json in the following places, +// in order of preference: +// 1. `credentials` attribute of the datasource +// 2. `credentials` attribute in the provider definition. +// 3. A JSON file whose path is specified by the +// GOOGLE_APPLICATION_CREDENTIALS environment variable. +func loadJwtConfig(d *schema.ResourceData, meta interface{}) (*jwt.Config, error) { + config := meta.(*Config) + + credentials := "" + if v, ok := d.GetOk("credentials"); ok { + log.Println("[DEBUG] using data source credentials to sign URL") + credentials = v.(string) + + } else if config.Credentials != "" { + log.Println("[DEBUG] using provider credentials to sign URL") + credentials = config.Credentials + + } else if filename := os.Getenv(googleCredentialsEnvVar); filename != "" { + log.Println("[DEBUG] using env GOOGLE_APPLICATION_CREDENTIALS credentials to sign URL") + credentials = filename + + } + + if strings.TrimSpace(credentials) != "" { + contents, _, err := pathorcontents.Read(credentials) + if err != nil { + return nil, errwrap.Wrapf("Error loading credentials: {{err}}", err) + } + + cfg, err := google.JWTConfigFromJSON([]byte(contents), "") + if err != nil { + return nil, errwrap.Wrapf("Error parsing credentials: {{err}}", err) + } + return cfg, nil + } + + return nil, errors.New("Credentials not found in datasource, provider configuration or GOOGLE_APPLICATION_CREDENTIALS environment variable.") +} + +// parsePrivateKey converts the binary contents of a private key file +// to an *rsa.PrivateKey. It detects whether the private key is in a +// PEM container or not. If so, it extracts the the private key +// from PEM container before conversion. It only supports PEM +// containers with no passphrase. +// copied from golang.org/x/oauth2/internal +func parsePrivateKey(key []byte) (*rsa.PrivateKey, error) { + block, _ := pem.Decode(key) + if block != nil { + key = block.Bytes + } + parsedKey, err := x509.ParsePKCS8PrivateKey(key) + if err != nil { + parsedKey, err = x509.ParsePKCS1PrivateKey(key) + if err != nil { + return nil, errwrap.Wrapf("private key should be a PEM or plain PKSC1 or PKCS8; parse error: {{err}}", err) + } + } + parsed, ok := parsedKey.(*rsa.PrivateKey) + if !ok { + return nil, errors.New("private key is invalid") + } + return parsed, nil +} + +// UrlData stores the values required to create a Signed Url +type UrlData struct { + JwtConfig *jwt.Config + ContentMd5 string + ContentType string + HttpMethod string + Expires int + HttpHeaders map[string]string + Path string +} + +// SigningString creates a string representation of the UrlData in a form ready for signing: +// see https://cloud.google.com/storage/docs/access-control/create-signed-urls-program +// Example output: +// ------------------- +// GET +// +// +// 1388534400 +// bucket/objectname +// ------------------- +func (u *UrlData) SigningString() []byte { + var buf bytes.Buffer + + // HTTP Verb + buf.WriteString(u.HttpMethod) + buf.WriteString("\n") + + // Content MD5 (optional, always add new line) + buf.WriteString(u.ContentMd5) + buf.WriteString("\n") + + // Content Type (optional, always add new line) + buf.WriteString(u.ContentType) + buf.WriteString("\n") + + // Expiration + buf.WriteString(strconv.Itoa(u.Expires)) + buf.WriteString("\n") + + // Extra HTTP headers (optional) + // Must be sorted in lexigraphical order + var keys []string + for k := range u.HttpHeaders { + keys = append(keys, strings.ToLower(k)) + } + sort.Strings(keys) + // Write sorted headers to signing string buffer + for _, k := range keys { + buf.WriteString(fmt.Sprintf("%s:%s\n", k, u.HttpHeaders[k])) + } + + // Storate Object path (includes bucketname) + buf.WriteString(u.Path) + + return buf.Bytes() +} + +func (u *UrlData) Signature() ([]byte, error) { + // Sign url data + signature, err := SignString(u.SigningString(), u.JwtConfig) + if err != nil { + return nil, err + + } + + return signature, nil +} + +// EncodedSignature returns the Signature() after base64 encoding and url escaping +func (u *UrlData) EncodedSignature() (string, error) { + signature, err := u.Signature() + if err != nil { + return "", err + } + + // base64 encode signature + encoded := base64.StdEncoding.EncodeToString(signature) + // encoded signature may include /, = characters that need escaping + encoded = url.QueryEscape(encoded) + + return encoded, nil +} + +// SignedUrl constructs the final signed URL a client can use to retrieve storage object +func (u *UrlData) SignedUrl() (string, error) { + + encodedSig, err := u.EncodedSignature() + if err != nil { + return "", err + } + + // build url + // https://cloud.google.com/storage/docs/access-control/create-signed-urls-program + var urlBuffer bytes.Buffer + urlBuffer.WriteString(gcsBaseUrl) + urlBuffer.WriteString(u.Path) + urlBuffer.WriteString("?GoogleAccessId=") + urlBuffer.WriteString(u.JwtConfig.Email) + urlBuffer.WriteString("&Expires=") + urlBuffer.WriteString(strconv.Itoa(u.Expires)) + urlBuffer.WriteString("&Signature=") + urlBuffer.WriteString(encodedSig) + + return urlBuffer.String(), nil +} + +// SignString calculates the SHA256 signature of the input string +func SignString(toSign []byte, cfg *jwt.Config) ([]byte, error) { + // Parse private key + pk, err := parsePrivateKey(cfg.PrivateKey) + if err != nil { + return nil, errwrap.Wrapf("failed to sign string, could not parse key: {{err}}", err) + } + + // Hash string + hasher := sha256.New() + hasher.Write(toSign) + + // Sign string + signed, err := rsa.SignPKCS1v15(rand.Reader, pk, crypto.SHA256, hasher.Sum(nil)) + if err != nil { + return nil, errwrap.Wrapf("failed to sign string, an error occurred: {{err}}", err) + } + + return signed, nil +} diff --git a/builtin/providers/google/data_source_storage_object_signed_url_test.go b/builtin/providers/google/data_source_storage_object_signed_url_test.go new file mode 100644 index 000000000..03912216c --- /dev/null +++ b/builtin/providers/google/data_source_storage_object_signed_url_test.go @@ -0,0 +1,263 @@ +package google + +import ( + "testing" + + "bytes" + "encoding/base64" + "fmt" + "io/ioutil" + "net/http" + "net/url" + + "github.com/hashicorp/go-cleanhttp" + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" + "golang.org/x/oauth2/google" +) + +const fakeCredentials = `{ + "type": "service_account", + "project_id": "gcp-project", + "private_key_id": "29a54056cee3d6886d9e8515a959af538ab5add9", + "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsGHDAdHZfi81LgVeeMHXYLgNDpcFYhoBykYtTDdNyA5AixID\n8JdKlCmZ6qLNnZrbs4JlBJfmzw6rjUC5bVBFg5NwYVBu3+3Msa4rgLsTGsjPH9rt\nC+QFnFhcmzg3zz8eeXBqJdhw7wmn1Xa9SsC3h6YWveBk98ecyE7yGe8J8xGphjk7\nEQ/KBmRK/EJD0ZwuYW1W4Bv5f5fca7qvi9rCprEmL8//uy0qCwoJj2jU3zc5p72M\npkSZb1XlYxxTEo/h9WCEvWS9pGhy6fJ0sA2RsBHqU4Y5O7MJEei9yu5fVSZUi05f\n/ggfUID+cFEq0Z/A98whKPEBBJ/STdEaqEEkBwIDAQABAoIBAED6EsvF0dihbXbh\ntXbI+h4AT5cTXYFRUV2B0sgkC3xqe65/2YG1Sl0gojoE9bhcxxjvLWWuy/F1Vw93\nS5gQnTsmgpzm86F8yg6euhn3UMdqOJtknDToMITzLFJmOHEZsJFOL1x3ysrUhMan\nsn4qVrIbJn+WfbumBoToSFnzbHflacOh06ZRbYa2bpSPMfGGFtwqQjRadn5+pync\nlCjaupcg209sM0qEk/BDSzHvWL1VgLMdiKBx574TSwS0o569+7vPNt92Ydi7kARo\nreOzkkF4L3xNhKZnmls2eGH6A8cp1KZXoMLFuO+IwvBMA0O29LsUlKJU4PjBrf+7\nwaslnMECgYEA5bJv0L6DKZQD3RCBLue4/mDg0GHZqAhJBS6IcaXeaWeH6PgGZggV\nMGkWnULltJIYFwtaueTfjWqciAeocKx+rqoRjuDMOGgcrEf6Y+b5AqF+IjQM66Ll\nIYPUt3FCIc69z5LNEtyP4DSWsFPJ5UhAoG4QRlDTqT5q0gKHFjeLdeECgYEAxJRk\nkrsWmdmUs5NH9pyhTdEDIc59EuJ8iOqOLzU8xUw6/s2GSClopEFJeeEoIWhLuPY3\nX3bFt4ppl/ksLh05thRs4wXRxqhnokjD3IcGu3l6Gb5QZTYwb0VfN+q2tWVEE8Qc\nPQURheUsM2aP/gpJVQvNsWVmkT0Ijc3J8bR2hucCgYEAjOF4e0ueHu5NwFTTJvWx\nHTRGLwkU+l66ipcT0MCvPW7miRk2s3XZqSuLV0Ekqi/A3sF0D/g0tQPipfwsb48c\n0/wzcLKoDyCsFW7AQG315IswVcIe+peaeYfl++1XZmzrNlkPtrXY+ObIVbXOavZ5\nzOw0xyvj5jYGRnCOci33N4ECgYA91EKx2ABq0YGw3aEj0u31MMlgZ7b1KqFq2wNv\nm7oKgEiJ/hC/P673AsXefNAHeetfOKn/77aOXQ2LTEb2FiEhwNjiquDpL+ywoVxh\nT2LxsmqSEEbvHpUrWlFxn/Rpp3k7ElKjaqWxTHyTii2+BHQ+OKEwq6kQA3deSpy6\n1jz1fwKBgQDLqbdq5FA63PWqApfNVykXukg9MASIcg/0fjADFaHTPDvJjhFutxRP\nppI5Q95P12CQ/eRBZKJnRlkhkL8tfPaWPzzOpCTjID7avRhx2oLmstmYuXx0HluE\ncqXLbAV9WDpIJ3Bpa/S8tWujWhLDmixn2JeAdurWS+naH9U9e4I6Rw==\n-----END RSA PRIVATE KEY-----\n", + "client_email": "user@gcp-project.iam.gserviceaccount.com", + "client_id": "103198861025845558729", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/user%40gcp-project.iam.gserviceaccount.com" +}` + +// The following values are derived from the output of the `gsutil signurl` command. +// i.e. +// gsutil signurl fake_creds.json gs://tf-test-bucket-6159205297736845881/path/to/file +// URL HTTP Method Expiration Signed URL +// gs://tf-test-bucket-6159205297736845881/path/to/file GET 2016-08-12 14:03:30 https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D + +const testUrlPath = "/tf-test-bucket-6159205297736845881/path/to/file" +const testUrlExpires = 1470967410 +const testUrlExpectedSignatureBase64Encoded = "JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D" +const testUrlExpectedUrl = "https://storage.googleapis.com/tf-test-bucket-6159205297736845881/path/to/file?GoogleAccessId=user@gcp-project.iam.gserviceaccount.com&Expires=1470967410&Signature=JJvE2Jc%2BeoagyS1qRACKBGUkgLkKjw7cGymHhtB4IzzN3nbXDqr0acRWGy0%2BEpZ3HYNDalEYsK0lR9Q0WCgty5I0JKmPIuo9hOYa1xTNH%2B22xiWsekxGV%2FcA9FXgWpi%2BFt7fBmMk4dhDe%2BuuYc7N79hd0FYuSBNW1Wp32Bluoe4SNkNAB%2BuIDd9KqPzqs09UAbBoz2y4WxXOQnRyR8GAfb8B%2FDtv62gYjtmp%2F6%2Fyr6xj7byWKZdQt8kEftQLTQmP%2F17Efjp6p%2BXo71Q0F9IhAFiqWfp3Ij8hHDSebLcVb2ULXyHNNQpHBOhFgALrFW3I6Uc3WciLEOsBS9Ej3EGdTg%3D%3D" + +func TestUrlData_Signing(t *testing.T) { + urlData := &UrlData{ + HttpMethod: "GET", + Expires: testUrlExpires, + Path: testUrlPath, + } + // unescape and decode the expected signature + expectedSig, err := url.QueryUnescape(testUrlExpectedSignatureBase64Encoded) + if err != nil { + t.Error(err) + } + expected, err := base64.StdEncoding.DecodeString(expectedSig) + if err != nil { + t.Error(err) + } + + // load fake service account credentials + cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "") + if err != nil { + t.Error(err) + } + + // create url data signature + toSign := urlData.SigningString() + result, err := SignString(toSign, cfg) + if err != nil { + t.Error(err) + } + + // compare to expected value + if !bytes.Equal(result, expected) { + t.Errorf("Signatures do not match:\n%x\n%x\n", expected, result) + } + +} + +func TestUrlData_SignedUrl(t *testing.T) { + // load fake service account credentials + cfg, err := google.JWTConfigFromJSON([]byte(fakeCredentials), "") + if err != nil { + t.Error(err) + } + + urlData := &UrlData{ + HttpMethod: "GET", + Expires: testUrlExpires, + Path: testUrlPath, + JwtConfig: cfg, + } + result, err := urlData.SignedUrl() + if err != nil { + t.Errorf("Could not generated signed url: %+v", err) + } + if result != testUrlExpectedUrl { + t.Errorf("URL does not match expected value:\n%s\n%s", testUrlExpectedUrl, result) + } +} + +func TestAccStorageSignedUrl_basic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testGoogleSignedUrlConfig, + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlExists("data.google_storage_object_signed_url.blerg"), + ), + }, + }, + }) +} + +func TestAccStorageSignedUrl_accTest(t *testing.T) { + bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt()) + + headers := map[string]string{ + "x-goog-test": "foo", + "x-goog-if-generation-match": "1", + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccTestGoogleStorageObjectSignedURL(bucketName), + Check: resource.ComposeTestCheckFunc( + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url", nil), + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_headers", headers), + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_content_type", nil), + testAccGoogleSignedUrlRetrieval("data.google_storage_object_signed_url.story_url_w_md5", nil), + ), + }, + }, + }) +} + +func testAccGoogleSignedUrlExists(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + r := s.RootModule().Resources[n] + a := r.Primary.Attributes + + if a["signed_url"] == "" { + return fmt.Errorf("signed_url is empty: %v", a) + } + + return nil + } +} + +func testAccGoogleSignedUrlRetrieval(n string, headers map[string]string) resource.TestCheckFunc { + return func(s *terraform.State) error { + r := s.RootModule().Resources[n] + if r == nil { + return fmt.Errorf("Datasource not found") + } + a := r.Primary.Attributes + + if a["signed_url"] == "" { + return fmt.Errorf("signed_url is empty: %v", a) + } + + // create HTTP request + url := a["signed_url"] + method := a["http_method"] + req, err := http.NewRequest(method, url, nil) + if err != nil { + return err + } + + // Add extension headers to request, if provided + for k, v := range headers { + req.Header.Set(k, v) + } + + // content_type is optional, add to test query if provided in datasource config + contentType := a["content_type"] + if contentType != "" { + req.Header.Add("Content-Type", contentType) + } + + // content_md5 is optional, add to test query if provided in datasource config + contentMd5 := a["content_md5"] + if contentMd5 != "" { + req.Header.Add("Content-MD5", contentMd5) + } + + // send request using signed url + client := cleanhttp.DefaultClient() + response, err := client.Do(req) + if err != nil { + return err + } + defer response.Body.Close() + + // check content in response, should be our test string or XML with error + body, err := ioutil.ReadAll(response.Body) + if err != nil { + return err + } + if string(body) != "once upon a time..." { + return fmt.Errorf("Got unexpected object contents: %s\n\tURL: %s", string(body), url) + } + + return nil + } +} + +const testGoogleSignedUrlConfig = ` +data "google_storage_object_signed_url" "blerg" { + bucket = "friedchicken" + path = "path/to/file" + +} +` + +func testAccTestGoogleStorageObjectSignedURL(bucketName string) string { + return fmt.Sprintf(` +resource "google_storage_bucket" "bucket" { + name = "%s" +} + +resource "google_storage_bucket_object" "story" { + name = "path/to/file" + bucket = "${google_storage_bucket.bucket.name}" + + content = "once upon a time..." +} + +data "google_storage_object_signed_url" "story_url" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + +} + +data "google_storage_object_signed_url" "story_url_w_headers" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + extension_headers { + x-goog-test = "foo" + x-goog-if-generation-match = 1 + } +} + +data "google_storage_object_signed_url" "story_url_w_content_type" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + + content_type = "text/plain" +} + +data "google_storage_object_signed_url" "story_url_w_md5" { + bucket = "${google_storage_bucket.bucket.name}" + path = "${google_storage_bucket_object.story.name}" + + content_md5 = "${google_storage_bucket_object.story.md5hash}" +}`, bucketName) +} diff --git a/builtin/providers/google/provider.go b/builtin/providers/google/provider.go index 557450729..700042a11 100644 --- a/builtin/providers/google/provider.go +++ b/builtin/providers/google/provider.go @@ -54,6 +54,7 @@ func Provider() terraform.ResourceProvider { "google_compute_zones": dataSourceGoogleComputeZones(), "google_container_engine_versions": dataSourceGoogleContainerEngineVersions(), "google_iam_policy": dataSourceGoogleIamPolicy(), + "google_storage_object_signed_url": dataSourceGoogleSignedUrl(), }, ResourcesMap: map[string]*schema.Resource{ diff --git a/website/source/docs/providers/google/d/signed_url.html.markdown b/website/source/docs/providers/google/d/signed_url.html.markdown new file mode 100644 index 000000000..afb372b49 --- /dev/null +++ b/website/source/docs/providers/google/d/signed_url.html.markdown @@ -0,0 +1,81 @@ +--- +layout: "google" +page_title: "Google: google_storage_object_signed_url" +sidebar_current: "docs-google-datasource-signed_url" +description: |- + Provides signed URL to Google Cloud Storage object. +--- + +# google\_storage\_object\_signed_url + +The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account. + +For more info about signed URL's is available [here](https://cloud.google.com/storage/docs/access-control/signed-urls). + +## Example Usage + +```hcl +data "google_storage_object_signed_url" "artifact" { + bucket = "install_binaries" + path = "path/to/install_file.bin" + +} + +resource "google_compute_instance" "vm" { + name = "vm" + ... + + provisioner "remote-exec" { + inline = [ + "wget '${data.google_storage_object_signed_url.artifact.signed_url}' -O install_file.bin", + "chmod +x install_file.bin", + "./install_file.bin" + ] + } +} +``` + +## Full Example + +```hcl +data "google_storage_object_signed_url" "get_url" { + bucket = "fried_chicken" + path = "path/to/file" + content_md5 = "pRviqwS4c4OTJRTe03FD1w==" + content_type = "text/plain" + duration = "2d" + credentials = "${file("path/to/credentials.json")}" + + extension_headers { + x-goog-if-generation-match = 1 + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `bucket` - (Required) The name of the bucket to read the object from +* `path` - (Required) The full path to the object inside the bucket +* `http_method` - (Optional) What HTTP Method will the signed URL allow (defaults to `GET`) +* `duration` - (Optional) For how long shall the signed URL be valid (defaults to 1 hour - i.e. `1h`). + See [here](https://golang.org/pkg/time/#ParseDuration) for info on valid duration formats. +* `credentials` - (Optional) What Google service account credentials json should be used to sign the URL. + This data source checks the following locations for credentials, in order of preference: data source `credentials` attribute, provider `credentials` attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable. + +> **NOTE** the default google credentials configured by `gcloud` sdk or the service account associated with a compute instance cannot be used, because these do not include the private key required to sign the URL. A valid `json` service account credentials key file must be used, as generated via Google cloud console. + +* `content_type` - (Optional) If you specify this in the datasource, the client must provide the `Content-Type` HTTP header with the same value in its request. +* `content_md5` - (Optional) The [MD5 digest](https://cloud.google.com/storage/docs/hashes-etags#_MD5) value in Base64. + Typically retrieved from `google_storage_bucket_object.object.md5hash` attribute. + If you provide this in the datasource, the client (e.g. browser, curl) must provide the `Content-MD5` HTTP header with this same value in its request. +* `extension_headers` - (Optional) As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. + Any header starting with `x-goog-` is accepted but see the [Google Docs](https://cloud.google.com/storage/docs/xml-api/reference-headers) for list of headers that are supported by Google. + + +## Attributes Reference + +The following attributes are exported: + +* `signed_url` - The signed URL that can be used to access the storage object without authentication. diff --git a/website/source/layouts/google.erb b/website/source/layouts/google.erb index e800a5548..ff51551f3 100644 --- a/website/source/layouts/google.erb +++ b/website/source/layouts/google.erb @@ -39,6 +39,9 @@ > google_iam_policy + > + google_storage_object_signed_url +