oss backend: flattern assume_role block
This commit is contained in:
parent
2f152f1139
commit
9d5f1752c8
@ -146,8 +146,6 @@ func New() backend.Backend {
|
|||||||
return nil, nil
|
return nil, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
"assume_role": assumeRoleSchema(),
|
|
||||||
"shared_credentials_file": {
|
"shared_credentials_file": {
|
||||||
Type: schema.TypeString,
|
Type: schema.TypeString,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
@ -160,6 +158,42 @@ func New() backend.Backend {
|
|||||||
Description: "This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.",
|
Description: "This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.",
|
||||||
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_PROFILE", ""),
|
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_PROFILE", ""),
|
||||||
},
|
},
|
||||||
|
"assume_role_role_arn": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Required: true,
|
||||||
|
Description: "The ARN of a RAM role to assume prior to making API calls.",
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
|
||||||
|
},
|
||||||
|
"assume_role_session_name": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
Description: "The session name to use when assuming the role.",
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
|
||||||
|
},
|
||||||
|
"assume_role_policy": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
|
||||||
|
},
|
||||||
|
"assume_role_session_expiration": {
|
||||||
|
Type: schema.TypeInt,
|
||||||
|
Optional: true,
|
||||||
|
Description: "The time after which the established session for assuming role expires.",
|
||||||
|
ValidateFunc: func(v interface{}, k string) ([]string, []error) {
|
||||||
|
min := 900
|
||||||
|
max := 3600
|
||||||
|
value, ok := v.(int)
|
||||||
|
if !ok {
|
||||||
|
return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
|
||||||
|
}
|
||||||
|
|
||||||
|
if value < min || value > max {
|
||||||
|
return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, nil
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -168,54 +202,6 @@ func New() backend.Backend {
|
|||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
func assumeRoleSchema() *schema.Schema {
|
|
||||||
return &schema.Schema{
|
|
||||||
Type: schema.TypeSet,
|
|
||||||
Optional: true,
|
|
||||||
MaxItems: 1,
|
|
||||||
Elem: &schema.Resource{
|
|
||||||
Schema: map[string]*schema.Schema{
|
|
||||||
"role_arn": {
|
|
||||||
Type: schema.TypeString,
|
|
||||||
Required: true,
|
|
||||||
Description: "The ARN of a RAM role to assume prior to making API calls.",
|
|
||||||
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
|
|
||||||
},
|
|
||||||
"session_name": {
|
|
||||||
Type: schema.TypeString,
|
|
||||||
Optional: true,
|
|
||||||
Description: "The session name to use when assuming the role.",
|
|
||||||
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
|
|
||||||
},
|
|
||||||
"policy": {
|
|
||||||
Type: schema.TypeString,
|
|
||||||
Optional: true,
|
|
||||||
Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
|
|
||||||
},
|
|
||||||
"session_expiration": {
|
|
||||||
Type: schema.TypeInt,
|
|
||||||
Optional: true,
|
|
||||||
Description: "The time after which the established session for assuming role expires.",
|
|
||||||
ValidateFunc: func(v interface{}, k string) ([]string, []error) {
|
|
||||||
min := 900
|
|
||||||
max := 3600
|
|
||||||
value, ok := v.(int)
|
|
||||||
if !ok {
|
|
||||||
return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
|
|
||||||
}
|
|
||||||
|
|
||||||
if value < min || value > max {
|
|
||||||
return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, nil
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type Backend struct {
|
type Backend struct {
|
||||||
*schema.Backend
|
*schema.Backend
|
||||||
|
|
||||||
@ -274,31 +260,22 @@ func (b *Backend) configure(ctx context.Context) error {
|
|||||||
sessionExpiration = (int)(expiredSeconds.(float64))
|
sessionExpiration = (int)(expiredSeconds.(float64))
|
||||||
}
|
}
|
||||||
|
|
||||||
if v, ok := d.GetOk("assume_role"); ok {
|
roleArn = d.Get("assume_role_role_arn").(string)
|
||||||
for _, v := range v.(*schema.Set).List() {
|
sessionName = d.Get("assume_role_session_name").(string)
|
||||||
assumeRole := v.(map[string]interface{})
|
if sessionName == "" {
|
||||||
if assumeRole["role_arn"].(string) != "" {
|
sessionName = "terraform"
|
||||||
roleArn = assumeRole["role_arn"].(string)
|
}
|
||||||
}
|
policy = d.Get("assume_role_policy").(string)
|
||||||
if assumeRole["session_name"].(string) != "" {
|
sessionExpiration = d.Get("assume_role_session_expiration").(int)
|
||||||
sessionName = assumeRole["session_name"].(string)
|
if sessionExpiration == 0 {
|
||||||
}
|
if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
|
||||||
if sessionName == "" {
|
if expiredSeconds, err := strconv.Atoi(v); err == nil {
|
||||||
sessionName = "terraform"
|
sessionExpiration = expiredSeconds
|
||||||
}
|
|
||||||
policy = assumeRole["policy"].(string)
|
|
||||||
sessionExpiration = assumeRole["session_expiration"].(int)
|
|
||||||
if sessionExpiration == 0 {
|
|
||||||
if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
|
|
||||||
if expiredSeconds, err := strconv.Atoi(v); err == nil {
|
|
||||||
sessionExpiration = expiredSeconds
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if sessionExpiration == 0 {
|
|
||||||
sessionExpiration = 3600
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if sessionExpiration == 0 {
|
||||||
|
sessionExpiration = 3600
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if accessKey == "" {
|
if accessKey == "" {
|
||||||
|
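Review bot: The `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION` fallback in the configure hunk still bypasses the 900-3600 range check that the schema's ValidateFunc enforces for `assume_role_session_expiration`, and a value that fails `strconv.Atoi` is silently discarded, so a mistyped short lifetime quietly becomes a 3600-second session instead of an error. Since configure already returns an error, I would reject unparsable or out-of-range values here rather than fall through to the default; the same bounds could be shared with the ValidateFunc instead of duplicated. Separately, `assume_role_role_arn` in the schema hunk is marked `Required: true` while the documentation hunk lists it as Optional and says an empty ARN skips role switching; because the `EnvDefaultFunc` returns `""` it behaves as optional in practice, so `Optional: true` would match the docs and the other flattened attributes. configure's body starts and ends outside this hunk.
```go
if sessionExpiration == 0 {
	if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
		expiredSeconds, err := strconv.Atoi(v)
		if err != nil || expiredSeconds < 900 || expiredSeconds > 3600 {
			return fmt.Errorf("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION must be an integer in the range (900 - 3600), got %q", v)
		}
		sessionExpiration = expiredSeconds
	}
	// … unchanged: default to 3600 when still unset …
}
```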
@ -95,18 +95,11 @@ The following configuration options or environment variables are supported:
|
|||||||
to be applied to the state file.
|
to be applied to the state file.
|
||||||
* `shared_credentials_file` - (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the `ALICLOUD_SHARED_CREDENTIALS_FILE` environment variable. If this is not set and a profile is specified, `~/.aliyun/config.json` will be used.
|
* `shared_credentials_file` - (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the `ALICLOUD_SHARED_CREDENTIALS_FILE` environment variable. If this is not set and a profile is specified, `~/.aliyun/config.json` will be used.
|
||||||
* `profile` - (Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.
|
* `profile` - (Optional, Available in 0.12.8+) This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.
|
||||||
* `assume_role` - (Optional, Available in 0.12.6+) If provided with a role ARN, will attempt to assume this role using the supplied credentials.
|
* `assume_role_role_arn` - (Optional, Available in 0.12.6+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
|
||||||
|
|
||||||
The nested `assume_role` block supports the following:
|
|
||||||
|
|
||||||
* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
|
|
||||||
Terraform executes configuration on account with provided credentials.
|
Terraform executes configuration on account with provided credentials.
|
||||||
|
* `assume_role_policy` - (Optional, Available in 0.12.6+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
|
||||||
* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
|
|
||||||
security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
|
security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
|
||||||
|
* `assume_role_session_name` - (Optional, Available in 0.12.6+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
|
||||||
* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
|
* `assume_role_session_expiration` - (Optional, Available in 0.12.6+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
|
||||||
|
|
||||||
* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
|
|
||||||
|
|
||||||
-> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"
|
-> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"
|
||||||
|