- Use latest tombuildsstuff/giovanni which has switched to the go-azure-sdk base layer - Support for sdk-level retries for known eventually consistent scenarios - Support for AAD authentication for all data plane APIs (where the API supports it) - `azurerm_storage_share_directory`: deprecate `share_name` and `storage_account_name` in favor of `storage_share_id` - Refactor data plane client helpers to be operation-aware, so that supported authentication methods can be determined not just by endpoint but also by the operation (enables more granular support for preferred authentication methods). - Some tidying of `provider` package - move helper functions into own source file - Some tidying of `services/storage/client` package - move data plane client helpers into own source file
1 parent
d4e7dea
commit ab0d29a
Showing
57 changed files
with
1,622 additions
and
1,359 deletions.
@@ -0,0 +1,128 @@ | ||
package provider | ||
|
||
import ( | ||
"encoding/base64" | ||
"fmt" | ||
"os" | ||
"strings" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
) | ||
|
||
func decodeCertificate(clientCertificate string) ([]byte, error) { | ||
var pfx []byte | ||
if clientCertificate != "" { | ||
out := make([]byte, base64.StdEncoding.DecodedLen(len(clientCertificate))) | ||
n, err := base64.StdEncoding.Decode(out, []byte(clientCertificate)) | ||
if err != nil { | ||
return pfx, fmt.Errorf("could not decode client certificate data: %v", err) | ||
} | ||
pfx = out[:n] | ||
} | ||
return pfx, nil | ||
} | ||
|
||
func getOidcToken(d *schema.ResourceData) (*string, error) { | ||
idToken := strings.TrimSpace(d.Get("oidc_token").(string)) | ||
|
||
if path := d.Get("oidc_token_file_path").(string); path != "" { | ||
fileTokenRaw, err := os.ReadFile(path) | ||
|
||
if err != nil { | ||
return nil, fmt.Errorf("reading OIDC Token from file %q: %v", path, err) | ||
} | ||
|
||
fileToken := strings.TrimSpace(string(fileTokenRaw)) | ||
|
||
if idToken != "" && idToken != fileToken { | ||
return nil, fmt.Errorf("mismatch between supplied OIDC token and supplied OIDC token file contents - please either remove one or ensure they match") | ||
} | ||
|
||
idToken = fileToken | ||
} | ||
|
||
if d.Get("use_aks_workload_identity").(bool) && os.Getenv("AZURE_FEDERATED_TOKEN_FILE") != "" { | ||
path := os.Getenv("AZURE_FEDERATED_TOKEN_FILE") | ||
fileTokenRaw, err := os.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE")) | ||
|
||
if err != nil { | ||
return nil, fmt.Errorf("reading OIDC Token from file %q provided by AKS Workload Identity: %v", path, err) | ||
} | ||
|
||
fileToken := strings.TrimSpace(string(fileTokenRaw)) | ||
|
||
if idToken != "" && idToken != fileToken { | ||
return nil, fmt.Errorf("mismatch between supplied OIDC token and OIDC token file contents provided by AKS Workload Identity - please either remove one, ensure they match, or disable use_aks_workload_identity") | ||
} | ||
|
||
idToken = fileToken | ||
} | ||
|
||
return &idToken, nil | ||
} | ||
|
||
func getClientId(d *schema.ResourceData) (*string, error) { | ||
clientId := strings.TrimSpace(d.Get("client_id").(string)) | ||
|
||
if path := d.Get("client_id_file_path").(string); path != "" { | ||
fileClientIdRaw, err := os.ReadFile(path) | ||
|
||
if err != nil { | ||
return nil, fmt.Errorf("reading Client ID from file %q: %v", path, err) | ||
} | ||
|
||
fileClientId := strings.TrimSpace(string(fileClientIdRaw)) | ||
|
||
if clientId != "" && clientId != fileClientId { | ||
return nil, fmt.Errorf("mismatch between supplied Client ID and supplied Client ID file contents - please either remove one or ensure they match") | ||
} | ||
|
||
clientId = fileClientId | ||
} | ||
|
||
if d.Get("use_aks_workload_identity").(bool) && os.Getenv("AZURE_CLIENT_ID") != "" { | ||
aksClientId := os.Getenv("AZURE_CLIENT_ID") | ||
if clientId != "" && clientId != aksClientId { | ||
return nil, fmt.Errorf("mismatch between supplied Client ID and that provided by AKS Workload Identity - please remove, ensure they match, or disable use_aks_workload_identity") | ||
} | ||
clientId = aksClientId | ||
} | ||
|
||
return &clientId, nil | ||
} | ||
|
||
func getClientSecret(d *schema.ResourceData) (*string, error) { | ||
clientSecret := strings.TrimSpace(d.Get("client_secret").(string)) | ||
|
||
if path := d.Get("client_secret_file_path").(string); path != "" { | ||
fileSecretRaw, err := os.ReadFile(path) | ||
|
||
if err != nil { | ||
return nil, fmt.Errorf("reading Client Secret from file %q: %v", path, err) | ||
} | ||
|
||
fileSecret := strings.TrimSpace(string(fileSecretRaw)) | ||
|
||
if clientSecret != "" && clientSecret != fileSecret { | ||
return nil, fmt.Errorf("mismatch between supplied Client Secret and supplied Client Secret file contents - please either remove one or ensure they match") | ||
} | ||
|
||
clientSecret = fileSecret | ||
} | ||
|
||
return &clientSecret, nil | ||
} | ||
|
||
func getTenantId(d *schema.ResourceData) (*string, error) { | ||
tenantId := strings.TrimSpace(d.Get("tenant_id").(string)) | ||
|
||
if d.Get("use_aks_workload_identity").(bool) && os.Getenv("AZURE_TENANT_ID") != "" { | ||
aksTenantId := os.Getenv("AZURE_TENANT_ID") | ||
if tenantId != "" && tenantId != aksTenantId { | ||
return nil, fmt.Errorf("mismatch between supplied Tenant ID and that provided by AKS Workload Identity - please remove, ensure they match, or disable use_aks_workload_identity") | ||
} | ||
tenantId = aksTenantId | ||
} | ||
|
||
return &tenantId, nil | ||
} |
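Review bot: In getOidcToken the AKS Workload Identity branch (the `use_aks_workload_identity` check) reads `AZURE_FEDERATED_TOKEN_FILE` from the environment three times and then ignores the `path` it just captured when calling `os.ReadFile`; read it once and pass `path`, as the `oidc_token_file_path` branch above it already does: `fileTokenRaw, err := os.ReadFile(path)`. getClientId and getTenantId repeat the double `os.Getenv` lookup for `AZURE_CLIENT_ID` and `AZURE_TENANT_ID`. Separately, the `os.ReadFile` and base64 errors are wrapped with `%v` rather than `%w`, which drops the underlying `*fs.PathError` so a caller cannot tell a missing token or secret file from a permission error with `errors.Is`; `%w` is a drop-in replacement in each `fmt.Errorf`. These helpers also carry no doc comments; a one-line comment on each stating the precedence (inline value, then file contents, then the AKS environment, with a mismatch between any two being an error) would make the merge rules explicit for maintainers.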