Log identities executing changes in terraform (#4620) (#3266)

Co-authored-by: upodroid <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: upodroid <[email protected]>

Author: modular-magician

.changelog/4620.txt

@@ -0,0 +1,2 @@
+```release-note:none
+```

google-beta/config.go

@@ -271,7 +271,7 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
 
 	c.context = ctx
 
-	tokenSource, err := c.getTokenSource(c.Scopes)
+	tokenSource, err := c.getTokenSource(c.Scopes, false)
 	if err != nil {
 		return err
 	}
@@ -283,6 +283,12 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
 	// 1. OAUTH2 TRANSPORT/CLIENT - sets up proper auth headers
 	client := oauth2.NewClient(cleanCtx, tokenSource)
 
+	// Userinfo is fetched before request logging is enabled to reduce additional noise.
+	err = c.logGoogleIdentities()
+	if err != nil {
+		return err
+	}
+
 	// 2. Logging Transport - ensure we log HTTP requests to GCP APIs.
 	loggingTransport := logging.NewTransport("Google", client.Transport)
 
@@ -359,8 +365,57 @@ func (c *Config) synchronousTimeout() time.Duration {
 	return c.RequestTimeout
 }
 
-func (c *Config) getTokenSource(clientScopes []string) (oauth2.TokenSource, error) {
-	creds, err := c.GetCredentials(clientScopes)
+// Print Identities executing terraform API Calls.
+func (c *Config) logGoogleIdentities() error {
+	if c.ImpersonateServiceAccount == "" {
+
+		tokenSource, err := c.getTokenSource(c.Scopes, true)
+		if err != nil {
+			return err
+		}
+		c.client = oauth2.NewClient(c.context, tokenSource) // c.client isn't initialised fully when this code is called.
+
+		email, err := GetCurrentUserEmail(c, c.userAgent)
+		if err != nil {
+			log.Printf("[INFO] error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+		}
+
+		log.Printf("[INFO] Terraform is using this identity: %s", email)
+
+		return nil
+
+	}
+
+	// Drop Impersonated ClientOption from OAuth2 TokenSource to infer original identity
+
+	tokenSource, err := c.getTokenSource(c.Scopes, true)
+	if err != nil {
+		return err
+	}
+	c.client = oauth2.NewClient(c.context, tokenSource) // c.client isn't initialised fully when this code is called.
+
+	email, err := GetCurrentUserEmail(c, c.userAgent)
+	if err != nil {
+		log.Printf("[INFO] error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+	}
+
+	log.Printf("[INFO] Terraform is configured with service account impersonation, original identity: %s, impersonated identity: %s", email, c.ImpersonateServiceAccount)
+
+	// Add the Impersonated ClientOption back in to the OAuth2 TokenSource
+
+	tokenSource, err = c.getTokenSource(c.Scopes, false)
+	if err != nil {
+		return err
+	}
+	c.client = oauth2.NewClient(c.context, tokenSource) // c.client isn't initialised fully when this code is called.
+
+	return nil
+}
+
+// Get a TokenSource based on the Google Credentials configured.
+// If initialCredentialsOnly is true, don't follow the impersonation settings and return the initial set of creds.
+func (c *Config) getTokenSource(clientScopes []string, initialCredentialsOnly bool) (oauth2.TokenSource, error) {
+	creds, err := c.GetCredentials(clientScopes, initialCredentialsOnly)
 	if err != nil {
 		return nil, fmt.Errorf("%s", err)
 	}
@@ -877,7 +932,10 @@ type staticTokenSource struct {
 	oauth2.TokenSource
 }
 
-func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials, error) {
+// Get a set of credentials with a given scope (clientScopes) based on the Config object.
+// If initialCredentialsOnly is true, don't follow the impersonation settings and return the initial set of creds
+// instead.
+func (c *Config) GetCredentials(clientScopes []string, initialCredentialsOnly bool) (googleoauth.Credentials, error) {
 
 	if c.AccessToken != "" {
 		contents, _, err := pathOrContents(c.AccessToken)
@@ -886,7 +944,7 @@ func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials,
 		}
 		token := &oauth2.Token{AccessToken: contents}
 
-		if c.ImpersonateServiceAccount != "" {
+		if c.ImpersonateServiceAccount != "" && !initialCredentialsOnly {
 			opts := []option.ClientOption{option.WithTokenSource(oauth2.StaticTokenSource(token)), option.ImpersonateCredentials(c.ImpersonateServiceAccount, c.ImpersonateServiceAccountDelegates...), option.WithScopes(clientScopes...)}
 			creds, err := transport.Creds(context.TODO(), opts...)
 			if err != nil {
@@ -908,7 +966,7 @@ func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials,
 		if err != nil {
 			return googleoauth.Credentials{}, fmt.Errorf("error loading credentials: %s", err)
 		}
-		if c.ImpersonateServiceAccount != "" {
+		if c.ImpersonateServiceAccount != "" && !initialCredentialsOnly {
 			opts := []option.ClientOption{option.WithCredentialsJSON([]byte(contents)), option.ImpersonateCredentials(c.ImpersonateServiceAccount, c.ImpersonateServiceAccountDelegates...), option.WithScopes(clientScopes...)}
 			creds, err := transport.Creds(context.TODO(), opts...)
 			if err != nil {
@@ -926,7 +984,7 @@ func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials,
 		return *creds, nil
 	}
 
-	if c.ImpersonateServiceAccount != "" {
+	if c.ImpersonateServiceAccount != "" && !initialCredentialsOnly {
 		opts := option.ImpersonateCredentials(c.ImpersonateServiceAccount, c.ImpersonateServiceAccountDelegates...)
 		creds, err := transport.Creds(context.TODO(), opts, option.WithScopes(clientScopes...))
 		if err != nil {

google-beta/data_source_google_service_account_id_token.go

@@ -69,7 +69,7 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 	}
 
 	targetAudience := d.Get("target_audience").(string)
-	creds, err := config.GetCredentials([]string{userInfoScope})
+	creds, err := config.GetCredentials([]string{userInfoScope}, false)
 	if err != nil {
 		return fmt.Errorf("error calling getCredentials(): %v", err)
 	}

google-beta/userinfo.go

@@ -491,6 +491,16 @@ func multiEnvSearch(ks []string) string {
 	return ""
 }
 
+func GetCurrentUserEmail(config *Config, userAgent string) (string, error) {
+	// See https://github.com/golang/oauth2/issues/306 for a recommendation to do this from a Go maintainer
+	// URL retrieved from https://accounts.google.com/.well-known/openid-configuration
+	res, err := sendRequest(config, "GET", "", "https://openidconnect.googleapis.com/v1/userinfo", userAgent, nil)
+	if err != nil {
+		return "", fmt.Errorf("error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+	}
+	return res["email"].(string), nil
+}
+
 func checkStringMap(v interface{}) map[string]string {
 	m, ok := v.(map[string]string)
 	if ok {