Prevent User, Group and Compartment from resolving the wrong TenancyOCID with InstancePrincipal auth

Author: ccushing

oci/identity_compartment_resource.go

@@ -96,6 +96,7 @@ func createCompartment(d *schema.ResourceData, m interface{}) error {
 	sync := &CompartmentResourceCrud{}
 	sync.D = d
 	sync.Client = m.(*OracleClients).identityClient
+	sync.Configuration = m.(*OracleClients).configuration
 
 	return CreateResource(d, sync)
 }
@@ -132,6 +133,7 @@ func deleteCompartment(d *schema.ResourceData, m interface{}) error {
 type CompartmentResourceCrud struct {
 	BaseCrud
 	Client                 *oci_identity.IdentityClient
+	Configuration          map[string]string
 	Res                    *oci_identity.Compartment
 	DisableNotFoundRetries bool
 }
@@ -171,6 +173,10 @@ func (s *CompartmentResourceCrud) Create() error {
 		tmp := compartmentId.(string)
 		request.CompartmentId = &tmp
 	} else { // @next-break: remove
+		// Prevent potentially inferring wrong TenancyOCID from InstancePrincipal
+		if auth := s.Configuration["auth"]; strings.ToLower(auth) == strings.ToLower(authInstancePrincipalSetting) {
+			return fmt.Errorf("compartment_id must be specified for this resource")
+		}
 		// Maintain legacy contract of compartment_id defaulting to tenancy ocid if not specified
 		c := *s.Client.ConfigurationProvider()
 		if c == nil {

oci/identity_group_resource.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/terraform/helper/schema"
@@ -86,6 +87,7 @@ func createGroup(d *schema.ResourceData, m interface{}) error {
 	sync := &GroupResourceCrud{}
 	sync.D = d
 	sync.Client = m.(*OracleClients).identityClient
+	sync.Configuration = m.(*OracleClients).configuration
 
 	return CreateResource(d, sync)
 }
@@ -118,6 +120,7 @@ func deleteGroup(d *schema.ResourceData, m interface{}) error {
 type GroupResourceCrud struct {
 	BaseCrud
 	Client                 *oci_identity.IdentityClient
+	Configuration          map[string]string
 	Res                    *oci_identity.Group
 	DisableNotFoundRetries bool
 }
@@ -156,7 +159,12 @@ func (s *GroupResourceCrud) Create() error {
 	if compartmentId, ok := s.D.GetOkExists("compartment_id"); ok {
 		tmp := compartmentId.(string)
 		request.CompartmentId = &tmp
-	} else {
+	} else { // @next-break: remove
+		// Prevent potentially inferring wrong TenancyOCID from InstancePrincipal
+		if auth := s.Configuration["auth"]; strings.ToLower(auth) == strings.ToLower(authInstancePrincipalSetting) {
+			return fmt.Errorf("compartment_id must be specified for this resource")
+		}
+		// Maintain legacy contract of compartment_id defaulting to tenancy ocid if not specified
 		c := *s.Client.ConfigurationProvider()
 		if c == nil {
 			return fmt.Errorf("cannot access tenancyOCID")

oci/identity_user_resource.go

@@ -5,11 +5,11 @@ package provider
 import (
 	"context"
 	"fmt"
+	"strconv"
+	"strings"
 
 	"github.com/hashicorp/terraform/helper/schema"
 
-	"strconv"
-
 	oci_identity "github.com/oracle/oci-go-sdk/identity"
 )
 
@@ -86,6 +86,7 @@ func createUser(d *schema.ResourceData, m interface{}) error {
 	sync := &UserResourceCrud{}
 	sync.D = d
 	sync.Client = m.(*OracleClients).identityClient
+	sync.Configuration = m.(*OracleClients).configuration
 
 	return CreateResource(d, sync)
 }
@@ -118,6 +119,7 @@ func deleteUser(d *schema.ResourceData, m interface{}) error {
 type UserResourceCrud struct {
 	BaseCrud
 	Client                 *oci_identity.IdentityClient
+	Configuration          map[string]string
 	Res                    *oci_identity.User
 	DisableNotFoundRetries bool
 }
@@ -156,7 +158,12 @@ func (s *UserResourceCrud) Create() error {
 	if compartmentId, ok := s.D.GetOkExists("compartment_id"); ok {
 		tmp := compartmentId.(string)
 		request.CompartmentId = &tmp
-	} else {
+	} else { // @next-break: remove
+		// Prevent potentially inferring wrong TenancyOCID from InstancePrincipal
+		if auth := s.Configuration["auth"]; strings.ToLower(auth) == strings.ToLower(authInstancePrincipalSetting) {
+			return fmt.Errorf("compartment_id must be specified for this resource")
+		}
+		// Maintain legacy contract of compartment_id defaulting to tenancy ocid if not specified
 		c := *s.Client.ConfigurationProvider()
 		if c == nil {
 			return fmt.Errorf("cannot access tenancyOCID")

oci/provider.go

@@ -473,9 +473,10 @@ func validateConfigForAPIKeyAuth(d *schema.ResourceData) error {
 }
 
 func ProviderConfig(d *schema.ResourceData) (clients interface{}, err error) {
-	clients = &OracleClients{}
+	clients = &OracleClients{configuration: map[string]string{}}
 	disableAutoRetries = d.Get("disable_auto_retries").(bool)
 	auth := strings.ToLower(d.Get("auth").(string))
+	clients.(*OracleClients).configuration["auth"] = auth
 
 	userAgentProviderName := getEnvSettingWithDefault(userAgentProviderNameEnv, defaultUserAgentProviderName)
 	userAgent := fmt.Sprintf(userAgentFormatter, oci_common.Version(), runtime.Version(), runtime.GOOS, runtime.GOARCH, terraform.VersionString(), userAgentProviderName, Version)

oci/provider_clients.go

@@ -279,6 +279,7 @@ type OracleClients struct {
 	loadBalancerClient      *oci_load_balancer.LoadBalancerClient
 	objectStorageClient     *oci_object_storage.ObjectStorageClient
 	virtualNetworkClient    *oci_core.VirtualNetworkClient
+	configuration           map[string]string
 }
 
 func (m *OracleClients) KmsCryptoClient(endpoint string) (*oci_kms.KmsCryptoClient, error) {