Added - Support for Resource Principle Auth

Maxrovr · jotruon · commit eaead1079893 · 2022-03-18T12:55:54.000-07:00
diff --git a/internal/acctest/provider_test.go b/internal/acctest/provider_test.go
@@ -648,3 +648,36 @@ func TestUnitSecurityToken_basic(t *testing.T) {
 	_, err = client.ListRegions(context.Background())
 	assert.NoError(t, err)
 }
+
+// issue-routing-tag: terraform/default
+func TestUnitResourcePrincipal_basic(t *testing.T) {
+	t.Skip("Run manually with a valid Resource Principle Session Token.")
+	httpreplay.SetScenario("TestUnitResourcePrincipal_basic")
+	defer httpreplay.SaveScenario()
+
+	r := &schema.Resource{
+		Schema: provider.SchemaMap(),
+	}
+	d := r.Data(nil)
+	d.Set("auth", globalvar.ResourcePrincipal)
+
+	// Run CLI command "oci session authenticate" to get token and profile
+	clients := &tf_client.OracleClients{
+		SdkClientMap:  make(map[string]interface{}, len(tf_client.OracleClientRegistrationsVar.RegisteredClients)),
+		Configuration: make(map[string]string),
+	}
+	sdkConfigProvider, err := provider.GetSdkConfigProvider(d, clients)
+
+	// Assert creation of IdentityClient With ConfigurationProvider
+	client, err := oci_identity.NewIdentityClientWithConfigurationProvider(sdkConfigProvider)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, client.Host)
+
+	// Assert that Authorization header KeyId contains ST$
+	keyId, _ := sdkConfigProvider.KeyID()
+	assert.True(t, strings.HasPrefix(keyId, "ST$"))
+
+	// Assert that this auth type can successfully authenticate and authorize list regions
+	_, err = client.ListRegions(context.Background())
+	assert.NoError(t, err)
+}
diff --git a/internal/globalvar/constants.go b/internal/globalvar/constants.go
@@ -7,6 +7,7 @@ const (
 	AuthInstancePrincipalSetting          = "InstancePrincipal"
 	AuthInstancePrincipalWithCertsSetting = "InstancePrincipalWithCerts"
 	AuthSecurityToken                     = "SecurityToken"
+	ResourcePrincipal                     = "ResourcePrincipal"
 	RequestHeaderOpcOboToken              = "opc-obo-token"
 	RequestHeaderOpcHostSerial            = "opc-host-serial"
 	DefaultRequestTimeout                 = 0
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -93,7 +93,7 @@ func ociVarName(attrName string) string {
 
 func init() {
 	descriptions = map[string]string{
-		globalvar.AuthAttrName:        fmt.Sprintf("(Optional) The type of auth to use. Options are '%s', '%s' and '%s'. By default, '%s' will be used.", globalvar.AuthAPIKeySetting, globalvar.AuthSecurityToken, globalvar.AuthInstancePrincipalSetting, globalvar.AuthAPIKeySetting),
+		globalvar.AuthAttrName:        fmt.Sprintf("(Optional) The type of auth to use. Options are '%s', '%s' and '%s' and '%s'. By default, '%s' will be used.", globalvar.AuthAPIKeySetting, globalvar.AuthSecurityToken, globalvar.AuthInstancePrincipalSetting, globalvar.ResourcePrincipal, globalvar.AuthAPIKeySetting),
 		globalvar.TenancyOcidAttrName: fmt.Sprintf("(Optional) The tenancy OCID for a user. The tenancy OCID can be found at the bottom of user settings in the Oracle Cloud Infrastructure console. Required if auth is set to '%s', ignored otherwise.", globalvar.AuthAPIKeySetting),
 		globalvar.UserOcidAttrName:    fmt.Sprintf("(Optional) The user OCID. This can be found in user settings in the Oracle Cloud Infrastructure console. Required if auth is set to '%s', ignored otherwise.", globalvar.AuthAPIKeySetting),
 		globalvar.FingerprintAttrName: fmt.Sprintf("(Optional) The fingerprint for the user's RSA key. This can be found in user settings in the Oracle Cloud Infrastructure console. Required if auth is set to '%s', ignored otherwise.", globalvar.AuthAPIKeySetting),
@@ -129,7 +129,7 @@ func SchemaMap() map[string]*schema.Schema {
 			Optional:     true,
 			Description:  descriptions[globalvar.AuthAttrName],
 			DefaultFunc:  schema.MultiEnvDefaultFunc([]string{tfVarName(globalvar.AuthAttrName), ociVarName(globalvar.AuthAttrName)}, globalvar.AuthAPIKeySetting),
-			ValidateFunc: validation.StringInSlice([]string{globalvar.AuthAPIKeySetting, globalvar.AuthInstancePrincipalSetting, globalvar.AuthInstancePrincipalWithCertsSetting, globalvar.AuthSecurityToken}, true),
+			ValidateFunc: validation.StringInSlice([]string{globalvar.AuthAPIKeySetting, globalvar.AuthInstancePrincipalSetting, globalvar.AuthInstancePrincipalWithCertsSetting, globalvar.AuthSecurityToken, globalvar.ResourcePrincipal}, true),
 		},
 		globalvar.TenancyOcidAttrName: {
 			Type:        schema.TypeString,
@@ -412,7 +412,6 @@ func getConfigProviders(d *schema.ResourceData, auth string) ([]oci_common.Confi
 		log.Printf("[DEBUG] Configuration provided by: %s", cfg)
 
 		configProviders = append(configProviders, cfg)
-
 	case strings.ToLower(globalvar.AuthSecurityToken):
 		_, ok := utils.CheckIncompatibleAttrsForApiKeyAuth(d, ApiKeyConfigAttributes)
 		if !ok {
@@ -443,8 +442,14 @@ func getConfigProviders(d *schema.ResourceData, auth string) ([]oci_common.Confi
 			return nil, fmt.Errorf("Security token is invalid ")
 		}
 		configProviders = append(configProviders, securityTokenBasedAuthConfigProvider)
+	case strings.ToLower(globalvar.ResourcePrincipal):
+		resourcePrincipalAuthConfigProvider, err := oci_common_auth.ResourcePrincipalConfigurationProvider()
+		if err != nil {
+			return nil, err
+		}
+		configProviders = append(configProviders, resourcePrincipalAuthConfigProvider)
 	default:
-		return nil, fmt.Errorf("auth must be one of '%s' or '%s' or '%s' or '%s'", globalvar.AuthAPIKeySetting, globalvar.AuthInstancePrincipalSetting, globalvar.AuthInstancePrincipalWithCertsSetting, globalvar.AuthSecurityToken)
+		return nil, fmt.Errorf("auth must be one of '%s' or '%s' or '%s' or '%s' or '%s'", globalvar.AuthAPIKeySetting, globalvar.AuthInstancePrincipalSetting, globalvar.AuthInstancePrincipalWithCertsSetting, globalvar.AuthSecurityToken, globalvar.ResourcePrincipal)
 	}
 
 	return configProviders, nil
