Merge pull request #20824 from hashicorp/bugfix/auth

Bugfix: fix missing use of `oidc_token_file_path`, CLI auth with Cloud Shell
hashicorp · Mar 9, 2023 · e48ec9a · e48ec9a
2 parents b5b3d16 + 07accf5
commit e48ec9a
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 12 deletions.
diff --git a/.github/workflows/provider-test.yml b/.github/workflows/provider-test.yml
@@ -35,13 +35,6 @@ jobs:
     needs: [secrets-check]
     if: needs.secrets-check.outputs.available == 'true'
     steps:
-      - name: Azure CLI login
-        run: az login --output none --username="${{ secrets.AZCLI_USERNAME }}" --password="${{ secrets.AZCLI_PASSWORD }}"
-
-      - name: Set OIDC Token
-        run: |
-          echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')"  >>${GITHUB_ENV}
-
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -50,6 +43,16 @@ jobs:
         with:
           go-version-file: ./.go-version
 
+      - name: Azure CLI login
+        run: az login --output none --username="${{ secrets.AZCLI_USERNAME }}" --password="${{ secrets.AZCLI_PASSWORD }}"
+
+      - name: Set OIDC Token
+        run: |
+          echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV}
+
+      - name: Set OIDC Token File Path
+        run: echo "${ARM_OIDC_TOKEN}" >"${RUNNER_TEMP}/oidc-token.jwt" && echo "ARM_OIDC_TOKEN_FILE_PATH=${RUNNER_TEMP}/oidc-token.jwt" >>${GITHUB_ENV}
+
       - name: Run provider tests
         run: make testacc TEST=./internal/provider TESTARGS="-run '^TestAcc'"
         env:
@@ -60,4 +63,8 @@ jobs:
           ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
           ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 
+      - name: Clean Up OIDC Token File Path
+        run: rm -f "${RUNNER_TEMP}/oidc-token.jwt"
+        if: always()
+
 # vim: set ts=2 sts=2 sw=2 et:
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -366,9 +366,13 @@ func providerConfigure(p *schema.Provider) schema.ConfigureContextFunc {
 			}
 		}
 
+		oidcToken, err := getOidcToken(d)
+		if err != nil {
+			return nil, diag.FromErr(err)
+		}
+
 		var (
 			env *environments.Environment
-			err error
 
 			envName      = d.Get("environment").(string)
 			metadataHost = d.Get("metadata_host").(string)
@@ -399,7 +403,7 @@ func providerConfigure(p *schema.Provider) schema.ConfigureContextFunc {
 			ClientCertificatePassword: d.Get("client_certificate_password").(string),
 			ClientSecret:              d.Get("client_secret").(string),
 
-			OIDCAssertionToken:          d.Get("oidc_token").(string),
+			OIDCAssertionToken:          *oidcToken,
 			GitHubOIDCTokenRequestURL:   d.Get("oidc_request_url").(string),
 			GitHubOIDCTokenRequestToken: d.Get("oidc_request_token").(string),
 
@@ -484,6 +488,28 @@ func decodeCertificate(clientCertificate string) ([]byte, error) {
 	return pfx, nil
 }
 
+func getOidcToken(d *schema.ResourceData) (*string, error) {
+	idToken := strings.TrimSpace(d.Get("oidc_token").(string))
+
+	if path := d.Get("oidc_token_file_path").(string); path != "" {
+		fileTokenRaw, err := os.ReadFile(path)
+
+		if err != nil {
+			return nil, fmt.Errorf("reading OIDC Token from file %q: %v", path, err)
+		}
+
+		fileToken := strings.TrimSpace(string(fileTokenRaw))
+
+		if idToken != "" && idToken != fileToken {
+			return nil, fmt.Errorf("mismatch between supplied OIDC token and supplied OIDC token file contents - please either remove one or ensure they match")
+		}
+
+		idToken = fileToken
+	}
+
+	return &idToken, nil
+}
+
 const resourceProviderRegistrationErrorFmt = `Error ensuring Resource Providers are registered.
 
 Terraform automatically attempts to register the Resource Providers it supports to

diff --git a/internal/provider/provider_test.go b/internal/provider/provider_test.go
@@ -271,8 +271,8 @@ func TestAccProvider_genericOidcAuth(t *testing.T) {
 	if os.Getenv("TF_ACC") == "" {
 		t.Skip("TF_ACC not set")
 	}
-	if os.Getenv("ARM_OIDC_TOKEN") == "" {
-		t.Skip("ARM_OIDC_TOKEN not set")
+	if os.Getenv("ARM_OIDC_TOKEN") == "" && os.Getenv("ARM_OIDC_TOKEN_FILE_PATH") == "" {
+		t.Skip("ARM_OIDC_TOKEN or ARM_OIDC_TOKEN_FILE_PATH not set")
 	}
 
 	logging.SetOutput(t)
@@ -289,12 +289,17 @@ func TestAccProvider_genericOidcAuth(t *testing.T) {
 			t.Fatalf("configuring environment %q: %v", envName, err)
 		}
 
+		oidcToken, err := getOidcToken(d)
+		if err != nil {
+			return nil, diag.FromErr(err)
+		}
+
 		authConfig := &auth.Credentials{
 			Environment:                   *env,
 			TenantID:                      d.Get("tenant_id").(string),
 			ClientID:                      d.Get("client_id").(string),
 			EnableAuthenticationUsingOIDC: true,
-			OIDCAssertionToken:            d.Get("oidc_token").(string),
+			OIDCAssertionToken:            *oidcToken,
 		}
 
 		return buildClient(ctx, provider, d, authConfig)