Merge pull request #257 from jfrog/add-multiple-tfc-workload-identity-tokens-support

Add multiple tfc workload identity tokens support
alexhung authored Oct 17, 2024
2 parents 3c193f2 + bd769af commit 457d33f
Showing 13 changed files with 111 additions and 87 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,9 @@
## 2.13.0 (October 17, 2024). Tested on Artifactory 7.90.14 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.3

IMPROVEMENTS:

* provider: Add `tfc_credential_tag_name` configuration attribute to support use of different/[multiple Workload Identity Token in Terraform Cloud Platform](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens). Issue: [#68](https://github.com/jfrog/terraform-provider-shared/issues/68) PR: [#257](https://github.com/jfrog/terraform-provider-xray/issues/257)

## 2.12.0 (October 4, 2024). Tested on Artifactory 7.90.13 and Xray 3.104.15 with Terraform 1.9.7 and OpenTofu 1.8.2

BUG FIXES:
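Review bot: The link labelled "PR" in the new `tfc_credential_tag_name` entry points at `https://github.com/jfrog/terraform-provider-xray/issues/257`; use the `/pull/257` path so it targets the pull request directly instead of relying on GitHub's issue-to-PR redirect. The phrase "different/[multiple Workload Identity Token" also reads awkwardly; "different or multiple Workload Identity Tokens" would be clearer.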
4 changes: 4 additions & 0 deletions docs/index.md
@@ -499,6 +499,8 @@ In your workspace, add an environment variable `TFC_WORKLOAD_IDENTITY_AUDIENCE`

When a run starts on Terraform Cloud, it will create a workload identity token with the specified audience and assigns it to the environment variable `TFC_WORKLOAD_IDENTITY_TOKEN` for the provider to consume.

See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details on using different tokens.

#### Setup Terraform Cloud in your configuration

Add `cloud` block to `terraform` block, and add `oidc_provider_name` attribute (from JFrog OIDC integration) to provider block:
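Review bot: The new paragraph only links out for the multi-token case, while the step just above still tells the reader to set the untagged `TFC_WORKLOAD_IDENTITY_AUDIENCE` and says the token arrives in `TFC_WORKLOAD_IDENTITY_TOKEN`. State here what the workspace must configure for a tagged token and that the provider then reads the suffixed `TFC_WORKLOAD_IDENTITY_TOKEN_<TAG>` variable (the convention documented later in this diff), so a reader does not set the tag name in the provider while the workspace still issues only the untagged token.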
@@ -523,6 +525,7 @@ terraform {
provider "xray" {
url = "https://myinstance.jfrog.io"
oidc_provider_name = "terraform-cloud"
tfc_credential_tag_name = "JFROG"
}
```

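Review bot: The example now hardcodes `tfc_credential_tag_name = "JFROG"` in the provider block without tying it to anything in the workspace step; add a short comment or sentence saying the value must match the tag used when generating the token in the workspace, and consider showing the attribute as optional (for example commented out) since the single untagged token remains the default setup.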
@@ -536,4 +539,5 @@ provider "xray" {
- `access_token` (String, Sensitive) This is a bearer token that can be given to you by your admin under `Identity and Access`
- `check_license` (Boolean, Deprecated) Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.
- `oidc_provider_name` (String) OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details.
- `tfc_credential_tag_name` (String) Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.
- `url` (String) URL of Xray. This can also be sourced from the `XRAY_URL` or `JFROG_URL` environment variable. Default to 'http://localhost:8081' if not set.
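Review bot: The `tfc_credential_tag_name` description says the provider "will attempt to use" the suffixed variable but does not say what happens when `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is unset or empty. A silent fallback to `TFC_WORKLOAD_IDENTITY_TOKEN` would authenticate with a different identity than the one the operator configured, so document either that the provider fails with an explicit error or exactly which fallback applies. Since the value is concatenated into an environment variable name, also state (and validate) the accepted characters for the tag.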
16 changes: 8 additions & 8 deletions docs/resources/license_policy.md
@@ -96,13 +96,13 @@ resource "xray_license_policy" "banned_licenses" {
### Required

- `name` (String) Name of the policy (must be unique)
- `rule` (Block Set, Min: 1) A list of user-defined rules allowing you to trigger violations for specific vulnerability or license breaches by setting a license or security criteria, with a corresponding set of automatic actions according to your needs. Rules are processed according to the ascending order in which they are placed in the Rules list on the Policy. If a rule is met, the subsequent rules in the list will not be applied. (see [below for nested schema](#nestedblock--rule))
- `type` (String) Type of the policy

### Optional

- `description` (String) More verbose description of the policy
- `project_key` (String) Project key for assigning this resource to. Must be 2 - 10 lowercase alphanumeric and hyphen characters.
- `rule` (Block Set) A list of user-defined rules allowing you to trigger violations for specific vulnerability or license breaches by setting a license or security criteria, with a corresponding set of automatic actions according to your needs. Rules are processed according to the ascending order in which they are placed in the Rules list on the Policy. If a rule is met, the subsequent rules in the list will not be applied. (see [below for nested schema](#nestedblock--rule))

### Read-Only

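Review bot: `rule` has moved from Required (`Min: 1`) to Optional, so the schema now accepts a license policy with no rules, yet the description still says rules are "processed according to the ascending order"; document what a rule-less policy does (it can never trigger a violation) or keep a minimum-of-one validator. This relaxation is also unrelated to the PR title, so it should be called out in the CHANGELOG or split into its own change.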
@@ -116,20 +116,20 @@ resource "xray_license_policy" "banned_licenses" {

Required:

- `actions` (Block Set, Min: 1, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set, Min: 1, Max: 1) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))
- `name` (String) Name of the rule
- `priority` (Number) Integer describing the rule priority. Must be at least 1

<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`
Optional:

Required:
- `actions` (Block Set) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Optional:

- `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
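Review bot: `actions` and `criteria` lose their `Min: 1, Max: 1` constraints and move under Optional, and `block_download` drops `Min: 1, Max: 1` as well, so a rule can now be declared with no criteria and no actions. Unless the Xray API rejects such a rule, it silently never fires and gives a false sense of enforcement; state the API behaviour in the descriptions or keep the constraints. Note that the rendered `rule.actions` schema now has only an `Optional:` section where it previously had `Required:`.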
@@ -159,7 +159,7 @@ Optional:
- `allow_unknown` (Boolean) A violation will be generated for artifacts with unknown licenses (`true` or `false`).
- `allowed_licenses` (Set of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `banned_licenses` (Set of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
- `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component
- `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component.

## Import

20 changes: 10 additions & 10 deletions docs/resources/licenses_report.md
@@ -48,18 +48,18 @@ resource "xray_licenses_report" "report" {

### Required

- `filters` (Block Set, Min: 1) Advanced filters. (see [below for nested schema](#nestedblock--filters))
- `name` (String) Name of the report.
- `resources` (Block Set, Min: 1, Max: 1) The list of resources to include into the report. (see [below for nested schema](#nestedblock--resources))

### Optional

- `filters` (Block Set) Advanced filters. (see [below for nested schema](#nestedblock--filters))
- `project_key` (String) Project key for assigning this resource to. Must be 2 - 10 lowercase alphanumeric and hyphen characters.
- `report_id` (Number) Report ID
- `resources` (Block Set) The list of resources to include into the report. (see [below for nested schema](#nestedblock--resources))

### Read-Only

- `id` (String) The ID of this resource.
- `report_id` (Number) Report ID

<a id="nestedblock--filters"></a>
### Nested Schema for `filters`
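Review bot: Moving `report_id` to Read-Only is the right fix since it is assigned by the server, but `filters` and `resources` becoming Optional (with `resources` also losing `Max: 1`) means a report can be declared with no resources at all; document what scope such a report covers, or restore the minimum-of-one constraint on `resources`. The bare "Report ID" description could also say it is assigned by Xray on creation.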
@@ -70,7 +70,7 @@ Optional:
- `component` (String) Artifact's component.
- `license_names` (Set of String) Filter licenses by names. Only one of 'license_names' or 'license_patterns' can be set.
- `license_patterns` (Set of String) Filter licenses by patterns. Only one of 'license_names' or 'license_patterns' can be set.
- `scan_date` (Block Set, Max: 1) (see [below for nested schema](#nestedblock--filters--scan_date))
- `scan_date` (Block Set) (see [below for nested schema](#nestedblock--filters--scan_date))
- `unknown` (Boolean) Unknown displays the components that Xray could not discover any licenses for.
- `unrecognized` (Boolean) Unrecognized displays the components that Xray found licenses for, but these licenses are not Xray recognized licenses.

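Review bot: `scan_date` drops `Max: 1`, which implies more than one scan date block is now accepted; describe how several ranges combine, or keep the limit. The entry still has no description at all, so add one (for example that it restricts the report to components scanned within the range).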
@@ -79,8 +79,8 @@ Optional:

Optional:

- `end` (String) Scan end date.
- `start` (String) Scan start date.
- `end` (String) Scanned end date.
- `start` (String) Scanned start date.



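Review bot: Renaming "Scan end date" to "Scanned end date" does not add what a user actually needs here, the expected date format; "Scan end date" was the clearer wording, and the description should state the accepted format instead.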
@@ -89,9 +89,9 @@ Optional:

Optional:

- `builds` (Block Set, Max: 1) The builds to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--builds))
- `projects` (Block Set, Max: 1) The projects to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--projects))
- `release_bundles` (Block Set, Max: 1) The release bundles to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--release_bundles))
- `builds` (Block Set) The builds to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--builds))
- `projects` (Block Set) The projects to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--projects))
- `release_bundles` (Block Set) The release bundles to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--release_bundles))
- `repository` (Block Set) The list of repositories for the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--repository))

<a id="nestedblock--resources--builds"></a>
@@ -110,7 +110,7 @@ Optional:

Optional:

- `include_key_patterns` (Set of String) The list of include patterns.
- `include_key_patterns` (Set of String) The list of include patterns
- `names` (Set of String) The list of project names.
- `number_of_latest_versions` (Number) The number of latest release bundle versions to include to the report.

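Review bot: The trailing period on `include_key_patterns` is removed while the neighbouring `names` and `number_of_latest_versions` entries keep theirs; since these docs are generated from the schema description strings, restore the period in the schema so the list stays consistent.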
20 changes: 10 additions & 10 deletions docs/resources/operational_risk_policy.md
@@ -92,13 +92,13 @@ resource "xray_operational_risk_policy" "custom_criteria" {
### Required

- `name` (String) Name of the policy (must be unique)
- `rule` (Block Set, Min: 1) A list of user-defined rules allowing you to trigger violations for specific vulnerability or license breaches by setting a license or security criteria, with a corresponding set of automatic actions according to your needs. Rules are processed according to the ascending order in which they are placed in the Rules list on the Policy. If a rule is met, the subsequent rules in the list will not be applied. (see [below for nested schema](#nestedblock--rule))
- `type` (String) Type of the policy

### Optional

- `description` (String) More verbose description of the policy
- `project_key` (String) Project key for assigning this resource to. Must be 2 - 10 lowercase alphanumeric and hyphen characters.
- `rule` (Block Set) A list of user-defined rules allowing you to trigger violations for specific vulnerability or license breaches by setting a license or security criteria, with a corresponding set of automatic actions according to your needs. Rules are processed according to the ascending order in which they are placed in the Rules list on the Policy. If a rule is met, the subsequent rules in the list will not be applied. (see [below for nested schema](#nestedblock--rule))

### Read-Only

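Review bot: `rule` becomes Optional here too, so an operational risk policy can be created with no rules; the same concern raised for `license_policy.md` applies: document the behaviour of a rule-less policy or keep the `Min: 1` constraint, and mention the schema change in the CHANGELOG.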
@@ -112,20 +112,20 @@ resource "xray_operational_risk_policy" "custom_criteria" {

Required:

- `actions` (Block Set, Min: 1, Max: 1) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set, Min: 1, Max: 1) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))
- `name` (String) Name of the rule
- `priority` (Number) Integer describing the rule priority. Must be at least 1

<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`
Optional:

Required:
- `actions` (Block Set) Specifies the actions to take once a security policy violation has been triggered. (see [below for nested schema](#nestedblock--rule--actions))
- `criteria` (Block Set) The set of security conditions to examine when an scanned artifact is scanned. (see [below for nested schema](#nestedblock--rule--criteria))

- `block_download` (Block Set, Min: 1, Max: 1) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
<a id="nestedblock--rule--actions"></a>
### Nested Schema for `rule.actions`

Optional:

- `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
- `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
- `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
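Review bot: As in `license_policy.md`, `actions`, `criteria` and `block_download` lose their `Min: 1, Max: 1` constraints, allowing a rule with neither criteria nor actions; either document that the API rejects such a rule or keep the constraints so a policy cannot be silently ineffective.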
@@ -151,15 +151,15 @@ Optional:

Optional:

- `op_risk_custom` (Block List, Max: 1) Custom Condition (see [below for nested schema](#nestedblock--rule--criteria--op_risk_custom))
- `op_risk_custom` (Block List) Custom Condition (see [below for nested schema](#nestedblock--rule--criteria--op_risk_custom))
- `op_risk_min_risk` (String) The minimum operational risk that will be impacted by the policy: High, Medium, Low

<a id="nestedblock--rule--criteria--op_risk_custom"></a>
### Nested Schema for `rule.criteria.op_risk_custom`

Required:

- `use_and_condition` (Boolean) Use 'AND' between conditions (true) or 'OR' condition (false)
- `use_and_condition` (Boolean) Use `AND` between conditions (true) or `OR` condition (false)

Optional:

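Review bot: `op_risk_custom` drops `Max: 1`, so a rule may now carry several custom condition blocks; state how multiple blocks interact with `use_and_condition` (which only describes the relation between conditions inside one block) or restore the limit. The `'AND'` to `` `AND` `` quoting change is fine.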
@@ -169,7 +169,7 @@ Optional:
- `newer_versions_greater_than` (Number) Number of releases since greater than: 1, 2, 3, 4, or 5
- `release_cadence_per_year_less_than` (Number) Release cadence less than per year: 1, 2, 3, 4, or 5
- `release_date_greater_than_months` (Number) Release age greater than (in months): 6, 12, 18, 24, 30, or 36
- `risk` (String) Risk severity: low, medium, high
- `risk` (String) Risk severity: Low, Medium, High

## Import

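Review bot: The allowed values for `risk` change from `low, medium, high` to `Low, Medium, High`. If the provider validator or the Xray API is case sensitive, this alters which existing configurations pass validation and needs a CHANGELOG entry and a migration note; if it is case insensitive, say so in the description so the casing change is clearly documentation-only. The new casing does at least match `op_risk_min_risk` above.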
16 changes: 8 additions & 8 deletions docs/resources/operational_risks_report.md
@@ -46,18 +46,18 @@ resource "xray_operational_risks_report" "report" {

### Required

- `filters` (Block Set, Min: 1) Advanced filters. (see [below for nested schema](#nestedblock--filters))
- `name` (String) Name of the report.
- `resources` (Block Set, Min: 1, Max: 1) The list of resources to include into the report. (see [below for nested schema](#nestedblock--resources))

### Optional

- `filters` (Block Set) Advanced filters. (see [below for nested schema](#nestedblock--filters))
- `project_key` (String) Project key for assigning this resource to. Must be 2 - 10 lowercase alphanumeric and hyphen characters.
- `report_id` (Number) Report ID
- `resources` (Block Set) The list of resources to include into the report. (see [below for nested schema](#nestedblock--resources))

### Read-Only

- `id` (String) The ID of this resource.
- `report_id` (Number) Report ID

<a id="nestedblock--filters"></a>
### Nested Schema for `filters`
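Review bot: Same point as for `licenses_report.md`: `report_id` under Read-Only is correct, but `filters` and `resources` moving to Optional (and `resources` losing `Max: 1`) permits a report with no resources; document the resulting scope or keep a minimum of one `resources` block.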
@@ -67,7 +67,7 @@ Optional:
- `artifact` (String) Artifact name.
- `component` (String) Artifact's component.
- `risks` (Set of String) Operational risk level. Allowed values: 'None', 'Low', 'Medium', 'High'.
- `scan_date` (Block Set, Max: 1) (see [below for nested schema](#nestedblock--filters--scan_date))
- `scan_date` (Block Set) (see [below for nested schema](#nestedblock--filters--scan_date))

<a id="nestedblock--filters--scan_date"></a>
### Nested Schema for `filters.scan_date`
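Review bot: `scan_date` loses `Max: 1` here as well and still has no description; describe what the block filters on and whether more than one range is meaningful.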
@@ -84,9 +84,9 @@ Optional:

Optional:

- `builds` (Block Set, Max: 1) The builds to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--builds))
- `projects` (Block Set, Max: 1) The projects to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--projects))
- `release_bundles` (Block Set, Max: 1) The release bundles to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--release_bundles))
- `builds` (Block Set) The builds to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--builds))
- `projects` (Block Set) The projects to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--projects))
- `release_bundles` (Block Set) The release bundles to include into the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--release_bundles))
- `repository` (Block Set) The list of repositories for the report. Only one type of resource can be set per report. (see [below for nested schema](#nestedblock--resources--repository))

<a id="nestedblock--resources--builds"></a>
@@ -105,7 +105,7 @@ Optional:

Optional:

- `include_key_patterns` (Set of String) The list of include patterns.
- `include_key_patterns` (Set of String) The list of include patterns
- `names` (Set of String) The list of project names.
- `number_of_latest_versions` (Number) The number of latest release bundle versions to include to the report.

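Review bot: The dropped trailing period on `include_key_patterns` makes this entry inconsistent with its siblings; fix the schema description string so the generated docs stay uniform.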