Merge pull request #21772 from luis-silva/21680/GCS_OAUTH
Add OAuth2 token support for GCS backend
commit
9b24ef7870
|
@ -14,6 +14,7 @@ import (
|
||||||
"github.com/hashicorp/terraform/helper/pathorcontents"
|
"github.com/hashicorp/terraform/helper/pathorcontents"
|
||||||
"github.com/hashicorp/terraform/helper/schema"
|
"github.com/hashicorp/terraform/helper/schema"
|
||||||
"github.com/hashicorp/terraform/httpclient"
|
"github.com/hashicorp/terraform/httpclient"
|
||||||
|
"golang.org/x/oauth2"
|
||||||
"golang.org/x/oauth2/jwt"
|
"golang.org/x/oauth2/jwt"
|
||||||
"google.golang.org/api/option"
|
"google.golang.org/api/option"
|
||||||
)
|
)
|
||||||
|
@ -65,6 +66,15 @@ func New() backend.Backend {
|
||||||
Default: "",
|
Default: "",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
"access_token": {
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
DefaultFunc: schema.MultiEnvDefaultFunc([]string{
|
||||||
|
"GOOGLE_OAUTH_ACCESS_TOKEN",
|
||||||
|
}, nil),
|
||||||
|
Description: "An OAuth2 token used for GCP authentication",
|
||||||
|
},
|
||||||
|
|
||||||
"encryption_key": {
|
"encryption_key": {
|
||||||
Type: schema.TypeString,
|
Type: schema.TypeString,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
|
@ -116,12 +126,23 @@ func (b *Backend) configure(ctx context.Context) error {
|
||||||
|
|
||||||
var opts []option.ClientOption
|
var opts []option.ClientOption
|
||||||
|
|
||||||
creds := data.Get("credentials").(string)
|
// Add credential source
|
||||||
if creds == "" {
|
var creds string
|
||||||
|
var tokenSource oauth2.TokenSource
|
||||||
|
|
||||||
|
if v, ok := data.GetOk("access_token"); ok {
|
||||||
|
tokenSource = oauth2.StaticTokenSource(&oauth2.Token{
|
||||||
|
AccessToken: v.(string),
|
||||||
|
})
|
||||||
|
} else if v, ok := data.GetOk("credentials"); ok {
|
||||||
|
creds = v.(string)
|
||||||
|
} else {
|
||||||
creds = os.Getenv("GOOGLE_CREDENTIALS")
|
creds = os.Getenv("GOOGLE_CREDENTIALS")
|
||||||
}
|
}
|
||||||
|
|
||||||
if creds != "" {
|
if tokenSource != nil {
|
||||||
|
opts = append(opts, option.WithTokenSource(tokenSource))
|
||||||
|
} else if creds != "" {
|
||||||
var account accountFile
|
var account accountFile
|
||||||
|
|
||||||
// to mirror how the provider works, we accept the file path or the contents
|
// to mirror how the provider works, we accept the file path or the contents
|
||||||
|
|
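Review bot: In `configure`, `data.GetOk("access_token")` is checked before `credentials`, and the schema fills `access_token` from `GOOGLE_OAUTH_ACCESS_TOKEN`, so a token left in the environment silently overrides a `credentials` value written in the backend block, and the backend may act as a different identity than the configuration names. I would state that above the branch, e.g. `// access_token (config or GOOGLE_OAUTH_ACCESS_TOKEN) wins over credentials; it is a static bearer token and is never refreshed`, and ideally log which source was selected without logging the token value. `oauth2.StaticTokenSource` does not renew the token, so a run that outlives the token's lifetime will start failing on GCS calls; the field `Description` could say that the token is short-lived. Since the value is a bearer secret, also consider `Sensitive: true` on the schema entry, and prefer the environment variable over writing the token into the backend block, which Terraform presumably persists with the rest of the backend configuration. The body of `configure` continues outside the hunk.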
|
@ -58,6 +58,9 @@ The following configuration options are supported:
|
||||||
* `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format.
|
* `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format.
|
||||||
If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used.
|
If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used.
|
||||||
The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket.
|
The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket.
|
||||||
|
* `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained from
|
||||||
|
the Google Authorization server, i.e. the `Authorization: Bearer` token used to
|
||||||
|
authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`. If both are specified, `access_token` will be used over the `credentials` field.
|
||||||
* `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `<prefix>/<name>.tfstate`.
|
* `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `<prefix>/<name>.tfstate`.
|
||||||
* `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead.
|
* `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead.
|
||||||
* `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
|
* `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
|
||||||
|
|