Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support for OIDC bearer tokens to auth TFP against Octopus API #810

Merged
merged 2 commits into from
Nov 11, 2024
Merged

feat: add support for OIDC bearer tokens to auth TFP against Octopus API #810

merged 2 commits into from
Nov 11, 2024

Conversation

mjhilton
Copy link
Contributor

@mjhilton mjhilton commented Nov 8, 2024
edited
Loading

This PR adds some small improvements to the auth experience of the Terraform Provider:

  • Initialises the internal Go Client with an identifier of "TerraformProvider", which allows us to disambiguate requests are coming from use of the Terraform Provider versus other Go Client consumers in API logs
  • Adds fall-through support for the more standard OCTOPUS_API_KEY environment variable, which gets set by things like the GitHub Actions Octopus Login action when using an API Key. The existing OCTOPUS_APIKEY environment variable is still preferred when present.
  • Adds support for OIDC Bearer Tokens to be used, either directly configured on the provider, or with the OCTOPUS_ACCESS_TOKEN environment variables (which the GitHub Actions Octopus login action sets when using OIDC auth)
  • Updates the docs to detail the additions/changes to the auth approach, and expand upon explanation of environment variable precedence and interaction with pipeline steps

Fixes #579
Internal story [sc-91345]

@mjhilton mjhilton force-pushed the matth/support-oidc-bearer-tokens branch from 34f70e7 to bdad825 Compare November 8, 2024 02:31
@mjhilton mjhilton marked this pull request as ready for review November 8, 2024 02:43
@mjhilton mjhilton requested a review from domenicsim1 November 10, 2024 22:44
@mjhilton
Copy link
Contributor Author

I've done some testing in GitHub Actions and confirmed that:

  • The UserAgent is now distinguishable in request logging, with the string TerraformProvider inserted as expected
  • The OIDC integration works out-of-the-box with the GitHub Login action, based on the conventional environment variables that action sets (OCTOPUS_URL; OCTOPUS_ACCESS_TOKEN)
  • API Key auth is preferenced over OIDC when both are available (for back-compat)
  • API Key auth now pulls from either OCTOPUS_APIKEY or OCTOPUS_API_KEY env variables, and is as such now compatible with the GitHub Login action when it uses API Key mode

@mjhilton mjhilton enabled auto-merge (squash) November 11, 2024 02:16
domenicsim1
domenicsim1 approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@domenicsim1 domenicsim1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!
Good stuff on the Docs 👍

docs/guides/2-provider-configuration.md
Comment on lines +31 to +34
OIDC Access Tokens are short-lived and typically generated per-run of an automated pipeline, such as GitHub Actions.
If you use the Access Token approach, we recommend sourcing the token from environment variable.

The environment variable fallback values that the Terraform Provider search for correspond to the values that pipeline steps like our [GitHub Login action](https://github.com/OctopusDeploy/login?tab=readme-ov-file#outputs) set in the pipeline context, so the provider will automatically pick up the value from environment variable.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@mjhilton mjhilton merged commit cce0c64 into main Nov 11, 2024
23 checks passed
@mjhilton mjhilton deleted the matth/support-oidc-bearer-tokens branch November 11, 2024 23:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenicsim1 domenicsim1 domenicsim1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for authenticating with OpenID Connect
2 participants
@mjhilton @domenicsim1