Merge pull request #72 from philips-labs/feature/iam-injectable-crede…

…ntials Support injecting IAM OAuth2 credentials
philips-labs · Oct 17, 2022 · 0f7e59b · 0f7e59b
2 parents 3d908ee + 0b7c56e
commit 0f7e59b
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 10 deletions.
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -13,7 +13,7 @@ jobs:
     name: Verify module
     strategy:
       matrix:
-        terraform: [1.0.0]
+        terraform: [1.3.2, latest]
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:${{ matrix.terraform }}
@@ -29,7 +29,7 @@ jobs:
     name: Verify examples
     strategy:
       matrix:
-        terraform: [0.14.5, latest]
+        terraform: [1.3.2, latest]
         example: ["default"]
     defaults:
       run:
@@ -41,8 +41,5 @@ jobs:
       - uses: actions/checkout@v3
       - name: init terraform example 
         run: terraform init -get -backend=false -input=false
-      - name: check formatting
-        if: ${{ matrix.terraform == '0.14.5' }}
-        run: terraform fmt -recursive -check=true -write=false
       - name: validate terraform
         run: terraform validate
diff --git a/README.md b/README.md
@@ -72,6 +72,8 @@ No modules.
 | <a name="input_memory"></a> [memory](#input\_memory) | The amount of RAM to allocate for Grafana (MB) | `number` | `512` | no |
 | <a name="input_name_postfix"></a> [name\_postfix](#input\_name\_postfix) | The postfix string to append to the hostname, prevents namespace clashes | `string` | n/a | yes |
 | <a name="input_network_policies"></a> [network\_policies](#input\_network\_policies) | The container-to-container network policies to create with Grafana as the source app | <pre>list(object({<br>    destination_app = string<br>    protocol        = string<br>    port            = string<br>  }))</pre> | `[]` | no |
+| <a name="input_oauth2_client_id"></a> [oauth2\_client\_id](#input\_oauth2\_client\_id) | The OAuth2 client ID to use for Grafana integration with IAM | `string` | `""` | no |
+| <a name="input_oauth2_client_password"></a> [oauth2\_client\_password](#input\_oauth2\_client\_password) | The OAuth2 client password to use for Grafana integration with IAM | `string` | `""` | no |
 | <a name="input_oauth_allow_signup"></a> [oauth\_allow\_signup](#input\_oauth\_allow\_signup) | Allow automatic signup when OAuth2 is enabled | `bool` | `false` | no |
 | <a name="input_pg_exporter_image"></a> [pg\_exporter\_image](#input\_pg\_exporter\_image) | n/a | `string` | `"quay.io/prometheuscommunity/postgres-exporter:latest"` | no |
 

diff --git a/iam.tf b/iam.tf
@@ -1,9 +1,12 @@
 locals {
-  iam_integration = var.iam_application_id != ""
+  iam_integration        = var.iam_application_id != "" || (var.oauth2_client_id != "" && var.oauth2_client_password != "")
+  self_managed_client    = var.iam_application_id != ""
+  oauth2_client_id       = local.self_managed_client ? hsdp_iam_client.grafana[0].client_id : var.oauth2_client_id
+  oauth2_client_password = local.self_managed_client ? random_password.client_password[0].result : var.oauth2_client_password
 }
 
 resource "random_password" "client_password" {
-  count            = local.iam_integration ? 1 : 0
+  count            = local.self_managed_client ? 1 : 0
   length           = 16
   special          = true
   min_upper        = 1
@@ -17,7 +20,7 @@ resource "random_uuid" "client_uuid" {
 }
 
 resource "hsdp_iam_client" "grafana" {
-  count               = local.iam_integration ? 1 : 0
+  count               = local.self_managed_client ? 1 : 0
   type                = "Confidential"
   name                = "TF_GRAFANA_${local.name}"
   description         = "Grafana OAuth2 Client"

diff --git a/main.tf b/main.tf
@@ -55,8 +55,8 @@ resource "cloudfoundry_app" "grafana" {
       GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS          = join(",", var.email_domains)
       GF_AUTH_GENERIC_OAUTH_API_URL                  = "${data.hsdp_config.iam.url}/authorize/oauth2/userinfo?api-version=2"
       GF_AUTH_GENERIC_OAUTH_AUTH_URL                 = "${data.hsdp_config.iam.url}/authorize/oauth2/authorize?api-version=2"
-      GF_AUTH_GENERIC_OAUTH_CLIENT_ID                = hsdp_iam_client.grafana[0].client_id
-      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET            = hsdp_iam_client.grafana[0].password
+      GF_AUTH_GENERIC_OAUTH_CLIENT_ID                = local.oauth2_client_id
+      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET            = local.oauth2_client_password
       GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES             = "false"
       GF_AUTH_GENERIC_OAUTH_ENABLED                  = "true"
       GF_AUTH_GENERIC_OAUTH_SCOPES                   = "openid mail email"

diff --git a/variables.tf b/variables.tf
@@ -89,6 +89,19 @@ variable "iam_application_id" {
   default     = ""
 }
 
+variable "oauth2_client_id" {
+  type        = string
+  description = "The OAuth2 client ID to use for Grafana integration with IAM"
+  default     = ""
+}
+
+variable "oauth2_client_password" {
+  type        = string
+  sensitive   = true
+  description = "The OAuth2 client password to use for Grafana integration with IAM"
+  default     = ""
+}
+
 variable "email_domains" {
   type        = list(string)
   description = "Allowed email domains for accessing Grafana"