
Add google_impersonated_credential datasource #3211

Closed
wants to merge 9 commits into from

Conversation

salrashid123
Contributor

google_impersonated_credential provides an access_token for resources the original caller may not have immediate access to.
That is, you can run .tf as serviceA and then access resources serviceB has access to.

An administrator for serviceB can potentially just give 'just in time' access to impersonate.

@salrashid123
Contributor Author

ok, it still seems not to be adding google.golang.org/api/iamcredentials/v1 to CI... any thoughts about how to add that in?

i ran tests locally and they worked; i'm just not sure how CI will run it since, to do this, you need to set up the IAM permissions on a real project/serviceaccount.

anyway

Build:

$ echo $GOPATH
/apps/go/go_path

$ pwd
/apps/go/go_path/src/github.com/terraform-providers/terraform-provider-google

GO111MODULE=on go get google.golang.org/api/iamcredentials/v1

TEST:

export GOOGLE_SERVICE_ACCOUNT=impersonated-account@fabled-ray-104117.iam.gserviceaccount.com
export GOOGLE_PROJECT=mineral-minutia-820
export GOOGLE_CLOUD_KEYFILE_JSON=/path/to/cert.json
export GOOGLE_REGION=us-central1
export GOOGLE_ZONE=us-central1-a
$ make testacc TEST=./google TESTARGS='-run=TestAccDataSourceGoogleImpersonatedCredential_basic'
==> Checking source code against gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 TF_SCHEMA_PANIC_ON_ERROR=1 go test ./google -v -run=TestAccDataSourceGoogleImpersonatedCredential_basic -timeout 240m -ldflags="-X=github.com/terraform-providers/terraform-provider-google/version.ProviderVersion=acc"
=== RUN   TestAccDataSourceGoogleImpersonatedCredential_basic
=== PAUSE TestAccDataSourceGoogleImpersonatedCredential_basic
=== CONT  TestAccDataSourceGoogleImpersonatedCredential_basic
--- PASS: TestAccDataSourceGoogleImpersonatedCredential_basic (5.16s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	5.445s

RUN:

provider "google" {}

data "google_client_config" "default" {
  provider = "google"
}

data "google_impersonated_credential" "default" {
  provider               = "google"
  target_service_account = "[email protected]"
  scopes                 = ["storage-ro", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = "${data.google_impersonated_credential.default.access_token}"
}

data "google_project" "project" {
  provider   = "google.impersonated"
  project_id = "mineral-minutia-820"
}
$ ../terraform apply
data.google_impersonated_credential.default: Refreshing state...
data.google_client_config.default: Refreshing state...
data.google_project.project: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

access_token = ya29.c.EooCzgZnF<redacted>
project_number = 1071284184436

@ghost ghost added dependencies size/xxl and removed size/l labels Mar 19, 2019

@chrisst chrisst left a comment


First pass of review. I'll take a look at the vendoring in a little bit, but it's likely I'll pull it into another PR that can be merged ahead of this.

Review comments (since resolved) were left on google/validation.go, google/provider.go and google/data_source_google_impersonated_credential.go.
@salrashid123
Contributor Author

Note, one issue to point out with the way i've got the acceptance tests set up:

  1. first create a new service account
  2. then apply an iam policy such that the background/env acceptance tests service account can impersonate this new one.
  3. apply google_impersonated_credential and then attempt to get the impersonated user's email.

the problem is step 2 is eventually consistent...it may take ~30->40s to complete so the whole test fails since step 3 fails.

I'm not sure how to solve this (i'm pretty new to terraform). i tried setting up a multi step flow like this
https://gist.github.com/salrashid123/a6a3cff9b9d309bb85d5886e6a24eda7#file-iamcredentials_tf-go-L31

but i'm just guessing (it didn't work)

even after i get past that, i don't know how to add in a dynamic, aliased provider (eg, alias=google.impersonated) into the test

https://www.terraform.io/docs/extend/testing/acceptance-tests/testcase.html#providers
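The token exchange behind the data source, with a retry that absorbs the IAM propagation delay described in the comment above, as an added Go example that is not part of this PR or the provider: it posts the IAM Credentials generateAccessToken request (scopes given as full URLs, lifetime bounded by the API's 3600s maximum) through an already-authenticated client and retries while the answer is 403; newFakeIAMCredentials is a constructed stand-in for the real endpoint, and the service account name and token values are made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// generateAccessToken posts to {base}/v1/projects/-/serviceAccounts/{email}:generateAccessToken (scopes as full
// URLs) and retries on 403, since a Token Creator binding granted moments earlier can take tens of seconds to propagate.
func generateAccessToken(client *http.Client, base, email string, scopes []string, lifetime time.Duration, maxAttempts int) (string, int, error) {
	if lifetime <= 0 || lifetime > time.Hour { // the API caps a token's lifetime at 3600s
		return "", 0, fmt.Errorf("lifetime %s outside (0s, 3600s]", lifetime)
	}
	body, _ := json.Marshal(map[string]interface{}{"scope": scopes, "lifetime": fmt.Sprintf("%ds", int(lifetime.Seconds()))})
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", base, email)
	var out struct{ AccessToken string `json:"accessToken"` }
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		resp, err := client.Post(url, "application/json", bytes.NewReader(body))
		if err != nil {
			return "", attempt, err
		}
		err = json.NewDecoder(resp.Body).Decode(&out) // the 403 body is JSON too; its fields are simply ignored
		resp.Body.Close()
		switch {
		case resp.StatusCode == http.StatusOK:
			return out.AccessToken, attempt, err
		case resp.StatusCode != http.StatusForbidden:
			return "", attempt, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
		}
		time.Sleep(20 * time.Millisecond) // real code waits seconds between attempts
	}
	return "", maxAttempts, fmt.Errorf("still PERMISSION_DENIED after %d attempts", maxAttempts)
}

// newFakeIAMCredentials is a constructed stand-in for iamcredentials.googleapis.com: 403 for the first denyFirst calls, then a token.
func newFakeIAMCredentials(denyFirst int) *httptest.Server {
	calls := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		calls++
		if calls <= denyFirst {
			http.Error(w, `{"error":{"code":403,"status":"PERMISSION_DENIED"}}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"accessToken":"ya29.constructed-token","expireTime":"2019-03-19T00:05:00Z"}`)
	}))
}
```

Against the real service, pass base `https://iamcredentials.googleapis.com` and an *http.Client that carries the calling identity's own credentials; the caller needs roles/iam.serviceAccountTokenCreator on the target account.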


@chrisst chrisst left a comment


1 small correction, but otherwise looks good!

When you've corrected that I'll pull this upstream into our code generator and add the docs to the website.

@salrashid123
Contributor Author

@chrisst Done. Added in that final change.

@ghost ghost locked and limited conversation to collaborators May 2, 2019