add external_credentials support in provider block (GoogleCloudPlatform#12714)

Co-authored-by: Riley Karson <[email protected]>

Author: 2 people

mmv1/third_party/terraform/fwmodels/provider_model.go.tmpl

@@ -5,10 +5,18 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
+// ExternalCredentialsModel contains the information necessary to retrieve external credentials (like Workload Identity Federation credentials) using the user-defined function retrieval method (https://pkg.go.dev/golang.org/x/oauth2/google/externalaccount)
+type ExternalCredentialsModel struct {
+	Audience            types.String `tfsdk:"audience"`
+	ServiceAccountEmail types.String `tfsdk:"service_account_email"`
+	IdentityToken       types.String `tfsdk:"identity_token"`
+}
+
 // ProviderModel maps provider schema data to a Go type.
 // When the plugin-framework provider is configured, the Configure function receives data about
 // the provider block in the configuration. That data is used to populate this struct.
 type ProviderModel struct {
+	ExternalCredentials                       []ExternalCredentialsModel `tfsdk:"external_credentials"`
 	Credentials                               types.String `tfsdk:"credentials"`
 	AccessToken                               types.String `tfsdk:"access_token"`
 	ImpersonateServiceAccount                 types.String `tfsdk:"impersonate_service_account"`

mmv1/third_party/terraform/fwprovider/framework_provider.go.tmpl

@@ -21,7 +21,7 @@ import (
     "github.com/hashicorp/terraform-provider-google/google/functions"
     "github.com/hashicorp/terraform-provider-google/google/fwmodels"
     "github.com/hashicorp/terraform-provider-google/google/services/resourcemanager"
-	"github.com/hashicorp/terraform-provider-google/version"
+    "github.com/hashicorp/terraform-provider-google/version"
     {{- if ne $.TargetVersionName "ga" }}
     "github.com/hashicorp/terraform-provider-google/google/services/firebase"
     {{- end }}
@@ -252,6 +252,30 @@ func (p *FrameworkProvider) Schema(_ context.Context, _ provider.SchemaRequest,
                     },
                 },
             },
+            "external_credentials": schema.ListNestedBlock{
+                NestedObject: schema.NestedBlockObject{
+                    Attributes: map[string]schema.Attribute{
+                        "audience": schema.StringAttribute{
+                            Required: true,
+                            Validators: []validator.String{
+                                fwvalidators.NonEmptyStringValidator(),
+                            },
+                        },
+                        "service_account_email": schema.StringAttribute{
+                            Required: true,
+                            Validators: []validator.String{
+                                fwvalidators.ServiceAccountEmailValidator{},
+                            },
+                        },
+                        "identity_token": schema.StringAttribute{
+                            Required: true,
+                            Validators: []validator.String{
+                                fwvalidators.JWTValidator(),
+                            },
+                        },
+                    },
+                },
+            },
         },
     }
 

mmv1/third_party/terraform/fwvalidators/framework_validators.go

@@ -2,9 +2,11 @@ package fwvalidators
 
 import (
 	"context"
+	"encoding/base64"
 	"fmt"
 	"os"
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@@ -206,3 +208,57 @@ func (v BoundedDuration) ValidateString(ctx context.Context, req validator.Strin
 		)
 	}
 }
+
+type jwtValidator struct {
+}
+
+func (v jwtValidator) Description(_ context.Context) string {
+	return "value must be a valid JWT token"
+}
+
+func (v jwtValidator) MarkdownDescription(ctx context.Context) string {
+	return v.Description(ctx)
+}
+
+func (v jwtValidator) ValidateString(ctx context.Context, request validator.StringRequest, response *validator.StringResponse) {
+	if request.ConfigValue.IsNull() || request.ConfigValue.IsUnknown() {
+		return
+	}
+
+	value := request.ConfigValue.ValueString()
+
+	if value == "" {
+		response.Diagnostics.AddAttributeError(
+			request.Path,
+			"Invalid JWT Token",
+			"JWT token must not be empty",
+		)
+		return
+	}
+
+	// JWT consists of 3 parts separated by dots: header.payload.signature
+	parts := strings.Split(value, ".")
+	if len(parts) != 3 {
+		response.Diagnostics.AddAttributeError(
+			request.Path,
+			"Invalid JWT Format",
+			"JWT token must have 3 parts separated by dots (header.payload.signature)",
+		)
+		return
+	}
+
+	// Check that each part is base64 encoded
+	for i, part := range parts {
+		if _, err := base64.RawURLEncoding.DecodeString(part); err != nil {
+			response.Diagnostics.AddAttributeError(
+				request.Path,
+				"Invalid JWT Encoding",
+				fmt.Sprintf("Part %d of JWT is not valid base64: %v", i+1, err),
+			)
+		}
+	}
+}
+
+func JWTValidator() validator.String {
+	return jwtValidator{}
+}

mmv1/third_party/terraform/provider/provider.go.tmpl

@@ -37,14 +37,40 @@ func Provider() *schema.Provider {
 				Type:          schema.TypeString,
 				Optional:      true,
 				ValidateFunc:  ValidateCredentials,
-				ConflictsWith: []string{"access_token"},
+				ConflictsWith: []string{"access_token", "external_credentials"},
 			},
 
 			"access_token": {
 				Type:          schema.TypeString,
 				Optional:      true,
 				ValidateFunc:  ValidateEmptyStrings,
-				ConflictsWith: []string{"credentials"},
+				ConflictsWith: []string{"credentials", "external_credentials"},
+			},
+
+			"external_credentials": {
+				Type:          schema.TypeList,
+				MaxItems:      1,
+				Optional:      true,
+				ConflictsWith: []string{"credentials", "access_token"},
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"audience": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: ValidateEmptyStrings,
+						},
+						"service_account_email": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: ValidateServiceAccountEmail,
+						},
+						"identity_token": {
+							Type:     schema.TypeString,
+							Required: true,
+							ValidateFunc: ValidateJWT,
+						},
+					},
+				},
 			},
 
 			"impersonate_service_account": {
@@ -257,19 +283,27 @@ func ProviderConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 		config.RequestReason = v.(string)
 	}
 
-	// Check for primary credentials in config. Note that if neither is set, ADCs
+	// Check for primary credentials in config. Note that if none of these values are set, ADCs
 	// will be used if available.
-	if v, ok := d.GetOk("access_token"); ok {
-		config.AccessToken = v.(string)
-	}
+	if v, ok := d.GetOk("external_credentials"); ok {
+		external, err := transport_tpg.ExpandExternalCredentialsConfig(v)
+		if err != nil {
+			return nil, diag.FromErr(err)
+		}
+		config.ExternalCredentials = external
+	} else {
+		if v, ok := d.GetOk("access_token"); ok {
+			config.AccessToken = v.(string)
+		}
 
-	if v, ok := d.GetOk("credentials"); ok {
-		config.Credentials = v.(string)
+		if v, ok := d.GetOk("credentials"); ok {
+			config.Credentials = v.(string)
+		}
 	}
 
-	// only check environment variables if neither value was set in config- this
+	// only check environment variables if none of these values are set in config- this
 	// means config beats env var in all cases.
-	if config.AccessToken == "" && config.Credentials == "" {
+	if config.ExternalCredentials == nil && config.AccessToken == "" && config.Credentials == "" {
 		config.Credentials = transport_tpg.MultiEnvSearch([]string{
 			"GOOGLE_CREDENTIALS",
 			"GOOGLE_CLOUD_KEYFILE_JSON",

mmv1/third_party/terraform/provider/provider_internal_test.go

@@ -85,6 +85,71 @@ func TestProvider_ValidateCredentials(t *testing.T) {
 	}
 }
 
+func TestProvider_ValidateJWT(t *testing.T) {
+	cases := map[string]struct {
+		ConfigValue      interface{}
+		ValueNotProvided bool
+		ExpectedWarnings []string
+		ExpectedErrors   []error
+	}{
+		"a valid JWT is accepted": {
+			ConfigValue: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+		},
+		"an empty JWT is rejected": {
+			ConfigValue: "",
+			ExpectedErrors: []error{
+				errors.New("\"\" cannot be empty"),
+			},
+		},
+		"a JWT with invalid base64 parts is rejected": {
+			ConfigValue: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.invalid-signature",
+			ExpectedErrors: []error{
+				errors.New("part 3 of JWT is not valid base64: illegal base64 data at input byte 16"),
+			},
+		},
+		"a JWT with incorrect format (not 3 parts) is rejected": {
+			ConfigValue: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ",
+			ExpectedErrors: []error{
+				errors.New("\"\" is not a valid JWT format"),
+			},
+		},
+		"unconfigured value is not valid": {
+			ValueNotProvided: true,
+			ExpectedErrors: []error{
+				errors.New("\"\" cannot be empty"),
+			},
+		},
+	}
+
+	for tn, tc := range cases {
+		t.Run(tn, func(t *testing.T) {
+
+			// Arrange
+			var configValue interface{}
+			if !tc.ValueNotProvided {
+				configValue = tc.ConfigValue
+			}
+
+			// Act
+			ws, es := provider.ValidateJWT(configValue, "")
+
+			// Assert
+			if len(ws) != len(tc.ExpectedWarnings) {
+				t.Fatalf("Expected %d warnings, got %d: %v", len(tc.ExpectedWarnings), len(ws), ws)
+			}
+			if len(es) != len(tc.ExpectedErrors) {
+				t.Fatalf("Expected %d errors, got %d: %v", len(tc.ExpectedErrors), len(es), es)
+			}
+
+			for i := 0; i < len(tc.ExpectedErrors) && i < len(es); i++ {
+				if es[i].Error() != tc.ExpectedErrors[i].Error() {
+					t.Fatalf("Expected error %d to be \"%s\", got \"%s\"", i+1, tc.ExpectedErrors[i], es[i])
+				}
+			}
+		})
+	}
+}
+
 func TestProvider_ValidateEmptyStrings(t *testing.T) {
 	cases := map[string]struct {
 		ConfigValue      interface{}