├── .github └── workflows │ ├── build_test.yml │ └── release.yml ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── backend.go ├── cmd └── vault-plugin-auth-tfe │ └── main.go ├── go.mod ├── go.sum ├── images └── vault_plugin_workflow.png ├── path_config.go ├── path_login.go ├── path_role.go └── terraform ├── api-testing ├── .gitignore ├── .terraform.lock.hcl ├── api_test.tf ├── backend.tf ├── outputs.tf ├── tfe_data │ ├── account_details.json │ ├── env.vars │ ├── run_details.json │ └── workspace_details.json └── variables.tf └── demo ├── .terraform.lock.hcl ├── 01.setup_vault.sh ├── 02.setup_vault_aws.sh ├── aws.tf ├── backend.tf ├── helper.sh ├── login_env.tf.example ├── login_file.tf ├── outputs.tf ├── variables.tf └── vault_login.sh /.github/workflows/build_test.yml: -------------------------------------------------------------------------------- 1 | name: Build and test 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ main ] 8 | 9 | jobs: 10 | 11 | build: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@v2 15 | 16 | - name: Set up Go 17 | uses: actions/setup-go@v2 18 | with: 19 | go-version: 1.24 20 | 21 | - name: Build 22 | run: go build -v ./... 23 | 24 | - name: Test 25 | run: go test -v ./... 26 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Create release 2 | 3 | on: 4 | release: 5 | types: [created] 6 | 7 | jobs: 8 | releases-matrix: 9 | name: Release Go Binary 10 | runs-on: ubuntu-latest 11 | strategy: 12 | matrix: 13 | # build and publish in parallel: linux/386, linux/amd64, windows/386, windows/amd64, darwin/386, darwin/amd64 14 | goos: [linux, windows, darwin] 15 | goarch: [amd64] 16 | steps: 17 | - uses: actions/checkout@v2 18 | - uses: wangyoucao577/go-release-action@v1.53 19 | with: 20 | github_token: ${{ secrets.GITHUB_TOKEN }} 21 | goos: ${{ matrix.goos }} 22 | goarch: ${{ matrix.goarch }} 23 | goversion: "https://golang.org/dl/go1.24.1.linux-amd64.tar.gz" 24 | project_path: "./cmd/vault-plugin-auth-tfe" 25 | binary_name: "vault-plugin-auth-tfe" 26 | sha256sum: TRUE 27 | extra_files: LICENSE 28 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | vault/plugins/vault-plugin-auth-tfe 3 | terraform/api-testing/.terraform/ 4 | terraform/demo/.terraform/ 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | GOARCH = amd64 2 | 3 | UNAME = $(shell uname -s) 4 | 5 | ifndef OS 6 | ifeq ($(UNAME), Linux) 7 | OS = linux 8 | else ifeq ($(UNAME), Darwin) 9 | OS = darwin 10 | endif 11 | endif 12 | 13 | .DEFAULT_GOAL := all 14 | 15 | all: fmt build start 16 | 17 | build: fmt 18 | GOOS=$(OS) GOARCH="$(GOARCH)" go build -o vault/plugins/vault-plugin-auth-tfe cmd/vault-plugin-auth-tfe/main.go 19 | 20 | start: 21 | # run this first -->>> eval $(doormat aws --account se_demos_dev) 22 | vault server -dev -dev-root-token-id=root \ 23 | -dev-plugin-dir=./vault/plugins -log-level=debug \ 24 | -dev-listen-address=192.168.178.40:8200 25 | 26 | enable: 27 | # fad4d28b6f57ca6a1acd49b948e0a279d805280c461bb29fcb8781e57c1c3562 28 | # vault plugin register -sha256=fad4d28b6f57ca6a1acd49b948e0a279d805280c461bb29fcb8781e57c1c3562 auth vault-plugin-auth-tfe 29 | vault auth enable -path=tfe-auth vault-plugin-auth-tfe 30 | 31 | clean: 32 | rm -f ./vault/plugins/vault-plugin-auth-tfe 33 | 34 | fmt: 35 | go fmt $$(go list ./...) 36 | 37 | test: 38 | # vault write -force auth/tfe-auth/config 39 | vault write auth/tfe-auth/config organization=org2 terraform_host=tfe.ric.gcp.hashidemos.io 40 | vault read auth/tfe-auth/config 41 | vault write auth/tfe-auth/role/role1 workspaces=123,456 42 | vault write auth/tfe-auth/role/role2 workspaces=* policies=default 43 | vault list auth/tfe-auth/role 44 | vault read auth/tfe-auth/role/role1 45 | 46 | # vault write auth/tfe-auth/login role=role2 workspace=aaa run-id=aa atlas-token=aa 47 | vault write auth/tfe-auth/login role=role2 \ 48 | workspace=tfe-gcp-test-network \ 49 | run-id=run-U7VpRnrDSGhyk8Ff \ 50 | atlas-token=eJ1fkmbxGLtbNg.atlasv1.GGpvS5FwHsYTBLze9S4Pqsx2ahPc67Ypv8d5XlgHptWQ06dwHRrtnXWb2tyTzIp0860 51 | 52 | 53 | .PHONY: build clean fmt start enable test 54 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | > [!WARNING] 2 | > You should no longer need this plugin, now that TFC/E has released workspace identity. 3 | > Please refer to the guides available on HashiCorp's website: 4 | > * [Dynamic Credentials with the Vault Provider 5 | ](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/vault-configuration) 6 | > * [Vault-Backed Dynamic Credentials 7 | ](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/vault-backed) 8 | 9 | 10 | 11 | # Vault TFE Auth Plugin 12 | 13 | The aim of this Vault authentication plugin is to provide Terraform Cloud or Enterprise with a "window of trust", that can use to retrieve secrets from Vault. 14 | 15 | This means you will not need to configure any kind of static secret material for your terraform execution to be able to use Vault. 16 | 17 | *TFE Auth* is an authentication plugin for [HashiCorp Vault](https://www.vaultproject.io/), but do not assume some kind of official support from HashiCorp. You should make your own decision whether it is safe or not to use this plugin in your environment. 18 | 19 | ## Workflow overview 20 | ![Workflow overview](images/vault_plugin_workflow.png?raw=true "Workflow overview") 21 | 22 | ## TFE/TFC assumptions 23 | 24 | - TFE/TFC generates a RUN ID that is unique for that TFE Workspace. 25 | 26 | - Plans or applies are always executed within TFE/TFC (i.e. remote operations) 27 | - These can also be using terraform remote agents. 28 | 29 | - TFE/TFC generates a different token during plan and the apply stages 30 | 31 | - The following environment variables are available: 32 | - TF_VAR_TFE_RUN_ID 33 | - TF_VAR_TFC_WORKSPACE_NAME 34 | 35 | - The TFE/TFC token must have permissions to: 36 | - [Get the current run ID details](https://www.terraform.io/docs/cloud/api/run.html#get-run-details) 37 | - [Get the current workspace details](https://www.terraform.io/docs/cloud/api/workspaces.html#show-workspace) 38 | - [Get the token account details](https://www.terraform.io/docs/cloud/api/account.html#get-your-account-details) 39 | 40 | ### Retrieving the TFE/TFC token 41 | The TFE/TFC token lives in more than one place. I recommend using the credentials file location. 42 | 43 | The credentials file within the TFE/TFC worker lives one of these places, depending if you are using Terraform Agents: 44 | - `/tmp/cli.tfrc` for code run within TFC/TFE 45 | - `${path.cwd}/../.terraformrc` for code running in TFC Agents 46 | 47 | The TFE/TFC token also exists as an environment variable *ATLAS_TOKEN*. See [terraform/demo/login_env.tf.example](terraform/demo/login_env.tf.example) for an example of that. 48 | 49 | ## Vault Authentication 50 | ### Conditions 51 | This plugin will issue a token then the following criteria are met: 52 | 53 | - The TFE/TFC Token provided has the above mentioned permissions 54 | - The TFE/TFC Token is a *Service account* token 55 | - The Run ID belongs to the Workspace that is being sent. 56 | - The Workspace name is in the list of the allowed workspaces for that Role. 57 | - The Workspace belongs to the TFC/E Organisation configured in the auth backend 58 | 59 | _TFE/C tokens are revoked at the end of a Run_ 60 | 61 | ### Vault clients / identity 62 | This authentication backend can be configured to use/create different entities depending on the run status: `planning` or `applying`. 63 | 64 | This means there is an entity metadata entry key `RunStatus` and the display name is changed to `//` 65 | 66 | To achieve this behaviour, you need to set `use_run_status` to `true` 67 | ``` bash 68 | vault write auth/tfe-auth/config organization= use_run_status=true 69 | ``` 70 | 71 | With this you can issue **read-only** policies/credentials to entities in `planning` mode and higher priveleged credentials for `applying` mode. 72 | _This is particularly useful when using VCS backed workspaces with speculative plans_. 73 | 74 | #### Note 75 | > This setting may increase your pipeline security, but it will also double up on the number of Vault Clients required per TFC/E Workspace 76 | 77 | 78 | ## Usage / Demo 79 | 80 | All commands can be run using the provided [Makefile](./Makefile). However, it may be educational to look at the commands to gain a greater understanding of how Vault registers plugins. Using the Makefile will result in running the Vault server in `dev` mode. Do not run Vault in `dev` mode in production. The `dev` server allows you to configure the plugin directory as a flag, and automatically registers plugin binaries in that directory. In production, plugin binaries must be manually registered. 81 | 82 | > For the AWS demo, please ensure your AWS credentials have been added to the environment. 83 | 84 | This will build the plugin binary and start the Vault dev server: 85 | ```bash 86 | # Build TFE Auth plugin and start Vault dev server with plugin automatically registered 87 | $ make 88 | ``` 89 | 90 | A binary can also be downloaded from [the releases page](https://github.com/gitrgoliveira/vault-plugin-auth-tfe/releases). 91 | 92 | If instead you are installing this plugin in your Vault environment, then please do this first 93 | ```bash 94 | chmod +x /etc/vault.d/plugins/vault-plugin-auth-tfe 95 | # if your vault is using mlock (which it does by default) 96 | setcap cap_ipc_lock=+ep /etc/vault.d/plugins/vault-plugin-auth-tfe 97 | vault plugin register -sha256=84ff2af144de37792d546207e42b618cef027a692bf0d32c324555ba28ca301e auth vault-plugin-auth-tfe 98 | ``` 99 | The sha256 sum available from [the releases page](https://github.com/gitrgoliveira/vault-plugin-auth-tfe/releases) only validates the zip file. 100 | To get the sha256 sum, please run the following command: 101 | ```bash 102 | shasum -a 256 /etc/vault.d/plugins/vault-plugin-auth-tfe > /tmp/vault-plugin-auth-tfe.sha256 103 | ``` 104 | 105 | Now open a new terminal window and run the following commands: 106 | 107 | ```bash 108 | # Open a new terminal window and export Vault dev server http address 109 | $ export VAULT_ADDR='http://127.0.0.1:8200' 110 | 111 | # Enable the TFE plugin 112 | $ vault auth enable -path=tfe-auth vault-plugin-auth-tfe 113 | 114 | # Configure the Authentication backend. By default it points to app.terraform.io 115 | $ vault write auth/tfe-auth/config organization=tfc_org 116 | 117 | # Add login roles 118 | $ vault write auth/tfe-auth/role/workspace_role workspaces=* policies=default 119 | 120 | ``` 121 | 122 | An example of the above can be seen in [terraform/demo/01.setup_vault.sh](terraform/demo/01.setup_vault.sh) 123 | 124 | To login using the tfe auth method, this is the command, but it will not work unless it's run within TFC/E. 125 | 126 | ```bash 127 | $ vault write auth/tfe-auth/login role=workspace_role \ 128 | workspace=$TFC_WORKSPACE_NAME \ 129 | run-id=$TFC_RUN_ID \ 130 | tfe-token=$ATLAS_TOKEN 131 | 132 | ``` 133 | 134 | With terraform, use the code in [terraform/demo/login_file.tf](terraform/demo/login_file.tf) 135 | ``` 136 | provider "vault" { 137 | address = "http://vault_address:8200" 138 | token_name = "terraform-${var.TFE_RUN_ID}" 139 | auth_login { 140 | path = "auth/tfe-auth/login" 141 | parameters = { 142 | role = "workspace_role" 143 | workspace = var.TFC_WORKSPACE_NAME 144 | run-id = var.TFE_RUN_ID 145 | # For code that is running within TFC/TFE or using an external agent 146 | tfe-credentials-file = try(filebase64("${path.cwd}/../../../.terraformrc"), 147 | filebase64("/tmp/cli.tfrc")) 148 | } 149 | } 150 | } 151 | ``` 152 | 153 | ### AWS demo 154 | 155 | For the AWS demo, vault needs to be setup with [terraform/demo/02.setup_vault_aws.sh](terraform/demo/02.setup_vault_aws.sh) and the code in here is fairly simple [terraform/demo/aws.tf](terraform/demo/aws.tf) 156 | -------------------------------------------------------------------------------- /backend.go: -------------------------------------------------------------------------------- 1 | package tfeauth 2 | 3 | import ( 4 | "context" 5 | "encoding/json" 6 | "fmt" 7 | "strings" 8 | "sync" 9 | 10 | "github.com/hashicorp/vault/sdk/framework" 11 | "github.com/hashicorp/vault/sdk/logical" 12 | ) 13 | 14 | const ( 15 | configPath string = "config" 16 | rolePrefix string = "role/" 17 | ) 18 | 19 | // backend wraps the backend framework and adds a map for storing key value pairs. 20 | type tfeAuthBackend struct { 21 | *framework.Backend 22 | 23 | l sync.RWMutex 24 | } 25 | 26 | var _ logical.Factory = Factory 27 | 28 | // Factory configures and returns Mock backends 29 | func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) { 30 | b := Backend() 31 | 32 | if conf == nil { 33 | return nil, fmt.Errorf("configuration passed into backend is nil") 34 | } 35 | 36 | if err := b.Setup(ctx, conf); err != nil { 37 | return nil, err 38 | } 39 | 40 | return b, nil 41 | } 42 | 43 | func Backend() *tfeAuthBackend { 44 | b := &tfeAuthBackend{} 45 | 46 | b.Backend = &framework.Backend{ 47 | Help: strings.TrimSpace(backendHelp), 48 | BackendType: logical.TypeCredential, 49 | AuthRenew: nil, // tokens should not be renewable 50 | PathsSpecial: &logical.Paths{ 51 | Unauthenticated: []string{ 52 | "login", 53 | }, 54 | SealWrapStorage: []string{ 55 | configPath, 56 | }, 57 | }, 58 | Paths: framework.PathAppend( 59 | []*framework.Path{ 60 | pathLogin(b), 61 | b.pathConfig(), 62 | }, 63 | b.pathsRole(), 64 | ), 65 | } 66 | 67 | return b 68 | } 69 | 70 | // role takes a storage backend and the name and returns the role's storage 71 | // entry 72 | func (b *tfeAuthBackend) role(ctx context.Context, s logical.Storage, name string) (*roleStorageEntry, error) { 73 | raw, err := s.Get(ctx, fmt.Sprintf("%s%s", rolePrefix, strings.ToLower(name))) 74 | if err != nil { 75 | return nil, err 76 | } 77 | if raw == nil { 78 | return nil, nil 79 | } 80 | 81 | role := &roleStorageEntry{} 82 | if err := json.Unmarshal(raw.Value, role); err != nil { 83 | return nil, err 84 | } 85 | 86 | if role.TokenTTL == 0 && role.TTL > 0 { 87 | role.TokenTTL = role.TTL 88 | } 89 | if role.TokenMaxTTL == 0 && role.MaxTTL > 0 { 90 | role.TokenMaxTTL = role.MaxTTL 91 | } 92 | if role.TokenPeriod == 0 && role.Period > 0 { 93 | role.TokenPeriod = role.Period 94 | } 95 | if role.TokenNumUses == 0 && role.NumUses > 0 { 96 | role.TokenNumUses = role.NumUses 97 | } 98 | if len(role.TokenPolicies) == 0 && len(role.Policies) > 0 { 99 | role.TokenPolicies = role.Policies 100 | } 101 | if len(role.TokenBoundCIDRs) == 0 && len(role.BoundCIDRs) > 0 { 102 | role.TokenBoundCIDRs = role.BoundCIDRs 103 | } 104 | 105 | return role, nil 106 | } 107 | 108 | func (b *tfeAuthBackend) config(ctx context.Context, s logical.Storage) (*tfeAuthConfig, error) { 109 | raw, err := s.Get(ctx, configPath) 110 | if err != nil { 111 | return nil, err 112 | } 113 | if raw == nil { 114 | return nil, nil 115 | } 116 | 117 | conf := &tfeAuthConfig{} 118 | if err := json.Unmarshal(raw.Value, conf); err != nil { 119 | return nil, err 120 | } 121 | 122 | return conf, nil 123 | } 124 | 125 | const backendHelp = ` 126 | The backend is an auth backend that returns a Vault token upon 127 | successful login of a TFC worker 128 | ` 129 | -------------------------------------------------------------------------------- /cmd/vault-plugin-auth-tfe/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | 6 | tfeauth "github.com/gitrgoliveira/vault-plugin-auth-tfe" 7 | "github.com/hashicorp/go-hclog" 8 | "github.com/hashicorp/vault/api" 9 | "github.com/hashicorp/vault/sdk/plugin" 10 | ) 11 | 12 | func main() { 13 | apiClientMeta := &api.PluginAPIClientMeta{} 14 | flags := apiClientMeta.FlagSet() 15 | flags.Parse(os.Args[1:]) 16 | 17 | tlsConfig := apiClientMeta.GetTLSConfig() 18 | tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig) 19 | 20 | err := plugin.Serve(&plugin.ServeOpts{ 21 | BackendFactoryFunc: tfeauth.Factory, 22 | TLSProviderFunc: tlsProviderFunc, 23 | }) 24 | if err != nil { 25 | logger := hclog.New(&hclog.LoggerOptions{}) 26 | 27 | logger.Error("plugin shutting down", "error", err) 28 | os.Exit(1) 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/gitrgoliveira/vault-plugin-auth-tfe 2 | 3 | go 1.23.3 4 | 5 | toolchain go1.24.1 6 | 7 | require ( 8 | github.com/hashicorp/go-hclog v1.6.3 9 | github.com/hashicorp/go-sockaddr v1.0.6 10 | github.com/hashicorp/go-tfe v0.13.0 11 | github.com/hashicorp/hcl v1.0.1-vault-5 12 | github.com/hashicorp/vault/api v1.16.0 13 | github.com/hashicorp/vault/sdk v0.15.2 14 | ) 15 | 16 | require ( 17 | github.com/Microsoft/go-winio v0.6.2 // indirect 18 | github.com/armon/go-metrics v0.4.1 // indirect 19 | github.com/armon/go-radix v1.0.0 // indirect 20 | github.com/cenkalti/backoff/v4 v4.3.0 // indirect 21 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 22 | github.com/distribution/reference v0.6.0 // indirect 23 | github.com/docker/docker v27.2.1+incompatible // indirect 24 | github.com/docker/go-connections v0.5.0 // indirect 25 | github.com/docker/go-units v0.5.0 // indirect 26 | github.com/evanphx/json-patch/v5 v5.6.0 // indirect 27 | github.com/fatih/color v1.17.0 // indirect 28 | github.com/felixge/httpsnoop v1.0.4 // indirect 29 | github.com/go-jose/go-jose/v4 v4.0.4 // indirect 30 | github.com/go-logr/logr v1.4.2 // indirect 31 | github.com/go-logr/stdr v1.2.2 // indirect 32 | github.com/gogo/protobuf v1.3.2 // indirect 33 | github.com/golang/protobuf v1.5.4 // indirect 34 | github.com/golang/snappy v0.0.4 // indirect 35 | github.com/google/certificate-transparency-go v1.3.1 // indirect 36 | github.com/google/go-querystring v1.0.0 // indirect 37 | github.com/hashicorp/errwrap v1.1.0 // indirect 38 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 39 | github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 // indirect 40 | github.com/hashicorp/go-immutable-radix v1.3.1 // indirect 41 | github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 // indirect 42 | github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 // indirect 43 | github.com/hashicorp/go-multierror v1.1.1 // indirect 44 | github.com/hashicorp/go-plugin v1.6.1 // indirect 45 | github.com/hashicorp/go-retryablehttp v0.7.7 // indirect 46 | github.com/hashicorp/go-rootcerts v1.0.2 // indirect 47 | github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.1 // indirect 48 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 // indirect 49 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 // indirect 50 | github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 // indirect 51 | github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.1 // indirect 52 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect 53 | github.com/hashicorp/go-slug v0.7.0 // indirect 54 | github.com/hashicorp/go-uuid v1.0.3 // indirect 55 | github.com/hashicorp/go-version v1.7.0 // indirect 56 | github.com/hashicorp/golang-lru v1.0.2 // indirect 57 | github.com/hashicorp/yamux v0.1.1 // indirect 58 | github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect 59 | github.com/mattn/go-colorable v0.1.13 // indirect 60 | github.com/mattn/go-isatty v0.0.20 // indirect 61 | github.com/mitchellh/copystructure v1.2.0 // indirect 62 | github.com/mitchellh/go-homedir v1.1.0 // indirect 63 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect 64 | github.com/mitchellh/mapstructure v1.5.0 // indirect 65 | github.com/mitchellh/reflectwalk v1.0.2 // indirect 66 | github.com/moby/docker-image-spec v1.3.1 // indirect 67 | github.com/oklog/run v1.1.0 // indirect 68 | github.com/opencontainers/go-digest v1.0.0 // indirect 69 | github.com/opencontainers/image-spec v1.1.0 // indirect 70 | github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect 71 | github.com/pierrec/lz4 v2.6.1+incompatible // indirect 72 | github.com/pkg/errors v0.9.1 // indirect 73 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 74 | github.com/robfig/cron/v3 v3.0.1 // indirect 75 | github.com/ryanuber/go-glob v1.0.0 // indirect 76 | github.com/sasha-s/go-deadlock v0.3.5 // indirect 77 | github.com/stretchr/testify v1.10.0 // indirect 78 | github.com/svanharmelen/jsonapi v0.0.0-20180618144545-0c0828c3f16d // indirect 79 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect 80 | go.opentelemetry.io/otel v1.31.0 // indirect 81 | go.opentelemetry.io/otel/metric v1.31.0 // indirect 82 | go.opentelemetry.io/otel/trace v1.31.0 // indirect 83 | go.uber.org/atomic v1.11.0 // indirect 84 | golang.org/x/crypto v0.32.0 // indirect 85 | golang.org/x/net v0.34.0 // indirect 86 | golang.org/x/sys v0.29.0 // indirect 87 | golang.org/x/text v0.21.0 // indirect 88 | golang.org/x/time v0.9.0 // indirect 89 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect 90 | google.golang.org/grpc v1.69.4 // indirect 91 | google.golang.org/protobuf v1.36.3 // indirect 92 | gopkg.in/yaml.v3 v3.0.1 // indirect 93 | ) 94 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 2 | github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= 3 | github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= 4 | github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= 5 | github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= 6 | github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 7 | github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 8 | github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 9 | github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 10 | github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= 11 | github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= 12 | github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= 13 | github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= 14 | github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 15 | github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= 16 | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= 17 | github.com/bufbuild/protocompile v0.10.0 h1:+jW/wnLMLxaCEG8AX9lD0bQ5v9h1RUiMKOBOT5ll9dM= 18 | github.com/bufbuild/protocompile v0.10.0/go.mod h1:G9qQIQo0xZ6Uyj6CMNz0saGmx2so+KONo8/KrELABiY= 19 | github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= 20 | github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= 21 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 22 | github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= 23 | github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= 24 | github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= 25 | github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= 26 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 27 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 28 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 29 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 30 | github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= 31 | github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= 32 | github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI= 33 | github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 34 | github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 35 | github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= 36 | github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= 37 | github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= 38 | github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= 39 | github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= 40 | github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= 41 | github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= 42 | github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= 43 | github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= 44 | github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= 45 | github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 46 | github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= 47 | github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss= 48 | github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og= 49 | github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E= 50 | github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc= 51 | github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 52 | github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= 53 | github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 54 | github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= 55 | github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 56 | github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= 57 | github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 58 | github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 59 | github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= 60 | github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= 61 | github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= 62 | github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= 63 | github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 64 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 65 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 66 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 67 | github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 68 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 69 | github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 70 | github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= 71 | github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= 72 | github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 73 | github.com/google/certificate-transparency-go v1.3.1 h1:akbcTfQg0iZlANZLn0L9xOeWtyCIdeoYhKrqi5iH3Go= 74 | github.com/google/certificate-transparency-go v1.3.1/go.mod h1:gg+UQlx6caKEDQ9EElFOujyxEQEfOiQzAt6782Bvi8k= 75 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 76 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 77 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 78 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 79 | github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk= 80 | github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= 81 | github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 82 | github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= 83 | github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 84 | github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= 85 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= 86 | github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= 87 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 88 | github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= 89 | github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 90 | github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= 91 | github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 92 | github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= 93 | github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= 94 | github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= 95 | github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6 h1:kBoJV4Xl5FLtBfnBjDvBxeNSy2IRITSGs73HQsFUEjY= 96 | github.com/hashicorp/go-hmac-drbg v0.0.0-20210916214228-a6e5a68489f6/go.mod h1:y+HSOcOGB48PkUxNyLAiCiY6rEENu+E+Ss4LG8QHwf4= 97 | github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= 98 | github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= 99 | github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= 100 | github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1 h1:KIge4FHZEDb2/xjaWgmBheCTgRL6HV4sgTfDsH876L8= 101 | github.com/hashicorp/go-kms-wrapping/entropy/v2 v2.0.1/go.mod h1:aHO1EoFD0kBYLBedqxXgalfFT8lrWfP7kpuSoaqGjH0= 102 | github.com/hashicorp/go-kms-wrapping/v2 v2.0.18 h1:DLfC677GfKEpSAFpEWvl1vXsGpEcSHmbhBaPLrdDQHc= 103 | github.com/hashicorp/go-kms-wrapping/v2 v2.0.18/go.mod h1:t/eaR/mi2mw3klfl1WEAuiLKrlZ/Q8cosmsT+RIPLu0= 104 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 105 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 106 | github.com/hashicorp/go-plugin v1.6.1 h1:P7MR2UP6gNKGPp+y7EZw2kOiq4IR9WiqLvp0XOsVdwI= 107 | github.com/hashicorp/go-plugin v1.6.1/go.mod h1:XPHFku2tFo3o3QKFgSYo+cghcUhw1NA1hZyMK0PWAw0= 108 | github.com/hashicorp/go-retryablehttp v0.5.2/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= 109 | github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= 110 | github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= 111 | github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= 112 | github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= 113 | github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= 114 | github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.1 h1:VaLXp47MqD1Y2K6QVrA9RooQiPyCgAbnfeJg44wKuJk= 115 | github.com/hashicorp/go-secure-stdlib/cryptoutil v0.1.1/go.mod h1:hH8rgXHh9fPSDPerG6WzABHsHF+9ZpLhRI1LPk4JZ8c= 116 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXEx9IIZhDGRk24CDhzg= 117 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo= 118 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9 h1:FW0YttEnUNDJ2WL9XcrrfteS1xW8u+sh4ggM8pN5isQ= 119 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.9/go.mod h1:Ll013mhdmsVDuoIXVfBtvgGJsXDYkTw1kooNcoCXuE0= 120 | github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0 h1:U6y5MXGiDVOOtkWJ6o/tu1TxABnI0yKTQWJr7z6BpNk= 121 | github.com/hashicorp/go-secure-stdlib/permitpool v1.0.0/go.mod h1:ecDb3o+8D4xtP0nTCufJaAVawHavy5M2eZ64Nq/8/LM= 122 | github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.1 h1:JY+zGg8gOmslwif1fiCqT5Hu1SikLZQcHkmQhCoA9gY= 123 | github.com/hashicorp/go-secure-stdlib/plugincontainer v0.4.1/go.mod h1:jW3KCTvdPyAdVecOUwiiO2XaYgUJ/isigt++ISkszkY= 124 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= 125 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= 126 | github.com/hashicorp/go-slug v0.4.1/go.mod h1:I5tq5Lv0E2xcNXNkmx7BSfzi1PsJ2cNjs3cC3LwyhK8= 127 | github.com/hashicorp/go-slug v0.7.0 h1:8HIi6oreWPtnhpYd8lIGQBgp4rXzDWQTOhfILZm+nok= 128 | github.com/hashicorp/go-slug v0.7.0/go.mod h1:Ib+IWBYfEfJGI1ZyXMGNbu2BU+aa3Dzu41RKLH301v4= 129 | github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= 130 | github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= 131 | github.com/hashicorp/go-tfe v0.13.0 h1:cYeZpvo2zFIg0zICFrGUEyaMQbgcnLWX8pg9krlVr4w= 132 | github.com/hashicorp/go-tfe v0.13.0/go.mod h1:oT0AG5u/ROzWiw8JZFLDY6FLh6AZnJIG0Ahhvp10txg= 133 | github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 134 | github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 135 | github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= 136 | github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 137 | github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= 138 | github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= 139 | github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 140 | github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= 141 | github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= 142 | github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= 143 | github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= 144 | github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5LhwQN4= 145 | github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA= 146 | github.com/hashicorp/vault/sdk v0.15.2 h1:Rp5Yp4lyBhlWgq24ZVb2n/YN47RKOAvmx/jlMfS9ku4= 147 | github.com/hashicorp/vault/sdk v0.15.2/go.mod h1:2Wj2tHIgfz0gNWgEPWBbCXFIiPrq96E8FTjPNV9J1Bc= 148 | github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= 149 | github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= 150 | github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= 151 | github.com/jhump/protoreflect v1.16.0 h1:54fZg+49widqXYQ0b+usAFHbMkBGR4PpXrsHc8+TBDg= 152 | github.com/jhump/protoreflect v1.16.0/go.mod h1:oYPd7nPvcBw/5wlDfm/AVmU9zH9BgqGCI469pGxfj/8= 153 | github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4= 154 | github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531/go.mod h1:fqTUQpVYBvhCNIsMXGl2GE9q6z94DIP6NtFKXCSTVbg= 155 | github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d h1:J8tJzRyiddAFF65YVgxli+TyWBi0f79Sld6rJP6CBcY= 156 | github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d/go.mod h1:b+Q3v8Yrg5o15d71PSUraUzYb+jWl6wQMSBXSGS/hv0= 157 | github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 158 | github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= 159 | github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 160 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 161 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 162 | github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 163 | github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 164 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 165 | github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= 166 | github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= 167 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 168 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= 169 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 170 | github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= 171 | github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= 172 | github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 173 | github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 174 | github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= 175 | github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= 176 | github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 177 | github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 178 | github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 179 | github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= 180 | github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= 181 | github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= 182 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= 183 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 184 | github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= 185 | github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= 186 | github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 187 | github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 188 | github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= 189 | github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= 190 | github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= 191 | github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= 192 | github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 193 | github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= 194 | github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 195 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 196 | github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 197 | github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= 198 | github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= 199 | github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= 200 | github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= 201 | github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= 202 | github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= 203 | github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 204 | github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 205 | github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 206 | github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= 207 | github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= 208 | github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= 209 | github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 h1:Dx7Ovyv/SFnMFw3fD4oEoeorXc6saIiQ23LrGLth0Gw= 210 | github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4= 211 | github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= 212 | github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= 213 | github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 214 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 215 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 216 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 217 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 218 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= 219 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 220 | github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 221 | github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= 222 | github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= 223 | github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= 224 | github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 225 | github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 226 | github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= 227 | github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= 228 | github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= 229 | github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 230 | github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= 231 | github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= 232 | github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= 233 | github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= 234 | github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= 235 | github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= 236 | github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= 237 | github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU= 238 | github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U= 239 | github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 240 | github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 241 | github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 242 | github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 243 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 244 | github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 245 | github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= 246 | github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= 247 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 248 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 249 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 250 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 251 | github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= 252 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= 253 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 254 | github.com/svanharmelen/jsonapi v0.0.0-20180618144545-0c0828c3f16d h1:Z4EH+5EffvBEhh37F0C0DnpklTMh00JOkjW5zK3ofBI= 255 | github.com/svanharmelen/jsonapi v0.0.0-20180618144545-0c0828c3f16d/go.mod h1:BSTlc8jOjh0niykqEGVXOLXdi9o0r0kR8tCYiMvjFgw= 256 | github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= 257 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 258 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 259 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= 260 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= 261 | go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= 262 | go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= 263 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8= 264 | go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0/go.mod h1:iSDOcsnSA5INXzZtwaBPrKp/lWu/V14Dd+llD0oI2EA= 265 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8= 266 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8= 267 | go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= 268 | go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= 269 | go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= 270 | go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= 271 | go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= 272 | go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= 273 | go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= 274 | go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= 275 | go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI= 276 | go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY= 277 | go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 278 | go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= 279 | golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 280 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 281 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 282 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 283 | golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc= 284 | golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= 285 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 286 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 287 | golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 288 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 289 | golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 290 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 291 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 292 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 293 | golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= 294 | golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= 295 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 296 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 297 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 298 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 299 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 300 | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 301 | golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 302 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 303 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 304 | golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 305 | golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 306 | golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 307 | golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 308 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 309 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 310 | golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 311 | golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 312 | golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 313 | golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 314 | golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 315 | golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= 316 | golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 317 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 318 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 319 | golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= 320 | golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= 321 | golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 322 | golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= 323 | golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 324 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 325 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 326 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 327 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 328 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 329 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 330 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 331 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 332 | google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= 333 | google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f h1:M65LEviCfuZTfrfzwwEoxVtgvfkFkBUbFnRbxCXuXhU= 334 | google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f/go.mod h1:Yo94eF2nj7igQt+TiJ49KxjIH8ndLYPZMIRSiRcEbg0= 335 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= 336 | google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= 337 | google.golang.org/grpc v1.69.4 h1:MF5TftSMkd8GLw/m0KM6V8CMOCY6NZ1NQDPGFgbTt4A= 338 | google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= 339 | google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU= 340 | google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= 341 | gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= 342 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 343 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= 344 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 345 | gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 346 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 347 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 348 | gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 349 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 350 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 351 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 352 | gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= 353 | gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= 354 | -------------------------------------------------------------------------------- /images/vault_plugin_workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitrgoliveira/vault-plugin-auth-tfe/5d43f557a4fb4b083cb3edee6ec95d022aadf159/images/vault_plugin_workflow.png -------------------------------------------------------------------------------- /path_config.go: -------------------------------------------------------------------------------- 1 | package tfeauth 2 | 3 | import ( 4 | "context" 5 | 6 | "github.com/hashicorp/vault/sdk/framework" 7 | "github.com/hashicorp/vault/sdk/logical" 8 | ) 9 | 10 | func (b *tfeAuthBackend) pathConfig() *framework.Path { 11 | return &framework.Path{ 12 | Pattern: "config$", 13 | Fields: map[string]*framework.FieldSchema{ 14 | "terraform_host": { 15 | Type: framework.TypeString, 16 | Description: "TFE host. Defaults to https://app.terraform.io", 17 | Default: "https://app.terraform.io", 18 | }, 19 | "organization": { 20 | Type: framework.TypeString, 21 | Description: "TFE organization allowed to use this backend", 22 | }, 23 | "use_run_status": { 24 | Type: framework.TypeBool, 25 | Description: `If True, the backend will create different entities for plan and apply. 26 | These will be have a suffix of "planning" or "applying" accordingly 27 | Be aware that this will increase your Vault client count.`, 28 | Default: false, 29 | }, 30 | }, 31 | Operations: map[logical.Operation]framework.OperationHandler{ 32 | logical.ReadOperation: &framework.PathOperation{ 33 | Callback: b.pathConfigRead, 34 | Summary: "Read the current authentication backend configuration.", 35 | }, 36 | logical.UpdateOperation: &framework.PathOperation{ 37 | Callback: b.pathConfigWrite, 38 | Summary: "configure the auth backend", 39 | }, 40 | }, 41 | } 42 | } 43 | 44 | func (b *tfeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 45 | org := data.Get("organization").(string) 46 | if org == "" { 47 | return logical.ErrorResponse("no organization provided"), nil 48 | } 49 | host := data.Get("terraform_host").(string) 50 | if host == "" { 51 | return logical.ErrorResponse("no host provided"), nil 52 | } 53 | 54 | config := &tfeAuthConfig{ 55 | Host: host, 56 | Organization: org, 57 | UseRunStatus: data.Get("use_run_status").(bool), 58 | } 59 | 60 | entry, err := logical.StorageEntryJSON(configPath, config) 61 | if err != nil { 62 | return nil, err 63 | } 64 | 65 | if err := req.Storage.Put(ctx, entry); err != nil { 66 | return nil, err 67 | } 68 | return nil, nil 69 | } 70 | 71 | type tfeAuthConfig struct { 72 | // Host is the url string for the TFE API 73 | Host string `json:"host"` 74 | // The organization authorised to use this backend 75 | Organization string `json:"organization"` 76 | // to append the run status to the created alias and entity 77 | UseRunStatus bool `json:"use_run_status"` 78 | } 79 | 80 | func (b *tfeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { 81 | if config, err := b.config(ctx, req.Storage); err != nil { 82 | return nil, err 83 | } else if config == nil { 84 | return nil, nil 85 | } else { 86 | resp := &logical.Response{ 87 | Data: map[string]interface{}{ 88 | "terraform_host": config.Host, 89 | "organization": config.Organization, 90 | "use_run_status": config.UseRunStatus, 91 | }, 92 | } 93 | return resp, nil 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /path_login.go: -------------------------------------------------------------------------------- 1 | package tfeauth 2 | 3 | import ( 4 | "context" 5 | "encoding/base64" 6 | "errors" 7 | "fmt" 8 | 9 | log "github.com/hashicorp/go-hclog" 10 | tfe "github.com/hashicorp/go-tfe" 11 | "github.com/hashicorp/hcl" 12 | "github.com/hashicorp/vault/sdk/framework" 13 | "github.com/hashicorp/vault/sdk/helper/cidrutil" 14 | "github.com/hashicorp/vault/sdk/helper/strutil" 15 | "github.com/hashicorp/vault/sdk/logical" 16 | ) 17 | 18 | func pathLogin(b *tfeAuthBackend) *framework.Path { 19 | return &framework.Path{ 20 | Pattern: "login$", 21 | Fields: map[string]*framework.FieldSchema{ 22 | "role": { 23 | Type: framework.TypeString, 24 | Description: `Name of the role against which the login is being attempted. This field is required`, 25 | }, 26 | "workspace": { 27 | Type: framework.TypeString, 28 | Description: "Name of the workspace that is loging in", 29 | }, 30 | "run-id": { 31 | Type: framework.TypeString, 32 | Description: "TFC_RUN_ID or ATLAS_RUN_ID of the current active run", 33 | }, 34 | "tfe-token": { 35 | Type: framework.TypeString, 36 | Description: "The ATLAS_TOKEN environment variable or a TFE access token from the worker service account", 37 | }, 38 | "tfe-credentials-file": { 39 | Type: framework.TypeString, 40 | Description: "TFE/TFC credentials file in TERRAFORM_CONFIG, provided base64 encoded. This is usually in /tmp/cli.tfrc, unless you are using a TFC agent.", 41 | }, 42 | }, 43 | 44 | Callbacks: map[logical.Operation]framework.OperationFunc{ 45 | logical.UpdateOperation: b.pathLogin, 46 | logical.AliasLookaheadOperation: b.aliasLookahead, 47 | }, 48 | 49 | HelpSynopsis: pathLoginHelpSyn, 50 | HelpDescription: pathLoginHelpDesc, 51 | } 52 | } 53 | 54 | func (b *tfeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 55 | roleName := data.Get("role").(string) 56 | if len(roleName) == 0 { 57 | return logical.ErrorResponse("missing role"), nil 58 | } 59 | 60 | workspaceStr := data.Get("workspace").(string) 61 | if len(workspaceStr) == 0 { 62 | return logical.ErrorResponse("missing workspace"), nil 63 | } 64 | 65 | runIDStr := data.Get("run-id").(string) 66 | if len(runIDStr) == 0 { 67 | return logical.ErrorResponse("missing run-id"), nil 68 | } 69 | 70 | tfeTokenStr := data.Get("tfe-token").(string) 71 | credentialsFileStr := data.Get("tfe-credentials-file").(string) 72 | if len(tfeTokenStr) == 0 && len(credentialsFileStr) == 0 { 73 | return logical.ErrorResponse("missing TFE token or credentials file"), nil 74 | } 75 | if len(tfeTokenStr) > 0 && len(credentialsFileStr) > 0 { 76 | return logical.ErrorResponse("Only TFE token or credentials file may be provided. Not both."), nil 77 | } 78 | 79 | b.l.RLock() 80 | defer b.l.RUnlock() 81 | 82 | role, err := b.role(ctx, req.Storage, roleName) 83 | if err != nil { 84 | return nil, err 85 | } 86 | if role == nil { 87 | return logical.ErrorResponse(fmt.Sprintf("invalid role name \"%s\"", roleName)), nil 88 | } 89 | 90 | // Check for a CIDR match. 91 | if len(role.TokenBoundCIDRs) > 0 { 92 | if req.Connection == nil { 93 | b.Logger().Warn("token bound CIDRs found but no connection information available for validation") 94 | return nil, logical.ErrPermissionDenied 95 | } 96 | if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, role.TokenBoundCIDRs) { 97 | return nil, logical.ErrPermissionDenied 98 | } 99 | } 100 | 101 | config, err := b.config(ctx, req.Storage) 102 | if err != nil { 103 | return nil, err 104 | } 105 | if config == nil { 106 | return nil, errors.New("could not load backend configuration") 107 | } 108 | 109 | tfeLogin, err := b.parseAndValidateLogin(role, config, 110 | workspaceStr, runIDStr, tfeTokenStr, credentialsFileStr) 111 | if err != nil { 112 | return nil, err 113 | } 114 | 115 | run_status, err := tfeLogin.lookup(role, config) 116 | if err != nil { 117 | b.Logger().Error(`login unauthorized due to: ` + err.Error()) 118 | return nil, logical.ErrPermissionDenied 119 | } 120 | metadata := map[string]string{ 121 | "Workspace": tfeLogin.Workspace, 122 | "Organization": config.Organization, 123 | "role": roleName, 124 | "RunStatus": run_status, 125 | } 126 | name := fmt.Sprintf("%s/%s/%s", config.Organization, tfeLogin.Workspace, run_status) 127 | 128 | if config.UseRunStatus == false { // keeping previous behaviour 129 | metadata = map[string]string{ 130 | "Workspace": tfeLogin.Workspace, 131 | "Organization": config.Organization, 132 | "role": roleName, 133 | "RunStatus": "", 134 | } 135 | name = fmt.Sprintf("%s/%s", config.Organization, tfeLogin.Workspace) 136 | } 137 | 138 | auth := &logical.Auth{ 139 | Alias: &logical.Alias{ 140 | Name: name, 141 | Metadata: metadata, 142 | }, 143 | InternalData: map[string]interface{}{}, 144 | Metadata: metadata, 145 | DisplayName: name, 146 | } 147 | 148 | role.PopulateTokenAuth(auth) 149 | 150 | return &logical.Response{ 151 | Auth: auth, 152 | }, nil 153 | } 154 | 155 | func (b *tfeAuthBackend) aliasLookahead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 156 | 157 | workspaceStr := data.Get("workspace").(string) 158 | if len(workspaceStr) == 0 { 159 | return logical.ErrorResponse("missing workspace"), nil 160 | } 161 | 162 | config, err := b.config(ctx, req.Storage) 163 | if err != nil { 164 | return nil, err 165 | } 166 | if config == nil { 167 | return nil, errors.New("could not load backend configuration") 168 | } 169 | 170 | return &logical.Response{ 171 | Auth: &logical.Auth{ 172 | Alias: &logical.Alias{ 173 | Name: fmt.Sprintf("%s/%s", config.Organization, workspaceStr), 174 | }, 175 | }, 176 | }, nil 177 | } 178 | 179 | type TerraformConfig struct { 180 | Credentials []CredentialsConfig `hcl:"credentials,block"` 181 | } 182 | 183 | type CredentialsConfig struct { 184 | Host string `hcl:"host,label"` 185 | Token string `hcl:"token"` 186 | } 187 | 188 | func (b *tfeAuthBackend) parseAndValidateLogin(role *roleStorageEntry, config *tfeAuthConfig, 189 | workspace string, runID string, tfeToken string, credentialsFileStr string) (*tfeLogin, error) { 190 | 191 | if len(role.Workspaces) > 1 || role.Workspaces[0] != "*" { 192 | if !strutil.StrListContainsGlob(role.Workspaces, workspace) { 193 | b.Logger().Error(`workspace %s not authorized`, workspace) 194 | return nil, errors.New("workspace not authorized") 195 | } 196 | } 197 | 198 | login := &tfeLogin{} 199 | login.Workspace = workspace 200 | login.RunID = runID 201 | 202 | if len(credentialsFileStr) > 0 { 203 | // _, err := base64.StdEncoding.DecodeString(credentialsFileStr) 204 | credentialsFileDecoded, err := base64.StdEncoding.DecodeString(credentialsFileStr) 205 | if err != nil { 206 | b.Logger().Error(`unable to decode credentials file`) 207 | return nil, logical.ErrPermissionDenied 208 | } 209 | var tfConfig TerraformConfig 210 | err = hcl.Decode(&tfConfig, string(credentialsFileDecoded)) 211 | if err != nil { 212 | b.Logger().Error(`unable to parse credentials file`) 213 | return nil, logical.ErrPermissionDenied 214 | } 215 | login.TFEToken = tfConfig.Credentials[0].Token 216 | } else { 217 | login.TFEToken = tfeToken 218 | } 219 | 220 | return login, nil 221 | } 222 | 223 | type tfeLogin struct { 224 | Workspace string `mapstructure:"workspace"` 225 | RunID string `mapstructure:"run-id"` 226 | TFEToken string `mapstructure:"tfe-token"` 227 | } 228 | 229 | func (t *tfeLogin) lookup(role *roleStorageEntry, config *tfeAuthConfig) (string, error) { 230 | 231 | clientConfig := &tfe.Config{ 232 | Address: config.Host, 233 | Token: t.TFEToken, 234 | } 235 | 236 | ctx := context.Background() 237 | 238 | client, err := tfe.NewClient(clientConfig) 239 | if err != nil { 240 | msg := fmt.Sprintf("Error creating client for host %s with token %s -> %s", config.Host, t.TFEToken, string(err.Error())) 241 | return "", fmt.Errorf(msg) 242 | } 243 | 244 | run, err := client.Runs.Read(ctx, t.RunID) 245 | if err != nil { 246 | msg := fmt.Sprintf("Error fetching RunID %s Info: %s", t.RunID, string(err.Error())) 247 | return "", fmt.Errorf(msg) 248 | } 249 | 250 | workspace, err := client.Workspaces.Read(ctx, config.Organization, t.Workspace) 251 | if err != nil { 252 | msg := fmt.Sprintf("Error fetching Workspace %s Info -> %s", t.Workspace, string(err.Error())) 253 | return "", fmt.Errorf(msg) 254 | } 255 | 256 | account, err := client.Users.ReadCurrent(ctx) 257 | if err != nil { 258 | msg := fmt.Sprintf("Error fetching Account Info for token %s -> %s", t.TFEToken, string(err.Error())) 259 | return "", fmt.Errorf(msg) 260 | } 261 | 262 | msg := fmt.Sprintf("Run status is %s", run.Status) 263 | log.L().Debug(msg, "debug", nil) 264 | 265 | // The Run must be related to the specified workspace 266 | if run.Workspace.ID != workspace.ID { 267 | msg := fmt.Sprintf("Workspace ID in Run (%s) and workspace ID (%s) mismatch", run.ID, workspace.ID) 268 | return "", fmt.Errorf(msg) 269 | } 270 | 271 | // The account must be a service account. 272 | if account.IsServiceAccount == false { 273 | msg := fmt.Sprintf("TFE Token must belong to a service account") 274 | return "", fmt.Errorf(msg) 275 | } 276 | 277 | log.L().Info(string(run.ID), "info", nil) 278 | log.L().Info(string(workspace.ID), "info", nil) 279 | log.L().Info(string(account.ID), "info", nil) 280 | 281 | return fmt.Sprintf("%s", run.Status), nil 282 | } 283 | 284 | const pathLoginHelpSyn = `Authenticates the current workspace run ID with Vault.` 285 | const pathLoginHelpDesc = ` 286 | Authenticate current workspace run ID. 287 | ` 288 | -------------------------------------------------------------------------------- /path_role.go: -------------------------------------------------------------------------------- 1 | package tfeauth 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "strings" 7 | "time" 8 | 9 | "github.com/hashicorp/go-sockaddr" 10 | "github.com/hashicorp/vault/sdk/framework" 11 | "github.com/hashicorp/vault/sdk/helper/strutil" 12 | "github.com/hashicorp/vault/sdk/helper/tokenutil" 13 | "github.com/hashicorp/vault/sdk/logical" 14 | ) 15 | 16 | // pathsRole returns the path configurations for the CRUD operations on roles 17 | func (b *tfeAuthBackend) pathsRole() []*framework.Path { 18 | p := []*framework.Path{ 19 | { 20 | Pattern: "role/?", 21 | Callbacks: map[logical.Operation]framework.OperationFunc{ 22 | logical.ListOperation: b.pathRoleList, 23 | }, 24 | HelpSynopsis: strings.TrimSpace(roleHelp["role-list"][0]), 25 | HelpDescription: strings.TrimSpace(roleHelp["role-list"][1]), 26 | DisplayAttrs: &framework.DisplayAttributes{ 27 | Navigation: true, 28 | }, 29 | }, 30 | { 31 | Pattern: "role/" + framework.GenericNameRegex("name"), 32 | Fields: map[string]*framework.FieldSchema{ 33 | "name": { 34 | Type: framework.TypeString, 35 | Description: "Name of the role.", 36 | }, 37 | "workspaces": { 38 | Type: framework.TypeCommaStringSlice, 39 | Description: `Workspaces name`, 40 | }, 41 | "policies": { 42 | Type: framework.TypeCommaStringSlice, 43 | Description: tokenutil.DeprecationText("token_policies"), 44 | Deprecated: true, 45 | }, 46 | "num_uses": { 47 | Type: framework.TypeInt, 48 | Description: tokenutil.DeprecationText("token_num_uses"), 49 | Deprecated: true, 50 | }, 51 | "ttl": { 52 | Type: framework.TypeDurationSecond, 53 | Description: tokenutil.DeprecationText("token_ttl"), 54 | Deprecated: true, 55 | }, 56 | "max_ttl": { 57 | Type: framework.TypeDurationSecond, 58 | Description: tokenutil.DeprecationText("token_max_ttl"), 59 | Deprecated: true, 60 | }, 61 | "period": { 62 | Type: framework.TypeDurationSecond, 63 | Description: tokenutil.DeprecationText("token_period"), 64 | Deprecated: true, 65 | }, 66 | "bound_cidrs": { 67 | Type: framework.TypeCommaStringSlice, 68 | Description: tokenutil.DeprecationText("token_bound_cidrs"), 69 | Deprecated: true, 70 | }, 71 | }, 72 | ExistenceCheck: b.pathRoleExistenceCheck, 73 | Callbacks: map[logical.Operation]framework.OperationFunc{ 74 | logical.CreateOperation: b.pathRoleCreateUpdate, 75 | logical.UpdateOperation: b.pathRoleCreateUpdate, 76 | logical.ReadOperation: b.pathRoleRead, 77 | logical.DeleteOperation: b.pathRoleDelete, 78 | }, 79 | HelpSynopsis: strings.TrimSpace(roleHelp["role"][0]), 80 | HelpDescription: strings.TrimSpace(roleHelp["role"][1]), 81 | DisplayAttrs: &framework.DisplayAttributes{ 82 | Action: "Create", 83 | }, 84 | }, 85 | } 86 | 87 | tokenutil.AddTokenFields(p[1].Fields) 88 | return p 89 | } 90 | 91 | // pathRoleExistenceCheck returns whether the role with the given name exists or not. 92 | func (b *tfeAuthBackend) pathRoleExistenceCheck(ctx context.Context, req *logical.Request, data *framework.FieldData) (bool, error) { 93 | b.l.RLock() 94 | defer b.l.RUnlock() 95 | 96 | role, err := b.role(ctx, req.Storage, data.Get("name").(string)) 97 | if err != nil { 98 | return false, err 99 | } 100 | return role != nil, nil 101 | } 102 | 103 | // pathRoleList is used to list all the Roles registered with the backend. 104 | func (b *tfeAuthBackend) pathRoleList(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 105 | b.l.RLock() 106 | defer b.l.RUnlock() 107 | 108 | roles, err := req.Storage.List(ctx, "role/") 109 | if err != nil { 110 | return nil, err 111 | } 112 | return logical.ListResponse(roles), nil 113 | } 114 | 115 | // pathRoleRead grabs a read lock and reads the options set on the role from the storage 116 | func (b *tfeAuthBackend) pathRoleRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 117 | roleName := data.Get("name").(string) 118 | if roleName == "" { 119 | return logical.ErrorResponse("missing name"), nil 120 | } 121 | 122 | b.l.RLock() 123 | defer b.l.RUnlock() 124 | 125 | role, err := b.role(ctx, req.Storage, roleName) 126 | if err != nil { 127 | return nil, err 128 | } 129 | if role == nil { 130 | return nil, nil 131 | } 132 | 133 | // Create a map of data to be returned 134 | d := map[string]interface{}{ 135 | "workspaces": role.Workspaces, 136 | } 137 | 138 | role.PopulateTokenData(d) 139 | 140 | if len(role.Policies) > 0 { 141 | d["policies"] = d["token_policies"] 142 | } 143 | if len(role.BoundCIDRs) > 0 { 144 | d["bound_cidrs"] = d["token_bound_cidrs"] 145 | } 146 | if role.TTL > 0 { 147 | d["ttl"] = int64(role.TTL.Seconds()) 148 | } 149 | if role.MaxTTL > 0 { 150 | d["max_ttl"] = int64(role.MaxTTL.Seconds()) 151 | } 152 | if role.Period > 0 { 153 | d["period"] = int64(role.Period.Seconds()) 154 | } 155 | if role.NumUses > 0 { 156 | d["num_uses"] = role.NumUses 157 | } 158 | 159 | return &logical.Response{ 160 | Data: d, 161 | }, nil 162 | } 163 | 164 | // pathRoleDelete removes the role from storage 165 | func (b *tfeAuthBackend) pathRoleDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 166 | roleName := data.Get("name").(string) 167 | if roleName == "" { 168 | return logical.ErrorResponse("missing role name"), nil 169 | } 170 | 171 | // Acquire the lock before deleting the role. 172 | b.l.Lock() 173 | defer b.l.Unlock() 174 | 175 | // Delete the role itself 176 | if err := req.Storage.Delete(ctx, "role/"+strings.ToLower(roleName)); err != nil { 177 | return nil, err 178 | } 179 | 180 | return nil, nil 181 | } 182 | 183 | // pathRoleCreateUpdate registers a new role with the backend or updates the options 184 | // of an existing role 185 | func (b *tfeAuthBackend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { 186 | roleName := data.Get("name").(string) 187 | if roleName == "" { 188 | return logical.ErrorResponse("missing role name"), nil 189 | } 190 | 191 | b.l.Lock() 192 | defer b.l.Unlock() 193 | 194 | // Check if the role already exists 195 | role, err := b.role(ctx, req.Storage, roleName) 196 | if err != nil { 197 | return nil, err 198 | } 199 | 200 | // Create a new entry object if this is a CreateOperation 201 | if role == nil && req.Operation == logical.CreateOperation { 202 | role = &roleStorageEntry{} 203 | } else if role == nil { 204 | return nil, fmt.Errorf("role entry not found during update operation") 205 | } 206 | 207 | if err := role.ParseTokenFields(req, data); err != nil { 208 | return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest 209 | } 210 | 211 | // Handle upgrade cases 212 | { 213 | if err := tokenutil.UpgradeValue(data, "policies", "token_policies", &role.Policies, &role.TokenPolicies); err != nil { 214 | return logical.ErrorResponse(err.Error()), nil 215 | } 216 | 217 | if err := tokenutil.UpgradeValue(data, "bound_cidrs", "token_bound_cidrs", &role.BoundCIDRs, &role.TokenBoundCIDRs); err != nil { 218 | return logical.ErrorResponse(err.Error()), nil 219 | } 220 | 221 | if err := tokenutil.UpgradeValue(data, "num_uses", "token_num_uses", &role.NumUses, &role.TokenNumUses); err != nil { 222 | return logical.ErrorResponse(err.Error()), nil 223 | } 224 | 225 | if err := tokenutil.UpgradeValue(data, "ttl", "token_ttl", &role.TTL, &role.TokenTTL); err != nil { 226 | return logical.ErrorResponse(err.Error()), nil 227 | } 228 | 229 | if err := tokenutil.UpgradeValue(data, "max_ttl", "token_max_ttl", &role.MaxTTL, &role.TokenMaxTTL); err != nil { 230 | return logical.ErrorResponse(err.Error()), nil 231 | } 232 | 233 | if err := tokenutil.UpgradeValue(data, "period", "token_period", &role.Period, &role.TokenPeriod); err != nil { 234 | return logical.ErrorResponse(err.Error()), nil 235 | } 236 | } 237 | 238 | if role.TokenPeriod > b.System().MaxLeaseTTL() { 239 | return logical.ErrorResponse(fmt.Sprintf("token period of '%q' is greater than the backend's maximum lease TTL of '%q'", role.TokenPeriod.String(), b.System().MaxLeaseTTL().String())), nil 240 | } 241 | 242 | // Check that the TTL value provided is less than the MaxTTL. 243 | // Sanitizing the TTL and MaxTTL is not required now and can be performed 244 | // at credential issue time. 245 | if role.TokenMaxTTL > time.Duration(0) && role.TokenTTL > role.TokenMaxTTL { 246 | return logical.ErrorResponse("token ttl should not be greater than token max ttl"), nil 247 | } 248 | 249 | var resp *logical.Response 250 | if role.TokenMaxTTL > b.System().MaxLeaseTTL() { 251 | resp = &logical.Response{} 252 | resp.AddWarning("max_ttl is greater than the system or backend mount's maximum TTL value; issued tokens' max TTL value will be truncated") 253 | } 254 | 255 | if workspaces, ok := data.GetOk("workspaces"); ok { 256 | role.Workspaces = workspaces.([]string) 257 | } else if req.Operation == logical.CreateOperation { 258 | role.Workspaces = data.Get("workspaces").([]string) 259 | } 260 | // Verify namespaces is not empty 261 | if len(role.Workspaces) == 0 { 262 | return logical.ErrorResponse("\"workspaces\" can not be empty"), nil 263 | } 264 | // Verify * was not set with other data 265 | if len(role.Workspaces) > 1 && strutil.StrListContains(role.Workspaces, "*") { 266 | return logical.ErrorResponse("can not mix \"*\" with values"), nil 267 | } 268 | 269 | // Store the entry. 270 | entry, err := logical.StorageEntryJSON("role/"+strings.ToLower(roleName), role) 271 | if err != nil { 272 | return nil, err 273 | } 274 | if entry == nil { 275 | return nil, fmt.Errorf("failed to create storage entry for role %s", roleName) 276 | } 277 | if err = req.Storage.Put(ctx, entry); err != nil { 278 | return nil, err 279 | } 280 | 281 | return resp, nil 282 | } 283 | 284 | // roleStorageEntry stores all the options that are set on an role 285 | type roleStorageEntry struct { 286 | tokenutil.TokenParams 287 | 288 | // Workspaces is the array of workspaces able to access this 289 | // role. 290 | Workspaces []string `json:"workspaces" mapstructure:"workspaces" structs:"workspaces"` 291 | 292 | // Deprecated by TokenParams 293 | Policies []string `json:"policies" structs:"policies" mapstructure:"policies"` 294 | NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"` 295 | TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"` 296 | MaxTTL time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"` 297 | Period time.Duration `json:"period" mapstructure:"period" structs:"period"` 298 | BoundCIDRs []*sockaddr.SockAddrMarshaler 299 | } 300 | 301 | var roleHelp = map[string][2]string{ 302 | "role-list": { 303 | "Lists all the roles registered with the backend.", 304 | "The list will contain the names of the roles.", 305 | }, 306 | "role": { 307 | "Register an role with the backend.", 308 | `A role is required to authenticate with this backend. The role binds 309 | the workspace with token policies and settings. 310 | The bindings, token polices and token settings can all be configured 311 | using this endpoint`, 312 | }, 313 | } 314 | -------------------------------------------------------------------------------- /terraform/api-testing/.gitignore: -------------------------------------------------------------------------------- 1 | .terraform -------------------------------------------------------------------------------- /terraform/api-testing/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/null" { 5 | version = "3.0.0" 6 | constraints = "3.0.0" 7 | hashes = [ 8 | "h1:V1tzrSG6t3e7zWvUwRbGbhsWU2Jd/anrJpOl9XM+R/8=", 9 | "zh:05fb7eab469324c97e9b73a61d2ece6f91de4e9b493e573bfeda0f2077bc3a4c", 10 | "zh:1688aa91885a395c4ae67636d411475d0b831e422e005dcf02eedacaafac3bb4", 11 | "zh:24a0b1292e3a474f57c483a7a4512d797e041bc9c2fbaac42fe12e86a7fb5a3c", 12 | "zh:2fc951bd0d1b9b23427acc93be09b6909d72871e464088171da60fbee4fdde03", 13 | "zh:6db825759425599a326385a68acc6be2d9ba0d7d6ef587191d0cdc6daef9ac63", 14 | "zh:85985763d02618993c32c294072cc6ec51f1692b803cb506fcfedca9d40eaec9", 15 | "zh:a53186599c57058be1509f904da512342cfdc5d808efdaf02dec15f0f3cb039a", 16 | "zh:c2e07b49b6efa676bdc7b00c06333ea1792a983a5720f9e2233db27323d2707c", 17 | "zh:cdc8fe1096103cf5374751e2e8408ec4abd2eb67d5a1c5151fe2c7ecfd525bef", 18 | "zh:dbdef21df0c012b0d08776f3d4f34eb0f2f229adfde07ff252a119e52c0f65b7", 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /terraform/api-testing/api_test.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | null = { 4 | source = "hashicorp/null" 5 | version = "3.0.0" 6 | } 7 | } 8 | } 9 | 10 | locals { 11 | workspace = split("/",var.TFC_WORKSPACE_SLUG)[1] 12 | organization = split("/",var.TFC_WORKSPACE_SLUG)[0] 13 | } 14 | 15 | provider "null" { 16 | # Configuration options 17 | } 18 | resource "null_resource" "run_info" { 19 | provisioner "local-exec" { 20 | command = "curl --header \"Authorization: Bearer $ATLAS_TOKEN\" --header \"Content-Type: application/vnd.api+json\" $TF_VAR_ATLAS_ADDRESS/api/v2/runs/$ATLAS_RUN_ID" 21 | } 22 | triggers = { 23 | always_run = timestamp() 24 | } 25 | 26 | } 27 | 28 | resource "null_resource" "workspace_info" { 29 | provisioner "local-exec" { 30 | command = "curl --header \"Authorization: Bearer $ATLAS_TOKEN\" --header \"Content-Type: application/vnd.api+json\" $TF_VAR_ATLAS_ADDRESS/api/v2/organizations/${local.organization}/workspaces/${local.workspace}" 31 | } 32 | triggers = { 33 | always_run = timestamp() 34 | } 35 | 36 | } 37 | resource "null_resource" "account_details" { 38 | provisioner "local-exec" { 39 | command = "curl --header \"Authorization: Bearer $ATLAS_TOKEN\" --header \"Content-Type: application/vnd.api+json\" --request GET $TF_VAR_ATLAS_ADDRESS/api/v2/account/details" 40 | } 41 | triggers = { 42 | always_run = timestamp() 43 | } 44 | } 45 | 46 | 47 | resource "null_resource" "sleep" { 48 | provisioner "local-exec" { 49 | command = "env && sleep 300" 50 | } 51 | triggers = { 52 | always_run = timestamp() 53 | } 54 | depends_on = [null_resource.account_details, 55 | null_resource.run_info, 56 | null_resource.workspace_info] 57 | 58 | } 59 | 60 | -------------------------------------------------------------------------------- /terraform/api-testing/backend.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | hostname = "tfe.ric.gcp.hashidemos.io" 4 | organization = "org2" 5 | workspaces { 6 | name = "tfe-gcp-test-network" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /terraform/api-testing/outputs.tf: -------------------------------------------------------------------------------- 1 | # output "output" { 2 | # description = "module outputs" 3 | # value = module.network 4 | # } 5 | -------------------------------------------------------------------------------- /terraform/api-testing/tfe_data/account_details.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "id": "user-YeDY3vZi4NrTrsdT", 4 | "type": "users", 5 | "attributes": { 6 | "username": "api-org-org2-GUUO6S93ME", 7 | "is-service-account": true, 8 | "avatar-url": "https://www.gravatar.com/avatar/05b4f3f874765365f6abd184c0015968?s=100&d=mm", 9 | "password": null, 10 | "enterprise-support": true, 11 | "is-site-admin": false, 12 | "is-sso-login": false, 13 | "two-factor": { 14 | "enabled": false, 15 | "verified": false 16 | }, 17 | "email": "api-org-org2-guuo6s93me@hashicorp.com", 18 | "unconfirmed-email": null, 19 | "has-git-hub-app-token": false, 20 | "is-confirmed": true, 21 | "is-sudo": false, 22 | "permissions": { 23 | "can-create-organizations": false, 24 | "can-change-email": true, 25 | "can-change-username": true, 26 | "can-manage-user-tokens": false 27 | } 28 | }, 29 | "relationships": { 30 | "authentication-tokens": { 31 | "links": { 32 | "related": "/api/v2/users/user-YeDY3vZi4NrTrsdT/authentication-tokens" 33 | } 34 | } 35 | }, 36 | "links": { 37 | "self": "/api/v2/users/user-YeDY3vZi4NrTrsdT" 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /terraform/api-testing/tfe_data/env.vars: -------------------------------------------------------------------------------- 1 | ATLAS_RUN_ID=run-U7VpRnrDSGhyk8Ff 2 | TF_VAR_ATLAS_CONFIGURATION_SLUG=org2/tfe-gcp-test-network 3 | TFC_WORKSPACE_NAME=tfe-gcp-test-network 4 | HOSTNAME=9565a63d9931 5 | TF_INPUT=0 6 | ATLAS_WORKSPACE_NAME=tfe-gcp-test-network 7 | HOME=/root 8 | OLDPWD=/ 9 | TF_X_SHADOW=0 10 | TF_REGISTRY_DISCOVERY_RETRY=2 11 | TF_VAR_ATLAS_CONFIGURATION_NAME=tfe-gcp-test-network 12 | TF_VAR_ATLAS_WORKSPACE_SLUG=org2/tfe-gcp-test-network 13 | ATLAS_CONFIGURATION_SLUG=org2/tfe-gcp-test-network 14 | TF_VAR_TFC_WORKSPACE_SLUG=org2/tfe-gcp-test-network 15 | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 16 | ATLAS_TOKEN=eJ1fkmbxGLtbNg.atlasv1.GGpvS5FwHsYTBLze9S4Pqsx2ahPc67Ypv8d5XlgHptWQ06dwHRrtnXWb2tyTzIp0860 17 | TF_VAR_ATLAS_ADDRESS=https://tfe.ric.gcp.hashidemos.io 18 | TF_APPEND_USER_AGENT=TFE/v202101-1 19 | TF_VAR_ATLAS_RUN_ID=run-U7VpRnrDSGhyk8Ff 20 | TFC_WORKSPACE_SLUG=org2/tfe-gcp-test-network 21 | TF_VAR_TFC_RUN_ID=run-U7VpRnrDSGhyk8Ff 22 | TF_VAR_ATLAS_WORKSPACE_NAME=tfe-gcp-test-network 23 | ATLAS_CONFIGURATION_NAME=tfe-gcp-test-network 24 | TF_VAR_TFE_RUN_ID=run-U7VpRnrDSGhyk8Ff 25 | PLUGIN_MIN_PORT=10000 26 | ATLAS_WORKSPACE_SLUG=org2/tfe-gcp-test-network 27 | PLUGIN_MAX_PORT=25000 28 | CHECKPOINT_DISABLE=1 29 | TERRAFORM_CONFIG=/tmp/cli.tfrc 30 | TF_VAR_TFC_WORKSPACE_NAME=tfe-gcp-test-network 31 | PWD=/terraform 32 | PLUGIN_PROTOCOL_VERSIONS=5 33 | TF_IN_AUTOMATION=1 34 | TFC_RUN_ID=run-U7VpRnrDSGhyk8Ff 35 | ATLAS_ADDRESS=https://tfe.ric.gcp.hashidemos.io 36 | TFE_RUN_ID=run-U7VpRnrDSGhyk8Ff 37 | TF_FORCE_LOCAL_BACKEND=1 38 | TF_PLUGIN_MAGIC_COOKIE=d602bf8f470bc67ca7faa0386276bbdd4330efaf76d1a219cb4d6991ca9872b2 -------------------------------------------------------------------------------- /terraform/api-testing/tfe_data/run_details.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "id": "run-U7VpRnrDSGhyk8Ff", 4 | "type": "runs", 5 | "attributes": { 6 | "actions": { 7 | "is-cancelable": true, 8 | "is-confirmable": false, 9 | "is-discardable": false, 10 | "is-force-cancelable": false 11 | }, 12 | "canceled-at": null, 13 | "created-at": "2021-01-31T17:32:29.389Z", 14 | "has-changes": true, 15 | "is-destroy": false, 16 | "message": "Queued manually using Terraform", 17 | "plan-only": false, 18 | "source": "terraform", 19 | "status-timestamps": { 20 | "planned-at": "2021-01-31T17:32:41+00:00", 21 | "applying-at": "2021-01-31T17:32:43+00:00", 22 | "planning-at": "2021-01-31T17:32:30+00:00", 23 | "confirmed-at": "2021-01-31T17:32:42+00:00", 24 | "plan-queued-at": "2021-01-31T17:32:29+00:00", 25 | "apply-queued-at": "2021-01-31T17:32:42+00:00", 26 | "plan-queueable-at": "2021-01-31T17:32:29+00:00" 27 | }, 28 | "status": "applying", 29 | "trigger-reason": "manual", 30 | "target-addrs": null, 31 | "permissions": { 32 | "can-apply": false, 33 | "can-cancel": false, 34 | "can-comment": false, 35 | "can-discard": false, 36 | "can-force-execute": false, 37 | "can-force-cancel": false, 38 | "can-override-policy-check": false 39 | } 40 | }, 41 | "relationships": { 42 | "comments": { 43 | "data": [], 44 | "links": { 45 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/comments" 46 | } 47 | }, 48 | "workspace": { 49 | "data": { 50 | "id": "ws-iabb32pCqyGmB4Xf", 51 | "type": "workspaces" 52 | } 53 | }, 54 | "apply": { 55 | "data": { 56 | "id": "apply-NuukDBMg4TXsuMZr", 57 | "type": "applies" 58 | }, 59 | "links": { 60 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/apply" 61 | } 62 | }, 63 | "configuration-version": { 64 | "data": { 65 | "id": "cv-CwngByBqisLp4P2Y", 66 | "type": "configuration-versions" 67 | }, 68 | "links": { 69 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/configuration-version" 70 | } 71 | }, 72 | "confirmed-by": { 73 | "data": { 74 | "id": "user-DvF7XriFBxta9VqW", 75 | "type": "users" 76 | }, 77 | "links": { 78 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/confirmed-by" 79 | } 80 | }, 81 | "created-by": { 82 | "data": { 83 | "id": "user-DvF7XriFBxta9VqW", 84 | "type": "users" 85 | }, 86 | "links": { 87 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/created-by" 88 | } 89 | }, 90 | "plan": { 91 | "data": { 92 | "id": "plan-mvieMYhg9pPSaxoB", 93 | "type": "plans" 94 | }, 95 | "links": { 96 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/plan" 97 | } 98 | }, 99 | "run-events": { 100 | "data": [ 101 | { 102 | "id": "re-89TXE6oeuJoSirCd", 103 | "type": "run-events" 104 | }, 105 | { 106 | "id": "re-UysrpMj9SKAjSHPn", 107 | "type": "run-events" 108 | }, 109 | { 110 | "id": "re-rVmf6JjjYaDCv5tv", 111 | "type": "run-events" 112 | }, 113 | { 114 | "id": "re-R8zVp4J7BtnPkryc", 115 | "type": "run-events" 116 | }, 117 | { 118 | "id": "re-xArQSKG7QUuLSB1i", 119 | "type": "run-events" 120 | }, 121 | { 122 | "id": "re-XKdUCmqFnwRbv9RP", 123 | "type": "run-events" 124 | }, 125 | { 126 | "id": "re-1zPmE8eggEY3dZbb", 127 | "type": "run-events" 128 | } 129 | ], 130 | "links": { 131 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/run-events" 132 | } 133 | }, 134 | "policy-checks": { 135 | "data": [], 136 | "links": { 137 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff/policy-checks" 138 | } 139 | } 140 | }, 141 | "links": { 142 | "self": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff" 143 | } 144 | } 145 | } 146 | -------------------------------------------------------------------------------- /terraform/api-testing/tfe_data/workspace_details.json: -------------------------------------------------------------------------------- 1 | { 2 | "data": { 3 | "id": "ws-iabb32pCqyGmB4Xf", 4 | "type": "workspaces", 5 | "attributes": { 6 | "name": "tfe-gcp-test-network", 7 | "auto-apply": false, 8 | "created-at": "2021-01-29T10:25:13.711Z", 9 | "environment": "default", 10 | "locked": true, 11 | "queue-all-runs": false, 12 | "terraform-version": "0.14.5", 13 | "working-directory": null, 14 | "speculative-enabled": true, 15 | "allow-destroy-plan": true, 16 | "auto-destroy-at": null, 17 | "latest-change-at": "2021-01-31T17:31:07.862Z", 18 | "operations": true, 19 | "execution-mode": "remote", 20 | "vcs-repo": null, 21 | "vcs-repo-identifier": null, 22 | "permissions": { 23 | "can-update": false, 24 | "can-destroy": false, 25 | "can-queue-destroy": false, 26 | "can-queue-run": false, 27 | "can-queue-apply": false, 28 | "can-read-state-versions": true, 29 | "can-create-state-versions": true, 30 | "can-read-variable": false, 31 | "can-update-variable": false, 32 | "can-lock": false, 33 | "can-unlock": false, 34 | "can-force-unlock": false, 35 | "can-read-settings": false 36 | }, 37 | "actions": { 38 | "is-destroyable": true 39 | }, 40 | "description": null, 41 | "file-triggers-enabled": true, 42 | "trigger-prefixes": [], 43 | "source": "terraform", 44 | "source-name": null, 45 | "source-url": null 46 | }, 47 | "relationships": { 48 | "organization": { 49 | "data": { 50 | "id": "org2", 51 | "type": "organizations" 52 | } 53 | }, 54 | "locked-by": { 55 | "data": { 56 | "id": "run-U7VpRnrDSGhyk8Ff", 57 | "type": "runs" 58 | }, 59 | "links": { 60 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff" 61 | } 62 | }, 63 | "current-run": { 64 | "data": { 65 | "id": "run-U7VpRnrDSGhyk8Ff", 66 | "type": "runs" 67 | }, 68 | "links": { 69 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff" 70 | } 71 | }, 72 | "latest-run": { 73 | "data": { 74 | "id": "run-U7VpRnrDSGhyk8Ff", 75 | "type": "runs" 76 | }, 77 | "links": { 78 | "related": "/api/v2/runs/run-U7VpRnrDSGhyk8Ff" 79 | } 80 | }, 81 | "current-state-version": { 82 | "data": { 83 | "id": "sv-y3ivDifqgw74Kpgs", 84 | "type": "state-versions" 85 | }, 86 | "links": { 87 | "related": "/api/v2/workspaces/ws-iabb32pCqyGmB4Xf/current-state-version" 88 | } 89 | } 90 | }, 91 | "links": { 92 | "self": "/api/v2/organizations/org2/workspaces/tfe-gcp-test-network" 93 | } 94 | } 95 | } 96 | -------------------------------------------------------------------------------- /terraform/api-testing/variables.tf: -------------------------------------------------------------------------------- 1 | # variable "project" { 2 | # description = "project name" 3 | # } 4 | 5 | # variable "region" { 6 | # description = "org id" 7 | # default = "us-west1" 8 | # } 9 | 10 | variable "TFC_WORKSPACE_SLUG" { 11 | description = "default variable defined in TFC/E environment" 12 | } -------------------------------------------------------------------------------- /terraform/demo/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/aws" { 5 | version = "3.56.0" 6 | hashes = [ 7 | "h1:XuiEcFvwm+GkRpt4MqfwJpfdU2BssSjpyqMkqrI3Pjs=", 8 | "zh:001373be6fbc5738bf8c3aa8688b248ba5f99b04174310c0efcbbf23e6c4dc29", 9 | "zh:0d4af59266668089790f5a7bdeb25642ba750fb5dc7934fe28d1cc36310ba495", 10 | "zh:1413ff4d445678c096d46e8957e27320df94561354955d7bc5d8054b6df7b299", 11 | "zh:19d614259f7ce16b50ec07868404b58749702baaf86bcd14fbaea2756e1c9f25", 12 | "zh:2d148ff632da25852622b06b5be9f5a0b6d509621a002a47338f96509021945b", 13 | "zh:3959a1d989c99f3e7cdd5de07eb3e7df7a85e19677488278c77ab753dd7127e6", 14 | "zh:5d8d65b458a8934dc67d22904da368b5bc3a77fb9c900ac89c54e736a221b76f", 15 | "zh:94d5660e56118fcaa40fccaff960a9bf4166b7b0e7fedeb21b2402c8fc7b4cb1", 16 | "zh:a6002ecc23ebc468ccac6f36c0ed7cc95de3223ef6b100e6c81762d22cc14077", 17 | "zh:b0880c82bc2ad395ef3dbf5a592a23e65bf943df8995d5d4238740f96a02f529", 18 | "zh:ee65f3d2c13653e0828222a63fb832f98e9835b84443eeca00ce36ae39783c08", 19 | ] 20 | } 21 | 22 | provider "registry.terraform.io/hashicorp/vault" { 23 | version = "2.23.0" 24 | hashes = [ 25 | "h1:Y59jKh4TKuQIitajzs6TV8UJKfnCbb84B0M/e0L6Xms=", 26 | "zh:02517cc26a459983154aef6b838e8a04d26d043e90293bc1fda411fcee618836", 27 | "zh:0e71e789b73b31a0ac68015e93a2dc8584c0ec8f4554ec153e2f9cafb79e88e0", 28 | "zh:20152fc35a1d1162a6756d8cc6d4a98b2d6d4de83718aa169a3292a5f79363dd", 29 | "zh:26122c4b137e9a9747760aa66453af00563e777c806ff1156696db5defada4b0", 30 | "zh:2b2dc20eb2447e7c5032a1689ffd90d2e5107d842ded9973e85d4b8b22da2c47", 31 | "zh:5860bd0594df0ecbc3c3ebc9676b1547f193bb1b993c9dc661e198742175cbc1", 32 | "zh:660cf3a54a1a34a54fde3c7511905939981cb9352582c5c7f8a12755338bbc98", 33 | "zh:7348e43000ac78b216543e31e2531654d47c88d707962650ddd66ad488c657a2", 34 | "zh:89cfc9ee60872367c56d4043c2f6bc90c36ea775c81339b2647315f1496be89e", 35 | "zh:a0ef291a506a19221d61298862209361defffbef11321e1a4b716e9531f03f9e", 36 | "zh:dea35c90a840ac79dc1ae16d2e7c6478400743474e6aced602869078537c118a", 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /terraform/demo/01.setup_vault.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | source helper.sh 3 | 4 | vault policy write terraform-policy - << EOF 5 | path "auth/token/create" { 6 | capabilities = ["update"] 7 | } 8 | 9 | path "secret/data/*" { 10 | capabilities = ["read","create", "delete", "update"] 11 | } 12 | path "secret/*" { 13 | capabilities = ["read", "create", "delete", "update"] 14 | } 15 | 16 | path "aws/sts/deploy" { 17 | capabilities = ["read"] 18 | } 19 | 20 | EOF 21 | 22 | vault auth enable -path=tfe-auth vault-plugin-auth-tfe 23 | vault write auth/tfe-auth/config organization=hc-emea-sentinel-demo use_run_status=true 24 | # vault write auth/tfe-auth/config organization=org2 \ 25 | # terraform_host=https://tfe.ric.gcp.hashidemos.io 26 | 27 | vault read auth/tfe-auth/config 28 | vault write auth/tfe-auth/role/workspace_role workspaces=* \ 29 | policies=default,terraform-policy 30 | 31 | vault read auth/tfe-auth/role/workspace_role 32 | -------------------------------------------------------------------------------- /terraform/demo/02.setup_vault_aws.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | # 3 | source helper.sh 4 | 5 | vault secrets enable \ 6 | -default-lease-ttl=120s \ 7 | -max-lease-ttl=240s \ 8 | aws || true 9 | 10 | vault write aws/config/root \ 11 | region=us-east-1 12 | 13 | vault write aws/roles/deploy \ 14 | role_arns=arn:aws:iam::711129375688:role/ricardo_se_demo \ 15 | credential_type=assumed_role \ 16 | default_sts_ttl=1800 \ 17 | max_sts_ttl=3600 18 | 19 | # vault read aws/creds/deploy 20 | -------------------------------------------------------------------------------- /terraform/demo/aws.tf: -------------------------------------------------------------------------------- 1 | // Now fetching the AWS ephemeral credentials for some AWS work 2 | variable "region" { default = "eu-west-2" } 3 | variable "name" { default = "dynamic-aws-creds-operator" } 4 | variable "ttl" { default = "1" } 5 | 6 | data "vault_aws_access_credentials" "creds" { 7 | backend = "aws" 8 | role = "deploy" 9 | type = "sts" 10 | } 11 | 12 | provider "aws" { 13 | region = var.region 14 | access_key = data.vault_aws_access_credentials.creds.access_key 15 | secret_key = data.vault_aws_access_credentials.creds.secret_key 16 | token = data.vault_aws_access_credentials.creds.security_token 17 | } 18 | 19 | data "aws_ami" "ubuntu" { 20 | most_recent = true 21 | 22 | filter { 23 | name = "name" 24 | values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"] 25 | } 26 | 27 | filter { 28 | name = "virtualization-type" 29 | values = ["hvm"] 30 | } 31 | 32 | owners = ["099720109477"] # Canonical 33 | } 34 | 35 | # Create AWS EC2 Instance 36 | resource "aws_instance" "main" { 37 | ami = data.aws_ami.ubuntu.id 38 | instance_type = "t2.nano" 39 | 40 | tags = { 41 | Name = var.name 42 | TTL = var.ttl 43 | owner = "${var.name}-guide" 44 | } 45 | } -------------------------------------------------------------------------------- /terraform/demo/backend.tf: -------------------------------------------------------------------------------- 1 | # terraform { 2 | # backend "remote" { 3 | # hostname = "tfe.ric.gcp.hashidemos.io" 4 | # organization = "org2" 5 | # workspaces { 6 | # name = "vault-login-demo" 7 | # } 8 | # } 9 | # } 10 | 11 | terraform { 12 | backend "remote" { 13 | organization = "hc-emea-sentinel-demo" 14 | workspaces { 15 | name = "vault-login-demo" 16 | } 17 | } 18 | 19 | required_providers { 20 | vault = { 21 | source = "hashicorp/vault" 22 | } 23 | 24 | } 25 | } -------------------------------------------------------------------------------- /terraform/demo/helper.sh: -------------------------------------------------------------------------------- 1 | export VAULT_ADDR='http://88.97.2.109:8200' 2 | -------------------------------------------------------------------------------- /terraform/demo/login_env.tf.example: -------------------------------------------------------------------------------- 1 | // Vault auth during Planning time - can only have static query elements 2 | data "external" "vault_login_plan" { 3 | program = ["bash", "${path.module}/vault_login.sh"] 4 | query = { 5 | role = "workspace_role" 6 | VAULT_ADDR = var.VAULT_ADDR 7 | VAULT_LOGIN_PATH = "v1/auth/tfe-auth/login" 8 | } 9 | } 10 | 11 | // Vault auth during Apply time - must have a dynamic element 12 | data "external" "vault_login_apply" { 13 | program = ["bash", "${path.module}/vault_login.sh"] 14 | query = { 15 | role = "workspace_role" 16 | VAULT_ADDR = var.VAULT_ADDR 17 | VAULT_LOGIN_PATH = "v1/auth/tfe-auth/login" 18 | always_run = timestamp() 19 | } 20 | } 21 | 22 | provider "vault" { 23 | address = var.VAULT_ADDR 24 | token = data.external.vault_login_apply == null ? data.external.vault_login_plan.result.VAULT_TOKEN : data.external.vault_login_apply.result.VAULT_TOKEN 25 | token_name = "terraform-${var.TFE_RUN_ID}" 26 | } 27 | 28 | // just a test. 29 | resource "vault_generic_secret" "example" { 30 | path = "secret/hello" 31 | 32 | data_json = < ~/.vault-token 16 | # ./jq --compact-output -n $VAULT_TOKEN 17 | echo "{\"VAULT_TOKEN\": \"${VAULT_TOKEN-unauthorized}\"}" 18 | --------------------------------------------------------------------------------