feat(access-token): add ephemeral access-token resource #1068
stackit/internal/services/access_token/ephemeral_access_token.go
7ffc785 to 23bb334
| } | ||
|
|
||
| // Type assert to access token functionality | ||
| client, ok := rt.(*clients.KeyFlow) |
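Review bot: the `ok` result of this assertion has to be checked before `client` is used; if `auth.KeyAuth` ever returns a wrapped or different `http.RoundTripper`, an unchecked assertion leaves `client` nil and the next method call panics inside the provider instead of surfacing a diagnostic. Return an error that names the received type and cover the non-`*clients.KeyFlow` path in a unit test, as the extracted `getAccessToken` in this thread does with `if !ok { return "", fmt.Errorf(...) }`, so the failure stays closed across SDK core updates.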
Implementing all the service account key and environment variable logic might not have been the best idea in hindsight. What do you think about leveraging the existing auth.KeyAuth method and type asserting to *client.KeyFlow instead?
Right now, the Go SDK only returns an http.RoundTripper, but since the underlying type is KeyFlow, we could safely assert it and access the full client. This would significantly simplify and clean up the entire resource implementation.
After taking a deeper look at auth.KeyAuth from the SDK: lgtm
But: Could we please have a unit test which mocks the API call(s) and tests the whole process? To make sure the type assertion doesn't break on future updates of the SDK core module?
It might help to extract the logic for the access token into a separate func beforehand which might look like this:

```go
import (
	"context"
	"fmt"

	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
	"github.com/hashicorp/terraform-plugin-framework/types"
	"github.com/stackitcloud/stackit-sdk-go/core/auth"
	"github.com/stackitcloud/stackit-sdk-go/core/clients"
	"github.com/stackitcloud/stackit-sdk-go/core/config"
	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/core"
)

// Open reads the ephemeral resource config, mints a token and writes it back
// into the result. All SDK interaction is delegated to getAccessToken so the
// latter can be unit tested in isolation.
func (e *accessTokenEphemeralResource) Open(ctx context.Context, req ephemeral.OpenRequest, resp *ephemeral.OpenResponse) {
	var model ephemeralTokenModel
	resp.Diagnostics.Append(req.Config.Get(ctx, &model)...)
	if resp.Diagnostics.HasError() {
		return
	}
	accessToken, err := getAccessToken(ctx, &e.keyAuthConfig)
	if err != nil {
		core.LogAndAddError(ctx, &resp.Diagnostics, "Access token generation failed", err.Error())
		return
	}
	model.AccessToken = types.StringValue(accessToken)
	resp.Diagnostics.Append(resp.Result.Set(ctx, model)...)
}

// getAccessToken builds the key-flow RoundTripper via the SDK and asserts it
// down to *clients.KeyFlow to reach GetAccessToken. A failed assertion is
// reported as an error rather than dereferencing a nil client.
func getAccessToken(ctx context.Context, keyAuthConfig *config.Configuration) (string, error) {
	rt, err := auth.KeyAuth(keyAuthConfig)
	if err != nil {
		return "", fmt.Errorf("failed to initialize authentication: %v", err)
	}
	// Type assert to access token functionality
	client, ok := rt.(*clients.KeyFlow)
	if !ok {
		return "", fmt.Errorf("internal error: expected *clients.KeyFlow, but received a different implementation of http.RoundTripper")
	}
	// Retrieve the access token
	accessToken, err := client.GetAccessToken()
	if err != nil {
		return "", fmt.Errorf("error obtaining access token: %v", err)
	}
	return accessToken, nil
}
```
Good idea. Just pushed something which goes into that direction.
examples/ephemeral-resources/stackit_access_token/ephemeral-resource.tf
| setStringField(providerConfig.ServiceAccountKeyPath, func(v string) { ephemeralProviderData.ServiceAccountKeyPath = v }) | ||
| setStringField(providerConfig.PrivateKey, func(v string) { ephemeralProviderData.PrivateKey = v }) | ||
| setStringField(providerConfig.PrivateKeyPath, func(v string) { ephemeralProviderData.PrivateKeyPath = v }) | ||
| setStringField(providerConfig.TokenCustomEndpoint, func(v string) { ephemeralProviderData.TokenCustomEndpoint = v }) |
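Review bot: the embedded `ProviderData` of `ephemeralProviderData` is never assigned in this region; `setStringField` only copies the individual string fields, so either drop the embedding from `EphemeralProviderData` or add `ephemeralProviderData.ProviderData = providerData` alongside these calls so the embedded values are actually populated.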
either you remove the ProviderData type embedding from the EphemeralProviderData because you don't seem to need it or you set the values here. Currently this is pretty useless.
@h3adex this is still not resolved. The following line is missing here:

```go
ephemeralProviderData.ProviderData = providerData
```

Thank you! Fixed.
14df9c7 to 73eaf2d
rubenhoenle
left a comment
One general question I still have: What happens when the user authenticates via token flow?

```hcl
provider "stackit" {
  default_region        = "eu01"
  service_account_token = var.service_account_token
}
```
73eaf2d to 6134249
Will look into that tomorrow.
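The unit-test request for the type assertion and the token-flow question above are two sides of the same design decision, so here is one added example that covers both. It is not code from this PR or from the STACKIT provider or SDK: it assumes a hypothetical narrow `accessTokenProvider` interface in place of the concrete `*clients.KeyFlow` assertion, takes the `auth.KeyAuth`-shaped constructor as an injectable `authFunc`, and uses fake RoundTrippers constructed for the test. The key-flow fake mints a token; the token-flow fake can authenticate requests but cannot issue a new token, which makes `getAccessToken` fail closed with a diagnostic instead of a nil-pointer panic.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// accessTokenProvider is the only behaviour the ephemeral resource needs from
// the RoundTripper returned by the SDK. Asserting on this narrow interface
// (an assumption of this example, not an SDK type) instead of the concrete
// *clients.KeyFlow keeps the resource working across SDK refactors as long as
// GetAccessToken survives, and lets tests substitute a fake.
type accessTokenProvider interface {
	GetAccessToken() (string, error)
}

// authFunc mirrors the shape of auth.KeyAuth: configuration in, RoundTripper
// out. Injecting it keeps the test offline.
type authFunc func() (http.RoundTripper, error)

// getAccessToken resolves the RoundTripper, asserts the token capability and
// fails closed with a descriptive error for any flow that cannot mint tokens.
func getAccessToken(newAuth authFunc) (string, error) {
	rt, err := newAuth()
	if err != nil {
		return "", fmt.Errorf("failed to initialize authentication: %w", err)
	}
	provider, ok := rt.(accessTokenProvider)
	if !ok {
		return "", fmt.Errorf("internal error: authentication flow %T cannot mint access tokens; the ephemeral access token requires service account key authentication", rt)
	}
	token, err := provider.GetAccessToken()
	if err != nil {
		return "", fmt.Errorf("error obtaining access token: %w", err)
	}
	if token == "" {
		return "", errors.New("authentication flow returned an empty access token")
	}
	return token, nil
}

// fakeKeyFlow stands in for *clients.KeyFlow: a RoundTripper that can also
// mint tokens. Constructed for this example.
type fakeKeyFlow struct {
	token string
	err   error
}

func (f *fakeKeyFlow) RoundTrip(r *http.Request) (*http.Response, error) {
	return nil, errors.New("no network in this example")
}

func (f *fakeKeyFlow) GetAccessToken() (string, error) { return f.token, f.err }

// fakeTokenFlow stands in for the RoundTripper a provider configured with
// service_account_token would hand out: it can sign requests with the static
// token but has no way to issue a fresh one, so the assertion must fail.
type fakeTokenFlow struct{}

func (fakeTokenFlow) RoundTrip(r *http.Request) (*http.Response, error) {
	return nil, errors.New("no network in this example")
}

func withKeyFlow(token string) authFunc {
	return func() (http.RoundTripper, error) { return &fakeKeyFlow{token: token}, nil }
}

func withTokenFlow() authFunc {
	return func() (http.RoundTripper, error) { return fakeTokenFlow{}, nil }
}

func withAuthError() authFunc {
	return func() (http.RoundTripper, error) { return nil, errors.New("key file unreadable") }
}

func main() {
	cases := map[string]authFunc{
		"key flow":   withKeyFlow("eyJ.constructed.token"),
		"token flow": withTokenFlow(),
		"auth error": withAuthError(),
	}
	for name, f := range cases {
		tok, err := getAccessToken(f)
		fmt.Printf("%-10s token=%q err=%v\n", name, tok, err)
	}
}
```

Swapping the concrete assertion for the interface is the part that makes the test meaningful: the test exercises the exact branch that would break if the SDK changed the returned type, and the token-flow case documents that the resource refuses rather than silently returning the static service account token.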
da532bf to f8cbfbc
b50a665 to aebda00
stackit/internal/services/access_token/ephemeral_resource_test.go
Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
3163216 to fcb84a8
d354333 to 4171d2c
4171d2c to c30f6a0
6b4f10c to 8522cb4



Description
Internal Issue: STACKITTPR-353
Checklist
- make fmt
- (examples/ directory)
- make generate-docs (will be checked by CI)
- make test (will be checked by CI)
- make lint (will be checked by CI)