feat: [PL-58641]: add oidc support for aws kms (#1154)

* feat: [PL-58641]: add oidc support for aws kms * feat: [PL-58641]: add oidc support for aws kms * feat: [PL-58641]: add oidc support for aws kms * feat: [PL-58641]: add oidc support for aws kms * feat: [PL-58641]: add oidc for aws kms * go.sum update
harness · Feb 5, 2025 · d166dfb · d166dfb
1 parent 9a121d3
commit d166dfb
Show file tree

Hide file tree

Showing 7 changed files with 2,103 additions and 30 deletions.
diff --git a/docs/data-sources/platform_connector_awskms.md b/docs/data-sources/platform_connector_awskms.md
@@ -40,8 +40,10 @@ data "harness_platform_connector_awskms" "example" {
 
 - `arn_ref` (String) A reference to the Harness secret containing the ARN of the AWS KMS. To reference a secret at the organization scope, prefix 'org' to the expression: org.{identifier}. To reference a secret at the account scope, prefix 'account` to the expression: account.{identifier}.
 - `credentials` (List of Object) Credentials to connect to AWS. (see [below for nested schema](#nestedatt--credentials))
+- `default` (Boolean) Whether this is the default connector.
 - `delegate_selectors` (Set of String) Tags to filter delegates for connection.
 - `description` (String) Description of the resource.
+- `execute_on_delegate` (Boolean) The delegate to execute the action on.
 - `id` (String) The ID of this resource.
 - `region` (String) The AWS region where the AWS Secret Manager is.
 - `tags` (Set of String) Tags to associate with the resource.
@@ -54,6 +56,7 @@ Read-Only:
 - `assume_role` (List of Object) (see [below for nested schema](#nestedobjatt--credentials--assume_role))
 - `inherit_from_delegate` (Boolean)
 - `manual` (List of Object) (see [below for nested schema](#nestedobjatt--credentials--manual))
+- `oidc_authentication` (List of Object) (see [below for nested schema](#nestedobjatt--credentials--oidc_authentication))
 
 <a id="nestedobjatt--credentials--assume_role"></a>
 ### Nested Schema for `credentials.assume_role`
@@ -74,3 +77,9 @@ Read-Only:
 - `secret_key_ref` (String)
 
 
+<a id="nestedobjatt--credentials--oidc_authentication"></a>
+### Nested Schema for `credentials.oidc_authentication`
+
+Read-Only:
+
+- `iam_role_arn` (String)
diff --git a/docs/resources/platform_connector_awskms.md b/docs/resources/platform_connector_awskms.md
@@ -56,6 +56,26 @@ resource "harness_platform_connector_awskms" "test" {
   }
 }
 
+# Credentials manual as Default Secret Manager
+resource "harness_platform_connector_awskms" "test" {
+  identifier  = "identifer"
+  name        = "name"
+  description = "test"
+  tags        = ["foo:bar"]
+
+
+  arn_ref            = "account.secret_id"
+  region             = "us-east-1"
+  delegate_selectors = ["harness-delegate"]
+  default            = true
+  credentials {
+    manual {
+      secret_key_ref = "account.secret_id"
+      access_key_ref = "account.secret_id"
+    }
+  }
+}
+
 # Credentials inherit_from_delegate
 resource "harness_platform_connector_awskms" "test" {
   identifier  = "identifer"
@@ -70,6 +90,38 @@ resource "harness_platform_connector_awskms" "test" {
     inherit_from_delegate = true
   }
 }
+
+# Credentials OIDC using Harness Platform
+resource "harness_platform_connector_awskms" "test" {
+  identifier          = "%[1]s"
+  name                = "%[1]s"
+  description         = "test"
+  tags                = ["foo:bar"]
+  arn_ref             = "account.secret_id"
+  region              = "us-east-1"
+  execute_on_delegate = false
+  credentials {
+    oidc_authentication {
+      iam_role_arn = "somerolearn"
+    }
+  }
+}
+
+# Credentials OIDC using Delegate
+resource "harness_platform_connector_awskms" "test" {
+  identifier         = "%[1]s"
+  name               = "%[1]s"
+  description        = "test"
+  tags               = ["foo:bar"]
+  arn_ref            = "account.secret_id"
+  region             = "us-east-1"
+  delegate_selectors = ["harness-delegate"]
+  credentials {
+    oidc_authentication {
+      iam_role_arn = "somerolearn"
+    }
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -85,8 +137,10 @@ resource "harness_platform_connector_awskms" "test" {
 
 ### Optional
 
+- `default` (Boolean) Set this connector as the default for all the services.
 - `delegate_selectors` (Set of String) Tags to filter delegates for connection.
 - `description` (String) Description of the resource.
+- `execute_on_delegate` (Boolean) Execute the command on the delegate.
 - `org_id` (String) Unique identifier of the organization.
 - `project_id` (String) Unique identifier of the project.
 - `tags` (Set of String) Tags to associate with the resource.
@@ -103,6 +157,7 @@ Optional:
 - `assume_role` (Block List, Max: 1) Connect using STS assume role. (see [below for nested schema](#nestedblock--credentials--assume_role))
 - `inherit_from_delegate` (Boolean) Inherit the credentials from from the delegate.
 - `manual` (Block List, Max: 1) Specify the AWS key and secret used for authenticating. (see [below for nested schema](#nestedblock--credentials--manual))
+- `oidc_authentication` (Block List, Max: 1) Connect using OIDC authentication. (see [below for nested schema](#nestedblock--credentials--oidc_authentication))
 
 <a id="nestedblock--credentials--assume_role"></a>
 ### Nested Schema for `credentials.assume_role`
@@ -125,6 +180,14 @@ Required:
 - `access_key_ref` (String) The reference to the Harness secret containing the AWS access key. To reference a secret at the organization scope, prefix 'org' to the expression: org.{identifier}. To reference a secret at the account scope, prefix 'account` to the expression: account.{identifier}.
 - `secret_key_ref` (String) The reference to the Harness secret containing the AWS secret key. To reference a secret at the organization scope, prefix 'org' to the expression: org.{identifier}. To reference a secret at the account scope, prefix 'account` to the expression: account.{identifier}.
 
+
+<a id="nestedblock--credentials--oidc_authentication"></a>
+### Nested Schema for `credentials.oidc_authentication`
+
+Required:
+
+- `iam_role_arn` (String) The ARN of the IAM role to assume.
+
 ## Import
 
 Import is supported using the following syntax:

diff --git a/examples/resources/harness_platform_connector_awskms/resource.tf b/examples/resources/harness_platform_connector_awskms/resource.tf
@@ -36,6 +36,26 @@ resource "harness_platform_connector_awskms" "test" {
   }
 }
 
+# Credentials manual as Default Secret Manager
+resource "harness_platform_connector_awskms" "test" {
+  identifier  = "identifer"
+  name        = "name"
+  description = "test"
+  tags        = ["foo:bar"]
+
+
+  arn_ref            = "account.secret_id"
+  region             = "us-east-1"
+  delegate_selectors = ["harness-delegate"]
+  default            = true
+  credentials {
+    manual {
+      secret_key_ref = "account.secret_id"
+      access_key_ref = "account.secret_id"
+    }
+  }
+}
+
 # Credentials inherit_from_delegate
 resource "harness_platform_connector_awskms" "test" {
   identifier  = "identifer"
@@ -50,3 +70,35 @@ resource "harness_platform_connector_awskms" "test" {
     inherit_from_delegate = true
   }
 }
+
+# Credentials OIDC using Harness Platform
+resource "harness_platform_connector_awskms" "test" {
+  identifier          = "%[1]s"
+  name                = "%[1]s"
+  description         = "test"
+  tags                = ["foo:bar"]
+  arn_ref             = "account.secret_id"
+  region              = "us-east-1"
+  execute_on_delegate = false
+  credentials {
+    oidc_authentication {
+      iam_role_arn = "somerolearn"
+    }
+  }
+}
+
+# Credentials OIDC using Delegate
+resource "harness_platform_connector_awskms" "test" {
+  identifier         = "%[1]s"
+  name               = "%[1]s"
+  description        = "test"
+  tags               = ["foo:bar"]
+  arn_ref            = "account.secret_id"
+  region             = "us-east-1"
+  delegate_selectors = ["harness-delegate"]
+  credentials {
+    oidc_authentication {
+      iam_role_arn = "somerolearn"
+    }
+  }
+}
diff --git a/internal/service/platform/connector/secretManagers/aws_kms.go b/internal/service/platform/connector/secretManagers/aws_kms.go
@@ -37,6 +37,18 @@ func ResourceConnectorAwsKms() *schema.Resource {
 				Optional:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
+			"default": {
+				Description: "Set this connector as the default for all the services.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+			},
+			"execute_on_delegate": {
+				Description: "Execute the command on the delegate.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+			},
 			"credentials": {
 				Description: "Credentials to connect to AWS.",
 				Type:        schema.TypeList,
@@ -50,7 +62,8 @@ func ResourceConnectorAwsKms() *schema.Resource {
 							MaxItems:      1,
 							Optional:      true,
 							ConflictsWith: []string{"credentials.0.assume_role", "credentials.0.inherit_from_delegate"},
-							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate"},
+							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate", "credentials.0.oidc_authentication"},
+							RequiredWith:  []string{"delegate_selectors"},
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"access_key_ref": {
@@ -71,7 +84,7 @@ func ResourceConnectorAwsKms() *schema.Resource {
 							Type:          schema.TypeBool,
 							Optional:      true,
 							ConflictsWith: []string{"credentials.0.manual", "credentials.0.assume_role"},
-							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate"},
+							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate", "credentials.0.oidc_authentication"},
 							RequiredWith:  []string{"delegate_selectors"},
 						},
 						"assume_role": {
@@ -80,7 +93,7 @@ func ResourceConnectorAwsKms() *schema.Resource {
 							Optional:      true,
 							MaxItems:      1,
 							ConflictsWith: []string{"credentials.0.manual", "credentials.0.inherit_from_delegate"},
-							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate"},
+							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate", "credentials.0.oidc_authentication"},
 							RequiredWith:  []string{"delegate_selectors"},
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
@@ -109,6 +122,23 @@ func ResourceConnectorAwsKms() *schema.Resource {
 								},
 							},
 						},
+						"oidc_authentication": {
+							Description:   "Connect using OIDC authentication.",
+							Type:          schema.TypeList,
+							Optional:      true,
+							MaxItems:      1,
+							ConflictsWith: []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate"},
+							AtLeastOneOf:  []string{"credentials.0.manual", "credentials.0.assume_role", "credentials.0.inherit_from_delegate", "credentials.0.oidc_authentication"},
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"iam_role_arn": {
+										Description: "The ARN of the IAM role to assume.",
+										Type:        schema.TypeString,
+										Required:    true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -170,6 +200,14 @@ func buildConnectorAwsKms(d *schema.ResourceData) *nextgen.ConnectorInfo {
 		connector.AwsKms.DelegateSelectors = utils.InterfaceSliceToStringSlice(attr.(*schema.Set).List())
 	}
 
+	if attr, ok := d.GetOk("default"); ok {
+		connector.AwsKms.Default_ = attr.(bool)
+	}
+
+	if attr, ok := d.GetOk("execute_on_delegate"); ok {
+		connector.AwsKms.ExecuteOnDelegate = attr.(bool)
+	}
+
 	if attr, ok := d.GetOk("credentials"); ok {
 		config := attr.([]interface{})[0].(map[string]interface{})
 		connector.AwsKms.Credential = &nextgen.AwsKmsConnectorCredential{}
@@ -184,7 +222,9 @@ func buildConnectorAwsKms(d *schema.ResourceData) *nextgen.ConnectorInfo {
 		if attr := config["manual"].([]interface{}); len(attr) > 0 {
 			config := attr[0].(map[string]interface{})
 			connector.AwsKms.Credential.Type_ = nextgen.AwsKmsAuthTypes.ManualConfig
-			connector.AwsKms.Credential.ManualConfig = &nextgen.AwsKmsCredentialSpecManualConfig{}
+			connector.AwsKms.Credential.ManualConfig = &nextgen.AwsKmsCredentialSpecManualConfig{
+				DelegateSelectors: connector.AwsKms.DelegateSelectors,
+			}
 
 			if attr, ok := config["access_key_ref"]; ok {
 				connector.AwsKms.Credential.ManualConfig.AccessKey = attr.(string)
@@ -214,6 +254,18 @@ func buildConnectorAwsKms(d *schema.ResourceData) *nextgen.ConnectorInfo {
 				connector.AwsKms.Credential.AssumeStsRole.AssumeStsRoleDuration = int32(attr.(int))
 			}
 		}
+
+		if attr := config["oidc_authentication"].([]interface{}); len(attr) > 0 {
+			config := attr[0].(map[string]interface{})
+			connector.AwsKms.Credential.Type_ = nextgen.AwsKmsAuthTypes.OidcAuthentication
+			connector.AwsKms.Credential.OidcConfig = &nextgen.AwsSmCredentialSpecOidcConfig{
+				DelegateSelectors: connector.AwsKms.DelegateSelectors,
+			}
+
+			if attr, ok := config["iam_role_arn"]; ok {
+				connector.AwsKms.Credential.OidcConfig.IamRoleArn = attr.(string)
+			}
+		}
 	}
 
 	return connector
@@ -223,6 +275,8 @@ func readConnectorAwsKms(d *schema.ResourceData, connector *nextgen.ConnectorInf
 	d.Set("arn_ref", connector.AwsKms.KmsArn)
 	d.Set("region", connector.AwsKms.Region)
 	d.Set("delegate_selectors", connector.AwsKms.DelegateSelectors)
+	d.Set("default", connector.AwsKms.Default_)
+	d.Set("execute_on_delegate", connector.AwsKms.ExecuteOnDelegate)
 
 	switch connector.AwsKms.Credential.Type_ {
 	case nextgen.AwsKmsAuthTypes.AssumeIAMRole:
@@ -254,6 +308,16 @@ func readConnectorAwsKms(d *schema.ResourceData, connector *nextgen.ConnectorInf
 				},
 			},
 		})
+	case nextgen.AwsKmsAuthTypes.OidcAuthentication:
+		d.Set("credentials", []interface{}{
+			map[string]interface{}{
+				"oidc_authentication": []interface{}{
+					map[string]interface{}{
+						"iam_role_arn": connector.AwsKms.Credential.OidcConfig.IamRoleArn,
+					},
+				},
+			},
+		})
 	default:
 		return fmt.Errorf("unsupported aws kms auth type: %s", connector.AwsKms.Credential.Type_)
 	}

diff --git a/internal/service/platform/connector/secretManagers/aws_kms_data_source.go b/internal/service/platform/connector/secretManagers/aws_kms_data_source.go
@@ -27,6 +27,16 @@ func DatasourceConnectorAwsKms() *schema.Resource {
 				Computed:    true,
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
+			"execute_on_delegate": {
+				Description: "The delegate to execute the action on.",
+				Type:        schema.TypeBool,
+				Computed:    true,
+			},
+			"default": {
+				Description: "Whether this is the default connector.",
+				Type:        schema.TypeBool,
+				Computed:    true,
+			},
 			"credentials": {
 				Description: "Credentials to connect to AWS.",
 				Type:        schema.TypeList,
@@ -81,6 +91,20 @@ func DatasourceConnectorAwsKms() *schema.Resource {
 								},
 							},
 						},
+						"oidc_authentication": {
+							Description: "Authentication using OIDC.",
+							Type:        schema.TypeList,
+							Computed:    true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"iam_role_arn": {
+										Description: "The IAM role ARN to assume.",
+										Type:        schema.TypeString,
+										Computed:    true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},