fix(provider): [121324945] Update provider auth (#3039)

* add

* add

* add

* add

* add

* add

* add

Author: SevenEarth

.changelog/3039.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: update provider auth
+```

tencentcloud/provider.go

@@ -3,7 +3,6 @@ package tencentcloud
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"runtime"
@@ -272,13 +271,13 @@ func Provider() *schema.Provider {
 							Type:        schema.TypeString,
 							Required:    true,
 							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SAML_ASSERTION, nil),
-							Description: "SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`.",
+							Description: "SAML assertion information encoded in base64. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`.",
 						},
 						"principal_arn": {
 							Type:        schema.TypeString,
 							Required:    true,
 							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, nil),
-							Description: "Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`.",
+							Description: "Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.",
 						},
 						"role_arn": {
 							Type:        schema.TypeString,
@@ -324,7 +323,7 @@ func Provider() *schema.Provider {
 							Type:        schema.TypeString,
 							Required:    true,
 							DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN, nil),
-							Description: "OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.",
+							Description: "OIDC token issued by IdP. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.",
 						},
 						"role_arn": {
 							Type:        schema.TypeString,
@@ -2245,6 +2244,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		forbiddenAccountIds []string
 		needSecret          = true
 		needAccountFilter   = false
+		err                 error
 	)
 
 	if v, ok := d.GetOk("secret_id"); ok {
@@ -2325,7 +2325,10 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	// get auth from CAM role name
 	if camRoleName != "" {
 		needSecret = false
-		_ = genClientWithCAM(&tcClient, camRoleName)
+		err = genClientWithCAM(&tcClient, camRoleName)
+		if err != nil {
+			return nil, fmt.Errorf("Get auth from CAM role name failed. Reason: %s", err.Error())
+		}
 	}
 
 	var (
@@ -2337,17 +2340,20 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	)
 
 	// get assume role from credential
-	if providerConfig["role-arn"] != nil {
-		assumeRoleArn = providerConfig["role-arn"].(string)
+	if v, ok := providerConfig["role-arn"].(string); ok && v != "" {
+		assumeRoleArn = v
 	}
 
-	if providerConfig["role-session-name"] != nil {
-		assumeRoleSessionName = providerConfig["role-session-name"].(string)
+	if v, ok := providerConfig["role-session-name"].(string); ok && v != "" {
+		assumeRoleSessionName = v
 	}
 
 	if assumeRoleArn != "" && assumeRoleSessionName != "" {
 		assumeRoleSessionDuration = 7200
-		_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
+		err = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
+		if err != nil {
+			return nil, fmt.Errorf("Get auth from assume role by credential failed. Reason: %s", err.Error())
+		}
 	}
 
 	// get assume role from env
@@ -2376,19 +2382,30 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 		if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" {
 			// use assume role
-			_ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "", assumeRoleExternalId)
+			err = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "", assumeRoleExternalId)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role by env failed. Reason: %s", err.Error())
+			}
 		} else if envSamlAssertion != "" && envPrincipalArn != "" && envWebIdentityToken != "" {
-			return nil, fmt.Errorf("can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n")
+			return nil, fmt.Errorf("Can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n")
 		} else if envSamlAssertion != "" && envPrincipalArn != "" {
 			// use assume role with saml
-			_ = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn)
+			err = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role with SAML by env failed. Reason: %s", err.Error())
+			}
+
 			needSecret = false
 		} else if envWebIdentityToken != "" {
 			// use assume role with oidc
-			_ = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+			err = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role with OIDC by env failed. Reason: %s", err.Error())
+			}
+
 			needSecret = false
 		} else {
-			return nil, fmt.Errorf("get `assume_role` from env error.\n")
+			return nil, fmt.Errorf("Get `assume_role` from env error.\n")
 		}
 	}
 
@@ -2403,7 +2420,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 			assumeRolePolicy = assumeRole["policy"].(string)
 			assumeRoleExternalId = assumeRole["external_id"].(string)
 
-			_ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
+			err = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy, assumeRoleExternalId)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role failed. Reason: %s", err.Error())
+			}
+
 			if camRoleName != "" {
 				needSecret = false
 			} else {
@@ -2429,7 +2450,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 			assumeRoleSessionName = assumeRoleWithSaml["session_name"].(string)
 			assumeRoleSessionDuration = assumeRoleWithSaml["session_duration"].(int)
 
-			_ = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn)
+			err = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role with SAML failed. Reason: %s", err.Error())
+			}
+
 			needSecret = false
 		}
 	}
@@ -2444,7 +2469,11 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 			assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string)
 			assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int)
 
-			_ = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+			err = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken)
+			if err != nil {
+				return nil, fmt.Errorf("Get auth from assume role with OIDC failed. Reason: %s", err.Error())
+			}
+
 			needSecret = false
 		}
 	}
@@ -2453,8 +2482,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		if os.Getenv(POD_OIDC_TKE_REGION) != "" && os.Getenv(POD_OIDC_TKE_WEB_IDENTITY_TOKEN_FILE) != "" && os.Getenv(POD_OIDC_TKE_PROVIDER_ID) != "" && os.Getenv(POD_OIDC_TKE_ROLE_ARN) != "" {
 			err := genClientWithPodOidc(&tcClient)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("Get auth from enable pod OIDC failed. Reason: %s", err.Error())
 			}
+
 			needSecret = false
 		} else {
 			return nil, fmt.Errorf("Can not get `TKE_REGION`, `TKE_WEB_IDENTITY_TOKEN_FILE`, `TKE_PROVIDER_ID`, `TKE_ROLE_ARN`. Must config serviceAccountName for pod.\n")
@@ -2623,7 +2653,7 @@ func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{
 		providerConfig = make(map[string]interface{})
 		_, err = os.Stat(credentialPath)
 		if !os.IsNotExist(err) {
-			data, err := ioutil.ReadFile(credentialPath)
+			data, err := os.ReadFile(credentialPath)
 			if err != nil {
 				return nil, err
 			}
@@ -2643,7 +2673,7 @@ func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{
 
 		_, err = os.Stat(configurePath)
 		if !os.IsNotExist(err) {
-			data, err := ioutil.ReadFile(configurePath)
+			data, err := os.ReadFile(configurePath)
 			if err != nil {
 				return nil, err
 			}
@@ -2707,7 +2737,7 @@ func getCallerIdentity(tcClient *TencentCloudClient) (indentity *sdksts.GetCalle
 	}
 
 	if response == nil || response.Response == nil {
-		return nil, fmt.Errorf("get GetCallerIdentity failed")
+		return nil, fmt.Errorf("Get GetCallerIdentity failed, Response is nil.")
 	}
 
 	indentity = response.Response

website/docs/index.html.markdown

@@ -395,11 +395,11 @@ The nested `assume_role_with_saml` block supports the following:
 * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.
 * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
 * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.
-* `saml_assertion` - (Required) SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`.
-* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`.
+* `saml_assertion` - (Required) SAML assertion information encoded in base64. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`.
+* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`.
 
 The nested `assume_role_with_web_identity` block supports the following:
 * `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable.
 * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable.
 * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable.
-* `web_identity_token` - (Required) OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.
+* `web_identity_token` - (Required) OIDC token issued by IdP. It can be sourced from the  `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.