Merge pull request #668 from 0x416e746f6e/feat/enable-access-token-auth

feat: implement `access_token` auth method

Author: amstuta

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/hashicorp/terraform-plugin-mux v0.15.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0
 	github.com/hashicorp/terraform-plugin-testing v1.7.0
-	github.com/ovh/go-ovh v1.5.1
+	github.com/ovh/go-ovh v1.6.0
 	github.com/ybriffa/rfc3339 v0.0.0-20220203155318-1789e3fd6e70
 	golang.org/x/exp v0.0.0-20230809150735-7b3493d9a819
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -134,8 +134,8 @@ github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zx
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/ovh/go-ovh v1.5.1 h1:P8O+7H+NQuFK9P/j4sFW5C0fvSS2DnHYGPwdVCp45wI=
-github.com/ovh/go-ovh v1.5.1/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
+github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
+github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

ovh/config.go

@@ -17,6 +17,9 @@ type Config struct {
 	Plate    string
 	Endpoint string
 
+	// Access token
+	AccessToken string
+
 	// AK / AS / CK authentication information
 	ApplicationKey    string
 	ApplicationSecret string
@@ -38,13 +41,19 @@ func clientDefault(c *Config) (*ovh.Client, error) {
 		err    error
 	)
 
-	if c.ClientID != "" {
+	switch {
+	case c.AccessToken != "":
+		client, err = ovh.NewAccessTokenClient(
+			c.Endpoint,
+			c.AccessToken,
+		)
+	case c.ClientID != "":
 		client, err = ovh.NewOAuth2Client(
 			c.Endpoint,
 			c.ClientID,
 			c.ClientSecret,
 		)
-	} else {
+	default:
 		client, err = ovh.NewClient(
 			c.Endpoint,
 			c.ApplicationKey,

ovh/provider.go

@@ -19,7 +19,10 @@ var (
 	descriptions = map[string]string{
 		"endpoint": "The OVH API endpoint to target (ex: \"ovh-eu\")",
 
-		// Authentication via app key / app secret / comsumer key
+		// Authentication via short-lived access token
+		"access_token": "The OVH API Access Token",
+
+		// Authentication via app key / app secret / consumer key
 		"application_key":    "The OVH API Application Key",
 		"application_secret": "The OVH API Application Secret",
 		"consumer_key":       "The OVH API Consumer Key",
@@ -39,6 +42,11 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				Description: descriptions["endpoint"],
 			},
+			"access_token": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: descriptions["access_token"],
+			},
 			"application_key": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -272,6 +280,9 @@ func ConfigureContextFunc(context context.Context, d *schema.ResourceData) (inte
 	if v, ok := d.GetOk("endpoint"); ok {
 		config.Endpoint = v.(string)
 	}
+	if v, ok := d.GetOk("access_token"); ok {
+		config.AccessToken = v.(string)
+	}
 	if v, ok := d.GetOk("application_key"); ok {
 		config.ApplicationKey = v.(string)
 	}

ovh/provider_new.go

@@ -39,6 +39,10 @@ func (p *OvhProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *
 				Optional:    true,
 				Description: descriptions["endpoint"],
 			},
+			"access_token": schema.StringAttribute{
+				Optional:    true,
+				Description: descriptions["access_token"],
+			},
 			"application_key": schema.StringAttribute{
 				Optional:    true,
 				Description: descriptions["application_key"],
@@ -82,6 +86,16 @@ func (p *OvhProvider) Configure(ctx context.Context, req provider.ConfigureReque
 		)
 	}
 
+	if config.AccessToken.IsUnknown() {
+		resp.Diagnostics.AddAttributeError(
+			path.Root("access_token"),
+			"Unknown OVH API access_token",
+			"The provider cannot create the OVH API client as there is a missing or empty value for the API access token."+
+				"Set the access token value in the configuration or use the OVH_ACCESS_TOKEN environment variable."+
+				"If either is already set, ensure the value is not empty.",
+		)
+	}
+
 	if config.ApplicationKey.IsUnknown() {
 		resp.Diagnostics.AddAttributeError(
 			path.Root("application_key"),
@@ -144,6 +158,9 @@ func (p *OvhProvider) Configure(ctx context.Context, req provider.ConfigureReque
 	if !config.Endpoint.IsNull() {
 		clientConfig.Endpoint = config.Endpoint.ValueString()
 	}
+	if !config.AccessToken.IsNull() {
+		clientConfig.AccessToken = config.AccessToken.ValueString()
+	}
 	if !config.ApplicationKey.IsNull() {
 		clientConfig.ApplicationKey = config.ApplicationKey.ValueString()
 	}
@@ -202,6 +219,7 @@ func (p *OvhProvider) Resources(_ context.Context) []func() resource.Resource {
 
 type ovhProviderModel struct {
 	Endpoint          types.String `tfsdk:"endpoint"`
+	AccessToken       types.String `tfsdk:"access_token"`
 	ApplicationKey    types.String `tfsdk:"application_key"`
 	ApplicationSecret types.String `tfsdk:"application_secret"`
 	ConsumerKey       types.String `tfsdk:"consumer_key"`

vendor/github.com/ovh/go-ovh/ovh/configuration.go

@@ -276,7 +276,7 @@ github.com/mitchellh/reflectwalk
 # github.com/oklog/run v1.0.0
 ## explicit
 github.com/oklog/run
-# github.com/ovh/go-ovh v1.5.1
+# github.com/ovh/go-ovh v1.6.0
 ## explicit; go 1.18
 github.com/ovh/go-ovh/ovh
 # github.com/vmihailenco/msgpack v4.0.4+incompatible

vendor/github.com/ovh/go-ovh/ovh/ovh.go

@@ -8,19 +8,23 @@ description: |-
 
 # OVH Provider
 
-The OVH provider is the entry point to interact with the resources provided by OVHcloud. 
+The OVH provider is the entry point to interact with the resources provided by OVHcloud.
 
--> __NOTE__ According on your needs, you may need to use additional providers. This [documentation page](https://help.ovhcloud.com/csm/en-gb-terraform-at-ovhcloud?id=kb_article_view&sysparm_article=KB0054612) provides the mapping between the control panel concepts and the terraform providers / ressources.
+-> __NOTE__ According on your needs, you may need to use additional providers. This [documentation page](https://help.ovhcloud.com/csm/en-gb-terraform-at-ovhcloud?id=kb_article_view&sysparm_article=KB0054612) provides the mapping between the control panel concepts and the terraform providers / resources.
 
 Use the navigation to the left to read about the available resources.
 
 ## Provider configuration
 
 The provider needs to be configured with the proper credentials before it can be used. Requests to OVHcloud APIs require a set of secrets keys and the definition of the API end point. See [First Steps with the API](https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/) (or the French version, [Premiers pas avec les API OVHcloud](https://docs.ovh.com/fr/api/api-premiers-pas/)) for a detailed explanation.
 
-Two forms of authentication are supported by the provider:
-- OAuth2, using scopped service accounts, and compatible with OVHcloud IAM
-- application key & application secret & consumer key
+Three forms of authentication are supported by the provider:
+- OAuth2, using scoped service accounts, and compatible with OVHcloud IAM
+- Short-lived access token received from
+  [OVH API](https://support.us.ovhcloud.com/hc/en-us/articles/19901571606547-Using-Service-Accounts-to-Connect-to-OVHcloud-APIs)
+  (for example with aid of Hashicorp Vault OAuth2 secret engine configured to
+  work with OVH auth api).
+- Application key & application secret & consumer key
 
 ### OAuth2
 
@@ -51,7 +55,7 @@ Alternatively it is suggested to use configuration files or environment
 variables so that the same code may run seamlessly in multiple environments.
 Production and development for instance.
 
-The provider will first look for direct instanciation parameters then
+The provider will first look for direct instantiation parameters then
 ``OVH_ENDPOINT``, ``OVH_CLIENT_ID`` and ``OVH_CLIENT_SECRET`` environment variables.
 If either of these parameter is not provided, it will look for a configuration file of the form:
 
@@ -83,10 +87,18 @@ project or user.
 
 You can find more details about the configuration parsing on repository [go-ovh](https://github.com/ovh/go-ovh).
 
+### Access token
+
+The provider will look for the token either at ``OVH_ACCESS_TOKEN`` environment
+variable, or get it via ``access_token`` argument in the provider's stanza.
+
+Similarly to OAuth2 method, the endpoint must be configured (either via
+``endpoint`` argument, or with ``OVH_ENDPOINT`` environment variable).
+
 ### Application Key/Application Secret
 
 The required keys are the `application_key`, the `application_secret`, and the `consumer_key`.
-These keys can be generated via the [OVHcloud token generation page](https://api.ovh.com/createToken/?GET=/*&POST=/*&PUT=/*&DELETE=/*). 
+These keys can be generated via the [OVHcloud token generation page](https://api.ovh.com/createToken/?GET=/*&POST=/*&PUT=/*&DELETE=/*).
 
 These parameters can be configured directly in the provider block as shown hereafter.
 
@@ -113,7 +125,7 @@ Alternatively it is suggested to use configuration files or environment
 variables so that the same code may run seamlessly in multiple environments.
 Production and development for instance.
 
-The provider will first look for direct instanciation parameters then
+The provider will first look for direct instantiation parameters then
 ``OVH_ENDPOINT``, ``OVH_APPLICATION_KEY``, ``OVH_APPLICATION_SECRET`` and
 ``OVH_CONSUMER_KEY`` environment variables. If either of these parameter is not
 provided, it will look for a configuration file of the form:
@@ -246,12 +258,12 @@ variables must also be set:
 
 * `OVH_CLOUD_PROJECT_FAILOVER_IP_ROUTED_TO_1_TEST` - The GUID of an instance to which failover IP addresses can be attached
 
-* `OVH_CLOUD_PROJECT_FAILOVER_IP_ROUTED_TO_2_TEST` - The GUID of a secondary instance to which failover IP addresses can be attached. There must be 2 as associations can only be updated not removed. To test effectively, the failover ip address must be moved between instances 
+* `OVH_CLOUD_PROJECT_FAILOVER_IP_ROUTED_TO_2_TEST` - The GUID of a secondary instance to which failover IP addresses can be attached. There must be 2 as associations can only be updated not removed. To test effectively, the failover ip address must be moved between instances
 
 * `OVH_CLOUD_PROJECT_KUBE_REGION_TEST` - The region of your public cloud kubernetes project.
 
 * `OVH_CLOUD_PROJECT_KUBE_VERSION_TEST` - The version of your public cloud kubernetes project.
-* `OVH_CLOUD_PROJECT_KUBE_PREV_VERSION_TEST` - The previous version of your public cloud kubernetes project. This is used to test upgrade. 
+* `OVH_CLOUD_PROJECT_KUBE_PREV_VERSION_TEST` - The previous version of your public cloud kubernetes project. This is used to test upgrade.
 
 * `OVH_DEDICATED_SERVER` - The name of the dedicated server to test dedicated_server_networking resource.
 
@@ -260,7 +272,7 @@ variables must also be set:
 * `OVH_ZONE_TEST` - The domain you own to test the domain_zone resource.
 
 * `OVH_IP_TEST`, `OVH_IP_BLOCK_TEST`, `OVH_IP_REVERSE_TEST` - The values you have to set for testing ip reverse resources.
- 
+
 * `OVH_IP_MOVE_SERVICE_NAME_TEST` - The value you have to set for testing ip move resources.
 
 * `OVH_DBAAS_LOGS_SERVICE_TEST` - The name of your Dbaas logs service.