From e8350f62570b7b1935c94c75c98e3e453a255a5b Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Fri, 15 Nov 2024 10:07:31 +0000
Subject: [PATCH] Update terraform shizz
---
 .../data-sources/provision_token.mdx | 1 +
 .../resources/provision_token.mdx | 1 +
 .../tfschema/token/types_terraform.go | 44 +++++++++++++++++++
 3 files changed, 46 insertions(+)
diff --git a/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx b/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
index 5bd8d596bcfda..4a66253417c86 100644
--- a/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
+++ b/docs/pages/reference/terraform-provider/data-sources/provision_token.mdx
@@ -111,6 +111,7 @@ Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgithuballow)) - `enterprise_server_host` (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service. - `enterprise_slug` (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. +- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server. ### Nested Schema for `spec.github.allow` diff --git a/docs/pages/reference/terraform-provider/resources/provision_token.mdx b/docs/pages/reference/terraform-provider/resources/provision_token.mdx index 8d14d82ee2da7..4646674b4cbb1 100644 
--- a/docs/pages/reference/terraform-provider/resources/provision_token.mdx +++ b/docs/pages/reference/terraform-provider/resources/provision_token.mdx @@ -145,6 +145,7 @@ Optional: - `allow` (Attributes List) Allow is a list of TokenRules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specgithuballow)) - `enterprise_server_host` (String) EnterpriseServerHost allows joining from runners associated with a GitHub Enterprise Server instance. When unconfigured, tokens will be validated against github.com, but when configured to the host of a GHES instance, then the tokens will be validated against host. This value should be the hostname of the GHES instance, and should not include the scheme or a path. The instance must be accessible over HTTPS at this hostname and the certificate must be trusted by the Auth Service. - `enterprise_slug` (String) EnterpriseSlug allows the slug of a GitHub Enterprise organisation to be included in the expected issuer of the OIDC tokens. This is for compatibility with the `include_enterprise_slug` option in GHE. This field should be set to the slug of your enterprise if this is enabled. If this is not enabled, then this field must be left empty. This field cannot be specified if `enterprise_server_host` is specified. See https://docs.github.com/en/enterprise-cloud@latest/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-issuer-value-for-an-enterprise for more information about customized issuer values. +- `static_jwks` (String) StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server. ### Nested Schema for `spec.github.allow` 
diff --git a/integrations/terraform/tfschema/token/types_terraform.go b/integrations/terraform/tfschema/token/types_terraform.go
index 662ef0320199c..6bceb6515909a 100644
--- a/integrations/terraform/tfschema/token/types_terraform.go
+++ b/integrations/terraform/tfschema/token/types_terraform.go
@@ -274,6 +274,11 @@ func GenSchemaProvisionTokenV2(ctx context.Context) (github_com_hashicorp_terraf
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
 },
+ "static_jwks": {
+ Description: "StaticJWKS disables fetching of the GHES signing keys via the JWKS/OIDC endpoints, and allows them to be directly specified. This allows joining from GitHub Actions in GHES instances that are not reachable by the Teleport Auth Server.",
+ Optional: true,
+ Type: github_com_hashicorp_terraform_plugin_framework_types.StringType,
+ },
 }),
 Description: "GitHub allows the configuration of options specific to the \"github\" join method.",
 Optional: true,
@@ -1166,6 +1171,23 @@ func CopyProvisionTokenV2FromTerraform(_ context.Context, tf github_com_hashicor
 }
 }
 }
+ {
+ a, ok := tf.Attrs["static_jwks"]
+ if !ok {
+ diags.Append(attrReadMissingDiag{"ProvisionTokenV2.Spec.GitHub.StaticJWKS"})
+ } else {
+ v, ok := a.(github_com_hashicorp_terraform_plugin_framework_types.String)
+ if !ok {
+ diags.Append(attrReadConversionFailureDiag{"ProvisionTokenV2.Spec.GitHub.StaticJWKS", "github.com/hashicorp/terraform-plugin-framework/types.String"})
+ } else {
+ var t string
+ if !v.Null && !v.Unknown {
+ t = string(v.Value)
+ }
+ obj.StaticJWKS = t
+ }
+ }
+ }
 }
 }
 }
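Review bot: The `static_jwks` Description in the GenSchemaProvisionTokenV2 hunk says what the field switches off but not what value it takes, and this string becomes the set of signing keys the Auth Service trusts for GHES joins, so an operator reading the schema (or the two .mdx lines generated from it) gets no format to follow and no hint that the value is a trust anchor. Suggest extending the description with something like `... This value replaces the keys the Auth Service would otherwise fetch from the GHES instance; obtain it from the instance's own JWKS endpoint rather than from any other source, and note that whoever can change this field decides which signing keys are accepted.` and stating the expected encoding (presumably the JWKS JSON document, given the field name, but confirm against the server-side parser). The attrReadMissingDiag/attrWriteMissingDiag pattern suggests types_terraform.go is generated from the proto definition, in which case the wording belongs in the proto field comment that feeds this Description and the .mdx pages; the CopyProvisionTokenV2FromTerraform hunk stores the string verbatim, so any well-formedness check has to happen on the Auth Service. Both GenSchemaProvisionTokenV2 and CopyProvisionTokenV2FromTerraform begin and end outside their hunks.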
@@ -3292,6 +3314,28 @@ func CopyProvisionTokenV2ToTerraform(ctx context.Context, obj *github_com_gravit
 tf.Attrs["enterprise_slug"] = v
 }
 }
+ {
+ t, ok := tf.AttrTypes["static_jwks"]
+ if !ok {
+ diags.Append(attrWriteMissingDiag{"ProvisionTokenV2.Spec.GitHub.StaticJWKS"})
+ } else {
+ v, ok := tf.Attrs["static_jwks"].(github_com_hashicorp_terraform_plugin_framework_types.String)
+ if !ok {
+ i, err := t.ValueFromTerraform(ctx, github_com_hashicorp_terraform_plugin_go_tftypes.NewValue(t.TerraformType(ctx), nil))
+ if err != nil {
+ diags.Append(attrWriteGeneralError{"ProvisionTokenV2.Spec.GitHub.StaticJWKS", err})
+ }
+ v, ok = i.(github_com_hashicorp_terraform_plugin_framework_types.String)
+ if !ok {
+ diags.Append(attrWriteConversionFailureDiag{"ProvisionTokenV2.Spec.GitHub.StaticJWKS", "github.com/hashicorp/terraform-plugin-framework/types.String"})
+ }
+ v.Null = string(obj.StaticJWKS) == ""
+ }
+ v.Value = string(obj.StaticJWKS)
+ v.Unknown = false
+ tf.Attrs["static_jwks"] = v
+ }
+ }
 }
 v.Unknown = false
 tf.Attrs["github"] = v