JFrog Platform Provider

The JFrog Platform provider provides resources to interact with features from JFrog platform.
The JFrog Platform provider is used to interact with the features of the JFrog Platform REST API. The provider needs to be configured with the proper credentials before it can be used.
Links to documentation for specific resources can be found in the table of contents to the left.
This provider requires access to JFrog Platform APIs, which are only available in the licensed pro and enterprise editions. You can determine which license you have by accessing the following URL: `${host}/artifactory/api/system/licenses/`

You can access it either via the API or a web browser. It requires admin level credentials.
```bash
curl -sL ${host}/artifactory/api/system/licenses/ | jq .
```

```json
{
  "type" : "Enterprise Plus Trial",
  "validThrough" : "Jan 29, 2022",
  "licensedTo" : "JFrog Ltd"
}
```
```terraform
terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "12.7.1"
    }
    platform = {
      source  = "jfrog/platform"
      version = "2.2.0"
    }
  }
}

variable "jfrog_url" {
  type    = string
  default = "http://localhost:8081"
}

provider "artifactory" {
  url = var.jfrog_url
  // supply JFROG_ACCESS_TOKEN as env var
}

provider "platform" {
  url = var.jfrog_url
  // supply JFROG_ACCESS_TOKEN as env var
}

resource "platform_global_role" "my-global-role" {
  name         = "my-global-role"
  description  = "Test description"
  type         = "CUSTOM_GLOBAL"
  environments = ["DEV"]
  actions      = ["READ_REPOSITORY", "READ_BUILD"]
}

resource "artifactory_local_generic_repository" "my-generic-local" {
  key = "my-generic-local"
}

resource "platform_workers_service" "my-workers-service" {
  key         = "my-workers-service"
  enabled     = true
  description = "My workers service"
  source_code = "export default async (context: PlatformContext, data: BeforeDownloadRequest): Promise<BeforeDownloadResponse> => { console.log(await context.clients.platformHttp.get('/artifactory/api/system/ping')); console.log(await axios.get('https://my.external.resource')); return { status: 'DOWNLOAD_PROCEED', message: 'proceed', } }"
  action      = "BEFORE_DOWNLOAD"

  // Run the worker only for downloads from this repository
  filter_criteria = {
    artifact_filter_criteria = {
      repo_keys = [artifactory_local_generic_repository.my-generic-local.key]
    }
  }

  // Example values only; in real use pass these in through sensitive input variables
  secrets = [
    {
      key   = "my-secret-key-1"
      value = "my-secret-value-1"
    },
    {
      key   = "my-secret-key-2"
      value = "my-secret-value-2"
    }
  ]
}
```
The JFrog Platform provider supports the following types of authentication:
- Scoped token
- Terraform Cloud OIDC provider
JFrog scoped tokens may be used via the HTTP Authorization header by providing the `access_token` field to the provider block. Getting this value from the environment is supported with the `JFROG_ACCESS_TOKEN` environment variable.
Usage:
```terraform
provider "platform" {
  url          = "my.jfrog.io"
  access_token = "abc...xy"
}
```
If you are using this provider on Terraform Cloud and wish to use dynamic credentials instead of a static access token for authentication with the JFrog platform, you can leverage Terraform as the OIDC provider.

To set up dynamic credentials, follow these steps:
- Configure Terraform Cloud as a generic OIDC provider
- Set environment variable in your Terraform Workspace
- Set up Terraform Cloud in your configuration

During provider start-up, if it finds the env var `TFC_WORKLOAD_IDENTITY_TOKEN`, it will use this token with your JFrog instance to exchange for a short-lived access token. If that is successful, the provider will use the access token for all subsequent API requests with the JFrog instance.
Follow Configure an OIDC Integration. Enter a name for the provider, e.g. `terraform-cloud`. Use `https://app.terraform.io` for "Provider URL". Choose your own value for "Audience", e.g. `jfrog-terraform-cloud`.
Then configure an identity mapping with appropriate "Claims JSON" (e.g. `aud`, `sub` at minimum. See Terraform Workload Identity - Configuring Trust with your Cloud Platform), and select the "Token scope", "User", and "Service" as desired.
In your workspace, add an environment variable `TFC_WORKLOAD_IDENTITY_AUDIENCE` with the audience value (e.g. `jfrog-terraform-cloud`) from the JFrog OIDC integration above. See Manually Generating Workload Identity Tokens for more details.
When a run starts on Terraform Cloud, it will create a workload identity token with the specified audience and assign it to the environment variable `TFC_WORKLOAD_IDENTITY_TOKEN` for the provider to consume.
See Generating Multiple Tokens on HCP Terraform for more details on using different tokens.
Add a `cloud` block to the `terraform` block, and add the `oidc_provider_name` attribute (from the JFrog OIDC integration) to the provider block:
```terraform
terraform {
  cloud {
    organization = "my-org"
    workspaces {
      name = "my-workspace"
    }
  }

  required_providers {
    platform = {
      source  = "jfrog/platform"
      version = "1.6.1"
    }
  }
}

provider "platform" {
  url                     = "https://myinstance.jfrog.io"
  oidc_provider_name      = "terraform-cloud"
  tfc_credential_tag_name = "JFROG"
}
```
Note: Ensure `access_token` attribute is not set
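
A preflight check for the dynamic-credentials setup above, as an added example that is not part of the JFrog provider or its documentation: it selects the environment variable this page says the provider reads, decodes the workload identity token's claims without verifying the signature, and reports claims that differ from the identity mapping's "Claims JSON". The exact-equality matching, the helper names and the sample token are assumptions constructed for illustration.

```python
import base64
import json

def token_env_var(tag_name=None):
    """Env var the page says the provider reads; the tag suffix is case sensitive."""
    base = "TFC_WORKLOAD_IDENTITY_TOKEN"
    return f"{base}_{tag_name}" if tag_name else base

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def mapping_mismatches(claims, claims_json):
    """Return {claim: (expected, actual)} for mapping entries the token fails."""
    bad = {}
    for name, expected in claims_json.items():
        actual = claims.get(name)
        # "aud" may be a single string or a list of strings in a JWT.
        ok = expected in actual if isinstance(actual, list) else actual == expected
        if not ok:
            bad[name] = (expected, actual)
    return bad

def preflight(env, tag_name, claims_json):
    """Check the token the provider would pick up against the identity mapping."""
    var = token_env_var(tag_name)
    if not env.get(var):
        raise LookupError(f"{var} is not set; check TFC_WORKLOAD_IDENTITY_AUDIENCE")
    return mapping_mismatches(jwt_claims(env[var]), claims_json)

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (placeholder signature), shaped like a TFC workload identity token.
SAMPLE_CLAIMS = {
    "iss": "https://app.terraform.io",
    "aud": "jfrog-terraform-cloud",
    "sub": "organization:my-org:project:my-project:workspace:my-workspace:run_phase:apply",
}
SAMPLE_TOKEN = ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(SAMPLE_CLAIMS), "c2ln"])

if __name__ == "__main__":
    env = {"TFC_WORKLOAD_IDENTITY_TOKEN_JFROG": SAMPLE_TOKEN}
    print(preflight(env, "JFROG", {"aud": "jfrog-terraform-cloud"}))
    print(preflight(env, "JFROG", {"aud": "wrong-audience"}))
```

An empty result means every claim in the mapping matched. A `LookupError` for tag `jfrog` when the variable is `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is the case-sensitivity pitfall described for `tfc_credential_tag_name`.
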
- `access_token` (String, Sensitive) This is an access token that can be given to you by your admin under `Platform Configuration -> User Management -> Access Tokens`. This can also be sourced from the `JFROG_ACCESS_TOKEN` environment variable.
- `oidc_provider_name` (String) OIDC provider name. See Configure an OIDC Integration for more details.
- `tfc_credential_tag_name` (String) Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use the env var with this tag name as suffix. Note: this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See Generating Multiple Tokens on HCP Terraform for more details.
- `url` (String) JFrog Platform URL. This can also be sourced from the `JFROG_URL` environment variable.