data_source_google_service_account_id_token.go
package resourcemanager
import (
"fmt"
"strings"
"github.com/hashicorp/terraform-provider-google/google/tpgresource"
transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
"github.com/hashicorp/terraform-provider-google/google/verify"
iamcredentials "google.golang.org/api/iamcredentials/v1"
"google.golang.org/api/idtoken"
"google.golang.org/api/option"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"golang.org/x/net/context"
)
const (
	// userInfoScope is the OAuth scope requested when the provider's own
	// credentials are loaded for the non-impersonated (idtoken) path.
	userInfoScope = "https://www.googleapis.com/auth/userinfo.email"
)
// DataSourceGoogleServiceAccountIdToken returns the schema of the
// google_service_account_id_token data source, which mints an OpenID Connect
// ID token for target_audience, either for the provider's own credentials or,
// when target_service_account is set, for that account through the IAM
// Credentials API.
func DataSourceGoogleServiceAccountIdToken() *schema.Resource {
	// target_service_account accepts any of the service-account name forms the
	// provider recognises; each delegate must be a full service-account link.
	targetAccountPattern := "(" + strings.Join(verify.PossibleServiceAccountNames, "|") + ")"

	attrs := map[string]*schema.Schema{
		"target_audience": {
			Type:     schema.TypeString,
			Required: true,
		},
		"target_service_account": {
			Type:         schema.TypeString,
			Optional:     true,
			ValidateFunc: verify.ValidateRegexp(targetAccountPattern),
		},
		"delegates": {
			Type:     schema.TypeSet,
			Optional: true,
			Elem: &schema.Schema{
				Type:         schema.TypeString,
				ValidateFunc: verify.ValidateRegexp(verify.ServiceAccountLinkRegex),
			},
		},
		"include_email": {
			Type:     schema.TypeBool,
			Optional: true,
			Default:  false,
		},
		// "format" is deliberately not exposed until the upstream client
		// supports it: https://github.com/googleapis/google-api-go-client/issues/542
		// "format": {
		//   Type:         schema.TypeString,
		//   Optional:     true,
		//   ValidateFunc: validation.StringInSlice([]string{"FULL", "STANDARD"}, true),
		//   Default:      "STANDARD",
		// },
		//
		// The minted token is a bearer credential. Sensitive keeps it out of
		// plan/apply output, but it is still written to state in plaintext, so
		// the state backend must be protected accordingly.
		"id_token": {
			Type:      schema.TypeString,
			Sensitive: true,
			Computed:  true,
		},
	}

	return &schema.Resource{
		Read:   dataSourceGoogleServiceAccountIdTokenRead,
		Schema: attrs,
	}
}
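// dataSourceGoogleServiceAccountIdTokenRead mints an ID token for
// target_audience and stores it in the id_token attribute.
//
// Two paths exist:
//   - target_service_account set: the IAM Credentials generateIdToken method is
//     called for that account (optionally through the delegates chain). The
//     resource ID is the target service account.
//   - otherwise: a token is minted for the provider's own credentials via the
//     idtoken package. The resource ID is the audience.
//
// The provider credentials are only loaded on the second path; the first one
// goes through the config's IAM Credentials client and never used them, so a
// credential-loading failure no longer aborts an impersonation request.
//
// Returns an error when credentials cannot be loaded, the token cannot be
// minted, or the attribute cannot be written.
func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta interface{}) error {
	config := meta.(*transport_tpg.Config)
	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
	if err != nil {
		return err
	}

	targetAudience := d.Get("target_audience").(string)
	targetServiceAccount := d.Get("target_service_account").(string)

	var token, id string
	if targetServiceAccount != "" {
		token, err = serviceAccountIdTokenViaIAMCredentials(config, userAgent, d, targetAudience, targetServiceAccount)
		id = targetServiceAccount
	} else {
		token, err = serviceAccountIdTokenFromCredentials(config, targetAudience)
		id = targetAudience
	}
	if err != nil {
		return err
	}

	d.SetId(id)
	if err := d.Set("id_token", token); err != nil {
		return fmt.Errorf("Error setting id_token: %w", err)
	}
	return nil
}

// serviceAccountIdTokenViaIAMCredentials calls the IAM Credentials
// generateIdToken method for targetServiceAccount and returns the minted
// token. include_email and delegates are read from d.
//
// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
func serviceAccountIdTokenViaIAMCredentials(config *transport_tpg.Config, userAgent string, d *schema.ResourceData, targetAudience, targetServiceAccount string) (string, error) {
	service := config.NewIamCredentialsClient(userAgent)
	// "-" as the project wildcard lets the API resolve the account by e-mail/ID.
	name := fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount)
	req := &iamcredentials.GenerateIdTokenRequest{
		Audience:     targetAudience,
		IncludeEmail: d.Get("include_email").(bool),
		Delegates:    tpgresource.ConvertStringSet(d.Get("delegates").(*schema.Set)),
	}
	resp, err := service.Projects.ServiceAccounts.GenerateIdToken(name, req).Do()
	if err != nil {
		return "", fmt.Errorf("error calling iamcredentials.GenerateIdToken: %w", err)
	}
	return resp.Token, nil
}

// serviceAccountIdTokenFromCredentials mints an ID token for the provider's
// configured credentials using the idtoken package.
func serviceAccountIdTokenFromCredentials(config *transport_tpg.Config, targetAudience string) (string, error) {
	creds, err := config.GetCredentials([]string{userInfoScope}, false)
	if err != nil {
		return "", fmt.Errorf("error calling getCredentials(): %w", err)
	}

	var opts []option.ClientOption
	if creds.JSON != nil {
		opts = append(opts, idtoken.WithCredentialsJSON(creds.JSON))
	}
	// NOTE(review): when creds.JSON is nil nothing pins the identity here, so
	// idtoken.NewTokenSource resolves credentials on its own (presumably ADC);
	// the token may then belong to a different principal than the one the
	// provider was configured with — confirm this is intended.
	src, err := idtoken.NewTokenSource(context.Background(), targetAudience, opts...)
	if err != nil {
		return "", fmt.Errorf("unable to retrieve TokenSource: %w", err)
	}
	tok, err := src.Token()
	if err != nil {
		return "", fmt.Errorf("unable to retrieve Token: %w", err)
	}
	// The idtoken source returns the ID token in the AccessToken field.
	return tok.AccessToken, nil
}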