Integration tests: Use oauth client instead of API token (#162)

* Integration tests: Use oauth scopes instead of API token

* Add new configuration options to README

* Change workflows to include new keys

* update Python README

* secrets configuration for python test

* add missing import

* Rename test to tailnet-key to reflect the resource we are testing. Add required tags.

.github/workflows/command-dispatch.yml

@@ -24,7 +24,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/main.yml

@@ -24,7 +24,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/master.yml

@@ -24,7 +24,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/prerelease.yml

@@ -25,7 +25,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/pull-request.yml

@@ -24,7 +24,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/release.yml

@@ -24,7 +24,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/resync-build.yml

@@ -26,7 +26,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/run-acceptance-tests.yml

@@ -25,7 +25,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

.github/workflows/update-upstream-provider.yml

@@ -26,7 +26,8 @@ env:
   SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
   SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-  TAILSCALE_API_KEY: ${{ secrets.TAILSCALE_API_KEY }}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}
+  TAILSCALE_OAUTH_CLIENT_ID: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
   TAILSCALE_TAILNET: ${{ secrets.TAILSCALE_TAILNET }}
   TF_APPEND_USER_AGENT: pulumi
   TRAVIS_OS_NAME: linux

README.md

@@ -51,6 +51,9 @@ The following configuration points are available:
 - `tailscale:tailnet` - (Required) Tailscale tailnet to manage resources for. It must be provided, but it can also be
   sourced from the `TAILSCALE_TAILNET` variable. A tailnet is the name of your Tailscale network. You can find it in 
   the top left corner of the Admin Panel beside the Tailscale logo.
+- `tailscale:oauthClientId` - The OAuth application's ID when using OAuth client credentials. Can be set via the OAUTH_CLIENT_ID environment variable. Both 'oauthClientId' and 'oauthClientSecret' must be set. Conflicts with 'apiKey'.
+- `oauthClientSecret` - The OAuth application's secret when using OAuth client credentials. Can be set via the OAUTH_CLIENT_SECRET environment variable. Both 'oauthClientId' and 'oauthClientSecret' must be set. Conflicts with 'apiKey'.
+- `scopes` - The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauthClientId' and 'oauthClientSecret' are set.
 
 ## Reference
 

examples/examples_nodejs_test.go

@@ -4,16 +4,22 @@
 package examples
 
 import (
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )
 
 func TestAccDnsTs(t *testing.T) {
+	checkTokens(t)
 	test := getJSBaseOptions(t).
 		With(integration.ProgramTestOptions{
 			Dir: filepath.Join(getCwd(t), "dns-ts"),
+			Secrets: map[string]string{
+				"tailscale:oauthClientSecret": os.Getenv("TAILSCALE_OAUTH_CLIENT_SECRET"),
+				"tailscale:oauthClientId":     os.Getenv("TAILSCALE_OAUTH_CLIENT_ID"),
+			},
 		})
 
 	integration.ProgramTest(t, &test)

examples/examples_py_test.go

@@ -4,16 +4,22 @@
 package examples
 
 import (
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )
 
-func TestAccAclPy(t *testing.T) {
+func TestAccKeyPy(t *testing.T) {
+	checkTokens(t)
 	test := getPythonBaseOptions(t).
 		With(integration.ProgramTestOptions{
-			Dir: filepath.Join(getCwd(t), "py-acl"),
+			Dir: filepath.Join(getCwd(t), "py-tailnet-key"),
+			Secrets: map[string]string{
+				"tailscale:oauthClientSecret": os.Getenv("TAILSCALE_OAUTH_CLIENT_SECRET"),
+				"tailscale:oauthClientId":     os.Getenv("TAILSCALE_OAUTH_CLIENT_ID"),
+			},
 		})
 
 	integration.ProgramTest(t, &test)

examples/examples_test.go

@@ -16,6 +16,20 @@ func getCwd(t *testing.T) string {
 	return cwd
 }
 
+func checkTokens(t *testing.T) {
+	clientSecret := os.Getenv("TAILSCALE_OAUTH_CLIENT_SECRET")
+	if clientSecret == "" {
+		t.Log("Failing due to missing TAILSCALE_OAUTH_CLIENT_SECRET variable")
+		t.FailNow()
+
+	}
+	clientId := os.Getenv("TAILSCALE_OAUTH_CLIENT_ID")
+	if clientId == "" {
+		t.Log("Failing due to missing TAILSCALE_OAUTH_CLIENT_ID variable")
+		t.FailNow()
+	}
+}
+
 func getBaseOptions() integration.ProgramTestOptions {
 	return integration.ProgramTestOptions{
 		RunUpdateTest:        false,

examples/py-acl/__main__.py → examples/py-tailnet-key/__main__.py

@@ -2,4 +2,4 @@
 
 import pulumi_tailscale as tailscale
 
-tailscale.TailnetKey("demo-py")
+tailscale.TailnetKey("demo-py", tags=["tag:server"])

sdk/python/README.md

@@ -51,6 +51,9 @@ The following configuration points are available:
 - `tailscale:tailnet` - (Required) Tailscale tailnet to manage resources for. It must be provided, but it can also be
   sourced from the `TAILSCALE_TAILNET` variable. A tailnet is the name of your Tailscale network. You can find it in 
   the top left corner of the Admin Panel beside the Tailscale logo.
+- `tailscale:oauthClientId` - The OAuth application's ID when using OAuth client credentials. Can be set via the OAUTH_CLIENT_ID environment variable. Both 'oauthClientId' and 'oauthClientSecret' must be set. Conflicts with 'apiKey'.
+- `oauthClientSecret` - The OAuth application's secret when using OAuth client credentials. Can be set via the OAUTH_CLIENT_SECRET environment variable. Both 'oauthClientId' and 'oauthClientSecret' must be set. Conflicts with 'apiKey'.
+- `scopes` - The OAuth 2.0 scopes to request when for the access token generated using the supplied OAuth client credentials. See https://tailscale.com/kb/1215/oauth-clients/#scopes for available scopes. Only valid when both 'oauthClientId' and 'oauthClientSecret' are set.
 
 ## Reference