From 24c0ddb77f48b10a2cc72212371084da00fbb3b6 Mon Sep 17 00:00:00 2001
From: nickyinluo
Date: Tue, 11 Oct 2022 18:47:46 +0800
Subject: [PATCH 1/2] support env for SESSION_DURATION

---
 tencentcloud/provider.go | 11 ++++++++---
 website/docs/index.html.markdown | 12 +++++++++++-
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index c5dff158ea..6f09c54a56 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -789,9 +789,14 @@ func Provider() terraform.ResourceProvider {
 Description: "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.",
 },
 "session_duration": {
- Type: schema.TypeInt,
- Required: true,
- InputDefault: "7200",
+ Type: schema.TypeInt,
+ Required: true,
+ DefaultFunc: func() (interface{}, error) {
+ if v := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); v != "" {
+ return strconv.Atoi(v)
+ }
+ return 7200, nil
+ },
 ValidateFunc: validateIntegerInRange(0, 43200),
 Description: "The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.",
 },
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 78f5644fa8..079cb13bc6 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
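Review bot: The DefaultFunc added for `session_duration` accepts whatever integer `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` parses to, while a value written in config goes through `validateIntegerInRange(0, 43200)`; I am not certain the SDK applies ValidateFunc to a DefaultFunc result, so the env path may let an out-of-range duration reach STS. Checking the bound inside the closure settles it either way, e.g. `n, err := strconv.Atoi(v)` followed by `if err != nil || n < 0 || n > 43200 { return nil, fmt.Errorf("%s must be an integer in [0, 43200], got %q", PROVIDER_ASSUME_ROLE_SESSION_DURATION, v) }` (assuming `fmt` is already imported; the import block is not in the hunk). A one-line comment on the closure, `// env value overrides the 7200 default; an unparsable value fails provider validation`, would also make the Required+DefaultFunc pairing read as intended. The enclosing Provider() schema continues outside the hunk.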
@@ -157,10 +157,20 @@ provider "tencentcloud" {
 }
 ```
-The `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables.
+The `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables with a empty `assume_role` block.
 Usage:
+```hcl
+provider "tencentcloud" {
+ secret_id = "my-secret-id"
+ secret_key = "my-secret-key"
+ region = "ap-guangzhou"
+
+ assume_role {}
+}
+```
+
 ```shell
 $ export TENCENTCLOUD_SECRET_ID="my-secret-id"
 $ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
From b78e3c5cd55ec68b6ec39179cefe57f288ef161b Mon Sep 17 00:00:00 2001
From: nickyinluo
Date: Mon, 17 Oct 2022 12:23:36 +0800
Subject: [PATCH 2/2] adjust providerConfigure logic

---
 tencentcloud/provider.go | 78 +++++++++++++++++++-------------
 website/docs/index.html.markdown | 12 +----
 2 files changed, 47 insertions(+), 43 deletions(-)

diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go
index 6f09c54a56..d1d7d95aeb 100644
--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -1278,7 +1278,27 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 Domain: domain,
 }
- // assume role client
+ envRoleArn := os.Getenv(PROVIDER_ASSUME_ROLE_ARN)
+ envSessionName := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_NAME)
+
+ // get assume role from env
+ if envRoleArn != "" && envSessionName != "" {
+ var assumeRoleSessionDuration int
+ if envSessionDuration := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); envSessionDuration != "" {
+ var err error
+ assumeRoleSessionDuration, err = strconv.Atoi(envSessionDuration)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if assumeRoleSessionDuration == 0 {
+ assumeRoleSessionDuration = 7200
+ }
+
+ genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "")
+ }
+
+ // get assume role from tf config
 assumeRoleList := d.Get("assume_role").(*schema.Set).List()
 if len(assumeRoleList) == 1 {
 assumeRole := assumeRoleList[0].(map[string]interface{})
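Review bot: The error returned by `genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "")` is discarded, so a failed AssumeRole (bad ARN, denied, STS unreachable) no longer aborts providerConfigure and the provider silently carries on with the static `secret_id`/`secret_key` credentials instead of the role, whereas the inline code this replaces returned the error. The config-path call in the next hunk drops the error the same way; both should read `if err := genClientWithSTS(...); err != nil { return nil, err }`. The env branch also re-implements the parsing and 7200 fallback that the `session_duration` DefaultFunc from the first patch already performs, and does so without the 0–43200 range check config values get. When both the env variables and an `assume_role` block are set, AssumeRole runs twice and the second call is made with the temporary credentials the first one installed; if that chaining is not intended, the env path should be skipped whenever `len(assumeRoleList) == 1`. providerConfigure begins before this hunk.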
@@ -1286,37 +1306,31 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 assumeRoleSessionName := assumeRole["session_name"].(string)
 assumeRoleSessionDuration := assumeRole["session_duration"].(int)
 assumeRolePolicy := assumeRole["policy"].(string)
- if assumeRoleSessionDuration == 0 {
- var err error
- if duration := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); duration != "" {
- assumeRoleSessionDuration, err = strconv.Atoi(duration)
- if err != nil {
- return nil, err
- }
- if assumeRoleSessionDuration == 0 {
- assumeRoleSessionDuration = 7200
- }
- }
- }
- // applying STS credentials
- request := sts.NewAssumeRoleRequest()
- request.RoleArn = helper.String(assumeRoleArn)
- request.RoleSessionName = helper.String(assumeRoleSessionName)
- request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
- if assumeRolePolicy != "" {
- request.Policy = helper.String(url.QueryEscape(assumeRolePolicy))
- }
- ratelimit.Check(request.GetAction())
- response, err := tcClient.apiV3Conn.UseStsClient().AssumeRole(request)
- if err != nil {
- return nil, err
- }
- // using STS credentials
- tcClient.apiV3Conn.Credential = common.NewTokenCredential(
- *response.Response.Credentials.TmpSecretId,
- *response.Response.Credentials.TmpSecretKey,
- *response.Response.Credentials.Token,
- )
+
+ genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy)
 }
 return &tcClient, nil
 }
+
+func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
+ // applying STS credentials
+ request := sts.NewAssumeRoleRequest()
+ request.RoleArn = helper.String(assumeRoleArn)
+ request.RoleSessionName = helper.String(assumeRoleSessionName)
+ request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
+ if assumeRolePolicy != "" {
+ request.Policy = helper.String(url.QueryEscape(assumeRolePolicy))
+ }
+ ratelimit.Check(request.GetAction())
+ response, err := tcClient.apiV3Conn.UseStsClient().AssumeRole(request)
+ if err != nil {
+ return err
+ }
+ // using STS credentials
+ tcClient.apiV3Conn.Credential = common.NewTokenCredential(
+ *response.Response.Credentials.TmpSecretId,
+ *response.Response.Credentials.TmpSecretKey,
+ *response.Response.Credentials.Token,
+ )
+ return nil
+}
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 079cb13bc6..78f5644fa8 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -157,20 +157,10 @@ provider "tencentcloud" {
 }
 ```
-The `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables with a empty `assume_role` block.
+The `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables.
 Usage:
-```hcl
-provider "tencentcloud" {
- secret_id = "my-secret-id"
- secret_key = "my-secret-key"
- region = "ap-guangzhou"
-
- assume_role {}
-}
-```
-
 ```shell
 $ export TENCENTCLOUD_SECRET_ID="my-secret-id"
 $ export TENCENTCLOUD_SECRET_KEY="my-secret-key"
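Review bot: `genClientWithSTS` carries no doc comment although it replaces `tcClient.apiV3Conn.Credential` as a side effect and returns an error that both call sites in this patch currently ignore; suggest placing above the signature `// genClientWithSTS calls STS AssumeRole for assumeRoleArn and swaps tcClient.apiV3Conn.Credential to the returned temporary credentials. On error the credential is left untouched and the caller must fail provider configuration.` The config path in the first part of this hunk now passes `assumeRoleSessionDuration` straight through, so an explicit `session_duration = 0` (accepted by the 0–43200 validator) becomes `DurationSeconds` 0; I cannot tell from here whether STS treats that as a default or rejects it, so a short comment at the `genClientWithSTS(&tcClient, assumeRoleArn, ...)` call stating the intended handling of zero would help. The helper's policy handling via `url.QueryEscape` is unchanged from the removed inline code and is not part of this point.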