Merge pull request #348 from aquasecurity/api_authentication

feat: Add API key authentication support

Author: semyonmor

DEVELOPMENT.md

@@ -32,7 +32,7 @@ git clone https://github.com/aquasecurity/terraform-provider-aquasec.git
 
 cd terraform-provider-aquasec
 
-git checkout v0.10.0
+git checkout v0.11.0
 ```
 
 **Build and install the provider**

GNUmakefile

@@ -2,11 +2,11 @@
 # This ensures docker volumes are mounted from within provider directory instead.
 PROVIDER_DIR := $(abspath $(lastword $(dir $(MAKEFILE_LIST))))
 TEST         := "$(PROVIDER_DIR)/aquasec"
-HOSTNAME	 := github.com
+HOSTNAME	 := registry.terraform.io
 NAMESPACE	 := aquasec
 NAME 		 := aquasec
 BINARY		 := terraform-provider-${NAME}
-VERSION      := 0.10.0
+VERSION      := 0.11.0
 OS_ARCH      := $(shell go env GOOS)_$(shell go env GOARCH)
 
 default: build

README.md

@@ -43,7 +43,7 @@ To quickly get started using the Aquasec provider for Terraform, configure the p
 terraform {
   required_providers {
     aquasec = {
-      version = "0.10.0"
+      version = "0.11.0"
       source  = "aquasecurity/aquasec"
     }
   }
@@ -54,6 +54,15 @@ provider "aquasec" {
   aqua_url = "https://aquaurl.com"
   password = "@password"
 }
+
+//Alternative API Based authentication
+provider "aquasec" {
+  aqua_api_key      = var.aquasec_api_key
+  aqua_api_secret   = var.aquasec_api_secret
+  validity          = 240
+  allowed_endpoints = ["ANY"]
+  csp_roles         = ["Admin"]
+}
 ```
 ## Using the Aquasec provider SaaS solution
 

aquasec/init_test.go

@@ -12,31 +12,49 @@ import (
 func init() {
 	log.Println("setup suite")
 	var (
-		present, verifyTLS                                       bool
-		username, password, aquaURL, verifyTLSString, caCertPath string
-		err                                                      error
-		caCertByte                                               []byte
+		present                                          bool
+		username, password, aquaURL                      string
+		verifyTLS, useAPIKey                             bool
+		verifyTLSString, apiKey, secretKey, useAPIKeyStr string
+		caCertPath                                       string
+		err                                              error
+		caCertByte                                       []byte
 	)
 
-	username, present = os.LookupEnv("AQUA_USER")
+	aquaURL, present = os.LookupEnv("AQUA_URL")
 	if !present {
-		panic("AQUA_USER env is missing, please set it")
+		panic("AQUA_URL env is missing, please set it")
 	}
 
-	password, present = os.LookupEnv("AQUA_PASSWORD")
-	if !present {
-		panic("AQUA_PASSWORD env is missing, please set it")
+	apiKey = os.Getenv("AQUA_API_KEY")
+	secretKey = os.Getenv("AQUA_API_SECRET")
+	useAPIKeyStr = os.Getenv("AQUA_USE_API_KEY")
+	useAPIKey = false
+	if useAPIKeyStr != "" {
+		var err error
+		useAPIKey, err = strconv.ParseBool(useAPIKeyStr)
+		if err != nil {
+			panic(fmt.Sprintf("Invalid boolen for AQUA_USE_API_KEY: %v", err))
+		}
 	}
 
-	aquaURL, present = os.LookupEnv("AQUA_URL")
-	if !present {
-		panic("AQUA_URL env is missing, please set it")
+	if !useAPIKey {
+		username, present = os.LookupEnv("AQUA_USER")
+		if !present {
+			panic("AQUA_USER env is missing, please set it")
+		}
+
+		password, present = os.LookupEnv("AQUA_PASSWORD")
+		if !present {
+			panic("AQUA_PASSWORD env is missing, please set it")
+		}
 	}
 
 	verifyTLSString, present = os.LookupEnv("AQUA_TLS_VERIFY")
 	if !present {
 		verifyTLSString = "true"
 	}
+	verifyTLS, _ = strconv.ParseBool(verifyTLSString)
 
 	caCertPath, present = os.LookupEnv("AQUA_CA_CERT_PATH")
 	if present {
@@ -46,12 +64,14 @@ func init() {
 				panic("Unable to read CA certificates")
 			}
 		}
-		panic("AQUA_CA_CERT_PATH env is missing, please set it")
 	}
 
-	verifyTLS, _ = strconv.ParseBool(verifyTLSString)
-
-	aquaClient := client.NewClient(aquaURL, username, password, verifyTLS, caCertByte)
+	var aquaClient *client.Client
+	if useAPIKey {
+		aquaClient = client.NewClientWithAPIKey(aquaURL, apiKey, secretKey, verifyTLS, caCertByte)
+	} else {
+		aquaClient = client.NewClientWithTokenAuth(aquaURL, username, password, verifyTLS, caCertByte)
+	}
 	token, url, err := aquaClient.GetAuthToken()
 
 	if err != nil {

aquasec/provider.go

@@ -16,9 +16,14 @@ import (
 
 // Config - godoc
 type Config struct {
-	Username string `json:"tenant"`
-	Password string `json:"token"`
-	AquaURL  string `json:"aqua_url"`
+	Username         string   `json:"tenant"`
+	Password         string   `json:"token"`
+	AquaURL          string   `json:"aqua_url"`
+	APIKey           string   `json:"aqua_api_key"`
+	SecretKey        string   `json:"aqua_api_secret"`
+	Validity         int      `json:"validity"`
+	AllowedEndpoints []string `json:"allowed_endpoints"`
+	CSPRoles         []string `json:"csp_roles"`
 }
 
 // Provider -
@@ -45,6 +50,20 @@ func Provider(v string) *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("AQUA_URL", nil),
 				Description: "This is the base URL of your Aqua instance. Can alternatively be sourced from the `AQUA_URL` environment variable.",
 			},
+			"aqua_api_key": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Sensitive:   true,
+				DefaultFunc: schema.EnvDefaultFunc("AQUA_API_KEY", nil),
+				Description: "API key for authentication. If set, API key mode is used instead of token-based auth.",
+			},
+			"aqua_api_secret": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Sensitive:   true,
+				DefaultFunc: schema.EnvDefaultFunc("AQUA_API_SECRET", nil),
+				Description: "Shared secret for API key HMAC signing.",
+			},
 			"verify_tls": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -69,6 +88,27 @@ func Provider(v string) *schema.Provider {
 				Default:     true,
 				Description: "Skip provider credential validation when set to false.",
 			},
+			"validity": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Default:     240,
+				Description: "Lifetime of the token, in minutes. Set between 1 and 1500. Once the token expires, need to generate a new one",
+			},
+			"allowed_endpoints": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "API methods the token has access to",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"csp_roles": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"aquasec_user":                        resourceUser(),
@@ -143,23 +183,23 @@ func Provider(v string) *schema.Provider {
 	}
 }
 
-func getProviderConfigurationFromFile(d *schema.ResourceData) (string, string, string, error) {
+func getProviderConfigurationFromFile(d *schema.ResourceData) (string, string, string, string, string, error) {
 	log.Print("[DEBUG] Trying to load configuration from file")
 	if configPath, ok := d.GetOk("config_path"); ok && configPath.(string) != "" {
 		path, err := homedir.Expand(configPath.(string))
 		if err != nil {
 			log.Printf("[DEBUG] Failed to expand config file path %s, error %s", configPath, err)
-			return "", "", "", nil
+			return "", "", "", "", "", nil
 		}
 		if _, err := os.Stat(path); os.IsNotExist(err) {
 			log.Printf("[DEBUG] Terraform config file %s does not exist, error %s", path, err)
-			return "", "", "", nil
+			return "", "", "", "", "", nil
 		}
 		log.Printf("[DEBUG] Terraform configuration file is: %s", path)
 		configFile, err := os.Open(path)
 		if err != nil {
 			log.Printf("[DEBUG] Unable to open Terraform configuration file %s", path)
-			return "", "", "", fmt.Errorf("Unable to open terraform configuration file. Error %v", err)
+			return "", "", "", "", "", fmt.Errorf("Unable to open terraform configuration file. Error %v", err)
 		}
 		defer configFile.Close()
 
@@ -168,11 +208,11 @@ func getProviderConfigurationFromFile(d *schema.ResourceData) (string, string, s
 		err = json.Unmarshal(configBytes, &config)
 		if err != nil {
 			log.Printf("[DEBUG] Failed to parse config file %s", path)
-			return "", "", "", fmt.Errorf("Invalid terraform configuration file format. Error %v", err)
+			return "", "", "", "", "", fmt.Errorf("Invalid terraform configuration file format. Error %v", err)
 		}
-		return config.Username, config.Password, config.AquaURL, nil
+		return config.Username, config.Password, config.AquaURL, config.APIKey, config.SecretKey, nil
 	}
-	return "", "", "", nil
+	return "", "", "", "", "", nil
 }
 
 func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {
@@ -183,32 +223,35 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
 	aquaURL := d.Get("aqua_url").(string)
+	apiKey := d.Get("aqua_api_key").(string)
+	secretkey := d.Get("aqua_api_secret").(string)
 	verifyTLS := d.Get("verify_tls").(bool)
 	caCertPath := d.Get("ca_certificate_path").(string)
 	validate := d.Get("validate").(bool)
 
-	if username == "" && password == "" && aquaURL == "" {
-		username, password, aquaURL, err = getProviderConfigurationFromFile(d)
+	if username == "" && password == "" && aquaURL == "" && apiKey == "" && secretkey == "" {
+		username, password, aquaURL, apiKey, secretkey, err = getProviderConfigurationFromFile(d)
 		if err != nil && validate {
 			return nil, diag.FromErr(err)
 		}
 	}
 
 	if validate {
-		if username == "" {
-			diags = append(diags, diag.Diagnostic{
-				Severity: diag.Error,
-				Summary:  "Initializing provider, username parameter is missing.",
-			})
-		}
+		if apiKey == "" {
+			if username == "" {
+				diags = append(diags, diag.Diagnostic{
+					Severity: diag.Error,
+					Summary:  "Initializing provider, username parameter is missing.",
+				})
+			}
 
-		if password == "" {
-			diags = append(diags, diag.Diagnostic{
-				Severity: diag.Error,
-				Summary:  "Initializing provider, password parameter is missing.",
-			})
+			if password == "" {
+				diags = append(diags, diag.Diagnostic{
+					Severity: diag.Error,
+					Summary:  "Initializing provider, password parameter is missing.",
+				})
+			}
 		}
-
 		if aquaURL == "" {
 			diags = append(diags, diag.Diagnostic{
 				Severity: diag.Error,
@@ -235,7 +278,21 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
 		return nil, diags
 	}
 
-	aquaClient := client.NewClient(aquaURL, username, password, verifyTLS, caCertByte)
+	var aquaClient *client.Client
+	if apiKey != "" {
+		aquaClient = client.NewClientWithAPIKey(aquaURL, apiKey, secretkey, verifyTLS, caCertByte)
+		if v, ok := d.GetOk("validity"); ok {
+			aquaClient.Validity = v.(int)
+		}
+		if v, ok := d.GetOk("allowed_endpoints"); ok {
+			aquaClient.AllowedEndpoints = convertStringArr(v.([]interface{}))
+		}
+		if v, ok := d.GetOk("csp_roles"); ok {
+			aquaClient.CSPRoles = convertStringArr(v.([]interface{}))
+		}
+	} else {
+		aquaClient = client.NewClientWithTokenAuth(aquaURL, username, password, verifyTLS, caCertByte)
+	}
 
 	if validate {
 		token, tokenPresent := os.LookupEnv("TESTING_AUTH_TOKEN")

aquasec/provider_test.go

@@ -2,6 +2,7 @@ package aquasec
 
 import (
 	"os"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -36,16 +37,27 @@ func testAccPreCheck(t *testing.T) {
 	if _, err := os.Stat(configPath); !os.IsNotExist(err) {
 		return
 	}
-	if err := os.Getenv("AQUA_USER"); err == "" {
-		t.Fatal("AQUA_USER must be set for acceptance tests")
-	}
-
-	if err := os.Getenv("AQUA_PASSWORD"); err == "" {
-		t.Fatal("AQUA_PASSWORD must be set for acceptance tests")
-	}
+	useAPIKeyStr := os.Getenv("AQUA_USE_API_KEY")
+	useAPiKey, _ := strconv.ParseBool(useAPIKeyStr)
 
 	if err := os.Getenv("AQUA_URL"); err == "" {
 		t.Fatal("AQUA_URL must be set for acceptance tests")
 	}
 
+	if !useAPiKey {
+		if err := os.Getenv("AQUA_USER"); err == "" {
+			t.Fatal("AQUA_USER must be set for acceptance tests")
+		}
+
+		if err := os.Getenv("AQUA_PASSWORD"); err == "" {
+			t.Fatal("AQUA_PASSWORD must be set for acceptance tests")
+		}
+	} else {
+		if os.Getenv("AQUA_API_KEY") == "" {
+			t.Fatal("AQUA_API_KEY must be set for API key authentication")
+		}
+		if os.Getenv("AQUA_API_SECRET") == "" {
+			t.Fatal("AQUA_API_SECRET must be set for API key authentication")
+		}
+	}
 }