From: cel@kernel.org
To: <kdevops@lists.linux.dev>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>
Subject: [RFC PATCH] terraform/OCI: Grab secrets from ~/.oci/config
Date: Thu, 3 Apr 2025 10:49:06 -0400
Message-ID: <20250403144906.1186015-1-cel@kernel.org>
From: Chuck Lever <chuck.lever@oracle.com>
Instead of storing authentication secrets in the kdevops .config
file, pull them from the authentication profiles already set up
in ~/.oci/config. This arrangement is more secure.

terraform's API authentication is now managed outside of Kconfig,
as is done with AWS. An update to docs/kdevops-terraform.md to
follow.

Suggested-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
.../templates/oci/terraform.tfvars.j2 | 5 +---
scripts/terraform.Makefile | 4 ---
terraform/oci/kconfigs/Kconfig.identity | 27 +++++++------------
terraform/oci/provider.tf | 7 ++---
terraform/oci/vars.tf | 25 ++++-------------
5 files changed, 17 insertions(+), 51 deletions(-)
The tenancy OCID, user OCID, fingerprint, and private key path
Kconfig settings would no longer be needed. This patch fits
somewhere in the middle of the 00/31 series, replacing several of
those patches.
diff --git a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2 b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
index f7b9ffb48c64..73b963230882 100644
--- a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
+++ b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
@@ -1,8 +1,5 @@
oci_region = "{{ terraform_oci_region }}"
-oci_tenancy_ocid = "{{ terraform_oci_tenancy_ocid }}"
-oci_user_ocid = "{{ terraform_oci_user_ocid }}"
-oci_user_private_key_path = "{{ terraform_oci_user_private_key_path }}"
-oci_user_fingerprint = "{{ terraform_oci_user_fingerprint }}"
+oci_config_file_profile = "{{ terraform_oci_config_file_profile }}"
oci_availablity_domain = "{{ terraform_oci_availablity_domain }}"
oci_compartment_ocid = "{{ terraform_oci_compartment_ocid }}"
oci_shape = "{{ terraform_oci_shape }}"
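Review bot: with this hunk the generated terraform.tfvars carries only `oci_config_file_profile`, a profile name, and no longer the private key path, key fingerprint or user/tenancy OCIDs, so authentication material stops being written into a generated file; that is the concrete security gain and deserves one sentence in the commit message. Unrelated to the change but visible in the context lines: `oci_availablity_domain` is misspelled (the same spelling appears in the Makefile and vars.tf); a separate cleanup patch could rename it.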
diff --git a/scripts/terraform.Makefile b/scripts/terraform.Makefile
index 3235c1af84b9..75ba9b97b518 100644
--- a/scripts/terraform.Makefile
+++ b/scripts/terraform.Makefile
@@ -96,10 +96,6 @@ endif
ifeq (y,$(CONFIG_TERRAFORM_OCI))
TERRAFORM_EXTRA_VARS += terraform_oci_region=$(subst ",,$(CONFIG_TERRAFORM_OCI_REGION))
-TERRAFORM_EXTRA_VARS += terraform_oci_tenancy_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_TENANCY_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_private_key_path=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_PRIVATE_KEY_PATH))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_fingerprint=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_FINGERPRINT))
TERRAFORM_EXTRA_VARS += terraform_oci_availablity_domain=$(subst ",,$(CONFIG_TERRAFORM_OCI_AVAILABLITY_DOMAIN))
TERRAFORM_EXTRA_VARS += terraform_oci_compartment_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_COMPARTMENT_OCID))
TERRAFORM_EXTRA_VARS += terraform_oci_shape=$(subst ",,$(CONFIG_TERRAFORM_OCI_SHAPE))
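Review bot: this hunk removes four TERRAFORM_EXTRA_VARS entries but adds none for the new TERRAFORM_OCI_CONFIG_FILE_PROFILE symbol, so `terraform_oci_config_file_profile` must reach the tfvars template by another route; the Kconfig.identity hunk marks the new symbol `output yaml`, which looks like that route. A sentence in the commit message would save the next reader from hunting for it, and if `output yaml` is the preferred mechanism the remaining `$(subst ",,$(CONFIG_TERRAFORM_OCI_*))` lines could migrate to it in a follow-up for consistency.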
diff --git a/terraform/oci/kconfigs/Kconfig.identity b/terraform/oci/kconfigs/Kconfig.identity
index 928c700d9bd4..dce8f3bb54d9 100644
--- a/terraform/oci/kconfigs/Kconfig.identity
+++ b/terraform/oci/kconfigs/Kconfig.identity
@@ -5,23 +5,14 @@ config TERRAFORM_OCI_TENANCY_OCID
Read this:
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-config TERRAFORM_OCI_USER_OCID
- string "OCI user OCID"
+config TERRAFORM_OCI_CONFIG_FILE_PROFILE
+ string "Authentication profile entry"
+ output yaml
+ default "DEFAULT"
help
- The OCI ID of the user to use.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ Authentication secrets are stored in ~/.oci/config. That
+ file may contain more than one entry/identity. Select the
+ entry in ~/.oci/config that kdevops uses to
+ authenticate to OCI. Examples:
-config TERRAFORM_OCI_USER_PRIVATE_KEY_PATH
- string "OCI user private key path"
- help
- Path to the file containing the private key of the user.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-
-config TERRAFORM_OCI_USER_FINGERPRINT
- string "OCI user fingerprint"
- help
- Fingerprint for the key pair being used.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
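Review bot: TERRAFORM_OCI_TENANCY_OCID is still defined (it is the symbol in this hunk's `@@` header context) even though provider.tf in this patch stops consuming it; either drop it here as well, or state in the commit message that a later patch in the series removes it, since the cover note only says it "would no longer be needed". In the new help text, "Examples:" is followed by nothing but a documentation URL; consider telling the user what to enter (the name of the profile as it appears in ~/.oci/config, with DEFAULT being the usual one) and introducing the link with "See:" instead.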
diff --git a/terraform/oci/provider.tf b/terraform/oci/provider.tf
index 80361d3ac562..c4619e244d73 100644
--- a/terraform/oci/provider.tf
+++ b/terraform/oci/provider.tf
@@ -2,9 +2,6 @@ terraform {
}
provider "oci" {
- tenancy_ocid = var.oci_tenancy_ocid
- user_ocid = var.oci_user_ocid
- private_key_path = var.oci_user_private_key_path
- fingerprint = var.oci_user_fingerprint
- region = var.oci_region
+ config_file_profile = var.oci_config_file_profile
+ region = var.oci_region
}
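Review bot: `region = var.oci_region` is kept alongside `config_file_profile`, while a profile in ~/.oci/config normally carries its own `region` key, so the two sources can now disagree. A short comment in provider.tf saying which value wins when both are present (or dropping the Kconfig region in favour of the profile's) would make the behaviour explicit. Removing `tenancy_ocid`, `user_ocid`, `private_key_path` and `fingerprint` from the provider block is the right shape: the provider now resolves credentials from the SDK config file rather than from values threaded through Kconfig and tfvars.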
diff --git a/terraform/oci/vars.tf b/terraform/oci/vars.tf
index 4c6383d9b231..9e67ee9a8959 100644
--- a/terraform/oci/vars.tf
+++ b/terraform/oci/vars.tf
@@ -1,28 +1,13 @@
+variable "oci_config_file_profile" {
+ description = "Entry in ~/.oci/config to use for API authentication"
+ type = string
+}
+
variable "oci_region" {
description = "An OCI region"
type = string
}
-variable "oci_tenancy_ocid" {
- description = "OCID of your tenancy"
- type = string
-}
-
-variable "oci_user_ocid" {
- description = "OCID of the user calling the API"
- type = string
-}
-
-variable "oci_user_private_key_path" {
- description = "The path of the private key stored on your computer"
- type = string
-}
-
-variable "oci_user_fingerprint" {
- description = "Fingerprint for the key pair being used"
- type = string
-}
-
variable "oci_availablity_domain" {
description = "Name of availability domain"
type = string
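Review bot: `oci_config_file_profile` is declared without a `default`, while Kconfig.identity gives TERRAFORM_OCI_CONFIG_FILE_PROFILE a default of "DEFAULT"; adding `default = "DEFAULT"` here keeps the two in step and lets terraform be run from terraform/oci without the generated tfvars. Nit: the description "Entry in ~/.oci/config to use for API authentication" could use the same noun as the Kconfig prompt ("Authentication profile") so the two surfaces read alike.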
--
2.48.1