From: cel@kernel.org
To: <kdevops@lists.linux.dev>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>
Subject: [RFC PATCH] terraform/OCI: Grab secrets from ~/.oci/config
Date: Thu, 3 Apr 2025 10:49:06 -0400 [thread overview]
Message-ID: <20250403144906.1186015-1-cel@kernel.org> (raw)
From: Chuck Lever <chuck.lever@oracle.com>
Instead of storing authentication secrets in the kdevops .config
file, pull them from the authentication profiles already set up
in ~/.oci/config. This arrangement is more secure.
terraform's API authentication is now managed outside of Kconfig,
as is done with AWS. An update to docs/kdevops-terraform.md to
follow.
Suggested-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
.../templates/oci/terraform.tfvars.j2 | 5 +---
scripts/terraform.Makefile | 4 ---
terraform/oci/kconfigs/Kconfig.identity | 27 +++++++------------
terraform/oci/provider.tf | 7 ++---
terraform/oci/vars.tf | 25 ++++-------------
5 files changed, 17 insertions(+), 51 deletions(-)
The tenancy OCID, user OCID, fingerprint, and private key path
Kconfig settings would no longer be needed. This patch fits
somewhere in the middle of the 00/31 series, replacing several of
those patches.
diff --git a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2 b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
index f7b9ffb48c64..73b963230882 100644
--- a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
+++ b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
@@ -1,8 +1,5 @@
oci_region = "{{ terraform_oci_region }}"
-oci_tenancy_ocid = "{{ terraform_oci_tenancy_ocid }}"
-oci_user_ocid = "{{ terraform_oci_user_ocid }}"
-oci_user_private_key_path = "{{ terraform_oci_user_private_key_path }}"
-oci_user_fingerprint = "{{ terraform_oci_user_fingerprint }}"
+oci_config_file_profile = "{{ terraform_oci_config_file_profile }}"
oci_availablity_domain = "{{ terraform_oci_availablity_domain }}"
oci_compartment_ocid = "{{ terraform_oci_compartment_ocid }}"
oci_shape = "{{ terraform_oci_shape }}"
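Review bot: the commit message says the tenancy OCID is no longer needed and this hunk drops `oci_tenancy_ocid` from the rendered tfvars, yet `oci_compartment_ocid` two lines below still comes from Kconfig. That is reasonable, since a compartment OCID is a resource locator rather than a credential, but a sentence in the commit message spelling out the split (region, availability domain, compartment and shape stay in .config; tenancy, user OCID, key path and fingerprint move to the ~/.oci/config profile) would make the new boundary explicit. The pre-existing `availablity` misspelling in the context line is out of scope here.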
diff --git a/scripts/terraform.Makefile b/scripts/terraform.Makefile
index 3235c1af84b9..75ba9b97b518 100644
--- a/scripts/terraform.Makefile
+++ b/scripts/terraform.Makefile
@@ -96,10 +96,6 @@ endif
ifeq (y,$(CONFIG_TERRAFORM_OCI))
TERRAFORM_EXTRA_VARS += terraform_oci_region=$(subst ",,$(CONFIG_TERRAFORM_OCI_REGION))
-TERRAFORM_EXTRA_VARS += terraform_oci_tenancy_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_TENANCY_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_private_key_path=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_PRIVATE_KEY_PATH))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_fingerprint=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_FINGERPRINT))
TERRAFORM_EXTRA_VARS += terraform_oci_availablity_domain=$(subst ",,$(CONFIG_TERRAFORM_OCI_AVAILABLITY_DOMAIN))
TERRAFORM_EXTRA_VARS += terraform_oci_compartment_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_COMPARTMENT_OCID))
TERRAFORM_EXTRA_VARS += terraform_oci_shape=$(subst ",,$(CONFIG_TERRAFORM_OCI_SHAPE))
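Review bot: this hunk removes the four credential variables but adds no `terraform_oci_config_file_profile` line, while the terraform.tfvars.j2 hunk references exactly that Ansible variable. The value presumably reaches the playbook through the `output yaml` attribute on the new Kconfig symbol instead of through TERRAFORM_EXTRA_VARS, but every other OCI variable in this block still goes through the Makefile, so a reader will assume it was forgotten. Either add the TERRAFORM_EXTRA_VARS line for consistency, or say in the commit message that `output yaml` is the intended path.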
diff --git a/terraform/oci/kconfigs/Kconfig.identity b/terraform/oci/kconfigs/Kconfig.identity
index 928c700d9bd4..dce8f3bb54d9 100644
--- a/terraform/oci/kconfigs/Kconfig.identity
+++ b/terraform/oci/kconfigs/Kconfig.identity
@@ -5,23 +5,14 @@ config TERRAFORM_OCI_TENANCY_OCID
Read this:
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-config TERRAFORM_OCI_USER_OCID
- string "OCI user OCID"
+config TERRAFORM_OCI_CONFIG_FILE_PROFILE
+ string "Authentication profile entry"
+ output yaml
+ default "DEFAULT"
help
- The OCI ID of the user to use.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ Authentication secrets are stored in ~/.oci/config. That
+ file may contain more than one entry/identity. Select the
+ entry in ~/.oci/config that kdevops uses to
+ authenticate to OCI. Examples:
-config TERRAFORM_OCI_USER_PRIVATE_KEY_PATH
- string "OCI user private key path"
- help
- Path to the file containing the private key of the user.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-
-config TERRAFORM_OCI_USER_FINGERPRINT
- string "OCI user fingerprint"
- help
- Fingerprint for the key pair being used.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
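Review bot: TERRAFORM_OCI_TENANCY_OCID survives this hunk (it is the context in the `@@` header), but the Makefile and vars.tf hunks drop every consumer of it, so it becomes a dead Kconfig symbol; remove it here or say why it is kept. Two smaller points in the new help text: "Examples:" is followed only by the sdkconfig URL, so either give an actual profile name or two (e.g. `DEFAULT`, a per-tenancy name) or reword to "Read this:" as the surrounding entries do; and "Authentication secrets are stored in ~/.oci/config" is imprecise, since the config file holds the OCIDs, fingerprint and a `key_file` path while the private key itself lives in the referenced PEM file, which is the file whose permissions actually matter.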
diff --git a/terraform/oci/provider.tf b/terraform/oci/provider.tf
index 80361d3ac562..c4619e244d73 100644
--- a/terraform/oci/provider.tf
+++ b/terraform/oci/provider.tf
@@ -2,9 +2,6 @@ terraform {
}
provider "oci" {
- tenancy_ocid = var.oci_tenancy_ocid
- user_ocid = var.oci_user_ocid
- private_key_path = var.oci_user_private_key_path
- fingerprint = var.oci_user_fingerprint
- region = var.oci_region
+ config_file_profile = var.oci_config_file_profile
+ region = var.oci_region
}
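Review bot: `region` is now set from two places, the selected profile (which carries its own `region=` line) and `var.oci_region` from Kconfig, and nothing records which one wins. The explicit provider argument is the one kdevops controls, so the docs update the commit message promises should state that CONFIG_TERRAFORM_OCI_REGION overrides the profile's region, or the provider block should drop `region` and rely on the profile entirely so there is a single source of truth. Also worth noting for those docs: with no `auth` argument the provider uses API-key authentication, so the chosen profile must contain `user`, `fingerprint`, `tenancy` and `key_file`; instance-principal or security-token profiles will not work with this block as written.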
diff --git a/terraform/oci/vars.tf b/terraform/oci/vars.tf
index 4c6383d9b231..9e67ee9a8959 100644
--- a/terraform/oci/vars.tf
+++ b/terraform/oci/vars.tf
@@ -1,28 +1,13 @@
+variable "oci_config_file_profile" {
+ description = "Entry in ~/.oci/config to use for API authentication"
+ type = string
+}
+
variable "oci_region" {
description = "An OCI region"
type = string
}
-variable "oci_tenancy_ocid" {
- description = "OCID of your tenancy"
- type = string
-}
-
-variable "oci_user_ocid" {
- description = "OCID of the user calling the API"
- type = string
-}
-
-variable "oci_user_private_key_path" {
- description = "The path of the private key stored on your computer"
- type = string
-}
-
-variable "oci_user_fingerprint" {
- description = "Fingerprint for the key pair being used"
- type = string
-}
-
variable "oci_availablity_domain" {
description = "Name of availability domain"
type = string
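Review bot: `oci_config_file_profile` is declared without a `default`, whereas the Kconfig symbol it mirrors defaults to "DEFAULT". Running `terraform plan` by hand in terraform/oci without a kdevops-generated tfvars will therefore prompt for the value. Either add `default = "DEFAULT"` here so both layers agree, or keep it required deliberately (forcing an explicit choice of identity) and say so in the description, which currently reads as if any entry in ~/.oci/config is acceptable.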
--
2.48.1
Thread overview: 11+ messages
2025-04-03 14:49 cel [this message]
2025-04-03 17:55 ` [RFC PATCH] terraform/OCI: Grab secrets from ~/.oci/config Chuck Lever
2025-04-04 15:52 ` Luis Chamberlain
2025-04-04 16:10 ` Chuck Lever
2025-04-04 18:06 ` Luis Chamberlain
2025-04-04 18:24 ` Chuck Lever
2025-04-04 18:28 ` Luis Chamberlain
2025-04-04 18:35 ` Chuck Lever
2025-04-04 19:19 ` Luis Chamberlain
2025-04-04 20:34 ` Chuck Lever
2025-04-04 15:49 ` Luis Chamberlain