From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B7A2B24EF7F for ; Thu, 3 Apr 2025 14:49:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743691749; cv=none; b=I6dink99uPeuZO7OoT/3YQQUqXz1BvW0s7MeDmk2OP7imaC42cKf/3jgS0qaJoZ+9A8PXoSjBrM3fFTUYxj6Y81Piu9Zo5vkORVXcO3Ti6a/fQjPdoHalwqkDeMvSQ7NYJdv/VnSlx9hiCPYBcu0RrO6YrlQYc1Vs94g6FSmrpg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743691749; c=relaxed/simple; bh=x5tyCkkw9oEosjv0Bhzk1kjA2wyGeJhFKm8gQ58zbnU=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=rZizjN5aoeaoWmN2x33NvOXTKJt1kQFj7p4kNZba1m0+ZzUw61ucjoazxxrgpMH+UhCaewRVM0TBjuan+r+Y8YBDT0rV5PrPfaphkyQlXwehik6EIUG64JbC42eb+GeM2ylC+S/YLgc7upGSQkzGlsv1XmIV9115Y2Qz3fnTVZc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fqUj4FlB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fqUj4FlB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 22927C4CEE3; Thu, 3 Apr 2025 14:49:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1743691749; bh=x5tyCkkw9oEosjv0Bhzk1kjA2wyGeJhFKm8gQ58zbnU=; h=From:To:Cc:Subject:Date:From; b=fqUj4FlBwVaiMXmOuTDhSyWloUoUdh0wOWlJV+IfvFuXQ2pxvXv0M4cotWbY/yCcK ZAVbA4iISYBmSCieP5OwOiGxnkF1H1fSnIZsmdTZFclL6eNGu9cUjB/QmgfVcvQ/UD Sc+MYsnD9qKxwj5VN2Mh+4xtO0LqPQLn4AUvLhhnZdNVivungB1ipvwyg/Ua/Sb0y5 RvWjjyEajKEug6KHAeoWf0/RSHUZs1Ze+Ms/pWUgC57nfel0w5hbnLo7ps8Y/c3mDy 
sBR4PpZ19ORsifZOvBq5H2oHjXkRGFJvG/NCUwNVpzcSL2DWA0vRHbkUl6AVxwauDM QQ8XjA4oDLlgQ== From: cel@kernel.org To: Cc: Luis Chamberlain , Chuck Lever Subject: [RFC PATCH] terraform/OCI: Grab secrets from ~/.oci/config Date: Thu, 3 Apr 2025 10:49:06 -0400 Message-ID: <20250403144906.1186015-1-cel@kernel.org> X-Mailer: git-send-email 2.48.1 Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Chuck Lever Instead of storing authentication secrets in the kdevops .config file, pull them from the authentication profiles already set up in ~/.oci/config. This arrangement is more secure. terraform's API authentication is now managed outside of Kconfig, as is done with AWS. An update to docs/kdevops-terraform.md to follow. Suggested-by: Luis Chamberlain Signed-off-by: Chuck Lever --- .../templates/oci/terraform.tfvars.j2 | 5 +--- scripts/terraform.Makefile | 4 --- terraform/oci/kconfigs/Kconfig.identity | 27 +++++++------------ terraform/oci/provider.tf | 7 ++--- terraform/oci/vars.tf | 25 ++++------------- 5 files changed, 17 insertions(+), 51 deletions(-) The tenancy OCID, user OCID, fingerprint, and private key path Kconfig settings would no longer be needed. This patch fits somewhere in the middle of the 00/31 series, replacing several of those patches.
diff --git a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2 b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
index f7b9ffb48c64..73b963230882 100644
--- a/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
+++ b/playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2
@@ -1,8 +1,5 @@
 oci_region = "{{ terraform_oci_region }}"
-oci_tenancy_ocid = "{{ terraform_oci_tenancy_ocid }}"
-oci_user_ocid = "{{ terraform_oci_user_ocid }}"
-oci_user_private_key_path = "{{ terraform_oci_user_private_key_path }}"
-oci_user_fingerprint = "{{ terraform_oci_user_fingerprint }}"
+oci_config_file_profile = "{{ terraform_oci_config_file_profile }}"
 oci_availablity_domain = "{{ terraform_oci_availablity_domain }}"
 oci_compartment_ocid = "{{ terraform_oci_compartment_ocid }}"
 oci_shape = "{{ terraform_oci_shape }}"
diff --git a/scripts/terraform.Makefile b/scripts/terraform.Makefile
index 3235c1af84b9..75ba9b97b518 100644
--- a/scripts/terraform.Makefile
+++ b/scripts/terraform.Makefile
@@ -96,10 +96,6 @@ endif ifeq (y,$(CONFIG_TERRAFORM_OCI))
 TERRAFORM_EXTRA_VARS += terraform_oci_region=$(subst ",,$(CONFIG_TERRAFORM_OCI_REGION))
-TERRAFORM_EXTRA_VARS += terraform_oci_tenancy_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_TENANCY_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_OCID))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_private_key_path=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_PRIVATE_KEY_PATH))
-TERRAFORM_EXTRA_VARS += terraform_oci_user_fingerprint=$(subst ",,$(CONFIG_TERRAFORM_OCI_USER_FINGERPRINT))
 TERRAFORM_EXTRA_VARS += terraform_oci_availablity_domain=$(subst ",,$(CONFIG_TERRAFORM_OCI_AVAILABLITY_DOMAIN))
 TERRAFORM_EXTRA_VARS += terraform_oci_compartment_ocid=$(subst ",,$(CONFIG_TERRAFORM_OCI_COMPARTMENT_OCID))
 TERRAFORM_EXTRA_VARS += terraform_oci_shape=$(subst ",,$(CONFIG_TERRAFORM_OCI_SHAPE))
diff --git a/terraform/oci/kconfigs/Kconfig.identity b/terraform/oci/kconfigs/Kconfig.identity
index 928c700d9bd4..dce8f3bb54d9 100644
--- a/terraform/oci/kconfigs/Kconfig.identity
+++ b/terraform/oci/kconfigs/Kconfig.identity
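Review bot: The Makefile hunk removes the four credential lines from TERRAFORM_EXTRA_VARS but adds no line forwarding CONFIG_TERRAFORM_OCI_CONFIG_FILE_PROFILE, even though the tfvars template in the previous hunk now reads `terraform_oci_config_file_profile`; the new Kconfig entry carries `output yaml`, so presumably the value reaches the template through the generated extra vars rather than through this list, which is worth confirming since the template has no fallback if the variable is undefined. If that is the design, a one-line comment next to the region line would spare the next reader the search, for example `# terraform_oci_config_file_profile comes from extra_vars (Kconfig 'output yaml'), not from TERRAFORM_EXTRA_VARS`. The ifeq block continues outside the hunk.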
@@ -5,23 +5,14 @@ config TERRAFORM_OCI_TENANCY_OCID
 Read this:
 https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
 
-config TERRAFORM_OCI_USER_OCID
- string "OCI user OCID"
+config TERRAFORM_OCI_CONFIG_FILE_PROFILE
+ string "Authentication profile entry"
+ output yaml
+ default "DEFAULT"
 help
- The OCI ID of the user to use.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ Authentication secrets are stored in ~/.oci/config. That
+ file may contain more than one entry/identity. Select the
+ entry in ~/.oci/config that kdevops uses to
+ authenticate to OCI. Examples:
 
-config TERRAFORM_OCI_USER_PRIVATE_KEY_PATH
- string "OCI user private key path"
- help
- Path to the file containing the private key of the user.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-
-config TERRAFORM_OCI_USER_FINGERPRINT
- string "OCI user fingerprint"
- help
- Fingerprint for the key pair being used.
- Read this:
- https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+ https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
diff --git a/terraform/oci/provider.tf b/terraform/oci/provider.tf
index 80361d3ac562..c4619e244d73 100644
--- a/terraform/oci/provider.tf
+++ b/terraform/oci/provider.tf
@@ -2,9 +2,6 @@ terraform {
 }
 
 provider "oci" {
- tenancy_ocid = var.oci_tenancy_ocid
- user_ocid = var.oci_user_ocid
- private_key_path = var.oci_user_private_key_path
- fingerprint = var.oci_user_fingerprint
- region = var.oci_region
+ config_file_profile = var.oci_config_file_profile
+ region = var.oci_region
 }
diff --git a/terraform/oci/vars.tf b/terraform/oci/vars.tf
index 4c6383d9b231..9e67ee9a8959 100644
--- a/terraform/oci/vars.tf
+++ b/terraform/oci/vars.tf
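Review bot: TERRAFORM_OCI_TENANCY_OCID survives this patch — it is the hunk's function context and its help text forms the leading context lines — while the tenancy OCID is dropped from the Makefile, provider.tf and vars.tf in the same patch, so the option now prompts for a value nothing consumes; the cover note says it goes away elsewhere in the series, but until then a sentence in its help, or removing it in this hunk, would avoid the dead prompt. In the new help text, `Examples:` is followed only by a URL, which reads as if sample profile names were meant to follow; `Read this:` matches the other entries in this file. Because the provider now reads ~/.oci/config from the home directory of whichever user runs terraform, the help could also say so, e.g. `The profile, and the private key file it names, are read from the home directory of the user running terraform; keep both readable only by that user.`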
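Review bot: Nothing in the rewritten `provider "oci"` block says where the tenancy, user, fingerprint and key now come from, and the removed lines were the only place that made it explicit; a comment above `config_file_profile` would keep that contract visible, for example `# Tenancy/user OCIDs, fingerprint and private key are taken from the named profile in ~/.oci/config of the user running terraform; only the profile name is passed in.` Keeping `region = var.oci_region` next to the profile presumably means the tfvars region wins over the profile's region when the two differ, which is reasonable but worth a word in the same comment. If a profile relies on a session token rather than an API key, the provider would additionally need `auth = "SecurityToken"`; that limitation belongs in the docs update the commit message promises.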
@@ -1,28 +1,13 @@
+variable "oci_config_file_profile" {
+ description = "Entry in ~/.oci/config to use for API authentication"
+ type = string
+}
+
 variable "oci_region" {
 description = "An OCI region"
 type = string
 }
 
-variable "oci_tenancy_ocid" {
- description = "OCID of your tenancy"
- type = string
-}
-
-variable "oci_user_ocid" {
- description = "OCID of the user calling the API"
- type = string
-}
-
-variable "oci_user_private_key_path" {
- description = "The path of the private key stored on your computer"
- type = string
-}
-
-variable "oci_user_fingerprint" {
- description = "Fingerprint for the key pair being used"
- type = string
-}
-
 variable "oci_availablity_domain" {
 description = "Name of availability domain"
 type = string
--
2.48.1
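Review bot: `oci_config_file_profile` is declared with no default and no validation, so an unset or empty value coming out of the generated tfvars would only surface as a provider authentication failure rather than as a clear message at plan time; a validation block that rejects a blank profile name catches that up front. The description could also note that the file is resolved in the home directory of the user running terraform, since that is the one piece of state the tfvars no longer carry. The Kconfig side defaults to "DEFAULT", so mirroring that with `default = "DEFAULT"` here is an option, but the blank-name check is the more useful guard because it does not hide a broken template.
```hcl
variable "oci_config_file_profile" {
  description = "Entry in ~/.oci/config (of the user running terraform) to use for API authentication"
  type        = string

  validation {
    condition     = length(trimspace(var.oci_config_file_profile)) > 0
    error_message = "oci_config_file_profile must name a profile in ~/.oci/config."
  }
}
# … unchanged: remaining variable blocks …
```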