Skip to content

Commit eca3582

Browse files
SevenEarthSevenEarth
authored
fix(provider): [121419476] provider support STS auth retry (#3044)
* add * add
1 parent 65aa522 commit eca3582

File tree

2 files changed

+102
-15
lines changed

2 files changed

+102
-15
lines changed

.changelog/3044.txt

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
```release-note:enhancement
2+
provider: STS auth support retry
3+
```

tencentcloud/provider.go

Lines changed: 99 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ import (
99
"strconv"
1010
"strings"
1111

12+
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
1213
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
1314
"github.com/mitchellh/go-homedir"
1415
sdkcommon "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
@@ -2513,7 +2514,21 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
25132514
}
25142515

25152516
func genClientWithCAM(tcClient *TencentCloudClient, roleName string) error {
2516-
camResp, err := tccommon.GetAuthFromCAM(roleName)
2517+
var camResp *tccommon.CAMResponse
2518+
err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
2519+
result, e := tccommon.GetAuthFromCAM(roleName)
2520+
if e != nil {
2521+
return tccommon.RetryError(e)
2522+
}
2523+
2524+
if result == nil {
2525+
return resource.NonRetryableError(fmt.Errorf("Get cam failed, Response is nil."))
2526+
}
2527+
2528+
camResp = result
2529+
return nil
2530+
})
2531+
25172532
if err != nil {
25182533
return err
25192534
}
@@ -2531,6 +2546,7 @@ func genClientWithCAM(tcClient *TencentCloudClient, roleName string) error {
25312546
func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string, assumeRoleExternalId string) error {
25322547
// applying STS credentials
25332548
request := sdksts.NewAssumeRoleRequest()
2549+
response := sdksts.NewAssumeRoleResponse()
25342550
request.RoleArn = helper.String(assumeRoleArn)
25352551
request.RoleSessionName = helper.String(assumeRoleSessionName)
25362552
request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
@@ -2542,12 +2558,29 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
25422558
request.ExternalId = helper.String(assumeRoleExternalId)
25432559
}
25442560

2545-
ratelimit.Check(request.GetAction())
2546-
response, err := tcClient.apiV3Conn.UseStsClient().AssumeRole(request)
2561+
err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
2562+
ratelimit.Check(request.GetAction())
2563+
result, e := tcClient.apiV3Conn.UseStsClient().AssumeRole(request)
2564+
if e != nil {
2565+
return tccommon.RetryError(e)
2566+
}
2567+
2568+
if result == nil || result.Response == nil || result.Response.Credentials == nil {
2569+
return resource.NonRetryableError(fmt.Errorf("Get Assume Role failed, Response is nil."))
2570+
}
2571+
2572+
response = result
2573+
return nil
2574+
})
2575+
25472576
if err != nil {
25482577
return err
25492578
}
25502579

2580+
if response.Response.Credentials.TmpSecretId == nil || response.Response.Credentials.TmpSecretKey == nil || response.Response.Credentials.Token == nil {
2581+
return fmt.Errorf("Get Assume Role failed, Credentials is nil.")
2582+
}
2583+
25512584
// using STS credentials
25522585
tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
25532586
*response.Response.Credentials.TmpSecretId,
@@ -2561,20 +2594,37 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes
25612594
func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRoleSamlAssertion, assumeRolePrincipalArn string) error {
25622595
// applying STS credentials
25632596
request := sdksts.NewAssumeRoleWithSAMLRequest()
2597+
response := sdksts.NewAssumeRoleWithSAMLResponse()
25642598
request.RoleArn = helper.String(assumeRoleArn)
25652599
request.RoleSessionName = helper.String(assumeRoleSessionName)
25662600
request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration)
25672601
request.SAMLAssertion = helper.String(assumeRoleSamlAssertion)
25682602
request.PrincipalArn = helper.String(assumeRolePrincipalArn)
2569-
2570-
ratelimit.Check(request.GetAction())
25712603
var stsExtInfo connectivity.StsExtInfo
25722604
stsExtInfo.Authorization = "SKIP"
2573-
response, err := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithSAML(request)
2605+
err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
2606+
ratelimit.Check(request.GetAction())
2607+
result, e := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithSAML(request)
2608+
if e != nil {
2609+
return tccommon.RetryError(e)
2610+
}
2611+
2612+
if result == nil || result.Response == nil || result.Response.Credentials == nil {
2613+
return resource.NonRetryableError(fmt.Errorf("Get Assume Role with SAML failed, Response is nil."))
2614+
}
2615+
2616+
response = result
2617+
return nil
2618+
})
2619+
25742620
if err != nil {
25752621
return err
25762622
}
25772623

2624+
if response.Response.Credentials.TmpSecretId == nil || response.Response.Credentials.TmpSecretKey == nil || response.Response.Credentials.Token == nil {
2625+
return fmt.Errorf("Get Assume Role failed, Credentials is nil.")
2626+
}
2627+
25782628
// using STS credentials
25792629
tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
25802630
*response.Response.Credentials.TmpSecretId,
@@ -2588,20 +2638,37 @@ func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRol
25882638
func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
25892639
// applying STS credentials
25902640
request := sdksts.NewAssumeRoleWithWebIdentityRequest()
2641+
response := sdksts.NewAssumeRoleWithWebIdentityResponse()
25912642
request.ProviderId = helper.String("OIDC")
25922643
request.RoleArn = helper.String(assumeRoleArn)
25932644
request.RoleSessionName = helper.String(assumeRoleSessionName)
25942645
request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration)
25952646
request.WebIdentityToken = helper.String(assumeRolePolicy)
2596-
2597-
ratelimit.Check(request.GetAction())
25982647
var stsExtInfo connectivity.StsExtInfo
25992648
stsExtInfo.Authorization = "SKIP"
2600-
response, err := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithWebIdentity(request)
2649+
err := resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
2650+
ratelimit.Check(request.GetAction())
2651+
result, e := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithWebIdentity(request)
2652+
if e != nil {
2653+
return tccommon.RetryError(e)
2654+
}
2655+
2656+
if result == nil || result.Response == nil || result.Response.Credentials == nil {
2657+
return resource.NonRetryableError(fmt.Errorf("Get Assume Role with OIDC failed, Response is nil."))
2658+
}
2659+
2660+
response = result
2661+
return nil
2662+
})
2663+
26012664
if err != nil {
26022665
return err
26032666
}
26042667

2668+
if response.Response.Credentials.TmpSecretId == nil || response.Response.Credentials.TmpSecretKey == nil || response.Response.Credentials.Token == nil {
2669+
return fmt.Errorf("Get Assume Role failed, Credentials is nil.")
2670+
}
2671+
26052672
// using STS credentials
26062673
tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
26072674
*response.Response.Credentials.TmpSecretId,
@@ -2707,6 +2774,7 @@ func genClientWithPodOidc(tcClient *TencentCloudClient) error {
27072774
if err != nil {
27082775
return err
27092776
}
2777+
27102778
assumeResp, err := provider.GetCredential()
27112779
if err != nil {
27122780
return err
@@ -2731,21 +2799,37 @@ func getCallerIdentity(tcClient *TencentCloudClient) (indentity *sdksts.GetCalle
27312799
cpf.HttpProfile.Endpoint = "sts.tencentcloudapi.com"
27322800
client, _ := sdksts.NewClient(credential, region, cpf)
27332801
request := sdksts.NewGetCallerIdentityRequest()
2734-
response, err := client.GetCallerIdentity(request)
2802+
response := sdksts.NewGetCallerIdentityResponse()
2803+
err = resource.Retry(tccommon.ReadRetryTimeout, func() *resource.RetryError {
2804+
result, e := client.GetCallerIdentity(request)
2805+
if e != nil {
2806+
return tccommon.RetryError(e)
2807+
}
2808+
2809+
if result == nil || result.Response == nil {
2810+
return resource.NonRetryableError(fmt.Errorf("Get caller identity failed, Response is nil."))
2811+
}
2812+
2813+
response = result
2814+
return nil
2815+
})
2816+
27352817
if err != nil {
27362818
return
27372819
}
27382820

2739-
if response == nil || response.Response == nil {
2740-
return nil, fmt.Errorf("Get GetCallerIdentity failed, Response is nil.")
2741-
}
2742-
27432821
indentity = response.Response
27442822
return
27452823
}
27462824

27472825
func verifyAccountIDAllowed(indentity *sdksts.GetCallerIdentityResponseParams, allowedAccountIds, forbiddenAccountIds []string) error {
2748-
accountId := *indentity.AccountId
2826+
var accountId string
2827+
if indentity.AccountId != nil {
2828+
accountId = *indentity.AccountId
2829+
} else {
2830+
return fmt.Errorf("Caller identity accountId is illegal, The value is nil.")
2831+
}
2832+
27492833
if len(allowedAccountIds) > 0 {
27502834
found := false
27512835
for _, allowedAccountID := range allowedAccountIds {

0 commit comments

Comments
 (0)