oss backend: flattern assume_role block

5 years ago · 9d5f1752c8
parent 2f152f1139
commit 9d5f1752c8
2 changed files with 54 additions and 84 deletions
--- a/internal/backend/remote-state/oss/backend.go
+++ b/internal/backend/remote-state/oss/backend.go
@ -146,8 +146,6 @@ func New() backend.Backend {
 					return nil, nil
 				},
 			},
-
-			"assume_role": assumeRoleSchema(),
 			"shared_credentials_file": {
 				Type:        schema.TypeString,
 				Optional:    true,
@ -160,60 +158,48 @@ func New() backend.Backend {
 				Description: "This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.",
 				DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_PROFILE", ""),
 			},
-		},
-	}
-
-	result := &Backend{Backend: s}
-	result.Backend.ConfigureFunc = result.configure
-	return result
-}
-
-func assumeRoleSchema() *schema.Schema {
-	return &schema.Schema{
-		Type:     schema.TypeSet,
-		Optional: true,
-		MaxItems: 1,
-		Elem: &schema.Resource{
-			Schema: map[string]*schema.Schema{
-				"role_arn": {
-					Type:        schema.TypeString,
-					Required:    true,
-					Description: "The ARN of a RAM role to assume prior to making API calls.",
-					DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
-				},
-				"session_name": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "The session name to use when assuming the role.",
-					DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
-				},
-				"policy": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
-				},
-				"session_expiration": {
-					Type:        schema.TypeInt,
-					Optional:    true,
-					Description: "The time after which the established session for assuming role expires.",
-					ValidateFunc: func(v interface{}, k string) ([]string, []error) {
-						min := 900
-						max := 3600
-						value, ok := v.(int)
-						if !ok {
-							return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
-						}
+			"assume_role_role_arn": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The ARN of a RAM role to assume prior to making API calls.",
+				DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
+			},
+			"assume_role_session_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The session name to use when assuming the role.",
+				DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", ""),
+			},
+			"assume_role_policy": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
+			},
+			"assume_role_session_expiration": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Description: "The time after which the established session for assuming role expires.",
+				ValidateFunc: func(v interface{}, k string) ([]string, []error) {
+					min := 900
+					max := 3600
+					value, ok := v.(int)
+					if !ok {
+						return nil, []error{fmt.Errorf("expected type of %s to be int", k)}
+					}

-						if value < min || value > max {
-							return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
-						}
+					if value < min || value > max {
+						return nil, []error{fmt.Errorf("expected %s to be in the range (%d - %d), got %d", k, min, max, v)}
+					}

-						return nil, nil
-					},
+					return nil, nil
 				},
 			},
 		},
 	}
+
+	result := &Backend{Backend: s}
+	result.Backend.ConfigureFunc = result.configure
+	return result
 }

 type Backend struct {
@ -274,31 +260,22 @@ func (b *Backend) configure(ctx context.Context) error {
 		sessionExpiration = (int)(expiredSeconds.(float64))
 	}

-	if v, ok := d.GetOk("assume_role"); ok {
-		for _, v := range v.(*schema.Set).List() {
-			assumeRole := v.(map[string]interface{})
-			if assumeRole["role_arn"].(string) != "" {
-				roleArn = assumeRole["role_arn"].(string)
-			}
-			if assumeRole["session_name"].(string) != "" {
-				sessionName = assumeRole["session_name"].(string)
-			}
-			if sessionName == "" {
-				sessionName = "terraform"
-			}
-			policy = assumeRole["policy"].(string)
-			sessionExpiration = assumeRole["session_expiration"].(int)
-			if sessionExpiration == 0 {
-				if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
-					if expiredSeconds, err := strconv.Atoi(v); err == nil {
-						sessionExpiration = expiredSeconds
-					}
-				}
-				if sessionExpiration == 0 {
-					sessionExpiration = 3600
-				}
+	roleArn = d.Get("assume_role_role_arn").(string)
+	sessionName = d.Get("assume_role_session_name").(string)
+	if sessionName == "" {
+		sessionName = "terraform"
+	}
+	policy = d.Get("assume_role_policy").(string)
+	sessionExpiration = d.Get("assume_role_session_expiration").(int)
+	if sessionExpiration == 0 {
+		if v := os.Getenv("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION"); v != "" {
+			if expiredSeconds, err := strconv.Atoi(v); err == nil {
+				sessionExpiration = expiredSeconds
 			}
 		}
+		if sessionExpiration == 0 {
+			sessionExpiration = 3600
+		}
 	}

 	if accessKey == "" {
--- a/website/docs/language/settings/backends/oss.html.md
+++ b/website/docs/language/settings/backends/oss.html.md
@ -95,18 +95,11 @@ The following configuration options or environment variables are supported:
   to be applied to the state file.
 * `shared_credentials_file` - (Optional, Available in 0.12.8+) This is the path to the shared credentials file. It can also be sourced from the `ALICLOUD_SHARED_CREDENTIALS_FILE` environment variable. If this is not set and a profile is specified, `~/.aliyun/config.json` will be used.
 * `profile` - (Optional, Available in 0.12.8+)  This is the Alibaba Cloud profile name as set in the shared credentials file. It can also be sourced from the `ALICLOUD_PROFILE` environment variable.
- * `assume_role` - (Optional, Available in 0.12.6+) If provided with a role ARN, will attempt to assume this role using the supplied credentials.
-
-The nested `assume_role` block supports the following:
-
-* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
+* `assume_role_role_arn` - (Optional, Available in 0.12.6+) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
  Terraform executes configuration on account with provided credentials.
-
-* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
+* `assume_role_policy` - (Optional, Available in 0.12.6+) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
  security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
-
-* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
-
-* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
+* `assume_role_session_name` - (Optional, Available in 0.12.6+) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
+* `assume_role_session_expiration` - (Optional, Available in 0.12.6+) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.

 -> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"