Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds API Token TTL #1792

Merged
merged 8 commits into from
Jul 20, 2022
Merged

Adds API Token TTL #1792

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
92ecca2
Add expires on and not before for API tokens
Cyb3r-Jak3 Jul 18, 2022
dbe6d22
Add not_before and expires_on to example
Cyb3r-Jak3 Jul 18, 2022
9b1204b
Use time.Parse to get *time.Time
Cyb3r-Jak3 Jul 20, 2022
e8d8c69
Add changelog
Cyb3r-Jak3 Jul 20, 2022
228c9f9
Fix lint
Cyb3r-Jak3 Jul 20, 2022
1b0ee4b
fix copy pasta
jacobbednarz Jul 20, 2022
762a636
conditionally set the ExpiresOn and NotBefore only if it is present
jacobbednarz Jul 20, 2022
7a20e21
token expiry needs to be in the future or it never exists
jacobbednarz Jul 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/1792.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/cloudflare_api_token: add support for `not_before` and `expires_on`
```
2 changes: 2 additions & 0 deletions examples/resources/cloudflare_api_token/resource.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ resource "cloudflare_api_token" "api_token_create" {
resources = {
"com.cloudflare.api.user.${var.user_id}" = "*"
}
not_before = "2018-07-01T05:20:00Z"
expires_on = "2020-01-01T00:00:00Z"
}

condition {
Expand Down
18 changes: 17 additions & 1 deletion internal/provider/resource_cloudflare_api_token.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,14 @@ func buildAPIToken(d *schema.ResourceData) cloudflare.APIToken {
token.Condition.RequestIP.NotIn = ipsNotIn
}
}
if before, ok := d.GetOk("not_before"); ok {
notBefore, _ := time.Parse(time.RFC3339Nano, before.(string))
token.NotBefore = &notBefore
}
if expires, ok := d.GetOk("expires_on"); ok {
expiresOn, _ := time.Parse(time.RFC3339Nano, expires.(string))
token.ExpiresOn = &expiresOn
}

return token
}
Expand Down Expand Up @@ -161,6 +169,14 @@ func resourceCloudflareApiTokenRead(ctx context.Context, d *schema.ResourceData,
d.Set("issued_on", t.IssuedOn.Format(time.RFC3339Nano))
d.Set("modified_on", t.ModifiedOn.Format(time.RFC3339Nano))

if t.ExpiresOn != nil {
d.Set("expires_on", t.ExpiresOn.Format(time.RFC3339Nano))
}

if t.NotBefore != nil {
d.Set("not_before", t.NotBefore.Format(time.RFC3339Nano))
}

var ipIn []string
var ipNotIn []string
if t.Condition != nil && t.Condition.RequestIP != nil && t.Condition.RequestIP.In != nil {
Expand Down Expand Up @@ -193,7 +209,7 @@ func resourceCloudflareApiTokenUpdate(ctx context.Context, d *schema.ResourceDat

tflog.Info(ctx, fmt.Sprintf("Updating Cloudflare API Token: name %s", name))

t, err := client.UpdateAPIToken(ctx, tokenID, t)
_, err := client.UpdateAPIToken(ctx, tokenID, t)
if err != nil {
return diag.FromErr(fmt.Errorf("error updating Cloudflare API Token %q: %w", name, err))
}
Expand Down
47 changes: 47 additions & 0 deletions internal/provider/resource_cloudflare_api_token_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -251,3 +251,50 @@ func testAPITokenConfigAllowDeny(resourceID, permissionID, zoneID string, allowA
}
`, resourceID, permissionID, add)
}

func TestAccAPIToken_TokenTTL(t *testing.T) {
// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the API token
// endpoint does not yet support the API tokens without an explicit scope.
if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
defer func(apiToken string) {
os.Setenv("CLOUDFLARE_API_TOKEN", apiToken)
}(os.Getenv("CLOUDFLARE_API_TOKEN"))
os.Setenv("CLOUDFLARE_API_TOKEN", "")
}

rnd := generateRandomResourceName()
name := "cloudflare_api_token." + rnd
permissionID := "82e64a83756745bbbb1c9c2701bf816b" // DNS read

resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProviderFactories: providerFactories,
Steps: []resource.TestStep{
{
Config: testAccCloudflareAPITokenWithTTL(rnd, permissionID),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(name, "name", rnd),
resource.TestCheckResourceAttr(name, "not_before", "2018-07-01T05:20:00Z"),
resource.TestCheckResourceAttr(name, "expires_on", "2032-01-01T00:00:00Z"),
),
},
},
})
}

func testAccCloudflareAPITokenWithTTL(rnd string, permissionID string) string {
return fmt.Sprintf(`
resource "cloudflare_api_token" "%[1]s" {
name = "%[1]s"

policy {
effect = "allow"
permission_groups = [ "%[2]s" ]
resources = { "com.cloudflare.api.account.zone.*" = "*" }
}

not_before = "2018-07-01T05:20:00Z"
expires_on = "2032-01-01T00:00:00Z"
}
`, rnd, permissionID)
}
12 changes: 12 additions & 0 deletions internal/provider/schema_cloudflare_api_token.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,18 @@ func resourceCloudflareApiTokenSchema() map[string]*schema.Schema {
},
},
},
"not_before": {
Type: schema.TypeString,
ValidateFunc: validation.IsRFC3339Time,
Description: "The time before which the token MUST NOT be accepted for processing",
Optional: true,
},
"expires_on": {
Type: schema.TypeString,
ValidateFunc: validation.IsRFC3339Time,
Description: "The expiration time on or after which the token MUST NOT be accepted for processing",
Optional: true,
},
"value": {
Type: schema.TypeString,
Computed: true,
Expand Down