Username & password authentication to use Oauth instead of APIKey endpoint #105

Closed
antstacks opened this issue Apr 27, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@antstacks

antstacks commented Apr 27, 2023

BUSINESS PROBLEM
Submitting on behalf of a customer:
As a part of the policies in place at the organization, they use short-lived access tokens. With the recent deprecation of username and password functionality in the Venafi provider, it has made the process very difficult. Before, terraform handled the entire process of getting the token, but now that process has to be performed out of bounds. This has caused a significant impedance as the action of getting a token has to be performed daily as a manual process now.

It's worth mentioning as well that the field is deprecated, but it doesn't mention from what TPP version it actually breaks. (If this message is coming from Venafi, then I'm not sure how easy it would be to rectify that error handling.)

Deprecated User / Pass

Setup:

export VENAFI_USER="$(jq -cr '.username' ~/.keys/venafi/tpp/demo-1/admin.json)" VENAFI_PASS="$(jq -cr '.password' ~/.keys/venafi/tpp/demo-1/admin.json)"
> tf plan -out plan -refresh
╷
│ Warning: Argument is deprecated
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 10, in provider "venafi":
│   10: provider "venafi" {
│
│ , please use access_token instead
│
│ (and 3 more similar warnings elsewhere)
╵
╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 10, in provider "venafi":
│   10: provider "venafi" {
│
│ Failed to build config for Venafi issuer: : vcert error: your data contains problems: auth error: unexpected
│ status code on TPP Authorize. Status: 401 API keys are deprecated. Instead, you should be using an API
│ integration and a vedauth/Authorize endpoint. See the getting a token help topic.
╵

PROPOSED SOLUTION
Changing the integration to point to the Oauth endpoint to enable retrieving an access token in bounds.
Or could allow for access token and refresh token input to where terraform could utilize the refresh token functionality to automatically refresh the short lived tokens. Similar to #102

CURRENT ALTERNATIVES
I believe we could get a license from Venafi support to re-enable api key if absolutely necessary.

VENAFI EXPERIENCE
Customer that is well versed in TPP.

@antstacks antstacks added the enhancement New feature or request label Apr 27, 2023
@antstacks antstacks changed the title Username & Password authentication to use Oauth instead of APIKey endpoint Username & password authentication to use Oauth instead of APIKey endpoint Apr 27, 2023
@hawksight

As noted by Venafi colleagues this issue is in the same spirit as:

I'd like to add that currently the documentation of the provider is not entirely clear. Yes, username and password are deprecated, but it doesn't make it clear in which versions of Venafi Trust Protection Platform the API Key functionality is removed.

[Screenshot from 2023-04-28 10-47-15]

I think that the API Key functionality is removed in 22.2 from here.
[image]

Adding a note on this might just be helpful to give customers the full picture. I'll see if I can PR something to enhance that documentation.

@brental

brental commented Feb 12, 2024

Similar to #25 this issue seems like it would be handled by the venafi-token provider and a venafi-token_credential resource. Could it also be closed?

@brental

brental commented Feb 18, 2024

@luispresuelVenafi Can this be closed similar to #25 ?

@luispresuelVenafi
Contributor

Thank you for the highlight here @brental, yeah we can close this issue as automation for Tokens can be handled by our other provider, Terraform Token Provider, along with this one.

@harshavmb

Hi All,

If you are still looking for an alternate solution in addition to token-provider, please have a look at curl-provider-0.7.0.

This IMO works better than token provider as it's a data provider fetching the token on each run. An example config:

```hcl
provider "curl" {}

# POST the password grant to the TPP OAuth endpoint on every run;
# the request body is built from sensitive variables so they are masked in plan output
data "curl_request" "create_token" {
  http_method = "POST"
  uri         = var.venafi_oauth_url
  data = jsonencode({
    username  = sensitive(var.venafi_username)
    password  = sensitive(var.venafi_password)
    client_id = var.venafi_client_id
    scope     = var.venafi_scope
  })
  headers = {
    Content-Type = "application/json"
  }
}

## then you wire the token here directly
# (the data source result, including the token, is also recorded in Terraform state)
provider "venafi" {
  url          = var.venafi_url
  access_token = jsondecode(data.curl_request.create_token.response_body).access_token
  zone         = var.venafi_zone
}
```
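As an added example, not code from this issue or from the Venafi provider, here is the token lifecycle the proposed solution and the curl-based config above both lean on: fetch an access token from the OAuth endpoint with username, password, client_id and scope, reuse it until shortly before expiry, use the refresh token while it is still valid, and only then fall back to the password grant. The endpoint paths, the `expires`/`refresh_token`/`refresh_until` reply fields and the transport are assumptions about TPP's vedauth API; the page itself only names `vedauth/Authorize` and `access_token`.

```python
"""Keep a short-lived TPP OAuth token valid with refresh before re-authenticating."""
import json
import time
import urllib.request

# Assumed TPP endpoints (the issue only mentions "vedauth/Authorize"):
AUTH_PATH = "/vedauth/authorize/oauth"     # username/password grant -> access + refresh token
REFRESH_PATH = "/vedauth/authorize/token"  # refresh_token grant -> new access token


def post_json(url, body):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class TppTokenSource:
    """Returns a valid access token, refreshing it before expiry and only
    falling back to the password grant when no usable refresh token is left."""

    def __init__(self, base_url, username, password, client_id, scope,
                 transport=post_json, skew=60):
        self.base_url = base_url.rstrip("/")
        self.creds = {"username": username, "password": password,
                      "client_id": client_id, "scope": scope}
        self.transport, self.skew = transport, skew
        self.token = None  # last reply from TPP, kept only in memory

    def _store(self, reply):
        # Assumed reply shape: access_token, expires (epoch), refresh_token, refresh_until (epoch)
        self.token = reply
        return reply["access_token"]

    def get(self, now=None):
        now = time.time() if now is None else now
        t = self.token
        if t and t["expires"] - self.skew > now:
            return t["access_token"]  # still valid, no network call
        if t and t.get("refresh_token") and t.get("refresh_until", 0) > now:
            reply = self.transport(self.base_url + REFRESH_PATH,
                                   {"client_id": self.creds["client_id"],
                                    "refresh_token": t["refresh_token"]})
            return self._store(reply)  # refreshed without sending the password
        return self._store(self.transport(self.base_url + AUTH_PATH, self.creds))
```

The returned token can be handed to the provider's `access_token` argument, for instance through a `TF_VAR_` environment variable, so the password is only sent when no refresh token is available.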
