
Workload Identity Federation with TFC_WORKLOAD_IDENTITY_TOKEN fails #800

Open
kgibson-insight opened this issue Mar 25, 2024 · 0 comments
Terraform Version and Provider Version

Terraform version: v1.7.4
HCP provider version: 0.84.1

Affected Resource(s)

  • hcp_iam_workload_identity_provider

Terraform Configuration Files

terraform {
  cloud {
    organization = "my-org"
    hostname = "app.terraform.io" # Optional; defaults to app.terraform.io

    workspaces {
      name = "qt-poc-hcp-org"
    }
  }

  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = "~> 0.84.1"
    }
    environment = {
      source  = "EppO/environment"
      version = "~>1.0"
    }
  }
}


# custom module, builds workspace vars
  tfc_workspace_variables = {
    "TFC_WORKLOAD_IDENTITY_AUDIENCE" = {
      value       = "qt-poc-tfc"
      category    = "env"
      description = "Terraform Cloud Workload Identity Token"
    }
  }

data "environment_variables" "all" {}

provider "hcp" {
  # client_id        = var.hcp_client_id
  # client_secret    = var.hcp_client_secret
  # project_id = "my-hcp-project-id"
  workload_identity {
    resource_name = "iam/project/my-hcp-project-id/service-principal/qt-poc-sp/workload-identity-provider/qt-poc-tfc"
    token_file = data.environment_variables.all.items["TFC_WORKLOAD_IDENTITY_TOKEN"]
  }
}

resource "hcp_service_principal" "qt_poc" {
  name   = "qt-poc-sp"
  parent = hcp_project.qt_poc.resource_name
}

resource "hcp_project_iam_binding" "qt_poc" {
  project_id   = hcp_project.qt_poc.resource_id
  principal_id = hcp_service_principal.qt_poc.resource_id
  role         = "roles/admin"
}

resource "hcp_iam_workload_identity_provider" "qt_poc_tfc" {
  name              = "qt-poc-tfc"
  service_principal = hcp_service_principal.qt_poc.resource_name
  description       = "Allow Terraform Cloud runs to authenticate as service principal"

  oidc = {
    issuer_uri        = "https://app.terraform.io"  // This is an example; the actual issuer URI may vary
    allowed_audiences = ["qt-poc-tfc"]
  }

  // Example conditional access policy - adjust according to your security requirements
  conditional_access = "jwt_claims.sub == `organization:${local.tfc_organization}:project:${local.tfc_project}:workspace:*:run_phase:*`"
}

Debug Output

I'm posting this bug report because HCP WIF appears to be half baked. Unless I'm completely mistaken, there isn't any way to view this configuration in the HCP console, which makes it very difficult to troubleshoot and debug, having to switch between cloud and local state.

There are plenty of examples of configuring cloud providers here: https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/iam_workload_identity_provider

But why not include Terraform Cloud? I've posted my attempt to reference the TFC workspace token, and Terraform outputs the token:


│ Error: unable to create HCP api client: no valid credentials available: failed to get new token: failed to open credential file "eymyjwt"

│ with provider["registry.terraform.io/hashicorp/hcp"],
│ on providers.tf line 3, in provider "hcp":
│ 3: provider "hcp" {


Operation failed: failed running terraform plan (exit 1)

and I can confirm the audience and subjects match as configured. But I can't seem to understand how the TFC token isn't being accepted by HCP?

@kgibson-insight kgibson-insight added the bug Something isn't working label Mar 25, 2024
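As an added troubleshooting example (not code from the issue or from the HCP provider), this script decodes a TFC workload identity token offline and compares its aud and sub claims with the issue's allowed_audiences and conditional_access pattern, and classifies a token_file value as a path or as the token text itself, which is what the issue's "failed to open credential file" error points to. The organization and project names, the treatment of `*` as a wildcard, and the sample token are assumptions made here.

```python
import base64
import fnmatch
import json
import os

# Values from the issue's configuration; the org/project names are assumed here.
EXPECTED_AUDIENCE = "qt-poc-tfc"
TFC_ORGANIZATION, TFC_PROJECT = "my-org", "my-project"
# The issue's conditional_access compares jwt_claims.sub with this pattern; this
# example treats '*' as a wildcard (an assumption, not documented HCP semantics).
SUBJECT_PATTERN = f"organization:{TFC_ORGANIZATION}:project:{TFC_PROJECT}:workspace:*:run_phase:*"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims without signature verification: HCP verifies the signature,
    this only shows what TFC issued so it can be compared with the provider config."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def classify_token_file_value(value: str) -> str:
    """token_file must be a path. Passing the token text itself reproduces the
    issue's error: the provider opens a file literally named by the token."""
    if os.path.isfile(value):
        return "path"
    if value.startswith("ey") and value.count(".") == 2:
        return "jwt-text-not-path"
    return "missing-path"

def check_token(token: str) -> dict:
    """Compare aud/sub with allowed_audiences and the conditional_access pattern."""
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    sub = claims.get("sub", "")
    return {"sub": sub, "aud": aud, "audience_ok": EXPECTED_AUDIENCE in aud,
            "subject_ok": fnmatch.fnmatchcase(sub, SUBJECT_PATTERN)}

def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg none, empty signature) for offline use only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

SAMPLE_SUB = f"organization:{TFC_ORGANIZATION}:project:{TFC_PROJECT}:workspace:qt-poc-hcp-org:run_phase:plan"
SAMPLE_TOKEN = make_unsigned_token({"aud": ["qt-poc-tfc"], "sub": SAMPLE_SUB})
```

Run check_token on the real token value the workspace exposes to see exactly which of the two comparisons fails before changing the provider configuration.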