Open ajaychoudhary-bcg opened 3 years ago
Any update on this?
We can look at how azuread implements this functionality, see https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password. They also have one-time tokens, I assume this cannot be updated.
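The azuread pattern linked in the comment above, sketched as an added example (not part of the thread and not the Octopus provider's code). It assumes azuread provider v2.x argument names; the variable, resource labels and secret name are placeholders.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" } # assumed major version
    time    = { source = "hashicorp/time" }
    github  = { source = "integrations/github" }
  }
}

# Placeholder input: object ID of a service principal that already exists.
variable "service_principal_object_id" {
  type = string
}

# The ID of this resource changes when the rotation window elapses,
# which is what drives replacement of the credential below.
resource "time_rotating" "ci_key" {
  rotation_days = 30
}

resource "azuread_service_principal_password" "ci" {
  service_principal_id = var.service_principal_object_id

  # The secret is create-only: it cannot be read back or updated in place.
  # Any change to this map forces the credential to be replaced.
  rotate_when_changed = {
    rotation = time_rotating.ci_key.id
  }
}

resource "github_actions_organization_secret" "ci" {
  secret_name = "EXAMPLE_CLIENT_SECRET" # placeholder name
  visibility  = "private"

  # `value` is exported at creation and marked sensitive, but it is still
  # written to Terraform state in plaintext, as is `plaintext_value` here.
  # The state backend therefore needs encryption and tight access control.
  plaintext_value = azuread_service_principal_password.ci.value
}
```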
Cross posting from #495 where we had some use cases.
I wanted to give an example implementation,
```hcl
terraform {
  required_providers {
    octopusdeploy = {
      source  = "OctopusDeployLabs/octopusdeploy"
      version = "0.12.7"
    }
  }
}

provider "octopusdeploy" {
  # Configuration options
}

resource "octopusdeploy_user" "example" {
  display_name  = "RoBob Smith"
  email_address = "robob.smith@example.com"
  is_active     = true
  is_service    = true
  password      = "###########" # get from secure environment/store
  username      = "[username]"

  identity {
    ...
  }
}

# role permission to publish packages attached to sp or something

resource "octopusdeploy_api_key" "example" {
  user_id     = octopusdeploy_user.example.id
  purpose     = "My purpose for this API key"
  expiry_date = "2024-09-28T14:00:00Z" # Optional, set to your desired expiry date
}

resource "github_actions_organization_secret" "example_secret" {
  secret_name     = "example_secret_name"
  visibility      = "private"
  encrypted_value = octopusdeploy_api_key.example.some_encrypted_secret_string
}
```
In this example, a key can be created and stored in GitHub for pushing to Octopus and replaced on rotation.
You could construct a variable with some string like "
@2good4hisowngood @ajaychoudhary-bcg Given we have released a more secure mechanism for configuring upstream CI servers to authenticate with Octopus Deploy via OIDC tokens, does this largely mitigate the need for generating API Tokens via TF?
OIDC provides a safer, "keyless" mechanism for authentication which removes the need for things like expiries or key rotations.
ApiKeys, by their create-but-not-read nature, provide a bit of a non-standard TF semantic for us to try and wrap.
Is there some example of how to use that in conjunction with an Octopus Tentacle to communicate with Octopus? It does indeed look very interesting, but I'm not clear how to generalise from the GitHub example in the blog post?
Is your feature request related to a problem? Please describe.
Provide resource to create API key or token through terraform for service account user to avoid manual step.
Describe the solution you'd like
resource for api token with service account name or id.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.