OctopusDeployLabs / terraform-provider-octopusdeploy

Terraform Provider for Octopus Deploy :octopus:
https://registry.terraform.io/providers/OctopusDeployLabs/octopusdeploy
Mozilla Public License 2.0

Service Account token for Octopus User #206

Open ajaychoudhary-bcg opened 3 years ago

ajaychoudhary-bcg commented 3 years ago

Is your feature request related to a problem? Please describe. Provide a resource to create an API key or token through Terraform for a service account user, to avoid a manual step.

Describe the solution you'd like A resource for an API token with a service account name or ID.

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

ajaychoudhary-bcg commented 2 years ago

Any update on this?

johnsimons commented 1 year ago

We can look at how azuread implements this functionality, see https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password. They also have one-time tokens; I assume these cannot be updated.

2good4hisowngood commented 9 months ago

Cross posting from #495 where we had some use cases.

I wanted to give an example implementation:

terraform {
  required_providers {
    octopusdeploy = {
      source = "OctopusDeployLabs/octopusdeploy"
      version = "0.12.7"
    }
  }
}

provider "octopusdeploy" {
  # Configuration options
}

resource "octopusdeploy_user" "example" {
  display_name  = "RoBob Smith"
  email_address = "robob.smith@example.com"
  is_active     = true
  is_service    = true
  password      = "###########" # get from secure environment/store
  username      = "[username]"

  identity {
    ...
  }
}

# role permission to publish packages attached to sp or something

resource "octopusdeploy_api_key" "example" {
  user_id      = octopusdeploy_user.example.id
  purpose      = "My purpose for this API key"
  expiry_date  = "2024-09-28T14:00:00Z" # Optional, set to your desired expiry date
}

resource "github_actions_organization_secret" "example_secret" {
  secret_name     = "example_secret_name"
  visibility      = "private"
  encrypted_value = octopusdeploy_api_key.example.some_encrypted_secret_string
}

In this example, a key can be created and stored in GitHub for pushing to Octopus, and replaced on rotation.

You could construct a variable with some string like "--<tool, like terraform>-" and stamp who/what/where/when all over the resources being created, and pass it through all of the keys being used to automate key creation/management. Create a key as needed even.

zentron commented 8 months ago

@2good4hisowngood @ajaychoudhary-bcg Given we have released a more secure mechanism for configuring upstream CI servers to authenticate with Octopus Deploy via OIDC tokens, does this largely mitigate the need for generating API Tokens via TF?

OIDC provides a safer, "keyless" mechanism for authentication which removes the need for things like expiries or key rotations.

ApiKeys, by their create-but-not-read nature, provide a bit of a non-standard TF semantic for us to try and wrap.

mgust commented 3 weeks ago

Is there some example of how to use that in conjunction with an Octopus Tentacle to communicate with Octopus? It does indeed look very interesting, but I'm not clear how to generalise from the GitHub example in the blog post?