pulumi / pulumi-pagerduty

A PagerDuty Pulumi resource package, providing multi-language access to PagerDuty
Apache License 2.0

oAuth App Authentication Support is missing #569

Open xSAVIKx opened 3 months ago

xSAVIKx commented 3 months ago

Describe what happened

I'm trying to set up PagerDuty using the provider and trying to authenticate using oAuth app clientID + secret + subdomain. Unfortunately when I try doing so I get the following error every time:

    error: Cannot obtain plugin client:
    No valid credentials found for PagerDuty provider.
    Please see https://www.terraform.io/docs/providers/pagerduty/index.html
    for more information on providing credentials for this provider.

If I switch to token-based v2 auth everything works as expected.

Sample program

Pulumi.yaml:

name: service-trains
runtime: yaml
description: PagerDuty bug
resources:
  pdProvider:
    type: pulumi:providers:pagerduty
    properties:
#      token: ${pagerduty:token}
      useAppOauthScopedToken:
        pdClientId: ${pagerduty:clientId}
        pdClientSecret: ${pagerduty:clientSecret}
        pdSubdomain: ${pagerduty:subdomain}
    options:
      version: 4.13.2
  devsUser:
    type: pagerduty:User
    properties:
      email: some-email@example.com
      name: Dev Team
      description: Development team
      jobTitle: Devs
      role: limited_user
    options:
      provider: ${pdProvider}

Pulumi.pagerduty.yaml:

config:
  pagerduty:clientId:
    secure: some-secret
  pagerduty:clientSecret:
    secure: some-secret
  pagerduty:subdomain: some-sub-domain
  pagerduty:token:
    secure: some-secret
  pulumi:disable-default-providers:
    - "*"

Log output

Diagnostics: pagerduty:index:User (devsUser): error: Cannot obtain plugin client: No valid credentials found for PagerDuty provider. Please see https://www.terraform.io/docs/providers/pagerduty/index.html for more information on providing credentials for this provider.

Affected Resource(s)

pagerduty:User

Output of pulumi about

pulumi about
CLI
Version      3.122.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME  VERSION
language  yaml  unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in yaml

Current Stack: CURRENT_STACK

TYPE  URN

Found no pending operations associated with STACK

Backend
Name        pulumi.com
URL         https://app.pulumi.com/xSAVIKx
User        xSAVIKx
Organizations
Token type  personal

No dependencies found

Pulumi locates its logs in /tmp by default

Additional context

No response
VenelinMartinov commented 3 months ago

Hey @xSAVIKx, thanks for reporting here and sorry you had issues with the provider.

Could you please verify that your client id, secret and domain parameters are working by trying the pagerduty API directly: https://developer.pagerduty.com/docs/e518101fde5f3-obtaining-an-app-o-auth-token#about-app-oauth-tokens

It'd be helpful to know if this is an issue with the provider handling of the parameters or the API/credentials.

It'd also be immensely helpful if you could try the terraform provider for pagerduty, which we use for the pulumi provider - do the Oauth App credentials work there?

xSAVIKx commented 3 months ago

Hey @VenelinMartinov.

I can confirm that I can execute the following request from the API docs:

curl -i --request POST \
  https://identity.pagerduty.com/oauth/token \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id={CLIENT_ID}" \
  --data-urlencode "client_secret={CLIENT_SECRET}" \
  --data-urlencode "scope=as_account-us.companysubdomain incidents.read services.read"

And I do get a success response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jul 2024 12:59:40 GMT
Content-Type: application/json
Content-Length: 160
Connection: keep-alive
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0, private, must-revalidate
content-security-policy: frame-ancestors 'none'
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 52049af3f027b5ffd827b7aa99a455dd
X-XSS-Protection: 1; mode=block
Set-Cookie: x_pd_oauth_trace_id=F-EqD9cxe8untIQCjG_C; Expires=Thu, 11 Jul 2024 13:04:40 GMT; Max-Age=300; Domain=eu.pagerduty.com; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'

{"access_token":"<ACCESS_TOKEN>","scope":"as_account-us.<SUBDOMAIN> services.read","token_type":"bearer","expires_in":86400}

And I can also confirm that I can use the returned scoped ACCESS TOKEN to e.g. read all available services using:

curl -i --request GET \
  --url https://api.pagerduty.com/services \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <ACCESS_TOKEN>' \
  --header 'Content-Type: application/json'

Unfortunately I don't have a quick way to test the terraform provider at the moment.

VenelinMartinov commented 3 months ago

Thanks! Could I ask you to provide logs of the failed run? Here are instructions on how to get them: https://www.pulumi.com/docs/support/troubleshooting/#verbose-logging

Please, make sure to scrub any secrets from the logs.

zender-vivodyne commented 3 weeks ago

@VenelinMartinov I hit the same issue. My setup is a little different but trying to accomplish the same thing. Currently I have the default provider for pagerduty disabled and create it via code (python) like so:

import os
import pulumi
import pulumi_pagerduty as pagerduty

# Explicit provider built from OAuth app credentials read from the environment.
pagerduty_provider = pagerduty.Provider(
    "pagerduty",
    use_app_oauth_scoped_token=pagerduty.ProviderUseAppOauthScopedTokenArgs(
        pd_client_id=os.environ["PAGERDUTY_CLIENT_ID"],
        pd_client_secret=os.environ["PAGERDUTY_CLIENT_SECRET"],
        pd_subdomain="vivodyne",
    ),
)
# Passed to each resource so it uses this provider instead of the disabled default one.
opts = pulumi.ResourceOptions(provider=pagerduty_provider)

I was able to collect logs (see attached, out2.txt) using this command: TF_LOG=TRACE poetry run pulumi up --logtostderr --logflow -v=10 2> out2.txt

And spin up a terraform project using this very basic configuration

terraform {
  required_providers {
    pagerduty = {
      source  = "pagerduty/pagerduty"
      version = "3.15.6"
    }
  }
}

provider "pagerduty" {
  use_app_oauth_scoped_token {
    pd_client_id = "<my client id>"
    pd_subdomain = "<my subdomain>"
  }
}

resource "pagerduty_team" "team" {
  name        = "ZenderTestTeamTF"
  description = "This is a test team created using Terraform"
}

output "team_id" {
  value = pagerduty_team.team.id
}

It ran a plan and apply with no issues. Logs from that if it helps are also attached. tf-out.txt

zender-vivodyne commented 3 weeks ago

Looking at the pulumi log a little closer, I do see this:

I0927 11:34:09.445206   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>I0927 11:34:09.445191   66747 muxer.go:153] [muxer] CheckConfig results do not agree on the 'useAppOauthScopedToken' property:
<{%reset%}>)
I0927 11:34:09.445217   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>    server 0: "{\"pdClientId\":\"<my client id>\",\"pdClientSecret\":\"<my client secret>\",\"pdSubdomain\":\"<my subdomain>\"}"
<{%reset%}>)
I0927 11:34:09.445221   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>    server 1: "{\"pdClientId\": \"<my client id>\", \"pdClientSecret\": \"<my client secret>\", \"pdSubdomain\": \"<my subdomain>\"}"
<{%reset%}>)

but the only difference between these 2 lines is space 🤔

guineveresaenger commented 3 weeks ago

Thank you for the updates, @zender-vivodyne - we'll be taking a look as soon as we can. 🙏