Going back to auth token

Author: fmeheust

Diff for: config-repo.tf

@@ -17,32 +17,6 @@ resource "oci_devops_repository" "config_repo" {
   count = (local.use-image ? 0 : 1)
 }
 
-resource "tls_private_key" "rsa_api_key" {
-  algorithm = "RSA"
-  rsa_bits  = 2048
-  count = (local.use-image && !var.use_existing_api_key ? 0 : 1)
-}
-
-resource "oci_identity_api_key" "user_api_key" {
-  #Required
-  key_value = tls_private_key.rsa_api_key[0].public_key_pem
-  user_id = var.current_user_ocid
-  count = (local.use-image  || var.use_existing_api_key ? 0 : 1)
-}
-
-resource "local_file" "api_private_key" {
-  depends_on = [ tls_private_key.rsa_api_key ]
-  filename = "${path.module}/api-private-key.pem"
-  content = (var.use_existing_api_key ? base64decode(var.api_key) : tls_private_key.rsa_api_key[0].private_key_pem)
-  count = (local.use-image ? 0 : 1)
-}
-
-resource "local_file" "ssh_config" {
-  filename = "${path.module}/ssh_config"
-  content = data.template_file.ssh_config.rendered
-}
-
-
 # creates necessary files to configure Docker image
 # creates the Dockerfile
 resource "local_file" "dockerfile" {
@@ -98,39 +72,13 @@ resource "null_resource" "create_config_repo" {
     local_file.wallet,
     local_file.self_signed_certificate,
     local_file.oci_build_config,
-    local_file.ssh_config,
-    local_file.api_private_key,
+    oci_identity_auth_token.auth_token,
     random_password.wallet_password
   ]
 
-  # create .ssh directory
-  provisioner "local-exec" {
-    command = "mkdir ~/.ssh"
-    on_failure = fail
-    working_dir = "${path.module}"
-  }
-
-  # copy ssh-config
-  provisioner "local-exec" {
-    command = "mv ssh_config ~/.ssh/config"
-    on_failure = fail
-    working_dir = "${path.module}"
-  }
-  provisioner "local-exec" {
-    command = "chmod 600 ~/.ssh/config"
-    on_failure = fail
-    working_dir = "${path.module}"
-  }
-
-  # copy private key
-  provisioner "local-exec" {
-    command = "mv api-private-key.pem ~/.ssh/api-private-key.pem"
-    on_failure = fail
-    working_dir = "${path.module}"
-  }
-
+  # clone new repository
   provisioner "local-exec" {
-    command = "chmod 400 ~/.ssh/api-private-key.pem"
+    command = "git clone ${local.config_repo_url}"
     on_failure = fail
     working_dir = "${path.module}"
   }
@@ -149,13 +97,6 @@ resource "null_resource" "create_config_repo" {
     working_dir = "${path.module}"
   }
 
-  # clone new repository
-  provisioner "local-exec" {
-    command = "git -c core.sshCommand='ssh -o StrictHostKeyChecking=no' clone ${oci_devops_repository.config_repo[0].ssh_url}"
-    on_failure = fail
-    working_dir = "${path.module}"
-  }
-
   # copy config to app directory
   provisioner "local-exec" {
     command = "cp build_spec.yaml ./${local.config_repo_name}/build_spec.yaml"

Diff for: interface.yaml

@@ -31,8 +31,8 @@ variableGroups:
   ###APPLICATION_GROUP###
   - title: "Stack authentication"
     variables:
-      - use_existing_api_key
-      - api_key
+      - use_existing_token
+      - current_user_token
       - use_existing_vault
       - new_vault_display_name
       - vault_compartment_id
@@ -205,17 +205,6 @@ variables:
       and:
         - use_existing_database
   # Vault
-  use_existing_api_key:
-    type: boolean
-    title: Use an existing API key
-    required: true
-    default: false
-    description: The API key will be used to authenticate the user when using the OCI devops repository
-  api_key:
-    type: file
-    title: Private key
-    required: true
-    visible: use_existing_api_key
   use_existing_vault:
     type: boolean
     title: Use an existing key vault
@@ -260,6 +249,17 @@ variables:
     visible:
       and:
         - use_existing_vault
+  use_existing_token:
+    type: boolean
+    required: true
+    title: Use existing authentication token
+    description: This token will be used by the stack to authenticate the user when connecting to the code repository or container registry.
+    default: true
+  current_user_token:
+    type: password
+    required: true
+    title: User's authentication token
+    visible: use_existing_token
   ###APP_CONFIG###
   # FQDN
   create_fqdn:

Diff for: ssh_config.template

@@ -410,14 +410,16 @@ variable "reserved_ip_address" {
   default = ""
 }
 
-variable "use_existing_api_key" {
+variable "use_existing_token" {
   type = bool
+  description = "Create authentication token for current user"
   default = false
 }
 
-variable "api_key" {
+variable "current_user_token" {
   type = string
-  default = "none"
+  default = ""
+  sensitive = true
 }
 
 locals {
@@ -431,8 +433,10 @@ locals {
   service-username = data.oci_identity_user.current_user.name
   # login, tenancy + username (DevOps)
   login = "${data.oci_identity_tenancy.tenancy.name}/${local.service-username}"
-  # ssh login
-  ssh_login = "${local.service-username}@${data.oci_identity_tenancy.tenancy.name}"
+  # authentication token
+  app_auth_token = var.use_existing_token ? var.current_user_token : oci_identity_auth_token.auth_token[0].token
+  # Authentication token secret
+  auth_token_secret = oci_vault_secret.auth_token_secret.id  
   # login, namespace + username (Container Registry)
   login_container = "${local.namespace}/${local.service-username}"
   # Container registry url
@@ -467,13 +471,12 @@ locals {
         : var.image_path)
   # bucket name
   bucket_name = "${local.application_name}-bucket"
-  
-  # dbconnection_api_key_pem = (
-  #   length(data.oci_identity_api_keys.dbconnection_api_key.api_keys) == 0
-  #     ? oci_identity_api_key.dbconnection_api_key[0].key_value
-  #     : data.oci_identity_api_keys.dbconnection_api_key.api_keys[0].key_value
-  # )
+  # name of the config repository
   config_repo_name = "${local.application_name}-config"
+  # url of the config repository
+  config_repo_url = (local.use-image 
+    ? ""
+    : replace(oci_devops_repository.config_repo[0].http_url, "https://", "https://${urlencode(local.login)}:${urlencode(local.app_auth_token)}@"))
   # database OCID
   database_ocid = (var.use_existing_database ? var.autonomous_database : oci_database_autonomous_database.database[0].id)
   # database username

Diff for: variables.tf

@@ -19,6 +19,34 @@ resource "oci_kms_key" "app_key" {
   count = var.use_existing_vault ? 0 : 1
 }
 
+# Create an authentication token for user to connect to repositories
+resource "oci_identity_auth_token" "auth_token" {
+#  provider = oci.home-provider
+  description = "Authentication token for ${local.application_name}"
+  user_id = var.current_user_ocid
+  count = (var.use_existing_token ? 0 : 1)
+}
+
+# Secret containing the authentication token
+resource "oci_vault_secret" "auth_token_secret" {
+  depends_on = [ 
+    oci_kms_vault.app_vault,
+    oci_kms_key.app_key
+  ]
+  #Required
+  compartment_id = var.use_existing_vault ? var.vault_compartment_id : var.compartment_id
+  secret_content {
+      #Required
+      content_type = "BASE64"
+
+      #Optional
+      content = base64encode(local.app_auth_token)
+      name = "auth_token_content_${formatdate("MMDDhhmm", timestamp())}"
+  }
+  secret_name ="auth_token_secret_${formatdate("MMDDhhmm", timestamp())}"
+  vault_id = var.use_existing_vault ? var.vault_id : oci_kms_vault.app_vault[0].id
+  key_id = var.use_existing_vault ? var.key_id : oci_kms_key.app_key[0].id
+}
 
 # Secret containing the db user's password
 resource "oci_vault_secret" "db_user_password" {