
Provider does not support id federation

Open selamanse opened this issue 1 year ago • 0 comments

Hi, I tried to use the netapp-cloudmanager provider within a corporate GCP account where the executing user needs to impersonate a service account that actually has the rights to deploy the Terraform stuff.

What am I trying to do?

Installing the connector resource from this provider via:


resource "netapp-cloudmanager_connector_gcp" "netapp-connector" {
  provider               = netapp-cloudmanager
  name                   = "netapp-bluexp-connector"
  zone                   = "${local.region}-b"
  company                = local.bluexp_company
  project_id             = local.project_id
  service_account_email  = local.bluexp_netapp_service_account
  account_id             = local.bluexp_account_id
  subnet_id              = "projects/${local.onprem_project_id}/regions/${local.region}/subnetworks/${local.project_id}-1-${local.region}"
  associate_public_ip    = false
  gcp_enable_os_login    = false
  gcp_enable_os_login_sk = false

  depends_on = [google_project_iam_binding.netapp-bluexp-deploy]
}

What is the problem?

When I try to do the above with the current version of the provider (23.11.0) I get a "403 Permission Denied" when setting up the connector instance via my impersonated service account, or the following error via the credential type "external_account" (which is created by workload identity federation in combination with GitHub orgs):

│ Error: cannot get credentials: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"
│ 
│   with netapp-cloudmanager_connector_gcp.netapp-connector,
│   on netapp-cloudmanager.tf line 2, in resource "netapp-cloudmanager_connector_gcp" "netapp-connector":
│    2: resource "netapp-cloudmanager_connector_gcp" "netapp-connector" {
│ 
╵

Underlying issue / possible solution

I have found a similar issue that has been resolved by upgrading the underlying go module.

References:

  • https://github.com/hashicorp/terraform/pull/32203
  • https://github.com/hashicorp/terraform/issues/29656

My suggested change is documented in #183, but it currently only works for normal impersonation, still not for the external_account credential type.

Can you please take a look at this? Thanks in advance.

selamanse avatar Jan 23 '24 11:01 selamanse
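The "unknown credential type" error above is produced when the credential-file parser in the provider's Google dependency does not recognise the "type" field of the file named by GOOGLE_APPLICATION_CREDENTIALS. The following Go program is an added example, not code from the provider or from the issue author: a pre-flight check that reads that file and reports whether its type is one the older golang.org/x/oauth2/google parser accepted ("service_account", "authorized_user") or one that needs a federation-aware build ("external_account", "impersonated_service_account"). The type sets are an assumption about which library generation the provider bundles; the embedded credential config is a constructed sample and every identifier in it is a placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Credential "type" values found in Google Application Default Credentials
// (ADC) JSON files. legacyTypes is assumed to be what older
// golang.org/x/oauth2/google parsers accepted; "external_account" (workload
// identity federation) and "impersonated_service_account" came later. The
// error text in the issue only tells us the bundled version rejects
// "external_account"; the exact version boundary is an assumption here.
var legacyTypes = map[string]bool{
	"service_account": true,
	"authorized_user": true,
}

var currentTypes = map[string]bool{
	"service_account":              true,
	"authorized_user":              true,
	"external_account":             true,
	"impersonated_service_account": true,
}

// Diagnosis is what the pre-flight check reports about one ADC file.
type Diagnosis struct {
	Type       string // value of the "type" field
	LegacyOK   bool   // accepted by the legacy parser
	CurrentOK  bool   // accepted by a federation-aware parser
	SourceType string // for impersonated_service_account: type of source_credentials
	Hint       string
}

// adcFile mirrors only the fields the check needs.
type adcFile struct {
	Type              string          `json:"type"`
	SourceCredentials json.RawMessage `json:"source_credentials"`
}

// Classify inspects raw ADC JSON and reports whether a provider built against
// the legacy parser would reject it with "unknown credential type".
func Classify(raw []byte) (Diagnosis, error) {
	var f adcFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return Diagnosis{}, fmt.Errorf("not a JSON credential file: %w", err)
	}
	if f.Type == "" {
		return Diagnosis{}, errors.New(`credential file has no "type" field`)
	}
	d := Diagnosis{Type: f.Type, LegacyOK: legacyTypes[f.Type], CurrentOK: currentTypes[f.Type]}
	// Impersonation configs wrap a second credential; report its type too.
	if f.Type == "impersonated_service_account" && len(f.SourceCredentials) > 0 {
		var src adcFile
		if err := json.Unmarshal(f.SourceCredentials, &src); err == nil {
			d.SourceType = src.Type
		}
	}
	switch {
	case !d.CurrentOK:
		d.Hint = "unrecognised credential type; check the file"
	case !d.LegacyOK:
		d.Hint = "needs a provider built against a federation-aware golang.org/x/oauth2/google; older builds fail with unknown credential type"
	default:
		d.Hint = "accepted by both old and new credential parsers"
	}
	return d, nil
}

// CheckEnv reads the file named by GOOGLE_APPLICATION_CREDENTIALS, the same
// variable the error message in the issue refers to.
func CheckEnv() (Diagnosis, error) {
	path := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
	if path == "" {
		return Diagnosis{}, errors.New("GOOGLE_APPLICATION_CREDENTIALS is not set")
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return Diagnosis{}, err
	}
	return Classify(raw)
}

// Constructed sample in the shape of a workload identity federation credential
// config; the pool, provider, project number and token path are placeholders.
const sampleExternalAccount = `{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/PLACEHOLDER_POOL/providers/PLACEHOLDER_PROVIDER",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": { "file": "/var/run/secrets/PLACEHOLDER_oidc_token" }
}`

func main() {
	d, err := Classify([]byte(sampleExternalAccount))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sample: type=%s legacy_ok=%v current_ok=%v: %s\n", d.Type, d.LegacyOK, d.CurrentOK, d.Hint)
	// Also check whatever credential file the current shell points at, if any.
	if env, err := CheckEnv(); err == nil {
		fmt.Printf("GOOGLE_APPLICATION_CREDENTIALS: type=%s legacy_ok=%v: %s\n", env.Type, env.LegacyOK, env.Hint)
	}
}
```

Running this before `terraform apply` tells you up front whether the credential you are about to use (a federated token config, an impersonation chain, or a plain key) is of a type the provider's dependency can parse, which separates the "unknown credential type" failure from the separate 403 the issue also describes.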