terraform-provider-tfe

tfe_oauth_client support oauth GHE/GH app

Open mengesb opened this issue 6 years ago • 6 comments

It's great that tfe_oauth_client supports personal access tokens for helping configure the VCS settings in Orgs and for Repos in TF Cloud / pTFE, however it would be better if we could also support the Apps or OAuth Apps side for GHE/GH so that we can relieve personal access tokens from the workflow of plans/applies/etc.

Ex.

resource "tfe_oauth_client" "test" {
  organization     = "my-org-name"
  api_url          = "https://github.myorg.com/api/v3"
  http_url         = "https://github.myorg.com"
  oauth_token      = "my-vcs-provider-token"
  service_provider = "github_enterprise"
}

It would be great if that supported the app fields like client_id and client_secret and populated the callback_url on the GH/GHE side. This would allow orgs to own tokens and not individuals.

mengesb avatar Oct 01 '19 21:10 mengesb

Hello, I have a problem with that, this is my plan

Terraform will perform the following actions:

  # tfe_oauth_client.test_oauth_client will be created
  + resource "tfe_oauth_client" "test_oauth_client" {
      + api_url          = "https://xxx.xxx.xxx.xxx/api/v3"   # (IP GitHub)
      + http_url         = "https://xxx.xxx.xxx.xxx"          # (IP GitHub)
      + id               = (known after apply)
      + oauth_token      = (sensitive value)
      + oauth_token_id   = (known after apply)
      + organization     = "my-org"
      + service_provider = "github_enterprise"
    }

But when I apply, I receive the following error:

Error: Error creating OAuth client for organization my-org: resource not found

Could someone help me with the error?

I need the tfe_oauth_client id so that afterwards I can add modules from GitHub Enterprise and create tfe_registry_module.

isaezfernandez avatar Sep 18 '20 07:09 isaezfernandez

Your issue is unrelated to the feature request. Likely your problem is that you don't have permission to do the operation. You have to be a GitHub org admin and a Terraform org owner to be allowed to set up VCS.

mengesb avatar Sep 18 '20 12:09 mengesb

Good morning. I am a GitHub org admin and a Terraform org owner; the VCS connection is created, no problem with that.

The problem is with tfe_registry_module, which fails with the following error log:

2020-09-18T15:05:16.102+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: -----------------------------------------------------
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: 2020/09/18 15:05:16 [DEBUG] TFE API Response Details:
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: ---[ RESPONSE ]--------------------------------------
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: HTTP/1.1 500 Internal Server Error
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Transfer-Encoding: chunked
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Cache-Control: no-cache
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Connection: keep-alive
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Content-Type: application/vnd.api+json; charset=utf-8
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Date: Fri, 18 Sep 2020 13:05:13 GMT
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Server: nginx/1.17.1
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: Vary: Origin
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Content-Type-Options: nosniff
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Frame-Options: SAMEORIGIN
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Ratelimit-Limit: 30
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Ratelimit-Remaining: 29
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Ratelimit-Reset: 0.588
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Request-Id: 810b6d23-6175-489f-baf2-775d8b7b76a6
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: X-Xss-Protection: 1; mode=block
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: 3d
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: {
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:   "errors": [
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:     {
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:       "status": "500",
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:       "title": "internal server error"
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:     }
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe:   ]
2020-09-18T15:05:16.212+0200 [DEBUG] plugin.terraform-provider-tfe_v0.21.0_x4.exe: }

isaezfernandez avatar Sep 21 '20 07:09 isaezfernandez

Definitely unrelated then. Either another issue is a better match for your problem or you should open your own issue. What you've posted is beyond what this issue is about - setting up the VCS connection, specifically a non-client based oauth token exchange.

You have a token, but it appears you're getting a 500 HTTP error with a valid client exchange.

mengesb avatar Sep 21 '20 09:09 mengesb

Thought I'd poke on this again to see if it could get some ❤️

mengesb avatar Nov 25 '20 09:11 mengesb

This provider is great; however the lack of support for the GH App underpinning VCS is a significant security gap. Our VCS connections should be owned by the GH App/Org, not a user with elevated privs. PLEASE address this feature request.

wchrisjohnson avatar Sep 05 '22 15:09 wchrisjohnson

Could we get some sort of response from Hashicorp on if/when this is going to be addressed?

wchrisjohnson avatar Oct 24 '22 21:10 wchrisjohnson

This would be a great feature to add to reduce dependency on Github Personal Access Tokens.

jodoscott avatar Dec 08 '22 18:12 jodoscott

Hello, and sorry that the maintainers have not participated in this discussion so far.

This isn't actually a limitation of the provider, but of the special limitations of OAuth inside the terraform plan-apply workflow. I'm not an OAuth expert, but at first glance the way this would work is to accept a client id/secret for an existing OAuth Application (and creating it in GitHub presents its own challenges, such as providing an OAuth callback URL) and then somehow presenting an activation code before creating the oauth client during the apply phase, then continue polling GitHub until that activation code is typed into the github device activation page. I don't see how that can happen using terraform config.

I've reported the interest in this feature to another team more directly responsible. It seems like an API solution may be possible, but unless I have misunderstood, may not work within a plan/apply cycle.

brandonc avatar Dec 21 '22 22:12 brandonc
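
To make the activation-code flow brandonc sketches above concrete, here is an added example (not code from terraform-provider-tfe or from any commenter) of GitHub's OAuth device flow, which is the RFC 8628 flow behind the "type this code into the device activation page" step. The endpoints, form fields, grant type and error codes are GitHub's documented device-flow ones; the client id `Iv1.constructed`, the `FakeGitHub` transport and its scripted responses, and the returned token value are constructed so the demo runs offline.

```python
"""GitHub OAuth device flow (RFC 8628), as described in the comment above.

Added example; not terraform-provider-tfe code. The real transport is
provided but the demo drives the flow through a constructed fake GitHub.
"""
import json
import time
import urllib.parse
import urllib.request

DEVICE_CODE_URL = "https://github.com/login/device/code"
TOKEN_URL = "https://github.com/login/oauth/access_token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_form(url, fields):
    """Real transport: POST form fields to GitHub and ask for JSON back."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def request_device_code(post, client_id, scope="repo"):
    """Step 1: the OAuth app (not a person) asks for a device code and a user code.
    The user code must be shown to a human, who enters it at verification_uri."""
    return post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})


def poll_for_token(post, client_id, device, sleep=time.sleep, now=time.monotonic):
    """Step 2: poll the token endpoint until the human approves the user code.
    This blocking, interactive wait is the part that has no place in a
    non-interactive terraform apply."""
    interval = int(device.get("interval", 5))
    deadline = now() + int(device.get("expires_in", 900))
    while now() < deadline:
        resp = post(TOKEN_URL, {"client_id": client_id,
                                "device_code": device["device_code"],
                                "grant_type": GRANT_TYPE})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            pass                      # user has not approved yet; keep polling
        elif err == "slow_down":
            interval += 5             # RFC 8628 section 3.5: back off by 5 seconds
        elif err in ("expired_token", "access_denied"):
            raise RuntimeError(f"device flow failed: {err}")
        else:
            raise RuntimeError(f"unexpected response: {resp}")
        sleep(interval)
    raise RuntimeError("device code expired before the user activated it")


class FakeGitHub:
    """Constructed stand-in for github.com so the demo runs offline.
    Scripted token responses: pending, pending, slow_down, then approved."""

    def __init__(self):
        self.calls = []
        self.script = [
            {"error": "authorization_pending"},
            {"error": "authorization_pending"},
            {"error": "slow_down"},
            {"access_token": "gho_constructed_example", "token_type": "bearer", "scope": "repo"},
        ]

    def __call__(self, url, fields):
        self.calls.append((url, dict(fields)))
        if url == DEVICE_CODE_URL:
            return {"device_code": "dev-123", "user_code": "WDJB-MJHT",
                    "verification_uri": "https://github.com/login/device",
                    "expires_in": 900, "interval": 5}
        return self.script.pop(0)


def run_demo():
    """Drive both steps against the fake and report what happened."""
    fake = FakeGitHub()
    slept, clock = [], [0.0]

    def fake_sleep(seconds):
        slept.append(seconds)
        clock[0] += seconds

    device = request_device_code(fake, "Iv1.constructed")
    token = poll_for_token(fake, "Iv1.constructed", device,
                           sleep=fake_sleep, now=lambda: clock[0])
    return {"user_code": device["user_code"],
            "token": token["access_token"],
            "polls": len(fake.calls) - 1,   # token-endpoint calls only
            "sleeps": slept}


if __name__ == "__main__":
    print(run_demo())
```

Swap `fake` for `http_post_form` and a real OAuth app client id to run it against GitHub; the point for this thread is that between `request_device_code` and the successful poll a person has to act, which is why the maintainer doubts it fits inside a plan/apply cycle.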

We are unable to create/modify any workspaces at all without an actual fix for this issue if we don't want to use a custom oauth application.

pksunkara avatar Dec 22 '22 03:12 pksunkara