coder/terraform-provider-coderPublic

NotificationsYou must be signed in to change notification settings
Fork22
Star46

Commit01334b6

authored

feat(agent): add api_key_scope to control agent token permissions (#391)

1 parentff49ef5 commit01334b6Copy full SHA for 01334b6

File tree

7 files changed

+121

-13

lines changed

.gitignore
docs/resources
- agent.md
examples/resources/coder_agent
- resource.tf
flake.lock
flake.nix
provider
- agent.go
- agent_test.go

7 files changed

+121

-13

lines changed

`‎.gitignore`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,3 +36,6 @@ website/vendor`
`36`	`36`
`37`	`37`	`# Binary`
`38`	`38`	`terraform-provider-coder`
	`39`	`+`
	`40`	`+# direnv`
	`41`	`+.direnv`

`‎docs/resources/agent.md`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,10 @@ data "coder_workspace" "me" {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`resource "coder_agent" "dev" {`
`20`		`- os = "linux"`
`21`		`- arch = "amd64"`
`22`		`- dir = "/workspace"`
	`20`	`+ os = "linux"`
	`21`	`+ arch = "amd64"`
	`22`	`+ dir = "/workspace"`
	`23`	`+ api_key_scope = "all"`
`23`	`24`	`display_apps {`
`24`	`25`	`vscode = true`
`25`	`26`	`vscode_insiders = false`
`@@ -71,6 +72,7 @@ resource "kubernetes_pod" "dev" {`
`71`	`72`
`72`	`73`	`###Optional`
`73`	`74`
	`75`	+-`api_key_scope` (String) Controls what API routes the agent token can access. Options: 'all' (full access) or 'no_user_data' (blocks /external-auth, /gitsshkey, and /gitauth routes)
`74`	`76`	-`auth` (String) The authentication type the agent will use. Must be one of:`"token"`,`"google-instance-identity"`,`"aws-instance-identity"`,`"azure-instance-identity"`.
`75`	`77`	-`connection_timeout` (Number) Time in seconds until the agent is marked as timed out when a connection with the server cannot be established. A value of zero never marks the agent as timed out.
`76`	`78`	-`dir` (String) The starting directory when a user creates a shell session. Defaults to`"$HOME"`.

`‎examples/resources/coder_agent/resource.tf`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,9 +2,10 @@ data "coder_workspace" "me" {`
`2`	`2`	`}`
`3`	`3`
`4`	`4`	`resource"coder_agent""dev" {`
`5`		`-os="linux"`
`6`		`-arch="amd64"`
`7`		`-dir="/workspace"`
	`5`	`+os="linux"`
	`6`	`+arch="amd64"`
	`7`	`+dir="/workspace"`
	`8`	`+api_key_scope="all"`
`8`	`9`	`display_apps {`
`9`	`10`	`vscode=true`
`10`	`11`	`vscode_insiders=false`

`‎flake.lock`

Lines changed: 4 additions & 4 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎flake.nix`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,11 @@`
`2`	`2`	`description="Terraform provider for Coder";`
`3`	`3`
`4`	`4`	`inputs={`
`5`		`-nixpkgs.url="github:NixOS/nixpkgs/nixos-23.11";`
	`5`	`+nixpkgs.url="github:NixOS/nixpkgs/nixos-24.11";`
`6`	`6`	`flake-utils.url="github:numtide/flake-utils";`
`7`	`7`	`};`
`8`	`8`
`9`		`-outputs={self,nixpkgs,flake-utils, ...}:`
	`9`	`+outputs={nixpkgs,flake-utils, ...}:`
`10`	`10`	`flake-utils.lib.eachDefaultSystem(system:`
`11`	`11`	`let`
`12`	`12`	`pkgs=importnixpkgs{`
`@@ -21,7 +21,7 @@`
`21`	`21`	`name="devShell";`
`22`	`22`	`buildInputs=withpkgs;[`
`23`	`23`	`terraform`
`24`		`-go_1_20`
	`24`	`+go_1_24`
`25`	`25`	`];`
`26`	`26`	`};`
`27`	`27`	`}`

`‎provider/agent.go`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,17 @@ func agentResource() *schema.Resource {`
`80`	`80`	`returnnil`
`81`	`81`	`},`
`82`	`82`	`Schema:map[string]*schema.Schema{`
	`83`	`+"api_key_scope": {`
	`84`	`+Type:schema.TypeString,`
	`85`	`+Optional:true,`
	`86`	`+Default:"all",`
	`87`	`+ForceNew:true,`
	`88`	`+Description:"Controls what API routes the agent token can access. Options: 'all' (full access) or 'no_user_data' (blocks /external-auth, /gitsshkey, and /gitauth routes)",`
	`89`	`+ValidateFunc:validation.StringInSlice([]string{`
	`90`	`+"all",`
	`91`	`+"no_user_data",`
	`92`	`+},false),`
	`93`	`+},`
`83`	`94`	`"init_script": {`
`84`	`95`	`Type:schema.TypeString,`
`85`	`96`	`Computed:true,`

`‎provider/agent_test.go`

Lines changed: 91 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -709,5 +709,96 @@ func TestAgent_DisplayApps(t *testing.T) {`
`709`	`709`	`}},`
`710`	`710`	`})`
`711`	`711`	`})`
	`712`	`+}`
	`713`	`+`
	`714`	`+// TestAgent_APIKeyScope tests valid states/transitions and invalid values for api_key_scope.`
	`715`	`+funcTestAgent_APIKeyScope(t*testing.T) {`
	`716`	`+t.Parallel()`
	`717`	`+`
	`718`	`+t.Run("ValidTransitions",func(t*testing.T) {`
	`719`	`+t.Parallel()`
	`720`	`+`
	`721`	`+resourceName:="coder_agent.test_scope_valid"`
`712`	`722`
	`723`	`+resource.Test(t, resource.TestCase{`
	`724`	`+ProviderFactories:coderFactory(),`
	`725`	`+IsUnitTest:true,`
	`726`	`+Steps: []resource.TestStep{`
	`727`	`+// Step 1: Default value`
	`728`	`+{`
	`729`	+Config:`
	`730`	`+provider "coder" {`
	`731`	`+url = "https://example.com"`
	`732`	`+}`
	`733`	`+resource "coder_agent" "test_scope_valid" {`
	`734`	`+os = "linux"`
	`735`	`+arch = "amd64"`
	`736`	`+# api_key_scope is omitted, should default to "default"`
	`737`	`+}`
	`738`	+`,
	`739`	`+Check:resource.ComposeTestCheckFunc(`
	`740`	`+resource.TestCheckResourceAttr(resourceName,"api_key_scope","all"),`
	`741`	`+),`
	`742`	`+},`
	`743`	`+// Step 2: Explicit "default"`
	`744`	`+{`
	`745`	+Config:`
	`746`	`+provider "coder" {`
	`747`	`+url = "https://example.com"`
	`748`	`+}`
	`749`	`+resource "coder_agent" "test_scope_valid" {`
	`750`	`+os = "linux"`
	`751`	`+arch = "amd64"`
	`752`	`+api_key_scope = "all"`
	`753`	`+}`
	`754`	+`,
	`755`	`+Check:resource.ComposeTestCheckFunc(`
	`756`	`+resource.TestCheckResourceAttr(resourceName,"api_key_scope","all"),`
	`757`	`+),`
	`758`	`+},`
	`759`	`+// Step 3: Explicit "no_user_data"`
	`760`	`+{`
	`761`	+Config:`
	`762`	`+provider "coder" {`
	`763`	`+url = "https://example.com"`
	`764`	`+}`
	`765`	`+resource "coder_agent" "test_scope_valid" {`
	`766`	`+os = "linux"`
	`767`	`+arch = "amd64"`
	`768`	`+api_key_scope = "no_user_data"`
	`769`	`+}`
	`770`	+`,
	`771`	`+Check:resource.ComposeTestCheckFunc(`
	`772`	`+resource.TestCheckResourceAttr(resourceName,"api_key_scope","no_user_data"),`
	`773`	`+),`
	`774`	`+},`
	`775`	`+},`
	`776`	`+})`
	`777`	`+})`
	`778`	`+`
	`779`	`+t.Run("InvalidValue",func(t*testing.T) {`
	`780`	`+t.Parallel()`
	`781`	`+`
	`782`	`+resource.Test(t, resource.TestCase{`
	`783`	`+ProviderFactories:coderFactory(),`
	`784`	`+IsUnitTest:true,`
	`785`	`+Steps: []resource.TestStep{`
	`786`	`+// Step 1: Invalid value check`
	`787`	`+{`
	`788`	+Config:`
	`789`	`+provider "coder" {`
	`790`	`+url = "https://example.com"`
	`791`	`+}`
	`792`	`+resource "coder_agent" "test_scope_invalid" { // Use unique name`
	`793`	`+os = "linux"`
	`794`	`+arch = "amd64"`
	`795`	`+api_key_scope = "invalid-scope"`
	`796`	`+}`
	`797`	+`,
	`798`	+ExpectError:regexp.MustCompile(`expected api_key_scope to be one of \["all" "no_user_data"\], got invalid-scope`),
	`799`	`+PlanOnly:true,`
	`800`	`+},`
	`801`	`+},`
	`802`	`+})`
	`803`	`+})`
`713`	`804`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit01334b6

File tree

7 files changed

7 files changed

`‎.gitignore`

`‎docs/resources/agent.md`

`‎examples/resources/coder_agent/resource.tf`

`‎flake.lock`

`‎flake.nix`

`‎provider/agent.go`

`‎provider/agent_test.go`

0 commit comments