- Notifications
You must be signed in to change notification settings - Fork927
feat: addowner_oidc_access_token tocoder_workspace data source#6042
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
See the discussion in Discord here:https://discord.com/channels/747933592273027093/1071182088490987542/1071182088490987542Related provider PR:coder/terraform-provider-coder#91
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This needs to be configurable via a flag. I think it should be disabled by default personally, but at the very least it needs to be the other way around IMO.
| @@ -201,6 +201,7 @@ message Provision { | |||
| string workspace_id = 5; | |||
| string workspace_owner_id = 6; | |||
| string workspace_owner_email = 7; | |||
| string workspace_owner_oidc_access_token = 8; | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
tabs vs spaces
@deansheather why does this need to be configurable via a flag? |
To prevent template admins from reading OIDC secrets without deployment approval. It seems dangerous to allow anyone with write access to templates to push an update that starts reading OIDC tokens and doing nefarious things with them. We have a similar feature in v1 and it's disabled by default for this reason |
Hmm, fair. I suppose this would permit any template author to gain access to users inside of Coder, so it could be real bad. Some additional thought is needed on how we do it... 🤔 |
bpmct commentedFeb 8, 2023 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Can we make it disabled by default? |
This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity. |
bpmct commentedMar 17, 2023 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
We'll need to rethink our template authorship experience since the Because of this, we'll just move forward with it on by default |
6ac4c51 to43dfe91Compare
See the discussion in Discord here:
https://discord.com/channels/747933592273027093/1071182088490987542/1071182088490987542
Related provider PR:coder/terraform-provider-coder#91