From 973c1a0a3702483f1e468c12eac88882b5b9e45e Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 11 Dec 2024 17:57:45 -0500
Subject: [PATCH] add shared_secret parameter to provider that creates a token
 for the bootstrap service account

---
 .gitignore                                    |  1 +
 Makefile                                      |  5 +++
 example/main.tf                               | 36 ++++++++--------
 go.mod                                        |  3 +-
 .../provider/bootstrap_service_account.go     | 42 +++++++++++++++++++
 internal/provider/namespace.go                |  2 +-
 internal/provider/provider.go                 | 26 +++++++++---
 7 files changed, 88 insertions(+), 27 deletions(-)
 create mode 100644 internal/provider/bootstrap_service_account.go

diff --git a/.gitignore b/.gitignore
index 734d3c1..95afd31 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ go.work.sum
 # env file
 .env
 .DS_Store
+bin
diff --git a/Makefile b/Makefile
index 2d71917..a2d8401 100644
--- a/Makefile
+++ b/Makefile
@@ -4,3 +4,8 @@ lint:
 	@echo "@==> $@"
 	@VERSION=$$(go run github.com/mikefarah/yq/v4@v4.34.1 '.jobs.lint.steps[] | select(.uses == "golangci/golangci-lint-action*") | .with.version' .github/workflows/test.yml) && \
 	go run github.com/golangci/golangci-lint/cmd/golangci-lint@$$VERSION run --fix --timeout=20m ./...
+
+.PHONY: build
+build:
+	@echo "@==> $@"
+	@go build -o bin/terraform-provider-pomerium
diff --git a/example/main.tf b/example/main.tf
index d9d9d12..cba84f1 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -1,31 +1,31 @@
 terraform {
-    required_providers {
-        pomerium = {
-            source = "github.com/pomerium/enterprise-terraform-provider"
-            version = "0.0.1"
-        }
+  required_providers {
+    pomerium = {
+      source  = "pomerium/pomerium"
+      version = "0.0.1"
     }
-}
-
-variable "pomerium_service_account_token" {
-    type = string
-    sensitive = true
+  }
 }
 
 provider "pomerium" {
-    api_url = "https://console-api.localhost.pomerium.io"
-    tls_insecure_skip_verify = true
-    service_account_token = var.pomerium_service_account_token
+  api_url                  = "https://console-api.localhost.pomerium.io"
+  tls_insecure_skip_verify = true
+  # service_account_token = var.pomerium_service_account_token
+  shared_secret_b64 = "9OkZR6hwfmVD3a7Sfmgq58lUbFJGGz4hl/R9xbHFCAg="
 }
 
-resource "pomerium_namespace" "test_namespace" {
-  name = "test-namespace"
-  parent_id = "9d8dbd2c-8cce-4e66-9c1f-c490b4a07243"
+# resource "pomerium_namespace" "test_namespace" {
+#   name      = "test-namespace"
+#   parent_id = "9d8dbd2c-8cce-4e66-9c1f-c490b4a07243"
+# }
+
+locals {
+  namespace_id = "9d8dbd2c-8cce-4e66-9c1f-c490b4a07243"
 }
 
 resource "pomerium_policy" "test_policy" {
   name         = "test-policy"
-  namespace_id = pomerium_namespace.test_namespace.id
+  namespace_id = local.namespace_id
   ppl          = <<EOF
 - allow:
     and:
@@ -35,7 +35,7 @@ EOF
 
 resource "pomerium_route" "test_route" {
   name         = "test-route"
-  namespace_id = pomerium_namespace.test_namespace.id
+  namespace_id = local.namespace_id
   from         = "https://verify-tf.localhost.pomerium.io"
   to           = ["https://verify.pomerium.com"]
   policies     = [pomerium_policy.test_policy.id]
diff --git a/go.mod b/go.mod
index 60dc193..6bd010c 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/pomerium/enterprise-terraform-provider
 go 1.23.0
 
 require (
-	github.com/docker/cli v26.1.4+incompatible
+	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/hashicorp/terraform-plugin-framework v1.11.0
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/pomerium/enterprise-client-go v0.18.1-0.20240903154554-9b855ec72cfd
@@ -22,7 +22,6 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
diff --git a/internal/provider/bootstrap_service_account.go b/internal/provider/bootstrap_service_account.go
new file mode 100644
index 0000000..3e8a581
--- /dev/null
+++ b/internal/provider/bootstrap_service_account.go
@@ -0,0 +1,42 @@
+package provider
+
+import (
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func generateBootstrapServiceAccountToken(
+	sharedSecretB64 string,
+) (string, error) {
+	sharedSecret, err := base64.StdEncoding.DecodeString(sharedSecretB64)
+	if err != nil {
+		return "", fmt.Errorf("shared_secret is invalid: %w", err)
+	}
+
+	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: sharedSecret},
+		(&jose.SignerOptions{}).WithType("JWT"))
+	if err != nil {
+		return "", status.Errorf(codes.Internal, "signing JWT: %s", err.Error())
+	}
+
+	var claims struct {
+		jwt.Claims
+	}
+	claims.ID = "014e587b-3f4b-4fcf-90a9-f6ecdf8154af"
+	claims.Subject = "bootstrap-014e587b-3f4b-4fcf-90a9-f6ecdf8154af.pomerium"
+	now := time.Now()
+	claims.IssuedAt = jwt.NewNumericDate(now)
+	claims.NotBefore = jwt.NewNumericDate(now)
+
+	rawJWT, err := jwt.Signed(sig).Claims(claims).CompactSerialize()
+	if err != nil {
+		return "", status.Errorf(codes.Internal, "signing JWT: %s", err.Error())
+	}
+	return rawJWT, nil
+}
diff --git a/internal/provider/namespace.go b/internal/provider/namespace.go
index dd137e3..d4a66c4 100644
--- a/internal/provider/namespace.go
+++ b/internal/provider/namespace.go
@@ -62,7 +62,7 @@ func (r *NamespaceResource) Schema(_ context.Context, _ resource.SchemaRequest,
 			},
 			"parent_id": schema.StringAttribute{
 				Description: "ID of the parent namespace (optional).",
-				Optional:    false,
+				Optional:    true,
 			},
 		},
 	}
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index c557b8c..38f917b 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -32,6 +32,7 @@ type PomeriumProvider struct {
 type PomeriumProviderModel struct {
 	APIURL                types.String `tfsdk:"api_url"`
 	ServiceAccountToken   types.String `tfsdk:"service_account_token"`
+	SharedSecretB64       types.String `tfsdk:"shared_secret_b64"`
 	TLSInsecureSkipVerify types.Bool   `tfsdk:"tls_insecure_skip_verify"`
 }
 
@@ -49,7 +50,12 @@ func (p *PomeriumProvider) Schema(_ context.Context, _ provider.SchemaRequest, r
 			},
 			"service_account_token": schema.StringAttribute{
 				MarkdownDescription: "Pomerium Enterprise Service Account Token",
-				Required:            true,
+				Optional:            true,
+				Sensitive:           true,
+			},
+			"shared_secret_b64": schema.StringAttribute{
+				MarkdownDescription: "Pomerium Shared Secret (base64 encoded)",
+				Optional:            true,
 				Sensitive:           true,
 			},
 			"tls_insecure_skip_verify": schema.BoolAttribute{
@@ -88,13 +94,21 @@ func (p *PomeriumProvider) Configure(ctx context.Context, req provider.Configure
 		port = "443"
 	}
 
-	if data.ServiceAccountToken.IsNull() {
-		resp.Diagnostics.AddError("service_account_token is required", "service_account_token is required")
+	tlsConfig := &tls.Config{InsecureSkipVerify: data.TLSInsecureSkipVerify.ValueBool()}
+	var token string
+	if !data.ServiceAccountToken.IsNull() {
+		token = data.ServiceAccountToken.ValueString()
+	} else if !data.SharedSecretB64.IsNull() {
+		token, err = generateBootstrapServiceAccountToken(data.SharedSecretB64.ValueString())
+		if err != nil {
+			resp.Diagnostics.AddError("failed to decode shared_secret_b64", err.Error())
+			return
+		}
+	} else {
+		resp.Diagnostics.AddError("service_account_token or shared_secret_b64 is required", "service_account_token or shared_secret_b64 is required")
 		return
 	}
-
-	tlsConfig := &tls.Config{InsecureSkipVerify: data.TLSInsecureSkipVerify.ValueBool()}
-	c, err := client.NewClient(ctx, net.JoinHostPort(host, port), data.ServiceAccountToken.ValueString(), client.WithTlsConfig(tlsConfig))
+	c, err := client.NewClient(ctx, net.JoinHostPort(host, port), token, client.WithTlsConfig(tlsConfig))
 	if err != nil {
 		resp.Diagnostics.AddError("failed to create Pomerium Enterprise API client", err.Error())
 		return