Merge pull request #337 from pgporada/allow-api-token-auth

Allow API token authentication

Author: ggongaware

docs/guides/installation.md

@@ -6,7 +6,7 @@ To install this provider, copy and paste this code into your Terraform configura
 terraform {
   required_providers {
     proxmox = {
-      source = "Telmate/proxmox"
+      source = "telmate/proxmox"
       version = "<version tag>"
     }
   }

docs/index.md

@@ -3,20 +3,33 @@
 A Terraform provider is responsible for understanding API interactions and exposing resources. The Proxmox provider
 uses the Proxmox API. This provider exposes two resources: [proxmox_vm_qemu](docs/resources/vm_qemu.md) and [proxmox_lxc](docs/resources/lxc.md).
 
-## Creating the connection
+## Creating the connection via username and password
 
 When connecting to the Proxmox API, the provider has to know at least three parameters: the URL, username and password.
-One can supply fields using the provider syntax in Terraform. It is recommended to pass secrets through environment 
+One can supply fields using the provider syntax in Terraform. It is recommended to pass secrets through environment
 variables.
 
 ```bash
-export PM_PASS=password
+export PM_USER="terraform-user@pve"
+export PM_PASS="password"
+```
+
+```hcl
+provider "proxmox" {
+    pm_api_url = "https://proxmox-server01.example.com:8006/api2/json"
+}
+```
+
+## Creating the connection via username and API token
+
+```bash
+export PM_API_TOKEN_ID="terraform-user@pve!mytoken"
+export PM_API_TOKEN_SECRET="afcd8f45-acc1-4d0f-bb12-a70b0777ec11"
 ```
 
 ```hcl
 provider "proxmox" {
     pm_api_url = "https://proxmox-server01.example.com:8006/api2/json"
-    pm_user = "terraform-user@pve"
 }
 ```
 
@@ -25,10 +38,12 @@ provider "proxmox" {
 The following arguments are supported in the provider block:
 
 * `pm_api_url` - (Required; or use environment variable `PM_API_URL`) This is the target Proxmox API endpoint.
-* `pm_user` - (Required; or use environment variable `PM_USER`) The user, maybe required to include @pam.
-* `pm_password` - (Required; sensitive; or use environment variable `PM_PASS`) The password.
-* `pm_otp` - (Optional; or use environment variable `PM_OTP`) The  2FA OTP code.
-* `pm_tls_insecure` - (Optional) Disable TLS verification while connecting.
+* `pm_user` - (Optional; or use environment variable `PM_USER`) The user, remember to include the authentication realm such as myuser@pam or myuser@pve.
+* `pm_password` - (Optional; sensitive; or use environment variable `PM_PASS`) The password.
+* `pm_api_token_id` - (Optional; or use environment variable `PM_API_TOKEN_ID`) This is an [API token](https://pve.proxmox.com/pve-docs/pveum-plain.html) you have previously created for a specific user.
+* `pm_api_token_secret` - (Optional; or use environment variable `PM_API_TOKEN_SECRET`) This is a uuid that is only available when initially creating the token.
+* `pm_otp` - (Optional; or use environment variable `PM_OTP`) The 2FA OTP code.
+* `pm_tls_insecure` - (Optional) Disable TLS verification while connecting to the proxmox server.
 * `pm_parallel` - (Optional; defaults to 4) Allowed simultaneous Proxmox processes (e.g. creating resources).
 * `pm_log_enable` - (Optional; defaults to false) Enable debug logging, see the section below for logging details.
 * `pm_log_levels` - (Optional) A map of log sources and levels.
@@ -42,10 +57,12 @@ Additionally, one can set the `PM_OTP_PROMPT` environment variable to prompt for
 The provider is able to output detailed logs upon request. Note that this feature is intended for development purposes, but could also be used to help investigate bugs. For example: the following code when placed into the provider "proxmox" block will enable loging to the file "terraform-plugin-proxmox.log".  All log sources will default to the "debug" level, and any stdout/stderr from sublibraries (proxmox-api-go) will be silenced (set to non-empty string to enable).
 
 ```hcl
+provider "proxmox" {
   pm_log_enable = true
   pm_log_file = "terraform-plugin-proxmox.log"
   pm_log_levels = {
     _default = "debug"
     _capturelog = ""
   }
+}
 ```

main.go

@@ -2,8 +2,8 @@ package main
 
 import (
 	"github.com/Telmate/terraform-provider-proxmox/proxmox"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/plugin"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/plugin"
 )
 
 func main() {

proxmox/provider.go

@@ -7,9 +7,9 @@ import (
 	"regexp"
 	"strconv"
 	"sync"
+	"strings"
 
 	pxapi "github.com/Telmate/proxmox-api-go/proxmox"
-	//pxapi "github.com/doransmestad/proxmox-api-go/proxmox"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -46,15 +46,15 @@ func Provider() *schema.Provider {
 		Schema: map[string]*schema.Schema{
 			"pm_user": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("PM_USER", nil),
-				Description: "username, maywith with @pam",
+				Description: "Username e.g. myuser or myuser@pam",
 			},
 			"pm_password": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("PM_PASS", nil),
-				Description: "secret",
+				Description: "Password to authenticate into proxmox",
 				Sensitive:   true,
 			},
 			"pm_api_url": {
@@ -63,6 +63,19 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("PM_API_URL", nil),
 				Description: "https://host.fqdn:8006/api2/json",
 			},
+			"pm_api_token_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PM_API_TOKEN_ID", nil),
+				Description: "API TokenID e.g. root@pam!mytesttoken",
+			},
+			"pm_api_token_secret": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("PM_API_TOKEN_SECRET", nil),
+				Description: "The secret uuid corresponding to a TokenID",
+				Sensitive:   true,
+			},
 			"pm_parallel": {
 				Type:     schema.TypeInt,
 				Optional: true,
@@ -72,20 +85,24 @@ func Provider() *schema.Provider {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("PM_TLS_INSECURE", false),
+				Description: "By default, every TLS connection is verified to be secure. This option allows terraform to proceed and operate on servers considered insecure. For example if you're connecting to a remote host and you do not have the CA cert that issued the proxmox api url's certificate.",
 			},
 			"pm_log_enable": {
-				Type:     schema.TypeBool,
-				Optional: true,
-				Default:  false,
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Enable provider logging to get proxmox API logs",
 			},
 			"pm_log_levels": {
-				Type:     schema.TypeMap,
-				Optional: true,
+				Type:        schema.TypeMap,
+				Optional:    true,
+				Description: "Configure the logging level to display; trace, debug, info, warn, etc",
 			},
 			"pm_log_file": {
-				Type:     schema.TypeString,
-				Optional: true,
-				Default:  "terraform-plugin-proxmox.log",
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "terraform-plugin-proxmox.log",
+				Description: "Write logs to this specific file",
 			},
 			"pm_timeout": {
 				Type:     schema.TypeInt,
@@ -105,17 +122,26 @@ func Provider() *schema.Provider {
 			"proxmox_vm_qemu":  resourceVmQemu(),
 			"proxmox_lxc":      resourceLxc(),
 			"proxmox_lxc_disk": resourceLxcDisk(),
-			// TODO - storage_iso
-			// TODO - bridge
-			// TODO - vm_qemu_template
+			// TODO - proxmox_storage_iso
+			// TODO - proxmox_bridge
+			// TODO - proxmox_vm_qemu_template
 		},
 
 		ConfigureFunc: providerConfigure,
 	}
 }
 
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
-	client, err := getClient(d.Get("pm_api_url").(string), d.Get("pm_user").(string), d.Get("pm_password").(string), d.Get("pm_otp").(string), d.Get("pm_tls_insecure").(bool), d.Get("pm_timeout").(int))
+	client, err := getClient(
+		d.Get("pm_api_url").(string),
+		d.Get("pm_user").(string),
+		d.Get("pm_password").(string),
+		d.Get("pm_api_token_id").(string),
+		d.Get("pm_api_token_secret").(string),
+		d.Get("pm_otp").(string),
+		d.Get("pm_tls_insecure").(bool),
+		d.Get("pm_timeout").(int),
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -153,13 +179,43 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	}, nil
 }
 
-func getClient(pm_api_url string, pm_user string, pm_password string, pm_otp string, pm_tls_insecure bool, pm_timeout int) (*pxapi.Client, error) {
+func getClient(pm_api_url string, pm_user string, pm_password string, pm_api_token_id string, pm_api_token_secret string, pm_otp string, pm_tls_insecure bool, pm_timeout int) (*pxapi.Client, error) {
 	tlsconf := &tls.Config{InsecureSkipVerify: true}
 	if !pm_tls_insecure {
 		tlsconf = nil
 	}
+
+	var err error
+
+	if pm_password != "" && pm_api_token_secret != "" {
+		err = fmt.Errorf("Password and API token secret both exist, choose one or the other.")
+	}
+
+	if pm_password == "" && pm_api_token_secret == "" {
+		err = fmt.Errorf("Password and API token do not exist, one of these must exist.")
+	}
+
+	if strings.Contains(pm_user, "!") && pm_password != "" {
+		err = fmt.Errorf("You appear to be using an API TokenID username with your password.")
+	}
+
+	if !strings.Contains(pm_api_token_id, "!") {
+		err = fmt.Errorf("Your API TokenID username should contain a !, check your API credentials.")
+	}
+
 	client, _ := pxapi.NewClient(pm_api_url, nil, tlsconf, pm_timeout)
-	err := client.Login(pm_user, pm_password, pm_otp)
+
+	// User+Pass authentication
+	if pm_user != "" && pm_password != "" {
+		err = client.Login(pm_user, pm_password, pm_otp)
+	}
+
+	// API authentication
+	if pm_api_token_id != "" && pm_api_token_secret != "" {
+		// Unsure how to get an err for this
+		client.SetAPIToken( pm_api_token_id, pm_api_token_secret)
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -195,6 +251,7 @@ func (lock *pmApiLockHolder) lock() {
 	pconf.CurrentParallel++
 	pconf.Mutex.Unlock()
 }
+
 func (lock *pmApiLockHolder) unlock() {
 	if !lock.locked {
 		return

proxmox/resource_vm_qemu.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	pxapi "github.com/Telmate/proxmox-api-go/proxmox"
-	//pxapi "github.com/doransmestad/proxmox-api-go/proxmox"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 

proxmox/resource_vm_qemu_test.go

@@ -300,15 +300,15 @@ func TestAccProxmoxVmQemu_CreateCloneWithTwoDisks(t *testing.T) {
 }
 
 // TestAccProxmoxVmQemu_StandardUpdateNoReboot tests a simple update of a vm_qemu resource,
-// and the modified parameters can be applied without reboot. 
+// and the modified parameters can be applied without reboot.
 func TestAccProxmoxVmQemu_UpdateNoReboot(t *testing.T) {
 	resourceName := acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
 	resourcePath := fmt.Sprintf("proxmox_vm_qemu.%s", resourceName)
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProxmoxProviderFactory(),
-		
+
 		Steps: []resource.TestStep{
 			{
 				Config: testAccExampleQemuBasic(resourceName, testAccProxmoxTargetNode),
@@ -318,26 +318,26 @@ func TestAccProxmoxVmQemu_UpdateNoReboot(t *testing.T) {
 			},
 			{
 				// since we're just renaming there should be no reboot
-				Config: strings.Replace(testAccExampleQemuBasic(resourceName, testAccProxmoxTargetNode), 
-				"name = \"" + resourceName + "\"", "name = \"" + resourceName + "-renamed\"", 1),
+				Config: strings.Replace(testAccExampleQemuBasic(resourceName, testAccProxmoxTargetNode),
+					"name = \""+resourceName+"\"", "name = \""+resourceName+"-renamed\"", 1),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr(resourcePath, "name", resourceName + "-renamed"),
+					resource.TestCheckResourceAttr(resourcePath, "name", resourceName+"-renamed"),
 				),
 			},
 		},
 	})
 }
 
 // TestAccProxmoxVmQemu_UpdateRebootRequired tests a simple update of a vm_qemu resource,
-// and the modified parameters can be only applied with reboot. 
+// and the modified parameters can be only applied with reboot.
 func TestAccProxmoxVmQemu_UpdateRebootRequired(t *testing.T) {
 	resourceName := acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
 	resourcePath := fmt.Sprintf("proxmox_vm_qemu.%s", resourceName)
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProxmoxProviderFactory(),
-		
+
 		Steps: []resource.TestStep{
 			{
 				Config: testAccExampleQemuBasic(resourceName, testAccProxmoxTargetNode),
@@ -354,4 +354,4 @@ func TestAccProxmoxVmQemu_UpdateRebootRequired(t *testing.T) {
 			},
 		},
 	})
-}
+}