Skip to content

Commit

Permalink
Reject 'token' join method
Browse files Browse the repository at this point in the history
  • Loading branch information
hugoShaka committed Jul 25, 2024
1 parent 824faa7 commit da696eb
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion integrations/terraform/provider/credentials.go
Original file line number Diff line number Diff line change
Expand Up @@ -496,7 +496,16 @@ func (CredentialsFromNativeMachineID) Credentials(ctx context.Context, config pr
return nil, trace.BadParameter("missing parameter %q or environment variable %q", attributeTerraformAddress, constants.EnvVarTerraformAddress)
}

// TODO: reject token JoinMethod (or gate behind an env var)
if apitypes.JoinMethod(joinMethod) == apitypes.JoinMethodToken {
return nil, trace.BadParameter(`the secret token join method ('token') is not supported for native Machine ID joining.
Secret tokens are single use and the Terraform provider does not save the certificates it obtained, so the token join method can only be used once.
If you want to run the Terraform provider in the CI (GitHub Actions, GitlabCI, Circle CI) or in a supported runtime (AWS, GCP, Azure, Kubernetes, machine with a TPM)
you should use the join method specific to your environment.
If you want to use MachineID with secret tokens, the best approach is to run a local tbot on the server where the terraform provider runs.
See https://goteleport.com/docs/reference/join-methods for more details.`)
}

if err := apitypes.ValidateJoinMethod(apitypes.JoinMethod(joinMethod)); err != nil {
return nil, trace.Wrap(err, "Invalid Join Method")
Expand Down

0 comments on commit da696eb

Please sign in to comment.