diff --git a/docs/index.md b/docs/index.md
index 8f9c668..dfdab1d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -46,6 +46,7 @@ provider "restapi" {
 - `debug` (Boolean) Enabling this will cause lots of debug information to be printed to STDOUT by the API client.
 - `destroy_method` (String) Defaults to `DELETE`. The HTTP method used to DELETE objects of this type on the API server.
 - `headers` (Map of String) A map of header names and values to set on all outbound requests. This is useful if you want to use a script via the 'external' provider or provide a pre-approved token or change Content-Type from `application/json`. If `username` and `password` are set and Authorization is one of the headers defined here, the BASIC auth credentials take precedence.
+- `bearer_token` (String) A token that will be used to set the Authorization: Bearer header on all outbound API requests. This value can be set directly in the provider configuration or indirectly via the BEARER_TOKEN environment variable. Useful for APIs that require Bearer token authentication such as JWT or OAuth2. If set, this takes precedence over any Authorization header defined in headers.
 - `id_attribute` (String) When set, this key will be used to operate on REST objects. For example, if the ID is set to 'name', changes to the API object will be to http://foo.com/bar/VALUE_OF_NAME. This value may also be a '/'-delimeted path to the id attribute if it is multple levels deep in the data (such as `attributes/id` in the case of an object `{ "attributes": { "id": 1234 }, "config": { "name": "foo", "something": "bar"}}`
 - `insecure` (Boolean) When using https, this disables TLS verification of the host.
 - `key_file` (String) When set with the cert_file parameter, the provider will load a client certificate as a file for mTLS authentication. Note that this mechanism simply delegates to golang's tls.LoadX509KeyPair which does not support passphrase protected private keys. The most robust security protections available to the key_file are simple file system permissions.
diff --git a/restapi/api_client.go b/restapi/api_client.go
index fed7be0..b5cd15c 100644
--- a/restapi/api_client.go
+++ b/restapi/api_client.go
@@ -28,6 +28,7 @@ type apiClientOpt struct {
 username string
 password string
 headers map[string]string
+ bearerToken string
 timeout int
 idAttribute string
 createMethod string
@@ -65,6 +66,7 @@ type APIClient struct {
 username string
 password string
 headers map[string]string
+ bearerToken string
 idAttribute string
 createMethod string
 readMethod string
@@ -190,6 +192,7 @@ func NewAPIClient(opt *apiClientOpt) (*APIClient, error) {
 username: opt.username,
 password: opt.password,
 headers: opt.headers,
+ bearerToken: opt.bearerToken,
 idAttribute: opt.idAttribute,
 createMethod: opt.createMethod,
 readMethod: opt.readMethod,
diff --git a/restapi/provider.go b/restapi/provider.go
index 4f079df..53d2a2c 100644
--- a/restapi/provider.go
+++ b/restapi/provider.go
@@ -33,6 +33,7 @@ func Provider() *schema.Provider {
 "password": {
 Type: schema.TypeString,
 Optional: true,
+ Sensitive: true,
 DefaultFunc: schema.EnvDefaultFunc("REST_API_PASSWORD", nil),
 Description: "When set, will use this password for BASIC auth to the API.",
 },
@@ -42,6 +43,13 @@ func Provider() *schema.Provider {
 Optional: true,
 Description: "A map of header names and values to set on all outbound requests. This is useful if you want to use a script via the 'external' provider or provide a pre-approved token or change Content-Type from `application/json`. If `username` and `password` are set and Authorization is one of the headers defined here, the BASIC auth credentials take precedence.",
 },
+ "bearer_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ Sensitive: true,
+ DefaultFunc: schema.EnvDefaultFunc("REST_API_BEARER", nil),
+ Description: "Token to use for Authorization: Bearer ",
+ },
 "use_cookies": {
 Type: schema.TypeBool,
 Optional: true,
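Review bot: The new `bearerToken` field in restapi/api_client.go is added to `apiClientOpt` and `APIClient` and copied across in `NewAPIClient`, but none of the three hunks shows it being read; the only visible use of the token is in `configureProvider`, which writes it into the `headers` map. If nothing outside these hunks consumes the field, it is a second in-memory copy of a credential and is better dropped; otherwise the request path should set the header from this field so there is a single source of truth. Either way the field deserves a comment such as `// bearerToken is a secret; keep it out of debug output`, and any debug dump of the client or its headers should be checked for redaction. Both struct definitions and the `NewAPIClient` body extend beyond the hunks.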
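Review bot: The `bearer_token` schema in restapi/provider.go takes its default from `REST_API_BEARER`, while the docs/index.md hunk in this same diff tells users to set `BEARER_TOKEN`; a user following the docs would get no Authorization header and no error. Align the two names (the neighbouring `REST_API_PASSWORD` suggests the prefixed form) and regenerate the docs if they are produced from this schema. The Description `"Token to use for Authorization: Bearer "` is also much thinner than the documented text and should state the environment variable, the precedence over `headers`, and what happens when `username`/`password` are also set. Separately, `headers` is described as a place for a pre-approved token but is not marked `Sensitive`, which is worth a follow-up now that `password` is.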
@@ -235,6 +243,10 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) { } } + if token, ok := d.GetOk("bearer_token"); ok && token.(string) != "" { + headers["Authorization"] = "Bearer " + token.(string) + } + opt := &apiClientOpt{ uri: d.Get("uri").(string), insecure: d.Get("insecure").(bool),
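Review bot: Writing the token into `headers["Authorization"]` overrides a user-supplied Authorization header, but it leaves the `username`/`password` case unresolved. The `headers` description says BASIC credentials take precedence over an Authorization header, so the bearer token would presumably be replaced on the wire with no diagnostic. Consider rejecting the combination with `ConflictsWith` in the schema or an explicit error from `configureProvider`. Because `debug` is documented as printing lots of information to STDOUT, also confirm the client's debug output redacts the Authorization value now that a `Sensitive` field flows into the header map. `headers` is declared and `opt` is populated outside this hunk, so whether `bearerToken` is also passed into `opt` cannot be checked from here.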