Terraform Cloud joining: Support Terraform Enterprise issuers (#46051)

This adds support for hostname/issuer overrides, needed to support
on-prem Terraform Enterprise installs. When the new `hostname` field
is unset, behavior is changed, but when set, the JWT is validated
against it instead of `app.terraform.io`.

Additionally, this renames `join_terraform.go` to
`join_terraformcloud.go`, since that was missed during the rename
in #45574.

api/proto/teleport/legacy/types/types.proto

@@ -1625,6 +1625,13 @@ message ProvisionTokenSpecV2TerraformCloud {
   // Terraform Cloud, this value should be `foo`. If the variable is set to
   // match the cluster name, it does not need to be set here.
   string Audience = 2 [(gogoproto.jsontag) = "audience,omitempty"];
+
+  // Hostname is the hostname of the Terraform Enterprise instance expected to
+  // issue JWTs allowed by this token. This may be unset for regular Terraform
+  // Cloud use, in which case it will be assumed to be `app.terraform.io`.
+  // Otherwise, it must both match the `iss` (issuer) field included in JWTs,
+  // and provide standard JWKS endpoints.
+  string Hostname = 3 [(gogoproto.jsontag) = "hostname,omitempty"];
 }
 
 // StaticTokensV2 implements the StaticTokens interface.

docs/pages/reference/terraform-provider/data-sources/provision_token.mdx

@@ -204,6 +204,7 @@ Optional:
 
 - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specterraform_cloudallow))
 - `audience` (String) Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here.
+- `hostname` (String) Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints.
 
 ### Nested Schema for `spec.terraform_cloud.allow`
 

docs/pages/reference/terraform-provider/resources/provision_token.mdx

@@ -238,6 +238,7 @@ Optional:
 
 - `allow` (Attributes List) Allow is a list of Rules, nodes using this token must match one allow rule to use this token. (see [below for nested schema](#nested-schema-for-specterraform_cloudallow))
 - `audience` (String) Audience is the JWT audience as configured in the TFC_WORKLOAD_IDENTITY_AUDIENCE(_$TAG) variable in Terraform Cloud. If unset, defaults to the Teleport cluster name. For example, if `TFC_WORKLOAD_IDENTITY_AUDIENCE_TELEPORT=foo` is set in Terraform Cloud, this value should be `foo`. If the variable is set to match the cluster name, it does not need to be set here.
+- `hostname` (String) Hostname is the hostname of the Terraform Enterprise instance expected to issue JWTs allowed by this token. This may be unset for regular Terraform Cloud use, in which case it will be assumed to be `app.terraform.io`. Otherwise, it must both match the `iss` (issuer) field included in JWTs, and provide standard JWKS endpoints.
 
 ### Nested Schema for `spec.terraform_cloud.allow`
 

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml

@@ -377,6 +377,14 @@ spec:
                       is set to match the cluster name, it does not need to be set
                       here.
                     type: string
+                  hostname:
+                    description: Hostname is the hostname of the Terraform Enterprise
+                      instance expected to issue JWTs allowed by this token. This
+                      may be unset for regular Terraform Cloud use, in which case
+                      it will be assumed to be `app.terraform.io`. Otherwise, it must
+                      both match the `iss` (issuer) field included in JWTs, and provide
+                      standard JWKS endpoints.
+                    type: string
                 type: object
               tpm:
                 description: TPM allows the configuration of options specific to the

integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml

@@ -377,6 +377,14 @@ spec:
                       is set to match the cluster name, it does not need to be set
                       here.
                     type: string
+                  hostname:
+                    description: Hostname is the hostname of the Terraform Enterprise
+                      instance expected to issue JWTs allowed by this token. This
+                      may be unset for regular Terraform Cloud use, in which case
+                      it will be assumed to be `app.terraform.io`. Otherwise, it must
+                      both match the `iss` (issuer) field included in JWTs, and provide
+                      standard JWKS endpoints.
+                    type: string
                 type: object
               tpm:
                 description: TPM allows the configuration of options specific to the

lib/auth/join_terraform.go → lib/auth/join_terraformcloud.go

@@ -32,7 +32,7 @@ import (
 
 type terraformCloudIDTokenValidator interface {
 	Validate(
-		ctx context.Context, audience string, token string,
+		ctx context.Context, audience, hostname, token string,
 	) (*terraformcloud.IDTokenClaims, error)
 }
 
@@ -68,7 +68,7 @@ func (a *Server) checkTerraformCloudJoinRequest(ctx context.Context, req *types.
 	}
 
 	claims, err := a.terraformIDTokenValidator.Validate(
-		ctx, aud, req.IDToken,
+		ctx, aud, token.Spec.TerraformCloud.Hostname, req.IDToken,
 	)
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/auth/join_terraform_test.go → lib/auth/join_terraformcloud_test.go

@@ -38,12 +38,18 @@ type mockTerraformTokenValidator struct {
 }
 
 func (m *mockTerraformTokenValidator) Validate(
-	_ context.Context, audience string, token string,
+	_ context.Context, audience, hostname, token string,
 ) (*terraformcloud.IDTokenClaims, error) {
 	if audience != "test.localhost" {
 		return nil, fmt.Errorf("bad audience: %s", audience)
 	}
 
+	// Hostname override always fails, but that's okay: we're just making sure
+	// the value gets plumbed through to here.
+	if hostname != "" {
+		return nil, fmt.Errorf("bad issuer: %s", hostname)
+	}
+
 	claims, ok := m.tokens[token]
 	if !ok {
 		return nil, errMockInvalidToken
@@ -363,6 +369,27 @@ func TestAuth_RegisterUsingToken_Terraform(t *testing.T) {
 				require.ErrorContains(t, err, "bad audience")
 			},
 		},
+		{
+			name:          "overridden hostname is honored",
+			setEnterprise: true,
+			tokenSpec: types.ProvisionTokenSpecV2{
+				JoinMethod: types.JoinMethodTerraformCloud,
+				Roles:      []types.SystemRole{types.RoleNode},
+				TerraformCloud: &types.ProvisionTokenSpecV2TerraformCloud{
+					Allow: []*types.ProvisionTokenSpecV2TerraformCloud_Rule{
+						{
+							OrganizationID: "example-organization-id",
+							WorkspaceID:    "example-workspace-id",
+						},
+					},
+					Hostname: "example.com",
+				},
+			},
+			request: newRequest(validIDToken),
+			assertError: func(t require.TestingT, err error, i ...interface{}) {
+				require.ErrorContains(t, err, "bad issuer: example.com")
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {