Enable Terraform Cloud joining for Teleport Community Edition (#46419)
* Terraform Cloud joining: Support Terraform Enterprise issuers

This adds support for hostname/issuer overrides, needed to support
on-prem Terraform Enterprise installs. When the new `hostname` field
is unset, behavior is changed, but when set, the JWT is validated
against it instead of `app.terraform.io`.

Additionally, this renames `join_terraform.go` to
`join_terraformcloud.go`, since that was missed during the rename
in #45574.

* Enable Terraform Cloud joining for Teleport Community Edition

This enables Terraform Cloud joining for Community Edition when
using the public HCP Terraform SaaS. Teleport Enterprise is still
required for use with self-hosted Terraform Enterprise.

changelog: Enable Terraform Cloud joining for Teleport Community Edition when using HCP Terraform

* Fix unit tests

* Update lib/auth/join_terraformcloud.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* Fix linter

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
timothyb89 and tigrato committed Sep 13, 2024
1 parent 1003159 commit c9f5d14
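The commit message above describes an issuer binding: the token's `hostname` field decides which OIDC issuer a Terraform workload-identity JWT must carry, an empty value meaning the HCP Terraform SaaS, and a non-empty value being Enterprise-only. The following is an added example written for this page, not Teleport's own code. It assumes the issuer string is `https://` plus the hostname (true for `app.terraform.io`, assumed for self-hosted Terraform Enterprise), uses `BuildType` and `ErrRequiresEnterprise` as stand-ins for Teleport's `modules` package, and leaves JWT signature verification against the issuer's JWKS out of scope (it must still happen before the claims are trusted).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical stand-ins for Teleport's modules.BuildType() and the
// ErrRequiresEnterprise sentinel referenced in the diff.
type BuildType int

const (
	BuildCommunity BuildType = iota
	BuildEnterprise
)

var ErrRequiresEnterprise = errors.New("this feature requires Teleport Enterprise")

// DefaultTerraformCloudHost is the HCP Terraform SaaS hostname that the
// commit message names as the default when no override is set.
const DefaultTerraformCloudHost = "app.terraform.io"

// Claims is the subset of the ID token this example checks. Assumption:
// signature verification already happened and these values are authentic.
type Claims struct {
	Issuer   string
	Audience []string
}

// ExpectedIssuer derives the issuer the JWT must carry from the token's
// hostname field. An empty hostname selects the public SaaS issuer.
// Assumption: issuer == "https://" + hostname for all deployments.
func ExpectedIssuer(hostnameOverride string) (string, error) {
	host := strings.TrimSpace(hostnameOverride)
	if host == "" {
		host = DefaultTerraformCloudHost
	}
	// Only a bare host[:port] is accepted: a scheme, path, query or
	// userinfo here would let a misconfigured token trust an issuer
	// string other than the one the operator believes they configured.
	if strings.ContainsAny(host, "/@?# ") {
		return "", fmt.Errorf("hostname %q must be a bare host[:port]", hostnameOverride)
	}
	u := url.URL{Scheme: "https", Host: host}
	return u.String(), nil
}

// CheckTerraformCloudJoin mirrors the gate in the diff: a non-empty hostname
// override is Enterprise-only; after that the presented claims must match
// the derived issuer and contain the expected audience. nil means the join
// may proceed.
func CheckTerraformCloudJoin(build BuildType, hostnameOverride, wantAud string, c Claims) error {
	if hostnameOverride != "" && build != BuildEnterprise {
		return fmt.Errorf("terraform_cloud joining for Terraform Enterprise: %w", ErrRequiresEnterprise)
	}
	iss, err := ExpectedIssuer(hostnameOverride)
	if err != nil {
		return err
	}
	if c.Issuer != iss {
		return fmt.Errorf("issuer %q does not match expected %q", c.Issuer, iss)
	}
	for _, a := range c.Audience {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("audience %v does not include %q", c.Audience, wantAud)
}

func main() {
	// Constructed sample claims, not real tokens.
	aud := "teleport.example.com"
	saas := Claims{Issuer: "https://app.terraform.io", Audience: []string{aud}}
	onprem := Claims{Issuer: "https://terraform.example.com", Audience: []string{aud}}

	fmt.Println("community, no override, SaaS token:", CheckTerraformCloudJoin(BuildCommunity, "", aud, saas))
	fmt.Println("community, override set:", CheckTerraformCloudJoin(BuildCommunity, "terraform.example.com", aud, onprem))
	fmt.Println("enterprise, override set, on-prem token:", CheckTerraformCloudJoin(BuildEnterprise, "terraform.example.com", aud, onprem))
	fmt.Println("enterprise, override set, SaaS token:", CheckTerraformCloudJoin(BuildEnterprise, "terraform.example.com", aud, saas))
}
```

The last call in `main` is the case worth keeping in mind when reviewing the diff: once an override is set, a token minted by the public SaaS must be rejected, not silently accepted because `app.terraform.io` is the default.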
Showing 2 changed files with 5 additions and 3 deletions.
7 changes: 4 additions & 3 deletions lib/auth/join_terraformcloud.go
Expand Up @@ -50,9 +50,10 @@ func (a *Server) checkTerraformCloudJoinRequest(ctx context.Context, req *types.
return nil, trace.BadParameter("terraform_cloud join method only supports ProvisionTokenV2, '%T' was provided", pt)
}

if modules.GetModules().BuildType() != modules.BuildEnterprise {
hostnameOverride := token.Spec.TerraformCloud.Hostname
if hostnameOverride != "" && modules.GetModules().BuildType() != modules.BuildEnterprise {
return nil, fmt.Errorf(
"terraform_cloud joining: %w",
"terraform_cloud joining for Terraform Enterprise: %w",
ErrRequiresEnterprise,
)
}
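Review bot: the gate at `if hostnameOverride != "" && modules.GetModules().BuildType() != modules.BuildEnterprise` treats any non-empty value, including an explicit `hostname: app.terraform.io`, as an Enterprise-only override, so a Community user who writes the default out in the token spec gets `ErrRequiresEnterprise` instead of the SaaS path the commit message says is now allowed. Either treat the default hostname as equivalent to unset before this check, or document on the `Hostname` field that it must be left empty on Community. Separately, this branch still returns a plain `fmt.Errorf` while the type check two lines above returns `trace.BadParameter`; if callers map trace error types to status codes, this error will surface as a generic failure rather than an access or licensing error.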
Expand All @@ -68,7 +69,7 @@ func (a *Server) checkTerraformCloudJoinRequest(ctx context.Context, req *types.
}

claims, err := a.terraformIDTokenValidator.Validate(
ctx, aud, token.Spec.TerraformCloud.Hostname, req.IDToken,
ctx, aud, hostnameOverride, req.IDToken,
)
if err != nil {
return nil, trace.Wrap(err)
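Review bot: `hostnameOverride` passed to `Validate` is the empty string whenever the field is unset, so the "empty means `app.terraform.io`" contract the commit message describes lives entirely inside `terraformIDTokenValidator.Validate` and is invisible at this call site. A one-line comment here, or resolving the default in this function and passing an explicit issuer host, would make the issuer the JWT is bound to readable in the auth path and harder to break if the validator's default ever changes. The `aud` argument is unchanged, which is correct: the audience check must stay independent of which issuer is selected.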
1 change: 1 addition & 0 deletions lib/auth/join_terraformcloud_test.go
Expand Up @@ -155,6 +155,7 @@ func TestAuth_RegisterUsingToken_Terraform(t *testing.T) {
ProjectName: "example-project",
},
},
Hostname: "terraform.example.com",
},
},
request: newRequest(validIDToken),
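Review bot: the only test change is adding `Hostname: "terraform.example.com"` to a case that still submits `newRequest(validIDToken)`, so nothing visible exercises the new gate. This hunk should come with a Community-build case asserting `ErrRequiresEnterprise` for a non-empty hostname, a Community-build case asserting a successful join with the hostname left empty, and a case where the hostname is set but the ID token's issuer is the SaaS one, to confirm the validator rejects it rather than falling back to `app.terraform.io`.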