feat: Workload identity federation support for Fabric using STS #908
Codecov Report

@@            Coverage Diff             @@
##             main     #908       +/-   ##
===========================================
+ Coverage   29.30%   59.14%   +29.83%
===========================================
  Files         242      245        +3
  Lines       28101    28297      +196
===========================================
+ Hits         8236    16737     +8501
+ Misses      19715    10698     -9017
- Partials      150      862      +712
Replaces deprecated API endpoints and curl options with current URLs and headers for OIDC provider creation, role assignment, and access policy setup. Ensures correct usage of --location, --header, and --data for JSON payloads and improves compatibility with Equinix APIs.
Replaces deprecated API endpoints and curl options with current ones in sts_wif_setup.md. Uses '-s' for silent curl output and '--json' for payloads, updating endpoint URLs to match latest Equinix API conventions.
Moved PFCR acceptance tests to a dedicated 'test-PFCR' job and removed duplicate steps from the 'test-STS-creds' job. This improves workflow clarity and separates PFCR testing from STS credentials testing.
Introduces a new sweeper step for PFCR in the Fabric acceptance test GitHub Actions workflow to improve resource cleanup and test reliability. Also removes the STS WIF setup guide from docs and templates, possibly due to deprecation or migration.
Refactored ContextAwareTokenSource to include retry logic for OIDC token exchange on HTTP 409 responses. Extracted config validation, error formatting, and token creation into helper methods for improved readability and maintainability.
Added a step to upload coverage reports to Codecov in the GitHub Actions workflow. In context_aware_token_source.go, replaced fmt.Errorf with errors.New for error formatting.
@equinix/governor-digin-fabric you have been tagged for review on this as codeowners. Please take a look when you are able.
Co-authored-by: Charles Treatman <ctreatman@equinix.com>
Signed-off-by: rrajagopalan-equinix <82961476+rrajagopalan-equinix@users.noreply.github.com>
Replaces direct STS source token value with a configurable environment variable name (`sts_source_token_env_var`) throughout provider configuration, code, and documentation. Updates workflow, provider schema, config, and example usage to support this change, improving flexibility for token management and compatibility with CI/CD environments.
Replaces direct token value with environment variable name for STS source token in provider configuration and documentation. Clarifies usage and updates parameter descriptions to reflect this change.
TestAccPreCheck now checks both custom and default STS source token environment variables, allowing authentication to succeed if either is set. This improves flexibility in environment configuration.
Corrected inconsistent indentation in the error handling block of TestAccPreCheck for improved code readability and maintainability.
Refactors provider configuration, environment variables, and documentation to replace 'sts_auth_scope' and related STS fields with 'token_exchange_scope' and corresponding token exchange fields. Updates code, examples, and docs to reflect the new naming and clarify usage of token exchange subject tokens for authentication. This improves clarity and aligns terminology with current Equinix authentication features.
Replaces EQUINIX_TOKEN_EXCHANGE_SCOPE_PFCR with EQUINIX_STS_AUTH_SCOPE_PFCR in the fabric_acctest GitHub Actions workflow to use the correct secret for token exchange.
ctreatma left a comment:
Looks good to me! Acceptance test workflow results demonstrate that the introduction of token exchange support has not impacted existing usage of the provider. I appreciate the introduction of multiple acceptance test jobs to exercise different provider configurations! Long-term, we should enact/adopt that pattern more broadly across the provider.
This PR is included in version 4.7.0 🎉
This pull request introduces support for Workload Identity Federation (WIF) using Equinix STS, along with updates to documentation, provider configuration, and acceptance testing. The changes enable authentication via OIDC tokens, enhance the Equinix Terraform provider, and improve testing capabilities.
Workload Identity Federation (WIF) Support:
- docs/guides/sts_wif_setup.md: Added a comprehensive guide for setting up Workload Identity Federation using Equinix STS, including steps for obtaining authentication tokens, establishing trust with an identity provider, and authorizing workloads.
- docs/index.md: Updated documentation to include details about using Workload Identity Tokens for authentication with Equinix Fabric, including alpha feature limitations and configuration examples.
- examples/example_4.tf: Added an example Terraform configuration demonstrating the use of Workload Identity Federation with `sts_auth_scope` and `sts_source_token`.

Provider Enhancements:
- equinix/provider.go: Added new provider arguments (`sts_auth_scope`, `sts_endpoint`, `sts_source_token`) for configuring STS authentication. Updated the `configureProvider` function to support STS-based authentication.
- internal/config/config.go: Introduced STS-related environment variables and default values. Enhanced the `Config` struct and authentication logic to support STS tokens. Refactored client creation methods for improved modularity.

Acceptance Testing Improvements:
- internal/acceptance/acceptance.go: Updated acceptance testing utilities to include checks for STS authentication credentials. Enhanced pre-check methods to validate STS setup alongside existing authentication mechanisms.

Dependency Updates:
- go.mod: Upgraded github.com/equinix/equinix-sdk-go to version v0.54.0 to support new STS features. Removed unused dependencies.

Documentation Improvements:
- internal/provider/provider.go: Added package-level documentation for the Terraform provider implementation.
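As an added illustration, not code from this PR or the provider, of two changes the commits above describe: reading the STS subject token from the environment variable named by `sts_source_token_env_var`, and retrying the OIDC token exchange only on HTTP 409. The `exchangeConfig` field names, the RFC 8693 form-encoded request shape, the `CI_OIDC_TOKEN` variable and the in-process fake STS are all assumptions; the real Equinix STS wire format is not shown on this page.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
)

// Hypothetical field names standing in for sts_endpoint, token_exchange_scope and sts_source_token_env_var.
type exchangeConfig struct{ Endpoint, Scope, SubjectTokenEnvVar string }

// exchange reads the OIDC subject token from the env var named in config (so only the name, not the
// token, lives in configuration), posts an RFC 8693 token-exchange request and retries only on HTTP 409.
func exchange(cfg exchangeConfig, maxAttempts int) (string, error) {
	subj := os.Getenv(cfg.SubjectTokenEnvVar)
	if subj == "" {
		return "", fmt.Errorf("subject token env var %q is unset", cfg.SubjectTokenEnvVar)
	}
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:token-exchange"}, "scope": {cfg.Scope},
		"subject_token": {subj}, "subject_token_type": {"urn:ietf:params:oauth:token-type:jwt"}}
	for attempt := 1; ; attempt++ {
		resp, err := http.PostForm(cfg.Endpoint, form)
		if err != nil {
			return "", err
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		if resp.StatusCode == http.StatusConflict && attempt < maxAttempts {
			continue // production code would back off with jitter before retrying
		}
		if resp.StatusCode != http.StatusOK { // any other failure, or a 409 on the last attempt, is final
			return "", fmt.Errorf("token exchange failed on attempt %d: HTTP %d", attempt, resp.StatusCode)
		}
		return string(body), nil
	}
}

// newFakeSTS is a constructed STS stand-in: the first `conflicts` requests get HTTP 409, later ones a scope-bound token.
func newFakeSTS(conflicts int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if conflicts--; conflicts >= 0 {
			http.Error(w, "conflict", http.StatusConflict)
			return
		}
		fmt.Fprint(w, "access-token-for-"+r.FormValue("scope"))
	}))
}
```

To try it, set `CI_OIDC_TOKEN`, start `newFakeSTS(1)` and call `exchange(exchangeConfig{sts.URL, "fabric-pfcr", "CI_OIDC_TOKEN"}, 3)`: the first request is answered with 409 and the second returns `access-token-for-fabric-pfcr`, while `newFakeSTS(5)` with the same three attempts fails with the final 409.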