s3: add session token

Signed-off-by: Nicola Murino <[email protected]>

docs/data-sources/folders.md

@@ -131,6 +131,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

docs/data-sources/groups.md

@@ -149,6 +149,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).
@@ -350,6 +351,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

docs/data-sources/users.md

@@ -160,6 +160,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).
@@ -371,6 +372,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

docs/resources/folder.md

@@ -141,6 +141,7 @@ Optional:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with the specified prefix. The prefix must not start with "/" and must end with "/"
 - `region` (String)
 - `role_arn` (String) Optional IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String) The storage class to use when storing objects. Leave not set for default.
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

docs/resources/group.md

@@ -162,6 +162,7 @@ Optional:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with the specified prefix. The prefix must not start with "/" and must end with "/"
 - `region` (String)
 - `role_arn` (String) Optional IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String) The storage class to use when storing objects. Leave not set for default.
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).
@@ -378,6 +379,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

docs/resources/user.md

@@ -170,6 +170,7 @@ Optional:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with the specified prefix. The prefix must not start with "/" and must end with "/"
 - `region` (String)
 - `role_arn` (String) Optional IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String) The storage class to use when storing objects. Leave not set for default.
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).
@@ -396,6 +397,7 @@ Read-Only:
 - `key_prefix` (String) If specified then the SFTPGo user will be restricted to objects starting with this prefix.
 - `region` (String)
 - `role_arn` (String) IAM Role ARN to assume.
+- `session_token` (String) Optional Session token that is a part of temporary security credentials provisioned by AWS STS.
 - `skip_tls_verify` (Boolean) If set the S3 client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 - `storage_class` (String)
 - `upload_concurrency` (Number) How many parts are uploaded in parallel. Not set means the default (5).

go.mod

@@ -8,15 +8,15 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.22.2
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-testing v1.7.0
-	github.com/sftpgo/sdk v0.1.6-0.20240412170843-1176917cf6a3
+	github.com/sftpgo/sdk v0.1.6-0.20240502175518-0e29cf9357a3
 	github.com/stretchr/testify v1.9.0
 )
 
 require (
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.2-proton // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -62,8 +62,8 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.20.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
 	google.golang.org/grpc v1.63.2 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.34.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -11,8 +11,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
 github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqwI=
+github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
@@ -136,8 +136,8 @@ github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
-github.com/sftpgo/sdk v0.1.6-0.20240412170843-1176917cf6a3 h1:h3mqcGdPvO6uPG63S9gInp3+Tm4rjebvwDR6pK+Ctu4=
-github.com/sftpgo/sdk v0.1.6-0.20240412170843-1176917cf6a3/go.mod h1:AWoY2YYe/P1ymfTlRER/meERQjCcZZTbgVPGcPQgaqc=
+github.com/sftpgo/sdk v0.1.6-0.20240502175518-0e29cf9357a3 h1:EsC1qh/9YS+vybUPOJNcHRwSNTGGUSqsFlDL1wkzO+Y=
+github.com/sftpgo/sdk v0.1.6-0.20240502175518-0e29cf9357a3/go.mod h1:ler/KG6kMLlsOs/8s6dVN3oom+z+NkbXBVWO//Cv/WA=
 github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
 github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -209,14 +209,14 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be h1:LG9vZxsWGOmUKieR8wPAUR3u3MpnYFQZROPIMaXh7/A=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
 google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4=
+google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

sftpgo/models.go

@@ -719,6 +719,7 @@ type s3FsConfig struct {
 	AccessKey           types.String `tfsdk:"access_key"`
 	AccessSecret        types.String `tfsdk:"access_secret"`
 	RoleARN             types.String `tfsdk:"role_arn"`
+	SessionToken        types.String `tfsdk:"session_token"`
 	Endpoint            types.String `tfsdk:"endpoint"`
 	StorageClass        types.String `tfsdk:"storage_class"`
 	ACL                 types.String `tfsdk:"acl"`
@@ -837,6 +838,7 @@ func (f *filesystem) getTFAttributes() map[string]attr.Type {
 				"access_key":             types.StringType,
 				"access_secret":          types.StringType,
 				"role_arn":               types.StringType,
+				"session_token":          types.StringType,
 				"endpoint":               types.StringType,
 				"storage_class":          types.StringType,
 				"acl":                    types.StringType,
@@ -928,6 +930,7 @@ func (f *filesystem) toSFTPGo(ctx context.Context) (sdk.Filesystem, diag.Diagnos
 				Region:              f.S3Config.Region.ValueString(),
 				AccessKey:           f.S3Config.AccessKey.ValueString(),
 				RoleARN:             f.S3Config.RoleARN.ValueString(),
+				SessionToken:        f.S3Config.SessionToken.ValueString(),
 				Endpoint:            f.S3Config.Endpoint.ValueString(),
 				StorageClass:        f.S3Config.StorageClass.ValueString(),
 				ACL:                 f.S3Config.ACL.ValueString(),
@@ -1035,6 +1038,7 @@ func (f *filesystem) fromSFTPGo(ctx context.Context, fs *sdk.Filesystem) diag.Di
 			AccessKey:           getOptionalString(fs.S3Config.AccessKey),
 			AccessSecret:        getOptionalString(getSecretFromSFTPGo(fs.S3Config.AccessSecret)),
 			RoleARN:             getOptionalString(fs.S3Config.RoleARN),
+			SessionToken:        getOptionalString(fs.S3Config.SessionToken),
 			Endpoint:            getOptionalString(fs.S3Config.Endpoint),
 			StorageClass:        getOptionalString(fs.S3Config.StorageClass),
 			ACL:                 getOptionalString(fs.S3Config.ACL),

sftpgo/user_resource_test.go

@@ -67,6 +67,7 @@ func TestAccUserResource(t *testing.T) {
         				  region = "us-west-1"
         				  access_key = "key"
         				  access_secret = "secret payload"
+						  session_token = "abc"
       				    }
     				  }
     				  groups = [
@@ -129,6 +130,7 @@ func TestAccUserResource(t *testing.T) {
 					resource.TestCheckResourceAttr("sftpgo_user.test", "filesystem.s3config.region", "us-west-1"),
 					resource.TestCheckResourceAttr("sftpgo_user.test", "filesystem.s3config.access_key", "key"),
 					resource.TestCheckResourceAttr("sftpgo_user.test", "filesystem.s3config.access_secret", "secret payload"),
+					resource.TestCheckResourceAttr("sftpgo_user.test", "filesystem.s3config.session_token", "abc"),
 					resource.TestCheckNoResourceAttr("sftpgo_user.test", "filesystem.gcsconfig"),
 					resource.TestCheckNoResourceAttr("sftpgo_user.test", "filesystem.osconfig"),
 					resource.TestCheckNoResourceAttr("sftpgo_user.test", "description"),

sftpgo/util.go

@@ -80,6 +80,10 @@ func getComputedSchemaForFilesystem() schema.SingleNestedAttribute {
 						Computed:    true,
 						Description: "IAM Role ARN to assume.",
 					},
+					"session_token": schema.StringAttribute{
+						Computed:    true,
+						Description: "Optional Session token that is a part of temporary security credentials provisioned by AWS STS.",
+					},
 					"endpoint": schema.StringAttribute{
 						Computed:    true,
 						Description: "The endpoint is generally required for S3 compatible backends.",
@@ -350,6 +354,10 @@ func getSchemaForFilesystem() schema.SingleNestedAttribute {
 						Optional:    true,
 						Description: "Optional IAM Role ARN to assume.",
 					},
+					"session_token": schema.StringAttribute{
+						Optional:    true,
+						Description: "Optional Session token that is a part of temporary security credentials provisioned by AWS STS.",
+					},
 					"endpoint": schema.StringAttribute{
 						Optional:    true,
 						Description: "The endpoint is generally required for S3 compatible backends. For AWS S3, leave not set to use the default endpoint for the specified region.",