feat: Workload identity federation support for Fabric using STS

.github/workflows/fabric_acctest.yml

@@ -26,8 +26,10 @@ on:
   workflow_dispatch:
 
 permissions:
+  #actions: write required to update OIDC subject claim template
   pull-requests: read
   contents: read
+  id-token: write
 
 jobs:
 
@@ -44,6 +46,8 @@ jobs:
     steps:
       - run: true
 
+  # The GitHub OIDC subject claim template has been customized at the repository level to include only the workflow name. Long-term, we should consider using the default template for tests.
+
   build:
     name: Build
     needs: authorize
@@ -85,7 +89,6 @@ jobs:
         terraform:
           - '1.5'
     steps:
-
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
@@ -153,6 +156,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       EQUINIX_API_ENDPOINT: "https://uatapi.equinix.com"
+      EQUINIX_STS_ENDPOINT: "https://sts.uat.equinix.com"
     timeout-minutes: 240
     strategy:
       fail-fast: false
@@ -162,6 +166,20 @@ jobs:
         terraform:
           - '1.5'
     steps:
+      - id: get_id_token
+        name: Get GitHub OIDC Token for PFCR
+        uses: actions/github-script@v6
+        with:
+          script: |
+            try {
+              const idToken = await core.getIDToken('gha-fcr-client');
+              console.log('Token generated with audience: gha-fcr-client');
+              core.setOutput('id_token', idToken);
+            } catch (error) {
+              console.error('Error getting OIDC token:', error.message);
+              core.setFailed(`Error getting OIDC token: ${error.message}`);
+            }
+          result-encoding: string
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -196,7 +214,21 @@ jobs:
           METAL_AUTH_TOKEN: ${{ secrets.METAL_AUTH_TOKEN }}
         run: |
           go test ./... -v -coverprofile coverage_pfcr.txt -covermode=atomic -count 1 -parallel 8 -run "(PFCR)" -timeout 180m | tee pfcr_test_output.log
-
+
+      - name: TF Fabric PFCR acceptance tests STS creds
+        timeout-minutes: 180
+        env:
+          TF_ACC: "1"
+          TF_ACC_FABRIC_CONNECTIONS_TEST_DATA: ${{ secrets.TF_ACC_FABRIC_CONNECTIONS_TEST_DATA }}
+          TF_ACC_FABRIC_DEDICATED_PORTS: ${{ secrets.TF_ACC_FABRIC_DEDICATED_PORTS }}
+          TF_ACC_FABRIC_MARKET_PLACE_SUBSCRIPTION_ID: ${{ secrets.TF_ACC_FABRIC_MARKET_PLACE_SUBSCRIPTION_ID }}
+          TF_ACC_FABRIC_STREAM_TEST_DATA: ${{ secrets.TF_ACC_FABRIC_STREAM_TEST_DATA }}
+          EQUINIX_STS_SOURCE_TOKEN: ${{ steps.get_id_token.outputs.id_token }}
+          EQUINIX_STS_AUTH_SCOPE: ${{ secrets.EQUINIX_STS_AUTH_SCOPE_PFCR }}
+          METAL_AUTH_TOKEN: ${{ secrets.METAL_AUTH_TOKEN }}
+        run: |
+          go test ./... --run "(TestAccFabricCreatePort2SPConnection_PFCR|TestAccCloudRouterCreateOnlyRequiredParameters_PFCR)" -v -coverprofile coverage_pfcr.txt -covermode=atomic -count 1
+
       - name: Upload PFCR Testing Log
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
@@ -206,25 +238,6 @@ jobs:
       - name: Check if Tests are passed
         run: sh scripts/check_tests.sh pfcr_test_output.log
 
-      - name: Sweeper PFCR
-        if: ${{ always() }}
-        env:
-          EQUINIX_API_CLIENTID: ${{ secrets.EQUINIX_API_CLIENTID_PFCR }}
-          EQUINIX_API_CLIENTSECRET: ${{ secrets.EQUINIX_API_CLIENTSECRET_PFCR }}
-          METAL_AUTH_TOKEN: ${{ secrets.METAL_AUTH_TOKEN }}
-          SWEEP: "all" #Flag required to define the regions that the sweeper is to be ran in
-          SWEEP_ALLOW_FAILURES: "true" #Enable to allow Sweeper Tests to continue after failures
-        run: |
-          # Added sweep-run to filter Fabric PFCR test
-          go test $(go list ./... | grep 'internal/sweep\|equinix/equinix') -v -timeout 180m -sweep=${SWEEP} -sweep-allow-failures=${SWEEP_ALLOW_FAILURES} -sweep-run=$(grep -or 'AddTestSweepers("[^"]*"' | grep "_fabric_" | cut -d '"' -f2 | paste -s -d, -)
-
-      - name: Upload coverage to Codecov
-        if: ${{ always() }}
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./coverage_pfcr.txt
-
   upload-test-report:
     name: Upload Testing Report
     if: always()

docs/guides/sts_wif_setup.md

@@ -0,0 +1,112 @@
+# Workload Identity Federation (WIF) using Equinix STS
+
+This guide walks you through setting up Workload Identity Federation (WIF) using Equinix STS. It enables your workloads to securely authenticate with Equinix services without relying on long-lived credentials.
+
+## Prerequisites
+
+- An Equinix account with an organization and project - [Sign up here](https://portal.equinix.com)
+- Access to your identity provider (e.g., Azura AD, Terraform HCP)
+- Equinix API credentials for an administrator user - See [Generating Client ID and Client Secret key](https://docs.equinix.com/equinix-api/api-authentication#generate-client-id-and-client-secret) for more details
+
+## Step 1: Obtain Authentication Token
+
+First, get an authentication token to make API calls:
+
+```bash
+export CLIENT_ID="your_client_id"
+export CLIENT_SECRET="your_client_secret"
+
+TOKEN=$(curl -s "https://api.equinix.com/oauth2/v1/token" \
+  --json "{
+    \"grant_type\": \"client_credentials\",
+    \"client_id\": \"$CLIENT_ID\",
+    \"client_secret\": \"$CLIENT_SECRET\"
+  }" | jq -r '.access_token')
+```
+
+## Step 2: Establish Trust with Identity Provider
+
+Create a trust relationship with your workload's identity provider:
+
+```bash
+ORG_ID="your_organization_id"
+
+OIDCP=$(curl -s "https://sts.eqix.equinix.com/use/createOidcProvider" \
+  -H "Authorization: Bearer $TOKEN" \
+  --json '{
+    "name": "Your Provider Name",
+    "issuerLocation": "https://your-idp-issuer-url",
+    "trustedClientIds": [
+      "your-client-id"
+    ],
+    "idpPrefix": "your-prefix"
+  }')
+
+# Save the IdP ID for later use
+IDP_ID=$(echo "$OIDCP" | jq -r '.result.idpId')
+echo "Identity Provider ID: $IDP_ID"
+```
+
+## Step 3: Authorize Your Workloads
+
+You can authorize workloads using either role assignments or access policies:
+
+The subject in the principal name should match the sub claim of the JWT token issued by your identity provider. This ensures that the workload can be authenticated and authorized correctly.
+
+### Option A: Using Role Assignments
+
+```bash
+# First get a JWT token
+JWT=$(curl -s "https://api.equinix.com/oauth2/v1/userinfo" \
+  -H "Authorization: Bearer $TOKEN" \
+  | jq -r '.jwt_token')
+
+# Create role assignment
+curl -s "https://api.equinix.com/am/v3/assignments" \
+  -H "Authorization: Bearer $JWT" \
+  --json '{
+    "principal": {
+      "type": "FEDERATED",
+      "name": "principal:'$ORG_ID':'${IDP_ID:4}':{subject}"
+    },
+    "roleName": "your-required-role",
+    "resource": {
+      "id": "'$ORG_ID'",
+      "type": "ORGANIZATION"
+    }
+  }'
+```
+
+### Option B: Using Access Policies
+
+```bash
+ACCESS_URL="https://access.equinix.com"
+
+curl -s "$ACCESS_URL/use/createAccessPolicy" \
+  -H "Authorization: Bearer $TOKEN" \
+  --json '{
+    "accessPolicyId": "accesspolicy:your-policy-name",
+    "grants": [
+      "principal:'$ORG_ID':'${IDP_ID:4}':{subject}"
+    ],
+    "tags": {},
+    "permissions": [{
+      "serviceActions": [{
+        "serviceId": "Equinix Service ID", 
+        "actions": ["Action1", "Action2"]
+      }],
+      "resources": "all"
+    }]
+  }'
+```
+
+## Troubleshooting
+
+If your workloads fail to authenticate:
+
+1. Verify the trust relationship was established correctly
+2. Check that the workload's identity matches exactly what's specified in your access policies or role assignments
+3. Ensure the required permissions have been granted
+4. Look for any errors in the token exchange process
+
+For additional support, contact Equinix customer service.

docs/index.md

@@ -8,6 +8,8 @@ The Equinix provider is used to interact with the resources provided by Equinix
 
 For information about obtaining API key and secret required for Equinix Fabric and Network Edge refer to [Generating Client ID and Client Secret key](https://developer.equinix.com/dev-docs/fabric/getting-started/getting-access-token#generating-client-id-and-client-secret) from [Equinix Developer Platform portal](https://developer.equinix.com).
 
+Equinix Fabric also supports authentication using a [Workload Identity Token](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens), which can be used in place of the `client_id` and `client_secret` arguments. Requires an authorization scope and OIDC token from an IdP trusted by Equinix STS. Initial setup steps are detailed in the guide titled 'Workload Identity Federation (WIF) using Equinix STS'. Please note that this is an alpha feature not available for all users. Using workload identity tokens will override client ID/secret, you must use [provider aliases](https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations) to manage both workload identity tokens and client ID/secret in a single Terraform configuration.
+
 Interacting with Equinix Metal requires an API auth token that can be generated at [Project-level](https://metal.equinix.com/developers/docs/accounts/projects/#api-keys) or [User-level](https://metal.equinix.com/developers/docs/accounts/users/#api-keys) tokens can be used.
 
 If you are only using Equinix Metal resources, you may omit the Client ID and Client Secret provider configuration parameters needed to access other Equinix resource types (Network Edge, Fabric, etc).
@@ -44,6 +46,19 @@ provider "equinix" {
 }
 ```
 
+Workload Identity Tokens can be used in service authorization scenarios, like HCP Terraform. Other credential variables are optional for `equinix_fabric_*` resources and datasources when using this method.
+
+```terraform
+# Configuration for using Workload Identity Federation
+provider "equinix" {
+  # Desired scope of the requested security token. Must be an Access Policy ERN or a string of the form `roleassignments:<organization_id>`
+  sts_auth_scope = "roleassignments:<organization_id>"
+
+  # An OIDC ID token issued by a trusted OIDC provider to a trusted client.
+  sts_source_token = "some_workload_identity_token"
+}
+```
+
 Example provider configuration using `environment variables`:
 
 ```sh
@@ -85,4 +100,7 @@ These parameters can be provided in [Terraform variable files](https://www.terra
 - `max_retry_wait_seconds` (Number) Maximum number of seconds to wait before retrying a request.
 - `request_timeout` (Number) The duration of time, in seconds, that the Equinix Platform API Client should wait before canceling an API request. Canceled requests may still result in provisioned resources. (Defaults to `30`)
 - `response_max_page_size` (Number) The maximum number of records in a single response for REST queries that produce paginated responses. (Default is client specific)
+- `sts_auth_scope` (String) The scope of the authentication token. Must be an access policy ERN or a string of the form `roleassignments:<org_id>`. This argument can also be specified with the `EQUINIX_STS_AUTH_SCOPE` shell environment variable. Please note that Equinix STS is an alpha feature and not available for all users.
+- `sts_endpoint` (String) The STS API base URL to point to the desired environment. This argument can also be specified with the `EQUINIX_STS_ENDPOINT` shell environment variable. (Defaults to `https://sts.eqix.equinix.com`). Please note that STS is an alpha feature and not available for all users.
+- `sts_source_token` (String) The source token to use for STS authentication. Must be an OIDC ID token issued by an OIDC provider trusted by Equinix STS. This argument can also be specified with the `EQUINIX_STS_SOURCE_TOKEN` shell environment variable. Please note that STS is an alpha feature and not available for all users.
 - `token` (String) API tokens are generated from API Consumer clients using the [OAuth2 API](https://developer.equinix.com/dev-docs/fabric/getting-started/getting-access-token#request-access-and-refresh-tokens). This argument can also be specified with the `EQUINIX_API_TOKEN` shell environment variable.

equinix/provider.go

@@ -83,6 +83,25 @@ func Provider() *schema.Provider {
 				Default:     30,
 				Description: "Maximum number of seconds to wait before retrying a request.",
 			},
+			"sts_auth_scope": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc(config.AuthScopeEnvVar, ""),
+				Description: "The scope of the authentication token. Must be an access policy ERN or a string of the form `roleassignments:<org_id>`. This argument can also be specified with the `EQUINIX_STS_AUTH_SCOPE` shell environment variable. Please note that Equinix STS is an alpha feature and not available for all users.",
+			},
+			"sts_endpoint": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				DefaultFunc:  schema.EnvDefaultFunc(config.StsEndpointEnvVar, config.DefaultStsBaseURL),
+				ValidateFunc: validation.IsURLWithHTTPorHTTPS,
+				Description:  fmt.Sprintf("The STS API base URL to point to the desired environment. This argument can also be specified with the `EQUINIX_STS_ENDPOINT` shell environment variable. (Defaults to `%s`). Please note that STS is an alpha feature and not available for all users.", config.DefaultStsBaseURL),
+			},
+			"sts_source_token": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc(config.StsSourceTokenEnvVar, ""),
+				Description: "The source token to use for STS authentication. Must be an OIDC ID token issued by an OIDC provider trusted by Equinix STS. This argument can also be specified with the `EQUINIX_STS_SOURCE_TOKEN` shell environment variable. Please note that STS is an alpha feature and not available for all users.",
+			},
 		},
 		DataSourcesMap: datasources,
 		ResourcesMap:   resources,
@@ -118,6 +137,9 @@ func configureProvider(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 		PageSize:       d.Get("response_max_page_size").(int),
 		MaxRetries:     d.Get("max_retries").(int),
 		MaxRetryWait:   time.Duration(mrws) * time.Second,
+		StsAuthScope:   d.Get("sts_auth_scope").(string),
+		StsBaseURL:     d.Get("sts_endpoint").(string),
+		StsSourceToken: d.Get("sts_source_token").(string),
 	}
 	meta := providerMeta{}
 

examples/example_4.tf

@@ -0,0 +1,8 @@
+# Configuration for using Workload Identity Federation
+provider "equinix" {
+  # Desired scope of the requested security token. Must be an Access Policy ERN or a string of the form `roleassignments:<organization_id>`
+  sts_auth_scope = "roleassignments:<organization_id>"
+
+  # An OIDC ID token issued by a trusted OIDC provider to a trusted client.
+  sts_source_token = "some_workload_identity_token"
+}

go.mod

@@ -3,7 +3,7 @@ module github.com/equinix/terraform-provider-equinix
 go 1.23.0
 
 require (
-	github.com/equinix/equinix-sdk-go v0.53.0
+	github.com/equinix/equinix-sdk-go v0.54.0
 	github.com/equinix/ne-go v1.20.0
 	github.com/equinix/rest-go v1.3.0
 	github.com/google/uuid v1.6.0

go.sum

@@ -38,8 +38,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/equinix/equinix-sdk-go v0.53.0 h1:rTSIqLrG0XUe+QMkhv9E9s1HBfC9kTW8b37nfYRaQZw=
-github.com/equinix/equinix-sdk-go v0.53.0/go.mod h1:QokAmUtlYlD4gJ1s5UL1nZ4e6XALV0ftl5ZCwdPYp5M=
+github.com/equinix/equinix-sdk-go v0.54.0 h1:dZn1Bo0RUIjB6hzFrFWjzwo3gHx9uhoKvcNy73s0bSk=
+github.com/equinix/equinix-sdk-go v0.54.0/go.mod h1:QokAmUtlYlD4gJ1s5UL1nZ4e6XALV0ftl5ZCwdPYp5M=
 github.com/equinix/ne-go v1.20.0 h1:dffveVCBYVAB8JjpB2OEh1EpRecRn1ShCBPJqNNrb1o=
 github.com/equinix/ne-go v1.20.0/go.mod h1:eHkkxM4nbTB7DZ9X9zGnwfYnxIJWIsU3aHA+FAoZ1EI=
 github.com/equinix/rest-go v1.3.0 h1:m38scYTOfV6N+gcrwchgVDutDffYd+QoYCMm9Jn6jyk=