
Add support for KV Secret Engine resources to move away from vault_generic_secret #1457

Merged
merged 53 commits into from
Jun 14, 2022
fc20f9a
add vault_generic_secrets_list resource
vinay-gopalan May 13, 2022
0f6cbd8
refactor methods to use context funcs and diagnostics
vinay-gopalan May 18, 2022
990d1c8
split list resource into v1 and v2
vinay-gopalan May 19, 2022
96cba88
add new backend and v2 secret resources
vinay-gopalan Jun 1, 2022
c55d291
Merge branch 'main' into VAULT-1336/support-kv-list
vinay-gopalan Jun 1, 2022
0bc0fb6
add KVV2 config resource
vinay-gopalan Jun 1, 2022
5f5e559
add kvv2 secret resource
vinay-gopalan Jun 1, 2022
f3ca8aa
rename from generic -> kv
vinay-gopalan Jun 2, 2022
3ef0db9
add data source for kv v2 secret
vinay-gopalan Jun 2, 2022
ba584fd
add kvv2 list data source
vinay-gopalan Jun 2, 2022
3474ce9
add kvv1 resource
vinay-gopalan Jun 3, 2022
9c60443
update test for list kvv1 secrets
vinay-gopalan Jun 3, 2022
ad675f6
add kvv1 secret data source
vinay-gopalan Jun 3, 2022
88987e3
add kvv2 subkeys data source
vinay-gopalan Jun 3, 2022
a8a7207
rename list data sources
vinay-gopalan Jun 3, 2022
77b2bd2
rename subkeys datasource test
vinay-gopalan Jun 3, 2022
9dddf67
Merge branch 'main' into VAULT-1336/support-kv-list
vinay-gopalan Jun 3, 2022
853e692
update resources and datasources with ProviderMeta
vinay-gopalan Jun 3, 2022
c0bbcaf
add docs for KV-V1 secret resource and data source
vinay-gopalan Jun 3, 2022
b41d016
add docs for KV-V2 secret resource and datasource
vinay-gopalan Jun 3, 2022
8cd29c8
add docs for KV-V2 backend config resource
vinay-gopalan Jun 3, 2022
b6ece5d
add kv-v1 secrets list resource
vinay-gopalan Jun 4, 2022
d8a3e3e
added docs for kv-v2 secrets list resource
vinay-gopalan Jun 4, 2022
76d5999
add docs for kv-v2 subkeys data source
vinay-gopalan Jun 4, 2022
d4d69b7
add docs to vault.erb
vinay-gopalan Jun 4, 2022
81d73a2
update field names with consts
vinay-gopalan Jun 6, 2022
7edf1b2
assert data can be converted to map type
vinay-gopalan Jun 8, 2022
7f0dcf3
make delete_version_after to int to avoid drift from vault
vinay-gopalan Jun 8, 2022
c2646ac
add more constants
vinay-gopalan Jun 8, 2022
107c2da
fix error message in kv helper
vinay-gopalan Jun 8, 2022
32b038f
add import tests for resources
vinay-gopalan Jun 8, 2022
09aa48a
apply delete_version_after patch
vinay-gopalan Jun 8, 2022
f53842c
Merge branch 'main' into VAULT-1336/support-kv-list
vinay-gopalan Jun 8, 2022
e7128d6
resolve merge conflict
vinay-gopalan Jun 9, 2022
cde534d
replace strings with constant field names
vinay-gopalan Jun 10, 2022
f1c4f4c
add missing package in KMIP role file
vinay-gopalan Jun 10, 2022
5fda7e5
fix conflicting package names
vinay-gopalan Jun 10, 2022
dfbfa99
make subkeys a JSON string
vinay-gopalan Jun 13, 2022
5512189
add CheckJSONData in testutil
vinay-gopalan Jun 13, 2022
b6a0543
resolve merge conflicts
vinay-gopalan Jun 13, 2022
cb07b45
Update vault/data_source_kv_secret_v2.go
vinay-gopalan Jun 14, 2022
ac8bb10
Update vault/data_source_kv_secret_v2.go
vinay-gopalan Jun 14, 2022
ecc13e4
Update vault/resource_kv_secret_v2_test.go
vinay-gopalan Jun 14, 2022
e1039be
Update vault/resource_kv_secret_backend_v2_test.go
vinay-gopalan Jun 14, 2022
794a139
Update vault/resource_kv_secret.go
vinay-gopalan Jun 14, 2022
ce4f799
add constants for depth and data_json
vinay-gopalan Jun 14, 2022
e1f1bfa
add error messaging and update test names
vinay-gopalan Jun 14, 2022
48f131f
Merge branch 'VAULT-1336/support-kv-list' of github.com:hashicorp/ter…
vinay-gopalan Jun 14, 2022
106ef58
update subkeys test name
vinay-gopalan Jun 14, 2022
1fe0704
convert computed data for datasource to TypeString instead of map
vinay-gopalan Jun 14, 2022
01bb2b1
resolve merge conflicts
vinay-gopalan Jun 14, 2022
242b229
remove unnecessary docs
vinay-gopalan Jun 14, 2022
2f503a8
add second step with updated path
vinay-gopalan Jun 14, 2022
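--- a/internal/consts/consts.go
+++ b/internal/consts/consts.go
@@ -4,13 +4,23 @@ const (
 /*
 common field names
 */
-FieldPath = "path"
-FieldParameters = "parameters"
-FieldMethod = "method"
-FieldNamespace = "namespace"
-FieldNamespaceID = "namespace_id"
-FieldBackend = "backend"
-
+FieldPath = "path"
+FieldParameters = "parameters"
+FieldMethod = "method"
+FieldNamespace = "namespace"
+FieldNamespaceID = "namespace_id"
+FieldBackend = "backend"
+FieldData = "data"
+FieldMount = "mount"
+FieldName = "name"
+FieldVersion = "version"
+FieldMetadata = "metadata"
+FieldNames = "names"
+FieldLeaseID = "lease_id"
+FieldLeaseDuration = "lease_duration"
+FieldLeaseRenewable = "lease_renewable"
+FieldDepth = "depth"
+FieldDataJSON = "data_json"
 /*
 common environment variables
 */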
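--- a/testutil/testutil.go
+++ b/testutil/testutil.go
@@ -601,3 +601,34 @@ func GetResourceFromRootModule(s *terraform.State, resourceName string) (*terraf
 
 return nil, fmt.Errorf("expected resource %q, not found in state", resourceName)
 }
+
+// CheckJSONData from an expected string for a given resource attribute.
+func CheckJSONData(resourceName, attr, expected string) resource.TestCheckFunc {
+return func(s *terraform.State) error {
+rs, err := GetResourceFromRootModule(s, resourceName)
+if err != nil {
+return err
+}
+
+actual, ok := rs.Primary.Attributes[attr]
+if !ok {
+return fmt.Errorf("resource %q has no attribute %q", resourceName, attr)
+}
+
+var e map[string]interface{}
+if err := json.Unmarshal([]byte(expected), &e); err != nil {
+return nil
+}
+
+var a map[string]interface{}
+if err := json.Unmarshal([]byte(actual), &a); err != nil {
+return nil
+}
+
+if !reflect.DeepEqual(e, a) {
+return fmt.Errorf("expected %#v, got %#v for resource attr %s.%s", e, a, resourceName, attr)
+}
+
+return nil
+}
+}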
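Review bot: CheckJSONData passes silently when either JSON string fails to parse — both `json.Unmarshal` failure branches `return nil`, so an attribute that holds malformed or non-JSON content (or an expected string with a typo) is reported as matching, which defeats the checks this helper is added for on sensitive `data_json` attributes. Return the parse error instead: `return fmt.Errorf("expected value for %s.%s is not valid JSON: %w", resourceName, attr, err)` in the first branch and `return fmt.Errorf("attribute %s.%s is not valid JSON: %w", resourceName, attr, err)` in the second. The doc comment `// CheckJSONData from an expected string for a given resource attribute.` also does not describe the contract; something like `// CheckJSONData returns a TestCheckFunc that decodes the resource attribute attr and the expected string as JSON objects and fails unless they are deeply equal.` would.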
11 changes: 5 additions & 6 deletions vault/data_identity_entity.go
@@ -6,11 +6,10 @@ import (
"log"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/vault/api"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/identity/entity"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
"github.com/hashicorp/vault/api"
)

var (
@@ -64,7 +63,7 @@ var (
},
Computed: true,
},
"metadata": {
consts.FieldMetadata: {
Type: schema.TypeMap,
Computed: true,
},
@@ -123,7 +122,7 @@ func identityEntityDataSource() *schema.Resource {
Description: "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.",
},

"data_json": {
consts.FieldDataJSON: {
Type: schema.TypeString,
Computed: true,
Description: "Entity data from Vault in JSON String form",
@@ -169,7 +168,7 @@ func identityEntityDataSource() *schema.Resource {
},
Computed: true,
},
"metadata": {
consts.FieldMetadata: {
Type: schema.TypeMap,
Computed: true,
},
@@ -277,7 +276,7 @@ func identityEntityDataSourceRead(d *schema.ResourceData, meta interface{}) erro
// Ignoring error because this value came from JSON in the
// first place so no reason why it should fail to re-encode.
jsonDataBytes, _ := json.Marshal(resp.Data)
d.Set("data_json", string(jsonDataBytes))
d.Set(consts.FieldDataJSON, string(jsonDataBytes))

return nil
}
4 changes: 2 additions & 2 deletions vault/data_identity_group.go
@@ -77,7 +77,7 @@ func identityGroupDataSource() *schema.Resource {
Description: "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with `alias_name`.",
},

"data_json": {
consts.FieldDataJSON: {
Type: schema.TypeString,
Computed: true,
Description: "Group data from Vault in JSON String form",
@@ -251,7 +251,7 @@ func identityGroupDataSourceRead(d *schema.ResourceData, meta interface{}) error
// Ignoring error because this value came from JSON in the
// first place so no reason why it should fail to re-encode.
jsonDataBytes, _ := json.Marshal(resp.Data)
d.Set("data_json", string(jsonDataBytes))
d.Set(consts.FieldDataJSON, string(jsonDataBytes))

return nil
}
13 changes: 7 additions & 6 deletions vault/data_source_aws_access_credentials.go
@@ -15,6 +15,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

@@ -93,13 +94,13 @@ func awsAccessCredentialsDataSource() *schema.Resource {
Description: "AWS security token read from Vault. (Only returned if type is 'sts').",
},

"lease_id": {
consts.FieldLeaseID: {
Type: schema.TypeString,
Computed: true,
Description: "Lease identifier assigned by vault.",
},

"lease_duration": {
consts.FieldLeaseDuration: {
Type: schema.TypeInt,
Computed: true,
Description: "Lease duration in seconds relative to the time in lease_start_time.",
@@ -111,7 +112,7 @@ func awsAccessCredentialsDataSource() *schema.Resource {
Description: "Time at which the lease was read, using the clock of the system where Terraform was running",
},

"lease_renewable": {
consts.FieldLeaseRenewable: {
Type: schema.TypeBool,
Computed: true,
Description: "True if the duration of this lease can be extended through renewal.",
@@ -168,10 +169,10 @@ func awsAccessCredentialsDataSourceRead(d *schema.ResourceData, meta interface{}
d.Set("access_key", secret.Data["access_key"])
d.Set("secret_key", secret.Data["secret_key"])
d.Set("security_token", secret.Data["security_token"])
d.Set("lease_id", secret.LeaseID)
d.Set("lease_duration", secret.LeaseDuration)
d.Set(consts.FieldLeaseID, secret.LeaseID)
d.Set(consts.FieldLeaseDuration, secret.LeaseDuration)
d.Set("lease_start_time", time.Now().Format(time.RFC3339))
d.Set("lease_renewable", secret.Renewable)
d.Set(consts.FieldLeaseRenewable, secret.Renewable)

awsConfig := &aws.Config{
Credentials: credentials.NewStaticCredentials(accessKey, secretKey, securityToken),
9 changes: 5 additions & 4 deletions vault/data_source_aws_access_credentials_test.go
@@ -15,6 +15,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/testutil"
)

@@ -34,7 +35,7 @@ func TestAccDataSourceAWSAccessCredentials_basic(t *testing.T) {
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "secret_key"),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "security_token", ""),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "creds"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", consts.FieldLeaseID),
testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
),
},
@@ -116,7 +117,7 @@ func TestAccDataSourceAWSAccessCredentials_sts(t *testing.T) {
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "secret_key"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "security_token"),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "sts"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", consts.FieldLeaseID),
testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
),
},
@@ -143,7 +144,7 @@ func TestAccDataSourceAWSAccessCredentials_sts_ttl(t *testing.T) {
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "secret_key"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "security_token"),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "sts"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", consts.FieldLeaseID),
testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
),
},
@@ -155,7 +156,7 @@ func TestAccDataSourceAWSAccessCredentials_sts_ttl(t *testing.T) {
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "security_token"),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "type", "sts"),
resource.TestCheckResourceAttr("data.vault_aws_access_credentials.test", "ttl", ttl),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", "lease_id"),
resource.TestCheckResourceAttrSet("data.vault_aws_access_credentials.test", consts.FieldLeaseID),
testAccDataSourceAWSAccessCredentialsCheck_tokenWorks(region),
),
},
13 changes: 7 additions & 6 deletions vault/data_source_azure_access_credentials.go
@@ -15,6 +15,7 @@ import (
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/helper/pointerutil"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

@@ -67,12 +68,12 @@ func azureAccessCredentialsDataSource() *schema.Resource {
Computed: true,
Description: "The client secret for credentials to query the Azure APIs.",
},
"lease_id": {
consts.FieldLeaseID: {
Type: schema.TypeString,
Computed: true,
Description: "Lease identifier assigned by vault.",
},
"lease_duration": {
consts.FieldLeaseDuration: {
Type: schema.TypeInt,
Computed: true,
Description: "Lease duration in seconds relative to the time in lease_start_time.",
@@ -82,7 +83,7 @@ func azureAccessCredentialsDataSource() *schema.Resource {
Computed: true,
Description: "Time at which the lease was read, using the clock of the system where Terraform was running",
},
"lease_renewable": {
consts.FieldLeaseRenewable: {
Type: schema.TypeBool,
Computed: true,
Description: "True if the duration of this lease can be extended through renewal.",
@@ -137,10 +138,10 @@ func azureAccessCredentialsDataSourceRead(d *schema.ResourceData, meta interface
d.SetId(secret.LeaseID)
_ = d.Set("client_id", secret.Data["client_id"])
_ = d.Set("client_secret", secret.Data["client_secret"])
_ = d.Set("lease_id", secret.LeaseID)
_ = d.Set("lease_duration", secret.LeaseDuration)
_ = d.Set(consts.FieldLeaseID, secret.LeaseID)
_ = d.Set(consts.FieldLeaseDuration, secret.LeaseDuration)
_ = d.Set("lease_start_time", time.Now().Format(time.RFC3339))
_ = d.Set("lease_renewable", secret.Renewable)
_ = d.Set(consts.FieldLeaseRenewable, secret.Renewable)

// If we're not supposed to validate creds, or we don't have enough
// information to do it, there's nothing further to do here.
23 changes: 12 additions & 11 deletions vault/data_source_generic_secret.go
@@ -8,6 +8,7 @@ import (

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

@@ -16,13 +17,13 @@ func genericSecretDataSource() *schema.Resource {
Read: genericSecretDataSourceRead,

Schema: map[string]*schema.Schema{
"path": {
consts.FieldPath: {
Type: schema.TypeString,
Required: true,
Description: "Full path from which a secret will be read.",
},

"version": {
consts.FieldVersion: {
Type: schema.TypeInt,
Required: false,
Optional: true,
@@ -37,27 +38,27 @@ func genericSecretDataSource() *schema.Resource {
"in the TF state.",
},

"data_json": {
consts.FieldDataJSON: {
Type: schema.TypeString,
Computed: true,
Description: "JSON-encoded secret data read from Vault.",
Sensitive: true,
},

"data": {
consts.FieldData: {
Type: schema.TypeMap,
Computed: true,
Description: "Map of strings read from Vault.",
Sensitive: true,
},

"lease_id": {
consts.FieldLeaseID: {
Type: schema.TypeString,
Computed: true,
Description: "Lease identifier assigned by vault.",
},

"lease_duration": {
consts.FieldLeaseDuration: {
Type: schema.TypeInt,
Computed: true,
Description: "Lease duration in seconds relative to the time in lease_start_time.",
@@ -69,7 +70,7 @@ func genericSecretDataSource() *schema.Resource {
Description: "Time at which the lease was read, using the clock of the system where Terraform was running",
},

"lease_renewable": {
consts.FieldLeaseRenewable: {
Type: schema.TypeBool,
Computed: true,
Description: "True if the duration of this lease can be extended through renewal.",
@@ -102,7 +103,7 @@ func genericSecretDataSourceRead(d *schema.ResourceData, meta interface{}) error
// Ignoring error because this value came from JSON in the
// first place so no reason why it should fail to re-encode.
jsonDataBytes, _ := json.Marshal(secret.Data)
if err := d.Set("data_json", string(jsonDataBytes)); err != nil {
if err := d.Set(consts.FieldDataJSON, string(jsonDataBytes)); err != nil {
return err
}

@@ -126,15 +127,15 @@ func genericSecretDataSourceRead(d *schema.ResourceData, meta interface{}) error
return err
}

if err := d.Set("lease_id", secret.LeaseID); err != nil {
if err := d.Set(consts.FieldLeaseID, secret.LeaseID); err != nil {
return err
}

if err := d.Set("lease_duration", secret.LeaseDuration); err != nil {
if err := d.Set(consts.FieldLeaseDuration, secret.LeaseDuration); err != nil {
return err
}

if err := d.Set("lease_renewable", secret.Renewable); err != nil {
if err := d.Set(consts.FieldLeaseRenewable, secret.Renewable); err != nil {
return err
}
