terraform/builtin/providers/vault/resource_generic_secret.go

package vault

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/hashicorp/terraform/helper/schema"

	"github.com/hashicorp/vault/api"
)

func genericSecretResource() *schema.Resource {
	return &schema.Resource{
		Create: genericSecretResourceWrite,
		Update: genericSecretResourceWrite,
		Delete: genericSecretResourceDelete,
		Read:   genericSecretResourceRead,

		Schema: map[string]*schema.Schema{
			"path": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				ForceNew:    true,
				Description: "Full path where the generic secret will be written.",
			},

			// Data is passed as JSON so that an arbitrary structure is
			// possible, rather than forcing e.g. all values to be strings.
			"data_json": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				Description: "JSON-encoded secret data to write.",
			},
		},
	}
}

func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)

	path := d.Get("path").(string)

	var data map[string]interface{}
	err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)
	if err != nil {
		return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)
	}

	log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
	_, err = client.Logical().Write(path, data)
	if err != nil {
		return fmt.Errorf("error writing to Vault: %s", err)
	}

	d.SetId(path)

	return nil
}

func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)

	path := d.Id()

	log.Printf("[DEBUG] Deleting generic Vault from %s", path)
	_, err := client.Logical().Delete(path)
	if err != nil {
		return fmt.Errorf("error deleting from Vault: %s", err)
	}

	return nil
}

func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
	// We don't actually attempt to read back the secret data
	// here, so that Terraform can be configured with a token
	// that has only write access to the relevant part of the
	// store.
	//
	// This means that Terraform cannot detect drift for
	// generic secrets, but detecting drift seems less important
	// than being able to limit the effect of exposure of
	// Terraform's Vault token.
	log.Printf("[WARN] vault_generic_secret does not automatically refresh")
	return nil
}
provider/vault: vault_generic_secret resource This resource allows writing a generic secret, and indeed anything else that obeys the expected create/update/delete lifecycle, into vault via writes to its logical path namespace. 2016-10-01 00:12:54 +02:00			`package vault`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"log"`

			`"github.com/hashicorp/terraform/helper/schema"`

			`"github.com/hashicorp/vault/api"`
			`)`

			`func genericSecretResource() *schema.Resource {`
			`return &schema.Resource{`
			`Create: genericSecretResourceWrite,`
			`Update: genericSecretResourceWrite,`
			`Delete: genericSecretResourceDelete,`
			`Read: genericSecretResourceRead,`

			`Schema: map[string]*schema.Schema{`
			`"path": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`ForceNew: true,`
			`Description: "Full path where the generic secret will be written.",`
			`},`

			`// Data is passed as JSON so that an arbitrary structure is`
			`// possible, rather than forcing e.g. all values to be strings.`
			`"data_json": &schema.Schema{`
			`Type: schema.TypeString,`
			`Required: true,`
			`Description: "JSON-encoded secret data to write.",`
			`},`
			`},`
			`}`
			`}`

			`func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {`
			`client := meta.(*api.Client)`

			`path := d.Get("path").(string)`

			`var data map[string]interface{}`
			`err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)`
			`if err != nil {`
			`return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)`
			`}`

			`log.Printf("[DEBUG] Writing generic Vault secret to %s", path)`
			`_, err = client.Logical().Write(path, data)`
			`if err != nil {`
			`return fmt.Errorf("error writing to Vault: %s", err)`
			`}`

			`d.SetId(path)`

			`return nil`
			`}`

			`func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {`
			`client := meta.(*api.Client)`

			`path := d.Id()`

			`log.Printf("[DEBUG] Deleting generic Vault from %s", path)`
			`_, err := client.Logical().Delete(path)`
			`if err != nil {`
			`return fmt.Errorf("error deleting from Vault: %s", err)`
			`}`

			`return nil`
			`}`

			`func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {`
			`// We don't actually attempt to read back the secret data`
			`// here, so that Terraform can be configured with a token`
			`// that has only write access to the relevant part of the`
			`// store.`
			`//`
			`// This means that Terraform cannot detect drift for`
			`// generic secrets, but detecting drift seems less important`
			`// than being able to limit the effect of exposure of`
			`// Terraform's Vault token.`
			`log.Printf("[WARN] vault_generic_secret does not automatically refresh")`
			`return nil`
			`}`