terraform/builtin/providers/vault/resource_generic_secret.go

package vault

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/hashicorp/terraform/helper/schema"

	"github.com/hashicorp/vault/api"
)

func genericSecretResource() *schema.Resource {
	return &schema.Resource{
		Create: genericSecretResourceWrite,
		Update: genericSecretResourceWrite,
		Delete: genericSecretResourceDelete,
		Read:   genericSecretResourceRead,

		Schema: map[string]*schema.Schema{
			"path": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				ForceNew:    true,
				Description: "Full path where the generic secret will be written.",
			},

			// Data is passed as JSON so that an arbitrary structure is
			// possible, rather than forcing e.g. all values to be strings.
			"data_json": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				Description: "JSON-encoded secret data to write.",
				// We rebuild the attached JSON string to a simple singleline
				// string. This makes terraform not want to change when an extra
				// space is included in the JSON string. It is also necesarry
				// when allow_read is true for comparing values.
				StateFunc: func(v interface{}) string {
					var dat map[string]interface{}
					if err := json.Unmarshal([]byte(v.(string)), &dat); err != nil {
						return fmt.Errorf("data_json %#v syntax error: %s", v.(string), err)
					}
					jsonDataBytes, _ := json.Marshal(dat)
					return string(jsonDataBytes)
				},
			},

			"allow_read": &schema.Schema{
				Type:        schema.TypeBool,
				Optional:    true,
				Default:     false,
				Description: "True if the provided token is allowed to read the secret from vault, and therefore canupdate values",
			},
		},
	}
}

func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)

	path := d.Get("path").(string)

	var data map[string]interface{}
	err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)
	if err != nil {
		return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)
	}

	log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
	_, err = client.Logical().Write(path, data)
	if err != nil {
		return fmt.Errorf("error writing to Vault: %s", err)
	}

	d.SetId(path)

	return nil
}

func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)

	path := d.Id()

	log.Printf("[DEBUG] Deleting generic Vault from %s", path)
	_, err := client.Logical().Delete(path)
	if err != nil {
		return fmt.Errorf("error deleting from Vault: %s", err)
	}

	return nil
}

func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
	allowed_to_read := d.Get("allow_read").(bool)

	if allowed_to_read {
		path := d.Get("path").(string)

		client := meta.(*api.Client)

		log.Printf("[DEBUG] Reading %s from Vault", path)
		secret, err := client.Logical().Read(path)
		if err != nil {
			return fmt.Errorf("error reading from Vault: %s", err)
		}

		d.SetId(path)

		// Ignoring error because this value came from JSON in the
		// first place so no reason why it should fail to re-encode.
		jsonDataBytes, _ := json.Marshal(secret.Data)
		d.Set("data_json", string(jsonDataBytes))
	}

	path := d.Get("path").(string)
	d.SetId(path)
	return nil

	// We don't actually attempt to read back the secret data
	// here, so that Terraform can be configured with a token
	// that has only write access to the relevant part of the
	// store.
	//
	// This means that Terraform cannot detect drift for
	// generic secrets, but detecting drift seems less important
	// than being able to limit the effect of exposure of
	// Terraform's Vault token.
	// log.Printf("[WARN] vault_generic_secret does not automatically refresh")
}