provider/vault: vault_policy resource (#10980)
* provider/vault: vault_policy resource * website: vault_policy resource * Refresh state when reading vault policy
This commit is contained in:
parent
91f309528e
commit
a4d03c9cd1
|
@ -88,6 +88,7 @@ func Provider() terraform.ResourceProvider {
|
|||
|
||||
ResourcesMap: map[string]*schema.Resource{
|
||||
"vault_generic_secret": genericSecretResource(),
|
||||
"vault_policy": policyResource(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,82 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
"github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
func policyResource() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Create: policyWrite,
|
||||
Update: policyWrite,
|
||||
Delete: policyDelete,
|
||||
Read: policyRead,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"name": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
Description: "Name of the policy",
|
||||
},
|
||||
|
||||
"policy": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
Description: "The policy document",
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func policyWrite(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*api.Client)
|
||||
|
||||
name := d.Get("name").(string)
|
||||
policy := d.Get("policy").(string)
|
||||
|
||||
log.Printf("[DEBUG] Writing policy %s to Vault", name)
|
||||
err := client.Sys().PutPolicy(name, policy)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("error writing to Vault: %s", err)
|
||||
}
|
||||
|
||||
d.SetId(name)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func policyDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*api.Client)
|
||||
|
||||
name := d.Id()
|
||||
|
||||
log.Printf("[DEBUG] Deleting policy %s from Vault", name)
|
||||
|
||||
err := client.Sys().DeletePolicy(name)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error deleting from Vault: %s", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func policyRead(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*api.Client)
|
||||
|
||||
name := d.Id()
|
||||
|
||||
policy, err := client.Sys().GetPolicy(name)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading from Vault: %s", err)
|
||||
}
|
||||
|
||||
d.Set("policy", policy)
|
||||
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,115 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
r "github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
"github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
func TestResourcePolicy(t *testing.T) {
|
||||
r.Test(t, r.TestCase{
|
||||
Providers: testProviders,
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Steps: []r.TestStep{
|
||||
r.TestStep{
|
||||
Config: testResourcePolicy_initialConfig,
|
||||
Check: testResourcePolicy_initialCheck,
|
||||
},
|
||||
r.TestStep{
|
||||
Config: testResourcePolicy_updateConfig,
|
||||
Check: testResourcePolicy_updateCheck,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
var testResourcePolicy_initialConfig = `
|
||||
|
||||
resource "vault_policy" "test" {
|
||||
name = "dev-team"
|
||||
policy = <<EOT
|
||||
path "secret/*" {
|
||||
policy = "read"
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
`
|
||||
|
||||
func testResourcePolicy_initialCheck(s *terraform.State) error {
|
||||
resourceState := s.Modules[0].Resources["vault_policy.test"]
|
||||
if resourceState == nil {
|
||||
return fmt.Errorf("resource not found in state")
|
||||
}
|
||||
|
||||
instanceState := resourceState.Primary
|
||||
if instanceState == nil {
|
||||
return fmt.Errorf("resource has no primary instance")
|
||||
}
|
||||
|
||||
name := instanceState.ID
|
||||
|
||||
if name != instanceState.Attributes["name"] {
|
||||
return fmt.Errorf("id doesn't match name")
|
||||
}
|
||||
|
||||
if name != "dev-team" {
|
||||
return fmt.Errorf("unexpected policy name")
|
||||
}
|
||||
|
||||
client := testProvider.Meta().(*api.Client)
|
||||
policy, err := client.Sys().GetPolicy(name)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading back policy: %s", err)
|
||||
}
|
||||
|
||||
if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"read\"\n}\n"; got != want {
|
||||
return fmt.Errorf("policy data is %q; want %q", got, want)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
var testResourcePolicy_updateConfig = `
|
||||
|
||||
resource "vault_policy" "test" {
|
||||
name = "dev-team"
|
||||
policy = <<EOT
|
||||
path "secret/*" {
|
||||
policy = "write"
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
`
|
||||
|
||||
func testResourcePolicy_updateCheck(s *terraform.State) error {
|
||||
resourceState := s.Modules[0].Resources["vault_policy.test"]
|
||||
instanceState := resourceState.Primary
|
||||
|
||||
name := instanceState.ID
|
||||
|
||||
client := testProvider.Meta().(*api.Client)
|
||||
|
||||
if name != instanceState.Attributes["name"] {
|
||||
return fmt.Errorf("id doesn't match name")
|
||||
}
|
||||
|
||||
if name != "dev-team" {
|
||||
return fmt.Errorf("unexpected policy name")
|
||||
}
|
||||
|
||||
policy, err := client.Sys().GetPolicy(name)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading back policy: %s", err)
|
||||
}
|
||||
|
||||
if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"write\"\n}\n"; got != want {
|
||||
return fmt.Errorf("policy data is %q; want %q", got, want)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
layout: "vault"
|
||||
page_title: "Vault: vault_policy resource"
|
||||
sidebar_current: "docs-vault-resource-policy"
|
||||
description: |-
|
||||
Writes arbitrary policies for Vault
|
||||
---
|
||||
|
||||
# vault\_policy
|
||||
|
||||
|
||||
## Example Usage
|
||||
|
||||
```
|
||||
resource "vault_policy" "example" {
|
||||
name = "dev-team"
|
||||
|
||||
policy = <<EOT
|
||||
path "secret/my_app" {
|
||||
policy = "write"
|
||||
}
|
||||
EOT
|
||||
}
|
||||
```
|
||||
|
||||
## Argument Reference
|
||||
|
||||
The following arguments are supported:
|
||||
|
||||
* `name` - (Required) The name of the policy
|
||||
|
||||
* `policy` - (Required) String containing a Vault policy
|
||||
|
||||
## Attributes Reference
|
||||
|
||||
No additional attributes are exported by this resource.
|
Loading…
Reference in New Issue