provider/vault: vault_policy resource (#10980)

* provider/vault: vault_policy resource

* website: vault_policy resource

* Refresh state when reading vault policy
Conor Mongey 2017-02-13 18:53:45 +00:00 committed by Paul Stack
parent 91f309528e
commit a4d03c9cd1
4 changed files with 234 additions and 0 deletions


@ -88,6 +88,7 @@ func Provider() terraform.ResourceProvider {
ResourcesMap: map[string]*schema.Resource{
"vault_generic_secret": genericSecretResource(),
"vault_policy": policyResource(),
},
}
}


@ -0,0 +1,82 @@
package vault
import (
"fmt"
"log"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/vault/api"
)
func policyResource() *schema.Resource {
return &schema.Resource{
Create: policyWrite,
Update: policyWrite,
Delete: policyDelete,
Read: policyRead,
Schema: map[string]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
Description: "Name of the policy",
},
"policy": &schema.Schema{
Type: schema.TypeString,
Required: true,
Description: "The policy document",
},
},
}
}
func policyWrite(d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Get("name").(string)
policy := d.Get("policy").(string)
log.Printf("[DEBUG] Writing policy %s to Vault", name)
err := client.Sys().PutPolicy(name, policy)
if err != nil {
return fmt.Errorf("error writing to Vault: %s", err)
}
d.SetId(name)
return nil
}
func policyDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Id()
log.Printf("[DEBUG] Deleting policy %s from Vault", name)
err := client.Sys().DeletePolicy(name)
if err != nil {
return fmt.Errorf("error deleting from Vault: %s", err)
}
return nil
}
func policyRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
name := d.Id()
policy, err := client.Sys().GetPolicy(name)
if err != nil {
return fmt.Errorf("error reading from Vault: %s", err)
}
d.Set("policy", policy)
return nil
}
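Review bot: policyRead keeps the resource in state even when Vault no longer has the policy, so a policy deleted outside Terraform is never surfaced as drift on refresh, and the error from `d.Set("policy", policy)` on the line before `return nil` is silently dropped. If the vendored client reports a missing policy as an empty document with a nil error (I believe `Sys().GetPolicy` did so at the time; worth confirming against the vendored api version), a guard `if policy == "" { d.SetId(""); return nil }` ahead of the Set, and `return d.Set("policy", policy)` as the final line, let refresh both drop the vanished resource and report Set failures. None of policyResource, policyWrite, policyDelete or policyRead carries a doc comment; a one-liner such as `// policyRead refreshes the stored policy document from Vault and clears the ID when the policy no longer exists.` on each would help the next maintainer of this provider.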


@ -0,0 +1,115 @@
package vault
import (
"fmt"
"testing"
r "github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
"github.com/hashicorp/vault/api"
)
func TestResourcePolicy(t *testing.T) {
r.Test(t, r.TestCase{
Providers: testProviders,
PreCheck: func() { testAccPreCheck(t) },
Steps: []r.TestStep{
r.TestStep{
Config: testResourcePolicy_initialConfig,
Check: testResourcePolicy_initialCheck,
},
r.TestStep{
Config: testResourcePolicy_updateConfig,
Check: testResourcePolicy_updateCheck,
},
},
})
}
var testResourcePolicy_initialConfig = `
resource "vault_policy" "test" {
name = "dev-team"
policy = <<EOT
path "secret/*" {
policy = "read"
}
EOT
}
`
func testResourcePolicy_initialCheck(s *terraform.State) error {
resourceState := s.Modules[0].Resources["vault_policy.test"]
if resourceState == nil {
return fmt.Errorf("resource not found in state")
}
instanceState := resourceState.Primary
if instanceState == nil {
return fmt.Errorf("resource has no primary instance")
}
name := instanceState.ID
if name != instanceState.Attributes["name"] {
return fmt.Errorf("id doesn't match name")
}
if name != "dev-team" {
return fmt.Errorf("unexpected policy name")
}
client := testProvider.Meta().(*api.Client)
policy, err := client.Sys().GetPolicy(name)
if err != nil {
return fmt.Errorf("error reading back policy: %s", err)
}
if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"read\"\n}\n"; got != want {
return fmt.Errorf("policy data is %q; want %q", got, want)
}
return nil
}
var testResourcePolicy_updateConfig = `
resource "vault_policy" "test" {
name = "dev-team"
policy = <<EOT
path "secret/*" {
policy = "write"
}
EOT
}
`
func testResourcePolicy_updateCheck(s *terraform.State) error {
resourceState := s.Modules[0].Resources["vault_policy.test"]
instanceState := resourceState.Primary
name := instanceState.ID
client := testProvider.Meta().(*api.Client)
if name != instanceState.Attributes["name"] {
return fmt.Errorf("id doesn't match name")
}
if name != "dev-team" {
return fmt.Errorf("unexpected policy name")
}
policy, err := client.Sys().GetPolicy(name)
if err != nil {
return fmt.Errorf("error reading back policy: %s", err)
}
if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"write\"\n}\n"; got != want {
return fmt.Errorf("policy data is %q; want %q", got, want)
}
return nil
}
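Review bot: testResourcePolicy_updateCheck dereferences `resourceState.Primary` and `instanceState.ID` without the nil guards that testResourcePolicy_initialCheck performs at its top, so a resource missing from state after the update step panics the test instead of returning a readable error; mirror the two `if ... == nil { return fmt.Errorf(...) }` checks from the initial check before `name := instanceState.ID`. The r.TestCase in TestResourcePolicy also sets no `CheckDestroy`, so the test never confirms that the policy is actually removed from Vault once the steps finish, which is the path most worth verifying for a resource that grants access. A `CheckDestroy` that calls `client.Sys().GetPolicy("dev-team")` and fails when a non-empty document comes back would close that gap.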


@ -0,0 +1,36 @@
---
layout: "vault"
page_title: "Vault: vault_policy resource"
sidebar_current: "docs-vault-resource-policy"
description: |-
Writes arbitrary policies for Vault
---
# vault\_policy
## Example Usage
```
resource "vault_policy" "example" {
name = "dev-team"
policy = <<EOT
path "secret/my_app" {
policy = "write"
}
EOT
}
```
## Argument Reference
The following arguments are supported:
* `name` - (Required) The name of the policy
* `policy` - (Required) String containing a Vault policy
## Attributes Reference
No additional attributes are exported by this resource.