provider/vault: vault_generic_secret resource
This resource allows writing a generic secret, and indeed anything else that obeys the expected create/update/delete lifecycle, into vault via writes to its logical path namespace.
This commit is contained in:
parent
b2b5831205
commit
c1d1f902f5
|
@ -83,6 +83,7 @@ func Provider() terraform.ResourceProvider {
|
|||
ConfigureFunc: providerConfigure,
|
||||
|
||||
ResourcesMap: map[string]*schema.Resource{
|
||||
"vault_generic_secret": genericSecretResource(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,87 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/hashicorp/terraform/helper/schema"
|
||||
|
||||
"github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
func genericSecretResource() *schema.Resource {
|
||||
return &schema.Resource{
|
||||
Create: genericSecretResourceWrite,
|
||||
Update: genericSecretResourceWrite,
|
||||
Delete: genericSecretResourceDelete,
|
||||
Read: genericSecretResourceRead,
|
||||
|
||||
Schema: map[string]*schema.Schema{
|
||||
"path": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
ForceNew: true,
|
||||
Description: "Full path where the generic secret will be written.",
|
||||
},
|
||||
|
||||
// Data is passed as JSON so that an arbitrary structure is
|
||||
// possible, rather than forcing e.g. all values to be strings.
|
||||
"data_json": &schema.Schema{
|
||||
Type: schema.TypeString,
|
||||
Required: true,
|
||||
Description: "JSON-encoded secret data to write.",
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*api.Client)
|
||||
|
||||
path := d.Get("path").(string)
|
||||
|
||||
var data map[string]interface{}
|
||||
err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)
|
||||
if err != nil {
|
||||
return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)
|
||||
}
|
||||
|
||||
log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
|
||||
_, err = client.Logical().Write(path, data)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error writing to Vault: %s", err)
|
||||
}
|
||||
|
||||
d.SetId(path)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
|
||||
client := meta.(*api.Client)
|
||||
|
||||
path := d.Id()
|
||||
|
||||
log.Printf("[DEBUG] Deleting generic Vault from %s", path)
|
||||
_, err := client.Logical().Delete(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error deleting from Vault: %s", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
|
||||
// We don't actually attempt to read back the secret data
|
||||
// here, so that Terraform can be configured with a token
|
||||
// that has only write access to the relevant part of the
|
||||
// store.
|
||||
//
|
||||
// This means that Terraform cannot detect drift for
|
||||
// generic secrets, but detecting drift seems less important
|
||||
// than being able to limit the effect of exposure of
|
||||
// Terraform's Vault token.
|
||||
log.Printf("[WARN] vault_generic_secret does not automatically refresh")
|
||||
return nil
|
||||
}
|
|
@ -0,0 +1,106 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
r "github.com/hashicorp/terraform/helper/resource"
|
||||
"github.com/hashicorp/terraform/terraform"
|
||||
|
||||
"github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
func TestResourceGenericSecret(t *testing.T) {
|
||||
r.Test(t, r.TestCase{
|
||||
Providers: testProviders,
|
||||
PreCheck: func() { testAccPreCheck(t) },
|
||||
Steps: []r.TestStep{
|
||||
r.TestStep{
|
||||
Config: testResourceGenericSecret_initialConfig,
|
||||
Check: testResourceGenericSecret_initialCheck,
|
||||
},
|
||||
r.TestStep{
|
||||
Config: testResourceGenericSecret_updateConfig,
|
||||
Check: testResourceGenericSecret_updateCheck,
|
||||
},
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
var testResourceGenericSecret_initialConfig = `
|
||||
|
||||
resource "vault_generic_secret" "test" {
|
||||
path = "secret/foo"
|
||||
data_json = <<EOT
|
||||
{
|
||||
"zip": "zap"
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
`
|
||||
|
||||
func testResourceGenericSecret_initialCheck(s *terraform.State) error {
|
||||
resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
|
||||
if resourceState == nil {
|
||||
return fmt.Errorf("resource not found in state")
|
||||
}
|
||||
|
||||
instanceState := resourceState.Primary
|
||||
if instanceState == nil {
|
||||
return fmt.Errorf("resource has no primary instance")
|
||||
}
|
||||
|
||||
path := instanceState.ID
|
||||
|
||||
if path != instanceState.Attributes["path"] {
|
||||
return fmt.Errorf("id doesn't match path")
|
||||
}
|
||||
if path != "secret/foo" {
|
||||
return fmt.Errorf("unexpected secret path")
|
||||
}
|
||||
|
||||
client := testProvider.Meta().(*api.Client)
|
||||
secret, err := client.Logical().Read(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading back secret: %s", err)
|
||||
}
|
||||
|
||||
if got, want := secret.Data["zip"], "zap"; got != want {
|
||||
return fmt.Errorf("'zip' data is %q; want %q", got, want)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
var testResourceGenericSecret_updateConfig = `
|
||||
|
||||
resource "vault_generic_secret" "test" {
|
||||
path = "secret/foo"
|
||||
data_json = <<EOT
|
||||
{
|
||||
"zip": "zoop"
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
`
|
||||
|
||||
func testResourceGenericSecret_updateCheck(s *terraform.State) error {
|
||||
resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
|
||||
instanceState := resourceState.Primary
|
||||
|
||||
path := instanceState.ID
|
||||
|
||||
client := testProvider.Meta().(*api.Client)
|
||||
secret, err := client.Logical().Read(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error reading back secret: %s", err)
|
||||
}
|
||||
|
||||
if got, want := secret.Data["zip"], "zoop"; got != want {
|
||||
return fmt.Errorf("'zip' data is %q; want %q", got, want)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
Loading…
Reference in New Issue