provider/vault: vault_generic_secret resource

This resource allows writing a generic secret, and indeed anything else
that obeys the expected create/update/delete lifecycle, into vault via
writes to its logical path namespace.
This commit is contained in:
Martin Atkins 2016-09-30 15:12:54 -07:00
parent b2b5831205
commit c1d1f902f5
3 changed files with 194 additions and 0 deletions

View File

@ -83,6 +83,7 @@ func Provider() terraform.ResourceProvider {
ConfigureFunc: providerConfigure, ConfigureFunc: providerConfigure,
ResourcesMap: map[string]*schema.Resource{ ResourcesMap: map[string]*schema.Resource{
"vault_generic_secret": genericSecretResource(),
}, },
} }
} }

View File

@ -0,0 +1,87 @@
package vault
import (
"encoding/json"
"fmt"
"log"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/vault/api"
)
func genericSecretResource() *schema.Resource {
return &schema.Resource{
Create: genericSecretResourceWrite,
Update: genericSecretResourceWrite,
Delete: genericSecretResourceDelete,
Read: genericSecretResourceRead,
Schema: map[string]*schema.Schema{
"path": &schema.Schema{
Type: schema.TypeString,
Required: true,
ForceNew: true,
Description: "Full path where the generic secret will be written.",
},
// Data is passed as JSON so that an arbitrary structure is
// possible, rather than forcing e.g. all values to be strings.
"data_json": &schema.Schema{
Type: schema.TypeString,
Required: true,
Description: "JSON-encoded secret data to write.",
},
},
}
}
func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
path := d.Get("path").(string)
var data map[string]interface{}
err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)
if err != nil {
return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)
}
log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
_, err = client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error writing to Vault: %s", err)
}
d.SetId(path)
return nil
}
func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*api.Client)
path := d.Id()
log.Printf("[DEBUG] Deleting generic Vault from %s", path)
_, err := client.Logical().Delete(path)
if err != nil {
return fmt.Errorf("error deleting from Vault: %s", err)
}
return nil
}
func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
// We don't actually attempt to read back the secret data
// here, so that Terraform can be configured with a token
// that has only write access to the relevant part of the
// store.
//
// This means that Terraform cannot detect drift for
// generic secrets, but detecting drift seems less important
// than being able to limit the effect of exposure of
// Terraform's Vault token.
log.Printf("[WARN] vault_generic_secret does not automatically refresh")
return nil
}

View File

@ -0,0 +1,106 @@
package vault
import (
"fmt"
"testing"
r "github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
"github.com/hashicorp/vault/api"
)
func TestResourceGenericSecret(t *testing.T) {
r.Test(t, r.TestCase{
Providers: testProviders,
PreCheck: func() { testAccPreCheck(t) },
Steps: []r.TestStep{
r.TestStep{
Config: testResourceGenericSecret_initialConfig,
Check: testResourceGenericSecret_initialCheck,
},
r.TestStep{
Config: testResourceGenericSecret_updateConfig,
Check: testResourceGenericSecret_updateCheck,
},
},
})
}
var testResourceGenericSecret_initialConfig = `
resource "vault_generic_secret" "test" {
path = "secret/foo"
data_json = <<EOT
{
"zip": "zap"
}
EOT
}
`
func testResourceGenericSecret_initialCheck(s *terraform.State) error {
resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
if resourceState == nil {
return fmt.Errorf("resource not found in state")
}
instanceState := resourceState.Primary
if instanceState == nil {
return fmt.Errorf("resource has no primary instance")
}
path := instanceState.ID
if path != instanceState.Attributes["path"] {
return fmt.Errorf("id doesn't match path")
}
if path != "secret/foo" {
return fmt.Errorf("unexpected secret path")
}
client := testProvider.Meta().(*api.Client)
secret, err := client.Logical().Read(path)
if err != nil {
return fmt.Errorf("error reading back secret: %s", err)
}
if got, want := secret.Data["zip"], "zap"; got != want {
return fmt.Errorf("'zip' data is %q; want %q", got, want)
}
return nil
}
var testResourceGenericSecret_updateConfig = `
resource "vault_generic_secret" "test" {
path = "secret/foo"
data_json = <<EOT
{
"zip": "zoop"
}
EOT
}
`
func testResourceGenericSecret_updateCheck(s *terraform.State) error {
resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
instanceState := resourceState.Primary
path := instanceState.ID
client := testProvider.Meta().(*api.Client)
secret, err := client.Logical().Read(path)
if err != nil {
return fmt.Errorf("error reading back secret: %s", err)
}
if got, want := secret.Data["zip"], "zoop"; got != want {
return fmt.Errorf("'zip' data is %q; want %q", got, want)
}
return nil
}