provider/vault: vault_generic_secret resource

This resource allows writing a generic secret, and indeed anything else
that obeys the expected create/update/delete lifecycle, into vault via
writes to its logical path namespace.

builtin/providers/vault/provider.go

@@ -83,6 +83,7 @@ func Provider() terraform.ResourceProvider {
 		ConfigureFunc: providerConfigure,
 
 		ResourcesMap: map[string]*schema.Resource{
+			"vault_generic_secret": genericSecretResource(),
 		},
 	}
 }

builtin/providers/vault/resource_generic_secret.go

@@ -0,0 +1,87 @@
+package vault
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform/helper/schema"
+
+	"github.com/hashicorp/vault/api"
+)
+
+func genericSecretResource() *schema.Resource {
+	return &schema.Resource{
+		Create: genericSecretResourceWrite,
+		Update: genericSecretResourceWrite,
+		Delete: genericSecretResourceDelete,
+		Read:   genericSecretResourceRead,
+
+		Schema: map[string]*schema.Schema{
+			"path": &schema.Schema{
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Full path where the generic secret will be written.",
+			},
+
+			// Data is passed as JSON so that an arbitrary structure is
+			// possible, rather than forcing e.g. all values to be strings.
+			"data_json": &schema.Schema{
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "JSON-encoded secret data to write.",
+			},
+		},
+	}
+}
+
+func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	path := d.Get("path").(string)
+
+	var data map[string]interface{}
+	err := json.Unmarshal([]byte(d.Get("data_json").(string)), &data)
+	if err != nil {
+		return fmt.Errorf("data_json %#v syntax error: %s", d.Get("data_json"), err)
+	}
+
+	log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
+	_, err = client.Logical().Write(path, data)
+	if err != nil {
+		return fmt.Errorf("error writing to Vault: %s", err)
+	}
+
+	d.SetId(path)
+
+	return nil
+}
+
+func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	path := d.Id()
+
+	log.Printf("[DEBUG] Deleting generic Vault from %s", path)
+	_, err := client.Logical().Delete(path)
+	if err != nil {
+		return fmt.Errorf("error deleting from Vault: %s", err)
+	}
+
+	return nil
+}
+
+func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
+	// We don't actually attempt to read back the secret data
+	// here, so that Terraform can be configured with a token
+	// that has only write access to the relevant part of the
+	// store.
+	//
+	// This means that Terraform cannot detect drift for
+	// generic secrets, but detecting drift seems less important
+	// than being able to limit the effect of exposure of
+	// Terraform's Vault token.
+	log.Printf("[WARN] vault_generic_secret does not automatically refresh")
+	return nil
+}

builtin/providers/vault/resource_generic_secret_test.go

@@ -0,0 +1,106 @@
+package vault
+
+import (
+	"fmt"
+	"testing"
+
+	r "github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+
+	"github.com/hashicorp/vault/api"
+)
+
+func TestResourceGenericSecret(t *testing.T) {
+	r.Test(t, r.TestCase{
+		Providers: testProviders,
+		PreCheck:  func() { testAccPreCheck(t) },
+		Steps: []r.TestStep{
+			r.TestStep{
+				Config: testResourceGenericSecret_initialConfig,
+				Check:  testResourceGenericSecret_initialCheck,
+			},
+			r.TestStep{
+				Config: testResourceGenericSecret_updateConfig,
+				Check:  testResourceGenericSecret_updateCheck,
+			},
+		},
+	})
+}
+
+var testResourceGenericSecret_initialConfig = `
+
+resource "vault_generic_secret" "test" {
+    path = "secret/foo"
+    data_json = <<EOT
+{
+    "zip": "zap"
+}
+EOT
+}
+
+`
+
+func testResourceGenericSecret_initialCheck(s *terraform.State) error {
+	resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
+	if resourceState == nil {
+		return fmt.Errorf("resource not found in state")
+	}
+
+	instanceState := resourceState.Primary
+	if instanceState == nil {
+		return fmt.Errorf("resource has no primary instance")
+	}
+
+	path := instanceState.ID
+
+	if path != instanceState.Attributes["path"] {
+		return fmt.Errorf("id doesn't match path")
+	}
+	if path != "secret/foo" {
+		return fmt.Errorf("unexpected secret path")
+	}
+
+	client := testProvider.Meta().(*api.Client)
+	secret, err := client.Logical().Read(path)
+	if err != nil {
+		return fmt.Errorf("error reading back secret: %s", err)
+	}
+
+	if got, want := secret.Data["zip"], "zap"; got != want {
+		return fmt.Errorf("'zip' data is %q; want %q", got, want)
+	}
+
+	return nil
+}
+
+var testResourceGenericSecret_updateConfig = `
+
+resource "vault_generic_secret" "test" {
+    path = "secret/foo"
+    data_json = <<EOT
+{
+    "zip": "zoop"
+}
+EOT
+}
+
+`
+
+func testResourceGenericSecret_updateCheck(s *terraform.State) error {
+	resourceState := s.Modules[0].Resources["vault_generic_secret.test"]
+	instanceState := resourceState.Primary
+
+	path := instanceState.ID
+
+	client := testProvider.Meta().(*api.Client)
+	secret, err := client.Logical().Read(path)
+	if err != nil {
+		return fmt.Errorf("error reading back secret: %s", err)
+	}
+
+	if got, want := secret.Data["zip"], "zoop"; got != want {
+		return fmt.Errorf("'zip' data is %q; want %q", got, want)
+	}
+
+	return nil
+}