-
Notifications
You must be signed in to change notification settings - Fork 549
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: data_source vault_transit_secret_backend_key
- Loading branch information
1 parent
9af82cb
commit 2173beb
Showing
4 changed files
with
251 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,176 @@ | ||
// Copyright (c) HashiCorp, Inc. | ||
// SPDX-License-Identifier: MPL-2.0 | ||
|
||
package vault | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"log" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/diag" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
|
||
"github.com/hashicorp/terraform-provider-vault/internal/consts" | ||
"github.com/hashicorp/terraform-provider-vault/internal/provider" | ||
) | ||
|
||
func transitSecretBackendKeyDataSource() *schema.Resource { | ||
return &schema.Resource{ | ||
ReadContext: provider.ReadContextWrapper(readTransitSecretBackendKey), | ||
Schema: map[string]*schema.Schema{ | ||
consts.FieldBackend: { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
Description: "Full path where transit backend is mounted.", | ||
}, | ||
consts.FieldName: { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
Description: "Name of the key.", | ||
}, | ||
"type": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "Specifies the type of the key.", | ||
}, | ||
"deletion_allowed": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Specifies if the key is allowed to be deleted.", | ||
}, | ||
"derived": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Specifies if key derivation is used.", | ||
}, | ||
"exportable": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Speficies if keys is exportable.", | ||
}, | ||
"allow_plaintext_backup": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Specifies if taking backup of named key in the plaintext format is enabled.", | ||
}, | ||
"keys": { | ||
Type: schema.TypeList, | ||
Computed: true, | ||
Description: "List of key versions in the keyring with the corresponding creation time, name and public key.", | ||
Elem: &schema.Resource{ | ||
Schema: map[string]*schema.Schema{ | ||
"creation_time": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
}, | ||
"name": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
}, | ||
"public_key": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
}, | ||
"certificate_chain": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
}, | ||
}, | ||
}, | ||
}, | ||
"min_decryption_version": { | ||
Type: schema.TypeInt, | ||
Computed: true, | ||
Description: "Minimum key version to use for decryption.", | ||
}, | ||
"min_encryption_version": { | ||
Type: schema.TypeInt, | ||
Computed: true, | ||
Description: "Minimum key version to use for encryption.", | ||
}, | ||
"supports_encryption": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Whether or not the key supports encryption, based on key type.", | ||
}, | ||
"supports_decryption": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Whether or not the key supports decryption, based on key type.", | ||
}, | ||
"supports_derivation": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Whether or not the key supports derivation, based on key type.", | ||
}, | ||
"supports_signing": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Whether or not the key supports signing, based on key type.", | ||
}, | ||
"imported": { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Specifies if the key is imported.", | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func readTransitSecretBackendKey(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
client, err := provider.GetClient(d, meta) | ||
if err != nil { | ||
return diag.FromErr(err) | ||
} | ||
|
||
backend := d.Get(consts.FieldBackend).(string) | ||
keyName := d.Get(consts.FieldName).(string) | ||
path := fmt.Sprintf("%s/keys/%s", backend, keyName) | ||
|
||
resp, err := client.Logical().ReadWithContext(ctx, path) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("error reading from Vault: %s", err)) | ||
} | ||
log.Printf("[DEBUG] Read %q from Vault", path) | ||
if resp == nil { | ||
return diag.FromErr(fmt.Errorf("no key found at %q", path)) | ||
} | ||
|
||
d.SetId(path) | ||
|
||
keyComputedFields := []string{ | ||
"type", | ||
"deletion_allowed", | ||
"derived", | ||
"exportable", | ||
"allow_plaintext_backup", | ||
"min_decryption_version", | ||
"min_encryption_version", | ||
"supports_encryption", | ||
"supports_decryption", | ||
"supports_derivation", | ||
"supports_signing", | ||
"imported", | ||
} | ||
|
||
for _, k := range keyComputedFields { | ||
if err := d.Set(k, resp.Data[k]); err != nil { | ||
return diag.FromErr(err) | ||
} | ||
} | ||
|
||
var keys []interface{} | ||
for _, keyData := range resp.Data["keys"].(map[string]interface{}) { | ||
keyMap := keyData.(map[string]interface{}) | ||
keys = append(keys, keyMap) | ||
} | ||
|
||
if err := d.Set("keys", keys); err != nil { | ||
return diag.FromErr(err) | ||
} | ||
|
||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
// Copyright (c) HashiCorp, Inc. | ||
// SPDX-License-Identifier: MPL-2.0 | ||
|
||
package vault | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" | ||
|
||
"github.com/hashicorp/terraform-provider-vault/internal/consts" | ||
"github.com/hashicorp/terraform-provider-vault/internal/provider" | ||
"github.com/hashicorp/terraform-provider-vault/testutil" | ||
) | ||
|
||
func TestAccDataSourceTransitSecretKey(t *testing.T) { | ||
backend := acctest.RandomWithPrefix("tf-test-transit-backend") | ||
keyName := acctest.RandomWithPrefix("tf-test-transit-key") | ||
dataName := "data.vault_transit_secret_backend_key.test" | ||
resource.Test(t, resource.TestCase{ | ||
ProviderFactories: providerFactories, | ||
PreCheck: func() { | ||
testutil.TestAccPreCheck(t) | ||
SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion111) | ||
}, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testTransitSecretKeyDataSource(backend, keyName), | ||
Check: resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttr(dataName, consts.FieldBackend, backend), | ||
resource.TestCheckResourceAttr(dataName, consts.FieldName, keyName), | ||
resource.TestCheckResourceAttr(dataName, "type", "rsa-4096"), | ||
resource.TestCheckResourceAttr(dataName, "deletion_allowed", "true"), | ||
resource.TestCheckResourceAttr(dataName, "exportable", "true"), | ||
resource.TestCheckResourceAttr(dataName, "keys.0.name", "rsa-4096"), | ||
resource.TestCheckResourceAttr(dataName, "keys.0.certificate_chain", ""), | ||
resource.TestCheckResourceAttrSet(dataName, "keys.0.creation_time"), | ||
resource.TestCheckResourceAttrSet(dataName, "keys.0.public_key"), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testTransitSecretKeyDataSource(path, keyName string) string { | ||
return fmt.Sprintf(` | ||
resource "vault_mount" "test" { | ||
path = "%s" | ||
type = "transit" | ||
description = "Transit engine mount" | ||
} | ||
resource "vault_transit_secret_backend_key" "test" { | ||
backend = vault_mount.test.path | ||
name = "%s" | ||
type = "rsa-4096" | ||
deletion_allowed = true | ||
exportable = true | ||
} | ||
data "vault_transit_secret_backend_key" "test" { | ||
backend = vault_mount.test.path | ||
name = vault_transit_secret_backend_key.test.name | ||
}`, path, keyName) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters