Feat: add new OIDC credentials creation and assignment (vault)
TomerHeber committed Jan 14, 2024
1 parent 102d637 commit 1df0014
Showing 12 changed files with 449 additions and 0 deletions.
21 changes: 21 additions & 0 deletions client/cloud_credentials.go
Expand Up @@ -5,6 +5,7 @@ import "strings"
type AwsCredentialsType string
type GcpCredentialsType string
type AzureCredentialsType string
type VaultCrednetialsType string

type Credentials struct {
Id string `json:"id"`
Expand Down Expand Up @@ -80,6 +81,21 @@ type GcpCredentialsValuePayload struct {
CredentialConfigurationFileContent string `json:"credentialConfigurationFileContent,omitempty"`
}

type VaultCredentialsValuePayload struct {
Address string `json:"address"`
JwtAuthBackendPath string `json:"jwtAuthBackendPath"`
RoleName string `json:"roleName"`
Version string `json:"version"`
Namespace string `json:"namespace,omitempty"`
}

type VaultCredentialsCreatePayload struct {
Name string `json:"name"`
OrganizationId string `json:"organizationId"`
Type VaultCrednetialsType `json:"type"`
Value VaultCredentialsValuePayload `json:"value"`
}

func (c *GoogleCostCredentialsCreatePayload) SetOrganizationId(organizationId string) {
c.OrganizationId = organizationId
}
Expand All @@ -96,6 +112,10 @@ func (c *AzureCredentialsCreatePayload) SetOrganizationId(organizationId string)
c.OrganizationId = organizationId
}

func (c *VaultCredentialsCreatePayload) SetOrganizationId(organizationId string) {
c.OrganizationId = organizationId
}

const (
AwsCostCredentialsType AwsCredentialsType = "AWS_ASSUMED_ROLE"
AwsAssumedRoleCredentialsType AwsCredentialsType = "AWS_ASSUMED_ROLE_FOR_DEPLOYMENT"
Expand All @@ -107,6 +127,7 @@ const (
AzureCostCredentialsType AzureCredentialsType = "AZURE_CREDENTIALS"
AzureServicePrincipalCredentialsType AzureCredentialsType = "AZURE_SERVICE_PRINCIPAL_FOR_DEPLOYMENT"
AzureOidcCredentialsType AzureCredentialsType = "AZURE_OIDC"
VaultOidcCredentialsType VaultCrednetialsType = "VAULT_OIDC"
)

func (client *ApiClient) CloudCredentials(id string) (Credentials, error) {
Expand Down
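Review bot: The exported type introduced as `type VaultCrednetialsType string` (used again in `VaultCredentialsCreatePayload.Type` and in the `VaultOidcCredentialsType` constant) is misspelled; once it ships in the client package it is public API and renaming later is a breaking change. Rename it now to `VaultCredentialsType` in all three places, matching the existing `AwsCredentialsType`/`GcpCredentialsType`/`AzureCredentialsType` naming. The new exported types also have no doc comments; a header such as `// VaultCredentialsValuePayload holds the Vault address, JWT auth backend path, role and version that env0 stores for VAULT_OIDC credentials.` would help, with the point that the Vault side uses the JWT auth method being inferred from the field names rather than visible here.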
2 changes: 2 additions & 0 deletions env0/credentials.go
Expand Up @@ -24,6 +24,7 @@ const (
GCP_TYPE CloudType = "gcp"
GCP_OIDC_TYPE CloudType = "gcp_oidc"
GCP_COST_TYPE CloudType = "google_cost"
VAULT_OIDC_TYPE CloudType = "vault_oidc"
)

var credentialsTypeToPrefixList map[CloudType][]string = map[CloudType][]string{
Expand All @@ -36,6 +37,7 @@ var credentialsTypeToPrefixList map[CloudType][]string = map[CloudType][]string{
GCP_TYPE: {string(client.GcpServiceAccountCredentialsType)},
GCP_COST_TYPE: {string(client.GoogleCostCredentialsType)},
GCP_OIDC_TYPE: {string(client.GcpOidcCredentialsType)},
VAULT_OIDC_TYPE: {string(client.VaultOidcCredentialsType)},
}

func getCredentialsByName(name string, prefixList []string, meta interface{}) (client.Credentials, error) {
Expand Down
1 change: 1 addition & 0 deletions env0/data_oidc_credentials_test.go
Expand Up @@ -15,6 +15,7 @@ func TestOidcCredentialDataSource(t *testing.T) {
{"env0_aws_oidc_credentials", string(client.AwsOidcCredentialsType)},
{"env0_azure_oidc_credentials", string(client.AzureOidcCredentialsType)},
{"env0_gcp_oidc_credentials", string(client.GcpOidcCredentialsType)},
{"env0_vault_oidc_credentials", string(client.VaultOidcCredentialsType)},
}

for _, test := range tests {
Expand Down
2 changes: 2 additions & 0 deletions env0/provider.go
Expand Up @@ -74,6 +74,7 @@ func Provider(version string) plugin.ProviderFunc {
"env0_gcp_oidc_credentials": dataOidcCredentials(GCP_OIDC_TYPE),
"env0_azure_credentials": dataCredentials(AZURE_TYPE),
"env0_azure_oidc_credentials": dataOidcCredentials(AZURE_OIDC_TYPE),
"env0_vault_oidc_credentials": dataOidcCredentials(VAULT_OIDC_TYPE),
"env0_team": dataTeam(),
"env0_teams": dataTeams(),
"env0_environment": dataEnvironment(),
Expand Down Expand Up @@ -111,6 +112,7 @@ func Provider(version string) plugin.ProviderFunc {
"env0_gcp_cost_credentials": resourceCostCredentials("google"),
"env0_gcp_credentials": resourceGcpCredentials(),
"env0_gcp_oidc_credentials": resourceGcpOidcCredentials(),
"env0_vault_oidc_credentials": resourceVaultOidcCredentials(),
"env0_template_project_assignment": resourceTemplateProjectAssignment(),
"env0_cloud_credentials_project_assignment": resourceCloudCredentialsProjectAssignment(),
"env0_cost_credentials_project_assignment": resourceCostCredentialsProjectAssignment(),
Expand Down
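--- /dev/null
+++ b/env0/resource_vault_oidc_credentials.go
@@ -0,0 +1,109 @@
+package env0
+
+import (
+"context"
+"fmt"
+
+"github.com/env0/terraform-provider-env0/client"
+"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceVaultOidcCredentials() *schema.Resource {
+return &schema.Resource{
+CreateContext: resourceVaultOidcCredentialsCreate,
+UpdateContext: resourceVaultOidcCredentialsUpdate,
+ReadContext: resourceCredentialsRead(VAULT_OIDC_TYPE),
+DeleteContext: resourceCredentialsDelete,
+
+Importer: &schema.ResourceImporter{StateContext: resourceCredentialsImport(VAULT_OIDC_TYPE)},
+
+Schema: map[string]*schema.Schema{
+"name": {
+Type: schema.TypeString,
+Description: "name for the oidc credentials",
+Required: true,
+ForceNew: true,
+},
+"address": {
+Type: schema.TypeString,
+Description: "the vault address, including port",
+Required: true,
+},
+"version": {
+Type: schema.TypeString,
+Description: "the vault version to use",
+Required: true,
+},
+"role_name": {
+Type: schema.TypeString,
+Description: "the vault role name",
+Required: true,
+},
+"jwt_auth_backend_path": {
+Type: schema.TypeString,
+Description: "path to the new authentication method",
+Required: true,
+},
+"namespace": {
+Type: schema.TypeString,
+Description: "an optional vault namespace",
+Optional: true,
+},
+},
+}
+}
+
+func vaultOidcCredentialsGetValue(d *schema.ResourceData) (client.VaultCredentialsValuePayload, error) {
+var value client.VaultCredentialsValuePayload
+
+if err := readResourceData(&value, d); err != nil {
+return value, fmt.Errorf("schema resource data deserialization failed: %w", err)
+}
+
+return value, nil
+}
+
+func resourceVaultOidcCredentialsCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+apiClient := meta.(client.ApiClientInterface)
+
+value, err := vaultOidcCredentialsGetValue(d)
+if err != nil {
+return diag.FromErr(err)
+}
+
+request := client.VaultCredentialsCreatePayload{
+Name: d.Get("name").(string),
+Value: value,
+Type: client.VaultOidcCredentialsType,
+}
+
+credentials, err := apiClient.CredentialsCreate(&request)
+if err != nil {
+return diag.Errorf("could not create vault oidc credentials: %v", err)
+}
+
+d.SetId(credentials.Id)
+
+return nil
+}
+
+func resourceVaultOidcCredentialsUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+apiClient := meta.(client.ApiClientInterface)
+
+value, err := vaultOidcCredentialsGetValue(d)
+if err != nil {
+return diag.FromErr(err)
+}
+
+request := client.VaultCredentialsCreatePayload{
+Value: value,
+Type: client.VaultOidcCredentialsType,
+}
+
+if _, err := apiClient.CredentialsUpdate(d.Id(), &request); err != nil {
+return diag.Errorf("could not update vault oidc credentials: %s %v", d.Id(), err)
+}
+
+return nil
+}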
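Review bot: The `"address"` schema entry accepts any free-form string; nothing in this resource rejects an `http://` or unparseable URL, and since this is the endpoint the env0 backend will presumably present its OIDC JWT to, a plaintext address would expose a bearer token in transit unless the backend enforces TLS (not visible from this provider code). Add `ValidateDiagFunc: validation.ToDiagFunc(validation.IsURLWithHTTPS),` to the `"address"` entry (importing `github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation`) so the misconfiguration fails at plan time rather than after a token has been sent. `"version"` is likewise unconstrained; if only a fixed set of values is valid, `validation.StringInSlice` would pin it, though the allowed values are not visible here. Separately, the `"jwt_auth_backend_path"` description "path to the new authentication method" does not say which path is meant; `"mount path of the vault jwt auth backend, e.g. \"jwt\""` would be clearer, and the two diag messages in Create/Update could drop the `%v`/`%s` mix in favour of a consistent `%v` for the error.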