diff --git a/client/cloud_credentials.go b/client/cloud_credentials.go index f240c929..92e87ccc 100644 --- a/client/cloud_credentials.go +++ b/client/cloud_credentials.go @@ -5,6 +5,7 @@ import "strings" type AwsCredentialsType string type GcpCredentialsType string type AzureCredentialsType string +type VaultCrednetialsType string type Credentials struct { Id string `json:"id"` @@ -80,6 +81,21 @@ type GcpCredentialsValuePayload struct { CredentialConfigurationFileContent string `json:"credentialConfigurationFileContent,omitempty"` } +type VaultCredentialsValuePayload struct { + Address string `json:"address"` + JwtAuthBackendPath string `json:"jwtAuthBackendPath"` + RoleName string `json:"roleName"` + Version string `json:"version"` + Namespace string `json:"namespace,omitempty"` +} + +type VaultCredentialsCreatePayload struct { + Name string `json:"name"` + OrganizationId string `json:"organizationId"` + Type VaultCrednetialsType `json:"type"` + Value VaultCredentialsValuePayload `json:"value"` +} + func (c *GoogleCostCredentialsCreatePayload) SetOrganizationId(organizationId string) { c.OrganizationId = organizationId } @@ -96,6 +112,10 @@ func (c *AzureCredentialsCreatePayload) SetOrganizationId(organizationId string) c.OrganizationId = organizationId } +func (c *VaultCredentialsCreatePayload) SetOrganizationId(organizationId string) { + c.OrganizationId = organizationId +} + const ( AwsCostCredentialsType AwsCredentialsType = "AWS_ASSUMED_ROLE" AwsAssumedRoleCredentialsType AwsCredentialsType = "AWS_ASSUMED_ROLE_FOR_DEPLOYMENT" @@ -107,6 +127,7 @@ const ( AzureCostCredentialsType AzureCredentialsType = "AZURE_CREDENTIALS" AzureServicePrincipalCredentialsType AzureCredentialsType = "AZURE_SERVICE_PRINCIPAL_FOR_DEPLOYMENT" AzureOidcCredentialsType AzureCredentialsType = "AZURE_OIDC" + VaultOidcCredentialsType VaultCrednetialsType = "VAULT_OIDC" ) func (client *ApiClient) CloudCredentials(id string) (Credentials, error) { diff --git a/env0/credentials.go b/env0/credentials.go index 4e78c93e..215e1972 100644 --- a/env0/credentials.go +++ b/env0/credentials.go @@ -24,6 +24,7 @@ const ( GCP_TYPE CloudType = "gcp" GCP_OIDC_TYPE CloudType = "gcp_oidc" GCP_COST_TYPE CloudType = "google_cost" + VAULT_OIDC_TYPE CloudType = "vault_oidc" ) var credentialsTypeToPrefixList map[CloudType][]string = map[CloudType][]string{ @@ -36,6 +37,7 @@ var credentialsTypeToPrefixList map[CloudType][]string = map[CloudType][]string{ GCP_TYPE: {string(client.GcpServiceAccountCredentialsType)}, GCP_COST_TYPE: {string(client.GoogleCostCredentialsType)}, GCP_OIDC_TYPE: {string(client.GcpOidcCredentialsType)}, + VAULT_OIDC_TYPE: {string(client.VaultOidcCredentialsType)}, } func getCredentialsByName(name string, prefixList []string, meta interface{}) (client.Credentials, error) { diff --git a/env0/data_oidc_credentials_test.go b/env0/data_oidc_credentials_test.go index 04970fd2..4764a798 100644 --- a/env0/data_oidc_credentials_test.go +++ b/env0/data_oidc_credentials_test.go @@ -15,6 +15,7 @@ func TestOidcCredentialDataSource(t *testing.T) { {"env0_aws_oidc_credentials", string(client.AwsOidcCredentialsType)}, {"env0_azure_oidc_credentials", string(client.AzureOidcCredentialsType)}, {"env0_gcp_oidc_credentials", string(client.GcpOidcCredentialsType)}, + {"env0_vault_oidc_credentials", string(client.VaultOidcCredentialsType)}, } for _, test := range tests { diff --git a/env0/provider.go b/env0/provider.go index 2777f527..b5b81155 100644 --- a/env0/provider.go +++ b/env0/provider.go @@ -74,6 +74,7 @@ func Provider(version string) plugin.ProviderFunc { "env0_gcp_oidc_credentials": dataOidcCredentials(GCP_OIDC_TYPE), "env0_azure_credentials": dataCredentials(AZURE_TYPE), "env0_azure_oidc_credentials": dataOidcCredentials(AZURE_OIDC_TYPE), + "env0_vault_oidc_credentials": dataOidcCredentials(VAULT_OIDC_TYPE), "env0_team": dataTeam(), "env0_teams": dataTeams(), "env0_environment": dataEnvironment(), @@ -111,6 +112,7 @@ func Provider(version string) plugin.ProviderFunc { "env0_gcp_cost_credentials": resourceCostCredentials("google"), "env0_gcp_credentials": resourceGcpCredentials(), "env0_gcp_oidc_credentials": resourceGcpOidcCredentials(), + "env0_vault_oidc_credentials": resourceVaultOidcCredentials(), "env0_template_project_assignment": resourceTemplateProjectAssignment(), "env0_cloud_credentials_project_assignment": resourceCloudCredentialsProjectAssignment(), "env0_cost_credentials_project_assignment": resourceCostCredentialsProjectAssignment(), diff --git a/env0/resource_vault_oidc_credentials.go b/env0/resource_vault_oidc_credentials.go new file mode 100644 index 00000000..32fbd100 --- /dev/null +++ b/env0/resource_vault_oidc_credentials.go @@ -0,0 +1,109 @@ +package env0 + +import ( + "context" + "fmt" + + "github.com/env0/terraform-provider-env0/client" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func resourceVaultOidcCredentials() *schema.Resource { + return &schema.Resource{ + CreateContext: resourceVaultOidcCredentialsCreate, + UpdateContext: resourceVaultOidcCredentialsUpdate, + ReadContext: resourceCredentialsRead(VAULT_OIDC_TYPE), + DeleteContext: resourceCredentialsDelete, + + Importer: &schema.ResourceImporter{StateContext: resourceCredentialsImport(VAULT_OIDC_TYPE)}, + + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Description: "name for the oidc credentials", + Required: true, + ForceNew: true, + }, + "address": { + Type: schema.TypeString, + Description: "the vault address, including port", + Required: true, + }, + "version": { + Type: schema.TypeString, + Description: "the vault version to use", + Required: true, + }, + "role_name": { + Type: schema.TypeString, + Description: "the vault role name", + Required: true, + }, + "jwt_auth_backend_path": { + Type: schema.TypeString, + Description: "path to the new authentication method", + Required: true, + }, + "namespace": { + Type: schema.TypeString, + Description: "an optional vault namespace", + Optional: true, + }, + }, + } +} + +func vaultOidcCredentialsGetValue(d *schema.ResourceData) (client.VaultCredentialsValuePayload, error) { + var value client.VaultCredentialsValuePayload + + if err := readResourceData(&value, d); err != nil { + return value, fmt.Errorf("schema resource data deserialization failed: %w", err) + } + + return value, nil +} + +func resourceVaultOidcCredentialsCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + apiClient := meta.(client.ApiClientInterface) + + value, err := vaultOidcCredentialsGetValue(d) + if err != nil { + return diag.FromErr(err) + } + + request := client.VaultCredentialsCreatePayload{ + Name: d.Get("name").(string), + Value: value, + Type: client.VaultOidcCredentialsType, + } + + credentials, err := apiClient.CredentialsCreate(&request) + if err != nil { + return diag.Errorf("could not create vault oidc credentials: %v", err) + } + + d.SetId(credentials.Id) + + return nil +} + +func resourceVaultOidcCredentialsUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + apiClient := meta.(client.ApiClientInterface) + + value, err := vaultOidcCredentialsGetValue(d) + if err != nil { + return diag.FromErr(err) + } + + request := client.VaultCredentialsCreatePayload{ + Value: value, + Type: client.VaultOidcCredentialsType, + } + + if _, err := apiClient.CredentialsUpdate(d.Id(), &request); err != nil { + return diag.Errorf("could not update vault oidc credentials: %s %v", d.Id(), err) + } + + return nil +} diff --git a/env0/resource_vault_oidc_credentials_test.go b/env0/resource_vault_oidc_credentials_test.go new file mode 100644 index 00000000..6e3c5d4b --- /dev/null +++ b/env0/resource_vault_oidc_credentials_test.go @@ -0,0 +1,251 @@ +package env0 + +import ( + "fmt" + "regexp" + "testing" + + "github.com/env0/terraform-provider-env0/client" + "github.com/env0/terraform-provider-env0/client/http" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "go.uber.org/mock/gomock" +) + +func TestUnitVaultOidcCredentialsResource(t *testing.T) { + resourceType := "env0_vault_oidc_credentials" + resourceName := "test" + resourceNameImport := resourceType + "." + resourceName + accessor := resourceAccessor(resourceType, resourceName) + + vaultCredentialsResource := map[string]interface{}{ + "name": "test", + "address": "http://fake1.com:80", + "version": "version1", + "role_name": "rolename1", + "jwt_auth_backend_path": "path1", + "namespace": "namespace1", + } + + updatedVaultCredentialsResource := map[string]interface{}{ + "name": "test", + "address": "http://fake2.com:80", + "version": "version2", + "role_name": "rolename2", + "jwt_auth_backend_path": "path2", + } + + createPayload := client.VaultCredentialsCreatePayload{ + Name: vaultCredentialsResource["name"].(string), + Value: client.VaultCredentialsValuePayload{ + Address: vaultCredentialsResource["address"].(string), + Version: vaultCredentialsResource["version"].(string), + RoleName: vaultCredentialsResource["role_name"].(string), + JwtAuthBackendPath: vaultCredentialsResource["jwt_auth_backend_path"].(string), + Namespace: vaultCredentialsResource["namespace"].(string), + }, + Type: client.VaultOidcCredentialsType, + } + + updatePayload := client.VaultCredentialsCreatePayload{ + Value: client.VaultCredentialsValuePayload{ + Address: updatedVaultCredentialsResource["address"].(string), + Version: updatedVaultCredentialsResource["version"].(string), + RoleName: updatedVaultCredentialsResource["role_name"].(string), + JwtAuthBackendPath: updatedVaultCredentialsResource["jwt_auth_backend_path"].(string), + }, + Type: client.VaultOidcCredentialsType, + } + + returnValues := client.Credentials{ + Id: "f595c4b6-0a24-4c22-89f7-7030045de30f", + Name: "test", + OrganizationId: "id", + Type: string(client.VaultOidcCredentialsType), + } + + otherTypeReturnValues := client.Credentials{ + Id: "f595c4b6-0a24-4c22-89f7-7030045de30a", + Name: "test", + OrganizationId: "id", + Type: "AWS_....", + } + + updateReturnValues := client.Credentials{ + Id: returnValues.Id, + Name: returnValues.Name, + OrganizationId: "id", + Type: string(client.VaultOidcCredentialsType), + } + + testCaseForCreateAndUpdate := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(accessor, "id", returnValues.Id), + resource.TestCheckResourceAttr(accessor, "name", vaultCredentialsResource["name"].(string)), + resource.TestCheckResourceAttr(accessor, "address", vaultCredentialsResource["address"].(string)), + resource.TestCheckResourceAttr(accessor, "version", vaultCredentialsResource["version"].(string)), + resource.TestCheckResourceAttr(accessor, "role_name", vaultCredentialsResource["role_name"].(string)), + resource.TestCheckResourceAttr(accessor, "jwt_auth_backend_path", vaultCredentialsResource["jwt_auth_backend_path"].(string)), + resource.TestCheckResourceAttr(accessor, "namespace", vaultCredentialsResource["namespace"].(string)), + ), + }, + { + Config: resourceConfigCreate(resourceType, resourceName, updatedVaultCredentialsResource), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(accessor, "id", updateReturnValues.Id), + resource.TestCheckResourceAttr(accessor, "name", updatedVaultCredentialsResource["name"].(string)), + resource.TestCheckResourceAttr(accessor, "address", updatedVaultCredentialsResource["address"].(string)), + resource.TestCheckResourceAttr(accessor, "version", updatedVaultCredentialsResource["version"].(string)), + resource.TestCheckResourceAttr(accessor, "role_name", updatedVaultCredentialsResource["role_name"].(string)), + resource.TestCheckResourceAttr(accessor, "jwt_auth_backend_path", updatedVaultCredentialsResource["jwt_auth_backend_path"].(string)), + resource.TestCheckResourceAttr(accessor, "namespace", ""), + ), + }, + }, + } + + t.Run("create and update", func(t *testing.T) { + runUnitTest(t, testCaseForCreateAndUpdate, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(2).Return(returnValues, nil), + mock.EXPECT().CredentialsUpdate(returnValues.Id, &updatePayload).Times(1).Return(updateReturnValues, nil), + mock.EXPECT().CloudCredentials(updateReturnValues.Id).Times(1).Return(updateReturnValues, nil), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) + + t.Run("drift", func(t *testing.T) { + stepConfig := resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource) + + createTestCase := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: stepConfig, + }, + { + Config: stepConfig, + }, + }, + } + + runUnitTest(t, createTestCase, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, http.NewMockFailedResponseError(404)), + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) + + t.Run("import by name", func(t *testing.T) { + testCase := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource), + }, + { + ResourceName: resourceNameImport, + ImportState: true, + ImportStateId: vaultCredentialsResource["name"].(string), + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"address", "version", "role_name", "jwt_auth_backend_path", "namespace"}, + }, + }, + } + + runUnitTest(t, testCase, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentialsList().Times(1).Return([]client.Credentials{otherTypeReturnValues, returnValues}, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) + + t.Run("import by id", func(t *testing.T) { + testCase := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource), + }, + { + ResourceName: resourceNameImport, + ImportState: true, + ImportStateId: returnValues.Id, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"address", "version", "role_name", "jwt_auth_backend_path", "namespace"}, + }, + }, + } + + runUnitTest(t, testCase, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(3).Return(returnValues, nil), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) + + t.Run("import by id not found", func(t *testing.T) { + testCase := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource), + }, + { + ResourceName: resourceNameImport, + ImportState: true, + ImportStateId: otherTypeReturnValues.Id, + ImportStateVerify: true, + ExpectError: regexp.MustCompile("credentials not found"), + }, + }, + } + + runUnitTest(t, testCase, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(otherTypeReturnValues.Id).Times(1).Return(client.Credentials{}, &client.NotFoundError{}), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) + + t.Run("import by name not found", func(t *testing.T) { + testCase := resource.TestCase{ + Steps: []resource.TestStep{ + { + Config: resourceConfigCreate(resourceType, resourceName, vaultCredentialsResource), + }, + { + ResourceName: resourceNameImport, + ImportState: true, + ImportStateId: vaultCredentialsResource["name"].(string), + ImportStateVerify: true, + ExpectError: regexp.MustCompile(fmt.Sprintf("credentials with name %v not found", vaultCredentialsResource["name"].(string))), + }, + }, + } + + runUnitTest(t, testCase, func(mock *client.MockApiClientInterface) { + gomock.InOrder( + mock.EXPECT().CredentialsCreate(&createPayload).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentials(returnValues.Id).Times(1).Return(returnValues, nil), + mock.EXPECT().CloudCredentialsList().Times(1).Return([]client.Credentials{otherTypeReturnValues}, nil), + mock.EXPECT().CloudCredentialsDelete(returnValues.Id).Times(1).Return(nil), + ) + }) + }) +} diff --git a/examples/data-sources/env0_vault_oidc_credentials/data-source.tf b/examples/data-sources/env0_vault_oidc_credentials/data-source.tf new file mode 100644 index 00000000..0153e1c9 --- /dev/null +++ b/examples/data-sources/env0_vault_oidc_credentials/data-source.tf @@ -0,0 +1,16 @@ +resource "env0_vault_oidc_credentials" "example" { + name = "example" + address = "http://fake1.com:80" + version = "version" + role_name = "role_name" + jwt_auth_backend_path = "path" + namespace = "namespace" +} + +data "env0_vault_oidc_credentials" "by_id" { + id = env0_vault_oidc_credentials.example.id +} + +data "env0_vault_oidc_credentials" "by_name" { + name = env0_vault_oidc_credentials.example.name +} diff --git a/examples/resources/env0_vault_oidc_credentials/import.sh b/examples/resources/env0_vault_oidc_credentials/import.sh new file mode 100644 index 00000000..a39520cf --- /dev/null +++ b/examples/resources/env0_vault_oidc_credentials/import.sh @@ -0,0 +1,2 @@ +terraform import env0_vault_oidc_credentials.by_id d31a6b30-5f69-4d24-937c-22322754934e +terraform import env0_vault_oidc_credentials.by_name "credentials name" diff --git a/examples/resources/env0_vault_oidc_credentials/resource.tf b/examples/resources/env0_vault_oidc_credentials/resource.tf new file mode 100644 index 00000000..74e398c3 --- /dev/null +++ b/examples/resources/env0_vault_oidc_credentials/resource.tf @@ -0,0 +1,8 @@ +resource "env0_vault_oidc_credentials" "example" { + name = "example" + address = "http://fake1.com:80" + version = "version" + role_name = "role_name" + jwt_auth_backend_path = "path" + namespace = "namespace" +} diff --git a/tests/integration/031_vault_credentials/conf.tf b/tests/integration/031_vault_credentials/conf.tf new file mode 100644 index 00000000..8d6d2954 --- /dev/null +++ b/tests/integration/031_vault_credentials/conf.tf @@ -0,0 +1,15 @@ +terraform { + backend "local" { + } + required_providers { + env0 = { + source = "terraform-registry.env0.com/env0/env0" + } + } +} + +provider "env0" {} + +variable "second_run" { + default = false +} diff --git a/tests/integration/031_vault_credentials/expected_outputs.json b/tests/integration/031_vault_credentials/expected_outputs.json new file mode 100644 index 00000000..2c63c085 --- /dev/null +++ b/tests/integration/031_vault_credentials/expected_outputs.json @@ -0,0 +1,2 @@ +{ +} diff --git a/tests/integration/031_vault_credentials/main.tf b/tests/integration/031_vault_credentials/main.tf new file mode 100644 index 00000000..b4e46870 --- /dev/null +++ b/tests/integration/031_vault_credentials/main.tf @@ -0,0 +1,20 @@ +resource "random_string" "random" { + length = 8 + special = false + min_lower = 8 +} + +resource "env0_vault_oidc_credentials" "oidc_credentials" { + name = "test vault oidc credentials ${random_string.random.result}" + address = "http://fake1.com:80" + version = "version" + role_name = "role_name" + jwt_auth_backend_path = "path" + namespace = "namespace" +} + +data "env0_vault_oidc_credentials" "oidc_credentials" { + name = "test vault oidc credentials ${random_string.random.result}" + depends_on = [env0_vault_oidc_credentials.oidc_credentials] +} +