Add resource_secret and resource_access_secret

README.md

@@ -82,4 +82,4 @@ grep "@module=juju.datasource" ./terraform.log
 To find logs specific to the juju client talking to juju itself:
 ```shell
 grep "@module=juju.client" ./terraform.log
-```
+```

docs/resources/access_secret.md

@@ -0,0 +1,22 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "juju_access_secret Resource - terraform-provider-juju"
+subcategory: ""
+description: |-
+  A resource that represents a Juju secret access.
+---
+
+# juju_access_secret (Resource)
+
+A resource that represents a Juju secret access.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `applications` (List of String) The list of applications to which the secret is granted or revoked.
+- `model` (String) The model in which the secret belongs.
+- `secret_id` (String) The ID of the secret.

docs/resources/secret.md

@@ -10,7 +10,19 @@ description: |-
 
 A resource that represents a Juju secret.
 
-
+## Example Usage
+
+```terraform
+resource "juju_secret" "this" {
+  model = juju_model.development.name
+  name  = "this_secret_name"
+  value = {
+    key1 = "value1"
+    key2 = "value2"
+  }
+  info = "This is the secret"
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -28,3 +40,20 @@ A resource that represents a Juju secret.
 ### Read-Only
 
 - `secret_id` (String) The ID of the secret.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Secrets can be imported by using the URI as in the juju show-secrets output.
+# Example:
+# $juju show-secret secret-name
+# coh2uo2ji6m0ue9a7tj0:
+#   revision: 1
+#   owner: <model>
+#   name: secret-name
+#   created: 2024-04-19T08:46:25Z
+#   updated: 2024-04-19T08:46:25Z
+$ terraform import juju_secret.secret-name coh2uo2ji6m0ue9a7tj0
+```

examples/resources/juju_secret/import.sh

@@ -0,0 +1,10 @@
+# Secrets can be imported by using the URI as in the juju show-secrets output.
+# Example:
+# $juju show-secret secret-name
+# coh2uo2ji6m0ue9a7tj0:
+#   revision: 1
+#   owner: <model>
+#   name: secret-name
+#   created: 2024-04-19T08:46:25Z
+#   updated: 2024-04-19T08:46:25Z
+$ terraform import juju_secret.secret-name coh2uo2ji6m0ue9a7tj0

examples/resources/juju_secret/resource.tf

@@ -0,0 +1,9 @@
+resource "juju_secret" "this" {
+  model = juju_model.development.name
+  name  = "this_secret_name"
+  value = {
+    key1 = "value1"
+    key2 = "value2"
+  }
+  info = "This is the secret"
+}

examples/resources/juju_secret_access/import.sh

@@ -0,0 +1,10 @@
+# Secret access can be imported by using the URI as in the juju show-secrets output.
+# Example:
+# $juju show-secret secret-name
+# coh2uo2ji6m0ue9a7tj0:
+#   revision: 1
+#   owner: <model>
+#   name: secret-name
+#   created: 2024-04-19T08:46:25Z
+#   updated: 2024-04-19T08:46:25Z
+$ terraform import juju_access_secret.access-secret-name coh2uo2ji6m0ue9a7tj0

examples/resources/juju_secret_access/resource.tf

@@ -0,0 +1,7 @@
+resource "juju_access_secret" "this" {
+  model = juju_model.development.name
+  applications = [
+    juju_application.app.name, juju_application.app2.name
+  ]
+  secret_id = juju_secret.that.secret_id
+}

go.mod

@@ -22,6 +22,7 @@ require (
 	github.com/juju/cmd/v3 v3.0.14
 	github.com/juju/collections v1.0.4
 	github.com/juju/errors v1.0.0
+	github.com/juju/names/v4 v4.0.0-20220207005702-9c6532a52823
 	github.com/juju/names/v5 v5.0.0
 	github.com/juju/retry v1.0.0
 	github.com/juju/utils/v3 v3.1.1
@@ -128,7 +129,6 @@ require (
 	github.com/juju/lumberjack/v2 v2.0.2 // indirect
 	github.com/juju/mgo/v3 v3.0.4 // indirect
 	github.com/juju/mutex/v2 v2.0.0 // indirect
-	github.com/juju/names/v4 v4.0.0-20220207005702-9c6532a52823 // indirect
 	github.com/juju/os/v2 v2.2.3 // indirect
 	github.com/juju/packaging/v2 v2.0.1 // indirect
 	github.com/juju/persistent-cookiejar v1.0.0 // indirect

internal/juju/applications_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/juju/juju/core/resources"
 	"github.com/juju/juju/environs/config"
 	"github.com/juju/juju/rpc/params"
-	"github.com/juju/names/v5"
+	"github.com/juju/names/v4"
 	"github.com/juju/utils/v3"
 	"github.com/juju/version/v2"
 	"github.com/stretchr/testify/suite"

internal/juju/client.go

@@ -24,6 +24,7 @@ const (
 	PrefixCharm         = "charm-"
 	PrefixUser          = "user-"
 	PrefixMachine       = "machine-"
+	PrefixApplication   = "application-"
 	UnspecifiedRevision = -1
 	connectionTimeout   = 30 * time.Second
 )

internal/juju/secrets.go

@@ -35,10 +35,10 @@ type secretsClient struct {
 	getSecretAPIClient func(connection api.Connection) SecretAPIClient
 }
 
-type SecretAccessAction int
+type AccessSecretAction int
 
 const (
-	GrantAccess SecretAccessAction = iota
+	GrantAccess AccessSecretAction = iota
 	RevokeAccess
 )
 
@@ -61,10 +61,11 @@ type ReadSecretInput struct {
 }
 
 type ReadSecretOutput struct {
-	SecretId string
-	Name     string
-	Value    map[string]string
-	Info     string
+	SecretId     string
+	Name         string
+	Value        map[string]string
+	Applications []string
+	Info         string
 }
 
 type UpdateSecretInput struct {
@@ -81,7 +82,7 @@ type DeleteSecretInput struct {
 	ModelName string
 }
 
-type GrantRevokeSecretAccessInput struct {
+type GrantRevokeAccessSecretInput struct {
 	SecretId     string
 	ModelName    string
 	Applications []string
@@ -176,11 +177,15 @@ func (c *secretsClient) ReadSecret(input *ReadSecretInput) (ReadSecretOutput, er
 		return ReadSecretOutput{}, err
 	}
 
+	// Get applications from Access info
+	applications := getApplicationsFromAccessInfo(results[0].Access)
+
 	return ReadSecretOutput{
-		SecretId: results[0].Metadata.URI.String(),
-		Name:     results[0].Metadata.Label,
-		Value:    decodedValue,
-		Info:     results[0].Metadata.Description,
+		SecretId:     results[0].Metadata.URI.String(),
+		Name:         results[0].Metadata.Label,
+		Value:        decodedValue,
+		Applications: applications,
+		Info:         results[0].Metadata.Description,
 	}, nil
 }
 
@@ -266,8 +271,8 @@ func (c *secretsClient) DeleteSecret(input *DeleteSecretInput) error {
 	return nil
 }
 
-// UpdateSecretAccess updates access to a secret.
-func (c *secretsClient) UpdateSecretAccess(input *GrantRevokeSecretAccessInput, op SecretAccessAction) error {
+// UpdateAccessSecret updates access to a secret.
+func (c *secretsClient) UpdateAccessSecret(input *GrantRevokeAccessSecretInput, op AccessSecretAction) error {
 	conn, err := c.GetConnection(&input.ModelName)
 	if err != nil {
 		return err
@@ -301,3 +306,13 @@ func (c *secretsClient) UpdateSecretAccess(input *GrantRevokeSecretAccessInput,
 
 	return nil
 }
+
+// getApplicationsFromAccessInfo returns a list of applications from the access info.
+func getApplicationsFromAccessInfo(accessInfo []coresecrets.AccessInfo) []string {
+	applications := make([]string, 0, len(accessInfo))
+	for _, info := range accessInfo {
+		// Trim the prefix "application-" from the application name (info.Target)
+		applications = append(applications, strings.TrimPrefix(info.Target, PrefixApplication))
+	}
+	return applications
+}

internal/juju/secrets_test.go

@@ -301,7 +301,7 @@ func (s *SecretSuite) TestDeleteSecret() {
 	s.Assert().NoError(err)
 }
 
-func (s *SecretSuite) TestUpdateSecretAccess() {
+func (s *SecretSuite) TestUpdateAccessSecret() {
 	ctlr := s.setupMocks(s.T())
 	defer ctlr.Finish()
 
@@ -315,14 +315,14 @@ func (s *SecretSuite) TestUpdateSecretAccess() {
 	s.mockSecretClient.EXPECT().RevokeSecret(secretURI, "", applications).Return([]error{nil}, nil).AnyTimes()
 
 	client := s.getSecretsClient()
-	err = client.UpdateSecretAccess(&GrantRevokeSecretAccessInput{
+	err = client.UpdateAccessSecret(&GrantRevokeAccessSecretInput{
 		SecretId:     secretId,
 		ModelName:    s.testModelName,
 		Applications: applications,
 	}, GrantAccess)
 	s.Require().NoError(err)
 
-	err = client.UpdateSecretAccess(&GrantRevokeSecretAccessInput{
+	err = client.UpdateAccessSecret(&GrantRevokeAccessSecretInput{
 		SecretId:     secretId,
 		ModelName:    s.testModelName,
 		Applications: applications,

internal/provider/helpers.go

@@ -21,15 +21,16 @@ const (
 	LogDataSourceOffer   = "datasource-offer"
 	LogDataSourceSecret  = "datasource-secret"
 
-	LogResourceApplication = "resource-application"
-	LogResourceAccessModel = "resource-assess-model"
-	LogResourceCredential  = "resource-credential"
-	LogResourceMachine     = "resource-machine"
-	LogResourceModel       = "resource-model"
-	LogResourceOffer       = "resource-offer"
-	LogResourceSSHKey      = "resource-sshkey"
-	LogResourceUser        = "resource-user"
-	LogResourceSecret      = "resource-secret"
+	LogResourceApplication  = "resource-application"
+	LogResourceAccessModel  = "resource-assess-model"
+	LogResourceCredential   = "resource-credential"
+	LogResourceMachine      = "resource-machine"
+	LogResourceModel        = "resource-model"
+	LogResourceOffer        = "resource-offer"
+	LogResourceSSHKey       = "resource-sshkey"
+	LogResourceUser         = "resource-user"
+	LogResourceSecret       = "resource-secret"
+	LogResourceAccessSecret = "resource-access-secret"
 )
 
 const LogResourceIntegration = "resource-integration"

internal/provider/main_test.go

@@ -19,6 +19,7 @@ const TestCloudEnvKey string = "TEST_CLOUD"
 const TestMachineIPEnvKey string = "TEST_ADD_MACHINE_IP"
 const TestSSHPublicKeyFileEnvKey string = "TEST_SSH_PUB_KEY_PATH"
 const TestSSHPrivateKeyFileEnvKey string = "TEST_SSH_PRIV_KEY_PATH"
+const TestJujuAgentVersion = "JUJU_AGENT_VERSION"
 
 // CloudTesting is a value indicating the current cloud
 // available for testing

internal/provider/provider.go

@@ -293,6 +293,7 @@ func (p *jujuProvider) Resources(_ context.Context) []func() resource.Resource {
 		func() resource.Resource { return NewSSHKeyResource() },
 		func() resource.Resource { return NewUserResource() },
 		func() resource.Resource { return NewSecretResource() },
+		func() resource.Resource { return NewAccessSecretResource() },
 	}
 }