-
Notifications
You must be signed in to change notification settings - Fork 545
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Terraform Cloud/Enterprise credential support #959
Conversation
Also updated tests to be more comprehensive
Tests will continue to fail until tf secrets is bundled with vault, or I create a setup script for adding the plugin to vault. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great so far! Some minor nits that may or may not be accurate, depending on how good my Terraform knowledge has kept up.
The comment on data source and resource will be had internally, I'll bring it up.
The other thing is documentation missing, will that be opened/add separately?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍 (data source -> resource discussion goes beyond this PR so we'll leave it as is)
Great work thanks! We look forward to using this new TFE secret backend. What happens to the Terraform resource when the generated token's TTL expires? Also, I didn't see any TTL argument in |
@husunal the creds' TTL should be based on the role used to create the creds. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The secret resource cred needs to look up the current secret by lease ID to verify the token still exists, otherwise we generate a token with every read. I believe that for Team/Org tokens we wont have a lease ID so we can go ahead and do the full read again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're getting close, but the handling of the lease look up across orgs/teams and users is not quite right. Let me know if you have any questions here or if I need to clarify anything
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few more minor edits and I think we'll be good to go here. Please let me know when you have a chance to look!
organization := d.Get("organization") | ||
teamId := d.Get("team_id") | ||
|
||
if organization == "" && teamId == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can also check for leaseId != ""
now that it's an attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, fixed in latest commit.
organization := d.Get("organization") | ||
teamId := d.Get("team_id") | ||
|
||
if organization == "" && teamId == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, you can now lease perform the lookup if leaseId != ""
(maybe even get rid of organization == "" && teamId == ""
since it doesn't really depend on that).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in latest commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
return &schema.Resource{ | ||
Create: createTerraformCloudSecretCredsResource, | ||
Read: readTerraformCloudSecretCredsResource, | ||
Update: updateTerraformCloudSecretCredsResource, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: in hindsight and looking at the updateTerraformCloudSecretCredsResource
(which just destroys then recreates) I think we can just omit this and remove the updateTerraformCloudSecretCredsResource
method completely. To my general knowledge and specifically here, I don't think we can update credentials, e.g. we can't do renewals through this resource (or in any other comparable credential resources, for that matter)
…FVP support. (#974) * Add docs to accompany the release of the Terraform Cloud/Enterprise TFVP support. * Add reference to lease_id for user tokens
This PR seeks to introduce support for the upcoming Terraform Cloud Secrets Engine. It will enable users to create and manage the Terraform Secrets engine config, any associated roles, and generate credentials from those roles.
Community Note
Relates OR Closes #0000
Release note for CHANGELOG:
Output from acceptance testing: