Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add resource for Okta auth backend #8

Merged
merged 2 commits into from
Feb 13, 2018

Conversation

wjam
Copy link
Contributor

@wjam wjam commented Jul 23, 2017

This adds a resource specific to the Okta auth backend to start to allow a more 'terraform-native' approach to maintaining the configuration of a Vault cluster, rather than having to deal with using vault_generic_secret with random paths. This fixes #7.

@wjam
Copy link
Contributor Author

wjam commented Aug 15, 2017

@radeksimko @apparentlymart Any thoughts on this PR or the approach of having resources more specific to Vault rather than just having the vault_generic_secret resource?

@wjam
Copy link
Contributor Author

wjam commented Sep 2, 2017

@grubernaut @apparentlymart @paddycarver @catsby Is there any appetite for merging this?

@paddycarver paddycarver self-assigned this Sep 6, 2017
@wjam
Copy link
Contributor Author

wjam commented Sep 29, 2017

Any update on this being reviewed?

Copy link
Contributor

@paddycarver paddycarver left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @wjam! Thanks for submitting this resource, and my apologies for the extremely delayed review.

This is, overall, very well done and your hard work on it is super appreciated. I did notice a few areas that I'd like to see some changes to before I can merge this, and then a few nitpicks. Let me know if you have any questions.

If, due to the lengthy delay before this got reviewed, you've moved on, or don't have the time/interest to shepherd this through the review process anymore, that's totally understandable. Either just comment here, or ignore this, and if I haven't heard back by the first week in November, I'll make the necessary changes myself.


var err error

if path == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's easier to just set path to Default: true.

"organization": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is organization ForceNew if it's being set in Update?

return nil
}

func oktaAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function should update all the values on the resource with the values that Vault returns. In this case, that'd mean setting all the fields of the vault_okta_auth_backend resource--including users and groups.

This is important to detect when the state of the world has drifted from the config, so it can be corrected. It's also important if import functionality is to be added.

return nil
}

func oktaAuthBackendGroupRead(d *schema.ResourceData, meta interface{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, we need to actually set these values in state, not just assert that the group exists.

return nil
}

func assertEquals(expected, actual interface{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super crazy about the assert* helpers; first because the Terraform style tends to just repeat the error checking and formatting, second because the way it's implemented right now makes it a bit tricky to understand which field didn't match if there's not a match, and finally because it obscures the implementation detail (that it's doing a != instead of (e.g., for time.Time) using the built-in equality method.

return nil
}

func oktaAuthBackendUserRead(d *schema.ResourceData, meta interface{}) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, we should set the data from the API response here, not just check for existence.

token = "this must be kept secret"
ttl = "1h"
group {
group_name = "dummy"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We like making any test data that requires uniqueness randomized, so multiple tests can run at once and so if a test doesn't clean up properly after itself, it doesn't break integration tests until someone goes in and cleans it up. You can find some helpers for randomising these names in the acctest package: https://godoc.org/github.com/hashicorp/terraform/helper/acctest

Generally how this is done is by making the config a function, passing in randomised or environment-determined variables, injecting them with fmt.Sprintf, and initializing all these variables in the TestAcc* functions. You can see a few examples in the tests for the AWS auth backend.

@@ -0,0 +1,75 @@
---
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These website docs should be added to the sidebar, in website/vault.erb.

Additional changes:
* Change things that should have been a set to be sets
* Read the resource after updating it
@wjam
Copy link
Contributor Author

wjam commented Oct 24, 2017

Fixed issues and somehow managed to rebase the PR, although this did fix the merge conflict

@wjam
Copy link
Contributor Author

wjam commented Dec 1, 2017

@paddycarver @grubernaut ???

@grubernaut
Copy link
Contributor

Hey @wjam,

Sorry for the delay in someone looking at this, unfortunately I no longer work for HashiCorp. However, I do see that there is now a merge conflict, but the majority of the issues mentioned by @paddycarver were addressed. I believe fixing the merge conflict in website/vault.erb should be all that's needed for this contribution. Thank you again for your patience here, and the code contribution. 💯

@paddycarver
Copy link
Contributor

Hey @wjam, apologies for the delay on this. I have notes here on the last few pieces of feedback, which somehow I had convinced myself I had submitted to you, and was waiting on your response. :( Sincere apologies for losing track like that.

Because you've been so patient and worked hard on this, and the pieces of feedback I have are just minor bugs and nitpicks at this point (adding docs to the sidebar, a bug with IDs not being unique enough, and a couple things I'd like to see persisted in state that aren't at the moment) I'm going to just fix them and merge this so it's in the next release of the provider, leaving your commits intact so you get credit for doing ~all the work on this.

Thank you so much for your patience and this awesome contribution to the Vault provider. Really excited about it getting merged.

@wjam
Copy link
Contributor Author

wjam commented Jan 21, 2018

This PR will be 6 months old on Tuesday

@paddycarver
Copy link
Contributor

Really sorry for the delay on this. I've opened #72 with some really minor fixes and the merge conflicts sorted, and I'll get a coworker to look over my changes commit in the morning so we can get this merged and closed out.

@paddycarver paddycarver merged commit 017e469 into hashicorp:master Feb 13, 2018
@paddycarver
Copy link
Contributor

This has now been merged and will be released with the next release of the provider. Thanks for contributing it to Terraform!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unable to run terraform destroy when configuring okta auth backend
3 participants