Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vault_token: add pgp_key support #686

Merged
merged 5 commits into from
Mar 30, 2020

Conversation

greut
Copy link
Contributor

@greut greut commented Feb 25, 2020

The goal is to mimic what has been done for Consul, https://github.com/terraform-providers/terraform-provider-consul/blob/master/consul/data_source_consul_acl_token_secret_id.go

Being able to encrypt the client_token via a GPG (public) key would be really helpful for us.

Let me know when I should start investing energy into acceptance tests and documentation.

Cheers,

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Release note for CHANGELOG:

vault_token to support PGP encryption of the token

Output from acceptance testing:

$ $ VAULT_ADDR=http://localhost:8200 VAULT_TOKEN=root TF_ACC=1 go test -v ./vault -run TestResourceToken    
=== RUN   TestResourceToken_basic
--- PASS: TestResourceToken_basic (0.12s)
=== RUN   TestResourceToken_import
--- PASS: TestResourceToken_import (0.12s)
=== RUN   TestResourceToken_full
--- PASS: TestResourceToken_full (0.11s)
=== RUN   TestResourceToken_lookup
--- PASS: TestResourceToken_lookup (0.11s)
=== RUN   TestResourceToken_expire
--- PASS: TestResourceToken_expire (10.37s)
=== RUN   TestResourceToken_renew
--- PASS: TestResourceToken_renew (20.36s)
=== RUN   TestResourceToken_pgp
--- PASS: TestResourceToken_pgp (0.59s)
PASS
ok      github.com/terraform-providers/terraform-provider-vault/vault   31.789s

@ghost ghost added the size/S label Feb 25, 2020
Signed-off-by: Yoan Blanc <[email protected]>
@ghost ghost added size/XXL dependencies and removed size/S labels Feb 25, 2020
The default value being true, it should simply ignore it when gpg is used.

Signed-off-by: Yoan Blanc <[email protected]>
Signed-off-by: Yoan Blanc <[email protected]>
@greut greut marked this pull request as ready for review March 6, 2020 06:37
@tyrannosaurus-becks tyrannosaurus-becks self-assigned this Mar 7, 2020
@tyrannosaurus-becks
Copy link
Contributor

tyrannosaurus-becks commented Mar 7, 2020

This is an interesting PR! We haven't had anything like it before. There's a discussion here about a very similar feature. I'm going to read that through and think about it carefully before I do an initial pass of this PR. Thanks for submitting this!

Copy link
Contributor

@tyrannosaurus-becks tyrannosaurus-becks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! I had the opportunity to think about this more, and to pull it down and play with it a little. It's very cool! I could see that it does what it intends, of course, encrypting the client token if you point it at a Keybase public key to use.

I was almost tempted to ask that we do this at the provider level for all sensitive fields. But I think for now we'll just give this a spin here and if it become popular, consider moving to that.

Thank you adding this!

@tyrannosaurus-becks tyrannosaurus-becks merged commit 712d940 into hashicorp:master Mar 30, 2020
@greut greut deleted the vault_token_with_pgp_key branch March 31, 2020 06:06
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
* vault_token: add pgp_key support

Signed-off-by: Yoan Blanc <[email protected]>

* update vendor

Signed-off-by: Yoan Blanc <[email protected]>

* fixup! vault_token: add pgp_key support

Signed-off-by: Yoan Blanc <[email protected]>

* vault_token: conflicts with renewable doesn't work

The default value being true, it should simply ignore it when gpg is used.

Signed-off-by: Yoan Blanc <[email protected]>

* token: test and docs

Signed-off-by: Yoan Blanc <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants