Add the api key resource
An Api Key will authenticate a service account for use with the cockroach
cloud api.  Service accounts can have multiple api keys attached to
them.
fantapop committed Apr 25, 2024
1 parent 124f1f8 commit ba33181
Showing 16 changed files with 624 additions and 12 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## Added

- The [cockroach_api_key](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/api_key) resource was added.

- The [cockroach_service_account](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/service_account) resource was added.

## [1.4.1] - 2024-04-04
57 changes: 57 additions & 0 deletions docs/resources/api_key.md
@@ -0,0 +1,57 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "cockroach_api_key Resource - terraform-provider-cockroach"
subcategory: ""
description: |-
API Keys can be used for programmatic access to the cockroach cloud api. Each key is mapped to a cockroachserviceaccount service_account.
To access the secret, declare an output value for it and use the terraform output command. i.e. terraform output -raw example_secret
During API key creation, a sensitive key is created and stored in the terraform state. Always follow best practices https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-values-in-state when managing sensitive data.
---

# cockroach_api_key (Resource)

API Keys can be used for programmatic access to the cockroach cloud api. Each key is mapped to a [cockroach_service_account](service_account).

To access the secret, declare an output value for it and use the terraform output command. i.e. `terraform output -raw example_secret`

During API key creation, a sensitive key is created and stored in the terraform state. Always follow [best practices](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-values-in-state) when managing sensitive data.

## Example Usage

```terraform
resource "cockroach_api_key" "example" {
name = "An example api key"
service_account_id = cockroach_service_account.example_sa.id
}
output "example_secret" {
value = cockroach_api_key.example.secret
description = "The api key for the example api key"
sensitive = true
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) Name of the api key.
- `service_account_id` (String)

### Read-Only

- `created_at` (String) Creation time of the api key.
- `id` (String) The ID of this resource.
- `secret` (String, Sensitive)

## Import

Import is supported using the following syntax:

```shell
# Since the secret, is not retreivable after creation, it must be provided
# during import. The API key ID can be derived from the secret.
# format: terraform import <resource> <api key secret>
terraform import cockroach_api_key.example CCDB1_D4zMI3pZTmk5rGrzYqMhbc_NkcXLI8d81Mtx3djD45iwPfgtnaRv0XCh0Z9047K
```
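Review bot: In the Schema section, `service_account_id` and `secret` are listed with no description, unlike `name` and `created_at`. Because this file is generated by tfplugindocs, the descriptions need to be added on those attributes in the resource schema and the docs regenerated; for `secret` it is worth saying that it is not retrievable after creation and is stored in state. The front-matter description also flattens the service account link into "cockroachserviceaccount service_account", which reads as a rendering defect in the generated text.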
4 changes: 4 additions & 0 deletions examples/resources/cockroach_api_key/import.sh
@@ -0,0 +1,4 @@
# Since the secret, is not retreivable after creation, it must be provided
# during import. The API key ID can be derived from the secret.
# format: terraform import <resource> <api key secret>
terraform import cockroach_api_key.example CCDB1_D4zMI3pZTmk5rGrzYqMhbc_NkcXLI8d81Mtx3djD45iwPfgtnaRv0XCh0Z9047K
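Review bot: The import line passes the full API key secret as the import ID on the command line, and the comment above it gives no warning about that. Suggest adding a comment line noting that the secret can end up in shell history, and replacing the sample value with an obviously fake placeholder so it cannot be mistaken for a real key or trip secret scanners. The first comment line also has a stray comma and a typo: "Since the secret, is not retreivable" should read "Since the secret is not retrievable".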
10 changes: 10 additions & 0 deletions examples/resources/cockroach_api_key/resource.tf
@@ -0,0 +1,10 @@
resource "cockroach_api_key" "example" {
name = "An example api key"
service_account_id = cockroach_service_account.example_sa.id
}

output "example_secret" {
value = cockroach_api_key.example.secret
description = "The api key for the example api key"
sensitive = true
}
25 changes: 25 additions & 0 deletions examples/workflows/cockroach_serverless_cluster/main.tf
Expand Up @@ -67,3 +67,28 @@ resource "cockroach_database" "example" {
name = "example-database"
cluster_id = cockroach_cluster.example.id
}

resource "cockroach_service_account" "example_scoped_sa" {
name = "example-scoped-service-account"
description = "A service account providing limited read access to single cluster."
}

resource "cockroach_user_role_grant" "example_limited_access_scoped_grant" {
user_id = cockroach_service_account.example_scoped_sa.id
role = {
role_name = "CLUSTER_OPERATOR_WRITER",
resource_type = "CLUSTER",
resource_id = cockroach_cluster.example.id
}
}

resource "cockroach_api_key" "example_cluster_op_key_v1" {
name = "example-cluster-operator-key-v1"
service_account_id = cockroach_service_account.example_scoped_sa.id
}

output "example_cluster_op_key_v1_secret" {
value = cockroach_api_key.example_cluster_op_key_v1.secret
description = "The api key for example_cluster_op_key_v1_secret"
sensitive = true
}
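Review bot: The `description` on `example_scoped_sa` says the account provides "limited read access to single cluster", but the grant that follows assigns `role_name = "CLUSTER_OPERATOR_WRITER"`. Either reword the description to match the writer role or grant a role that matches the read-only intent; workflow examples get copied as least-privilege templates, so the stated scope and the actual grant should agree. The API key created here inherits whatever that grant allows, so the mismatch carries over to `example_cluster_op_key_v1`.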
1 change: 1 addition & 0 deletions internal/provider/allowlist_resource.go
Expand Up @@ -334,6 +334,7 @@ func (r *allowListResource) ImportState(
resp.Diagnostics.AddError(
"Invalid allowlist entry ID format",
`When importing an allowlist entry, the ID field should follow the format "<cluster ID>:<CIDR IP>/<CIDR mask>")`)
return
}
// We can swallow this error because it's already been regex-validated.
mask, _ = strconv.Atoi(matches[4])
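Review bot: The added `return` after `AddError` in `ImportState` is a behaviour fix unrelated to the API key resource, and neither the commit message nor the CHANGELOG hunk mentions it. Without it, execution would fall through to `strconv.Atoi(matches[4])` after the format check has already failed, so it deserves its own CHANGELOG line and an import test with a malformed ID. The error string on the context line above also ends with a stray `)` after the closing quote of the format.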
