Add the api key resource

An Api Key will authenticate a service account for use with the cockroach cloud api. Service accounts can have multiple api keys attached to them.
cockroachdb · May 2, 2024 · ffb857a · ffb857a
1 parent 951ea20
commit ffb857a
Show file tree

Hide file tree

Showing 16 changed files with 628 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,16 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.6.0] - 2024-05-02
+
 ## Added
 
+- The [cockroach_api_key](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/api_key) 
+  resource was added.
+
 - The [cockroach_service_account](https://registry.terraform.io/providers/cockroachdb/cockroach/latest/docs/resources/service_account)
   resource was added.
 
 - Added `delete_protection` to the Cluster resource and data source. When set
   to true, attempts to delete the cluster will fail. Set to false to disable
   delete protection.
 
-## [1.5.0] - 2024-05-26
+## [1.5.0] - 2024-04-26
 
 - No changes.
 

diff --git a/docs/resources/api_key.md b/docs/resources/api_key.md
@@ -0,0 +1,57 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_api_key Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  API Keys can be used for programmatic access to the cockroach cloud api. Each key is mapped to a cockroachserviceaccount service_account.
+  To access the secret, declare an output value for it and use the terraform output command. i.e. terraform output -raw example_secret
+  During API key creation, a sensitive key is created and stored in the terraform state. Always follow best practices https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-values-in-state when managing sensitive data.
+---
+
+# cockroach_api_key (Resource)
+
+API Keys can be used for programmatic access to the cockroach cloud api. Each key is mapped to a [cockroach_service_account](service_account).
+
+To access the secret, declare an output value for it and use the terraform output command. i.e. `terraform output -raw example_secret` 
+
+During API key creation, a sensitive key is created and stored in the terraform state. Always follow [best practices](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables#sensitive-values-in-state) when managing sensitive data.
+
+## Example Usage
+
+```terraform
+resource "cockroach_api_key" "example" {
+  name               = "An example api key"
+  service_account_id = cockroach_service_account.example_sa.id
+}
+
+output "example_secret" {
+  value       = cockroach_api_key.example.secret
+  description = "The api key for the example api key"
+  sensitive   = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the api key.
+- `service_account_id` (String)
+
+### Read-Only
+
+- `created_at` (String) Creation time of the api key.
+- `id` (String) The ID of this resource.
+- `secret` (String, Sensitive)
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Since the secret, is not retreivable after creation, it must be provided
+# during import.  The API key ID can be derived from the secret.
+# format: terraform import <resource> <api key secret>
+terraform import cockroach_api_key.example CCDB1_D4zMI3pZTmk5rGrzYqMhbc_NkcXLI8d81Mtx3djD45iwPfgtnaRv0XCh0Z9047K
+```
diff --git a/examples/resources/cockroach_api_key/import.sh b/examples/resources/cockroach_api_key/import.sh
@@ -0,0 +1,4 @@
+# Since the secret, is not retreivable after creation, it must be provided
+# during import.  The API key ID can be derived from the secret.
+# format: terraform import <resource> <api key secret>
+terraform import cockroach_api_key.example CCDB1_D4zMI3pZTmk5rGrzYqMhbc_NkcXLI8d81Mtx3djD45iwPfgtnaRv0XCh0Z9047K
diff --git a/examples/resources/cockroach_api_key/resource.tf b/examples/resources/cockroach_api_key/resource.tf
@@ -0,0 +1,10 @@
+resource "cockroach_api_key" "example" {
+  name               = "An example api key"
+  service_account_id = cockroach_service_account.example_sa.id
+}
+
+output "example_secret" {
+  value       = cockroach_api_key.example.secret
+  description = "The api key for the example api key"
+  sensitive   = true
+}
diff --git a/examples/workflows/cockroach_serverless_cluster/main.tf b/examples/workflows/cockroach_serverless_cluster/main.tf
@@ -67,3 +67,28 @@ resource "cockroach_database" "example" {
   name       = "example-database"
   cluster_id = cockroach_cluster.example.id
 }
+
+resource "cockroach_service_account" "example_scoped_sa" {
+  name        = "example-scoped-service-account"
+  description = "A service account providing limited read access to single cluster."
+}
+
+resource "cockroach_user_role_grant" "example_limited_access_scoped_grant" {
+  user_id = cockroach_service_account.example_scoped_sa.id
+  role = {
+    role_name     = "CLUSTER_OPERATOR_WRITER",
+    resource_type = "CLUSTER",
+    resource_id   = cockroach_cluster.example.id
+  }
+}
+
+resource "cockroach_api_key" "example_cluster_op_key_v1" {
+  name               = "example-cluster-operator-key-v1"
+  service_account_id = cockroach_service_account.example_scoped_sa.id
+}
+
+output "example_cluster_op_key_v1_secret" {
+  value       = cockroach_api_key.example_cluster_op_key_v1.secret
+  description = "The api key for example_cluster_op_key_v1_secret"
+  sensitive   = true
+}
diff --git a/internal/provider/allowlist_resource.go b/internal/provider/allowlist_resource.go
@@ -334,6 +334,7 @@ func (r *allowListResource) ImportState(
 		resp.Diagnostics.AddError(
 			"Invalid allowlist entry ID format",
 			`When importing an allowlist entry, the ID field should follow the format "<cluster ID>:<CIDR IP>/<CIDR mask>")`)
+		return
 	}
 	// We can swallow this error because it's already been regex-validated.
 	mask, _ = strconv.Atoi(matches[4])