Azure Rotating Secrets Changes (#1143)

* adding azure integration for rotating secrets changes

* adding test file

* adding changelog file

* updateing validation

* fixing test failures

* docs

* minor changes

* Update internal/provider/vaultsecrets/resource_vault_secrets_rotating_secret.go

Co-authored-by: Max Coulombe <[email protected]>

* addressing review comments

* addressing review comments

* addressing review comments

---------

Co-authored-by: Max Coulombe <[email protected]>

.changelog/1143.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+add vault_secrets_integration_azure resource and add support for azure secrets to vault_secrets_rotating_secret resource
+```

docs/resources/vault_secrets_integration_azure.md

@@ -0,0 +1,75 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "hcp_vault_secrets_integration_azure Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Vault Secrets Azure integration resource manages an Azure integration.
+---
+
+# hcp_vault_secrets_integration_azure (Resource)
+
+The Vault Secrets Azure integration resource manages an Azure integration.
+
+## Example Usage
+
+```terraform
+resource "hcp_vault_secrets_integration_azure" "example" {
+  name         = "my-azure-1"
+  capabilities = ["ROTATION"]
+  client_secret = {
+    "tenant_id"     = "7eb3...",
+    "client_id"     = "9de0...",
+    "client_secret" = "WZk8..."
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `capabilities` (Set of String) Capabilities enabled for the integration. See the Vault Secrets documentation for the list of supported capabilities per provider.
+- `name` (String) The Vault Secrets integration name.
+
+### Optional
+
+- `client_secret` (Attributes) Azure client secret used to authenticate against the target Azure application. Cannot be used with `federated_workload_identity`. (see [below for nested schema](#nestedatt--client_secret))
+- `federated_workload_identity` (Attributes) (Recommended) Federated identity configuration to authenticate against the target Azure application. Cannot be used with `client_secret`. (see [below for nested schema](#nestedatt--federated_workload_identity))
+- `project_id` (String) HCP project ID that owns the HCP Vault Secrets integration. Inferred from the provider configuration if omitted.
+
+### Read-Only
+
+- `organization_id` (String) HCP organization ID that owns the HCP Vault Secrets integration.
+- `resource_id` (String) Resource ID used to uniquely identify the integration instance on the HCP platform.
+- `resource_name` (String) Resource name used to uniquely identify the integration instance on the HCP platform.
+
+<a id="nestedatt--client_secret"></a>
+### Nested Schema for `client_secret`
+
+Required:
+
+- `client_id` (String) Azure client ID corresponding to the Azure application.
+- `client_secret` (String) Secret value corresponding to the Azure client secret.
+- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.
+
+
+<a id="nestedatt--federated_workload_identity"></a>
+### Nested Schema for `federated_workload_identity`
+
+Required:
+
+- `audience` (String) Audience configured on the Azure federated identity credentials to federate access with HCP.
+- `client_id` (String) Azure client ID corresponding to the Azure application.
+- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Vault Secrets Azure Integration can be imported by specifying the name of the integration
+# Note that since the client secret is never returned on the Vault Secrets API,
+# the next plan or apply will show a diff for that field.
+terraform import hcp_vault_secrets_integration_azure.example my-azure-1
+```

docs/resources/vault_secrets_rotating_secret.md

@@ -66,6 +66,18 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
     service_account_id = "<service-account-id>"
   }
 }
+
+resource "hcp_vault_secrets_rotating_secret" "example_azure" {
+  app_name             = "my-app-1"
+  secret_provider      = "azure"
+  name                 = "my_azure_1_secret"
+  integration_name     = "my-azure-1"
+  rotation_policy_name = "built-in:60-days-2-active"
+  azure_application_password = {
+    app_object_id = "<app_object_id>"
+    app_client_id = "<app_client_id>"
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -82,6 +94,7 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
 ### Optional
 
 - `aws_access_keys` (Attributes) AWS configuration to manage the access key rotation for the given IAM user. Required if `secret_provider` is `aws`. (see [below for nested schema](#nestedatt--aws_access_keys))
+- `azure_application_password` (Attributes) Azure configuration to manage the application password rotation for the given application. Required if `secret_provider` is `Azure`. (see [below for nested schema](#nestedatt--azure_application_password))
 - `confluent_service_account` (Attributes) Confluent configuration to manage the cloud api key rotation for the given service account. Required if `secret_provider` is `confluent`. (see [below for nested schema](#nestedatt--confluent_service_account))
 - `gcp_service_account_key` (Attributes) GCP configuration to manage the service account key rotation for the given service account. Required if `secret_provider` is `gcp`. (see [below for nested schema](#nestedatt--gcp_service_account_key))
 - `mongodb_atlas_user` (Attributes) MongoDB Atlas configuration to manage the user password rotation on the given database. Required if `secret_provider` is `mongodb_atlas`. (see [below for nested schema](#nestedatt--mongodb_atlas_user))
@@ -100,6 +113,15 @@ Required:
 - `iam_username` (String) AWS IAM username to rotate the access keys for.
 
 
+<a id="nestedatt--azure_application_password"></a>
+### Nested Schema for `azure_application_password`
+
+Required:
+
+- `app_client_id` (String) Application client ID to rotate the application password for.
+- `app_object_id` (String) Application object ID to rotate the application password for.
+
+
 <a id="nestedatt--confluent_service_account"></a>
 ### Nested Schema for `confluent_service_account`
 

examples/resources/hcp_vault_secrets_integration_azure/import.sh

@@ -0,0 +1,4 @@
+# Vault Secrets Azure Integration can be imported by specifying the name of the integration
+# Note that since the client secret is never returned on the Vault Secrets API,
+# the next plan or apply will show a diff for that field.
+terraform import hcp_vault_secrets_integration_azure.example my-azure-1

examples/resources/hcp_vault_secrets_integration_azure/resource.tf

@@ -0,0 +1,9 @@
+resource "hcp_vault_secrets_integration_azure" "example" {
+  name         = "my-azure-1"
+  capabilities = ["ROTATION"]
+  client_secret = {
+    "tenant_id"     = "7eb3...",
+    "client_id"     = "9de0...",
+    "client_secret" = "WZk8..."
+  }
+}

examples/resources/hcp_vault_secrets_rotating_secret/resource.tf

@@ -53,3 +53,14 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
   }
 }
 
+resource "hcp_vault_secrets_rotating_secret" "example_azure" {
+  app_name             = "my-app-1"
+  secret_provider      = "azure"
+  name                 = "my_azure_1_secret"
+  integration_name     = "my-azure-1"
+  rotation_policy_name = "built-in:60-days-2-active"
+  azure_application_password = {
+    app_object_id = "<app_object_id>"
+    app_client_id = "<app_client_id>"
+  }
+}

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
-	github.com/hashicorp/hcp-sdk-go v0.123.0
+	github.com/hashicorp/hcp-sdk-go v0.124.0
 	github.com/hashicorp/terraform-plugin-docs v0.19.4
 	github.com/hashicorp/terraform-plugin-framework v1.5.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.12.0

go.sum

@@ -124,8 +124,8 @@ github.com/hashicorp/hc-install v0.7.0 h1:Uu9edVqjKQxxuD28mR5TikkKDd/p55S8vzPC16
 github.com/hashicorp/hc-install v0.7.0/go.mod h1:ELmmzZlGnEcqoUMKUuykHaPCIR1sYLYX+KSggWSKZuA=
 github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
 github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
-github.com/hashicorp/hcp-sdk-go v0.123.0 h1:kUf/kSCVkQ4XXyny8GUyUWjvIIIanGRRkhRmgj2lC+4=
-github.com/hashicorp/hcp-sdk-go v0.123.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
+github.com/hashicorp/hcp-sdk-go v0.124.0 h1:Th4qCAAqlPrC5s2riHnMTsHFIZ5GsFWzK7l2W7vqsN4=
+github.com/hashicorp/hcp-sdk-go v0.124.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
 github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ=

internal/provider/provider.go

@@ -159,6 +159,7 @@ func (p *ProviderFramework) Resources(ctx context.Context) []func() resource.Res
 		vaultsecrets.NewVaultSecretsIntegrationMongoDBAtlasResource,
 		vaultsecrets.NewVaultSecretsIntegrationTwilioResource,
 		vaultsecrets.NewVaultSecretsIntegrationsConfluentResource,
+		vaultsecrets.NewVaultSecretsIntegrationAzureResource,
 		vaultsecrets.NewVaultSecretsDynamicSecretResource,
 		vaultsecrets.NewVaultSecretsRotatingSecretResource,
 		// IAM