Merge pull request #97 from hashicorp/hcpe-955-vault-resources-2

HCPE-955: Vault resources

README.md

@@ -69,4 +69,10 @@ resource "aws_vpc_peering_connection_accepter" "peer" {
   vpc_peering_connection_id = hcp_aws_network_peering.example.provider_peering_id
   auto_accept               = true
 }
+
+// Create a Vault cluster within the HVN.
+resource "hcp_vault_cluster" "example" {
+  cluster_id = "vault-cluster"
+  hvn_id     = hcp_hvn.example_hvn.hvn_id
+}
 ```

docs/data-sources/vault_cluster.md

@@ -0,0 +1,54 @@
+---
+page_title: "hcp_vault_cluster Data Source - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The cluster data source provides information about an existing HCP Vault cluster.
+---
+
+# Data Source `hcp_vault_cluster`
+
+The cluster data source provides information about an existing HCP Vault cluster.
+
+## Example Usage
+
+```terraform
+data "hcp_vault_cluster" "example" {
+  cluster_id = var.cluster_id
+}
+```
+
+## Schema
+
+### Required
+
+- **cluster_id** (String) The ID of the HCP Vault cluster.
+
+### Optional
+
+- **id** (String) The ID of this resource.
+- **timeouts** (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-only
+
+- **cloud_provider** (String) The provider where the HCP Vault cluster is located.
+- **created_at** (String) The time that the Vault cluster was created.
+- **hvn_id** (String) The ID of the HVN this HCP Vault cluster is associated to.
+- **min_vault_version** (String) The minimum Vault version to use when creating the cluster. If not specified, it is defaulted to the version that is currently recommended by HCP.
+- **namespace** (String) The name of the customer namespace this HCP Vault cluster is located in.
+- **organization_id** (String) The ID of the organization this HCP Vault cluster is located in.
+- **project_id** (String) The ID of the project this HCP Vault cluster is located in.
+- **public_endpoint** (Boolean) Denotes that the cluster has a public endpoint. Defaults to false.
+- **region** (String) The region where the HCP Vault cluster is located.
+- **tier** (String) The tier that the HCP Vault cluster will be provisioned as.  Only 'development' is available at this time.
+- **vault_private_endpoint_url** (String) The private URL for the Vault cluster.
+- **vault_public_endpoint_url** (String) The public URL for the Vault cluster. This will be empty if `public_endpoint` is `false`.
+- **vault_version** (String) The Vault version of the cluster.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- **default** (String)
+
+

docs/guides/vault-admin-token.md

@@ -0,0 +1,23 @@
+---
+subcategory: ""
+page_title: "Create a Vault cluster and admin token - HCP Provider"
+description: |-
+    An example of creating a Vault cluster and admin token.
+---
+
+# Create a new Vault cluster and an admin token
+
+Once you have an HVN, HCP Vault enables you to quickly deploy a Vault Enterprise cluster in AWS across a variety of environments while offloading the operations burden to the SRE experts at HashiCorp.
+The cluster's admin token grants its bearer administrator access to the Vault cluster. This admin token is valid for six hours. On subsequent reads after creation, 
+the resource will check if the admin token is close to expiration or expired and automatically refresh as needed.
+
+```terraform
+resource "hcp_vault_cluster" "example_vault_cluster" {
+  hvn_id     = hcp_hvn.example_hvn.hvn_id
+  cluster_id = "hcp-tf-example-vault-cluster"
+}
+
+resource "hcp_vault_cluster_admin_token" "example_vault_admin_token" {
+  cluster_id = hcp_vault_cluster.example_vault_cluster.cluster_id
+}
+```

docs/index.md

@@ -79,6 +79,12 @@ resource "hcp_consul_cluster" "example_secondary" {
   tier         = "development"
   primary_link = hcp_consul_cluster.example.self_link
 }
+
+// Create a Vault cluster in the same region and cloud provider as the HVN
+resource "hcp_vault_cluster" "example" {
+  cluster_id = "hcp-tf-example-vault-cluster"
+  hvn_id     = hcp_hvn.example_hvn.hvn_id
+}
 ```
 
 ## Schema

docs/resources/vault_cluster.md

@@ -0,0 +1,71 @@
+---
+page_title: "hcp_vault_cluster Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Vault cluster resource allows you to manage an HCP Vault cluster.
+---
+
+# Resource `hcp_vault_cluster`
+
+The Vault cluster resource allows you to manage an HCP Vault cluster.
+
+## Example Usage
+
+```terraform
+resource "hcp_hvn" "example" {
+  hvn_id         = "hvn"
+  cloud_provider = "aws"
+  region         = "us-west-2"
+  cidr_block     = "172.25.16.0/20"
+}
+
+resource "hcp_vault_cluster" "example" {
+  cluster_id = "vault-cluster"
+  hvn_id     = hcp_hvn.example.hvn_id
+}
+```
+
+## Schema
+
+### Required
+
+- **cluster_id** (String) The ID of the HCP Vault cluster.
+- **hvn_id** (String) The ID of the HVN this HCP Vault cluster is associated to.
+
+### Optional
+
+- **id** (String) The ID of this resource.
+- **min_vault_version** (String) The minimum Vault version to use when creating the cluster. If not specified, it is defaulted to the version that is currently recommended by HCP.
+- **public_endpoint** (Boolean) Denotes that the cluster has a public endpoint. Defaults to false.
+- **timeouts** (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-only
+
+- **cloud_provider** (String) The provider where the HCP Vault cluster is located.
+- **created_at** (String) The time that the Vault cluster was created.
+- **namespace** (String) The name of the customer namespace this HCP Vault cluster is located in.
+- **organization_id** (String) The ID of the organization this HCP Vault cluster is located in.
+- **project_id** (String) The ID of the project this HCP Vault cluster is located in.
+- **region** (String) The region where the HCP Vault cluster is located.
+- **tier** (String) The tier that the HCP Vault cluster will be provisioned as.  Only 'development' is available at this time.
+- **vault_private_endpoint_url** (String) The private URL for the Vault cluster.
+- **vault_public_endpoint_url** (String) The public URL for the Vault cluster. This will be empty if `public_endpoint` is `false`.
+- **vault_version** (String) The Vault version of the cluster.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- **create** (String)
+- **default** (String)
+- **delete** (String)
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# The import ID is {cluster_id}
+terraform import hcp_vault_cluster.example vault-cluster
+```

docs/resources/vault_cluster_admin_token.md

@@ -0,0 +1,56 @@
+---
+page_title: "hcp_vault_cluster_admin_token Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+  The Vault cluster admin token resource generates an admin-level token for the HCP Vault cluster.
+---
+
+# Resource `hcp_vault_cluster_admin_token`
+
+~> **Important Security Notice** The admin token generated by this resource will
+be stored *unencrypted* in your Terraform state file. **Use of this resource
+for production deployments is *not* recommended**. Instead, generate
+an admin token outside of Terraform and distribute it securely
+to the system where Terraform will be run.
+
+The Vault cluster admin token resource generates an admin-level token for the HCP Vault cluster.
+
+This resource saves a single admin token per Vault cluster and auto-refreshes the token when it is about to expire.
+Destroying this resource *does not* invalidate the admin token.
+
+~> **Known Issue** An admin token may be generated during a `terraform plan` if the current token is expiring. 
+Since the Plan phase does not save any state, the Apply phase saves a different generated token, and the token generated during Plan ends up orphaned. 
+It will expire in six hours.
+
+## Example Usage
+
+```terraform
+resource "hcp_vault_cluster_admin_token" "example" {
+  cluster_id = "test-vault-cluster"
+}
+```
+
+## Schema
+
+### Required
+
+- **cluster_id** (String) The ID of the HCP Vault cluster.
+
+### Optional
+
+- **id** (String) The ID of this resource.
+- **timeouts** (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+
+### Read-only
+
+- **created_at** (String) The time that the admin token was created.
+- **token** (String, Sensitive) The admin token of this HCP Vault cluster.
+
+<a id="nestedblock--timeouts"></a>
+### Nested Schema for `timeouts`
+
+Optional:
+
+- **create** (String)
+- **delete** (String)
+- **read** (String)

examples/data-sources/hcp_vault_cluster/data-source.tf

@@ -0,0 +1,3 @@
+data "hcp_vault_cluster" "example" {
+  cluster_id = var.cluster_id
+}

examples/guides/vault_cluster_admin_token/main.tf

@@ -0,0 +1,8 @@
+resource "hcp_vault_cluster" "example_vault_cluster" {
+  hvn_id     = hcp_hvn.example_hvn.hvn_id
+  cluster_id = "hcp-tf-example-vault-cluster"
+}
+
+resource "hcp_vault_cluster_admin_token" "example_vault_admin_token" {
+  cluster_id = hcp_vault_cluster.example_vault_cluster.cluster_id
+}

examples/provider/provider.tf

@@ -60,4 +60,10 @@ resource "hcp_consul_cluster" "example_secondary" {
   cluster_id   = "hcp-tf-example-consul-cluster-secondary"
   tier         = "development"
   primary_link = hcp_consul_cluster.example.self_link
+}
+
+// Create a Vault cluster in the same region and cloud provider as the HVN
+resource "hcp_vault_cluster" "example" {
+  cluster_id = "hcp-tf-example-vault-cluster"
+  hvn_id     = hcp_hvn.example_hvn.hvn_id
 }

examples/resources/hcp_vault_cluster/import.sh

@@ -0,0 +1,2 @@
+# The import ID is {cluster_id}
+terraform import hcp_vault_cluster.example vault-cluster

examples/resources/hcp_vault_cluster/resource.tf

@@ -0,0 +1,11 @@
+resource "hcp_hvn" "example" {
+  hvn_id         = "hvn"
+  cloud_provider = "aws"
+  region         = "us-west-2"
+  cidr_block     = "172.25.16.0/20"
+}
+
+resource "hcp_vault_cluster" "example" {
+  cluster_id = "vault-cluster"
+  hvn_id     = hcp_hvn.example.hvn_id
+}

examples/resources/hcp_vault_cluster_admin_token/resource.tf

@@ -0,0 +1,3 @@
+resource "hcp_vault_cluster_admin_token" "example" {
+  cluster_id = "test-vault-cluster"
+}

internal/clients/client.go

@@ -10,6 +10,8 @@ import (
 	cloud_resource_manager "github.com/hashicorp/hcp-sdk-go/clients/cloud-resource-manager/preview/2019-12-10/client"
 	"github.com/hashicorp/hcp-sdk-go/clients/cloud-resource-manager/preview/2019-12-10/client/organization_service"
 	"github.com/hashicorp/hcp-sdk-go/clients/cloud-resource-manager/preview/2019-12-10/client/project_service"
+	cloud_vault "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-service/preview/2020-11-25/client"
+	"github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-service/preview/2020-11-25/client/vault_service"
 	sdk "github.com/hashicorp/hcp-sdk-go/httpclient"
 )
 
@@ -22,6 +24,7 @@ type Client struct {
 	Project      project_service.ClientService
 	Organization organization_service.ClientService
 	Consul       consul_service.ClientService
+	Vault        vault_service.ClientService
 }
 
 // ClientConfig specifies configuration for the client that interacts with HCP
@@ -65,6 +68,7 @@ func NewClient(config ClientConfig) (*Client, error) {
 		Project:      cloud_resource_manager.New(httpClient, nil).ProjectService,
 		Organization: cloud_resource_manager.New(httpClient, nil).OrganizationService,
 		Consul:       cloud_consul.New(httpClient, nil).ConsulService,
+		Vault:        cloud_vault.New(httpClient, nil).VaultService,
 	}
 
 	return client, nil

internal/clients/vault_cluster.go

@@ -0,0 +1,87 @@
+package clients
+
+import (
+	"context"
+
+	sharedmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-shared/v1/models"
+	"github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-service/preview/2020-11-25/client/vault_service"
+	vaultmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-service/preview/2020-11-25/models"
+)
+
+// GetVaultClusterByID gets an Vault cluster by its ID.
+func GetVaultClusterByID(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation,
+	vaultClusterID string) (*vaultmodels.HashicorpCloudVault20201125Cluster, error) {
+
+	getParams := vault_service.NewGetParams()
+	getParams.Context = ctx
+	getParams.ClusterID = vaultClusterID
+	getParams.LocationOrganizationID = loc.OrganizationID
+	getParams.LocationProjectID = loc.ProjectID
+
+	getResp, err := client.Vault.Get(getParams, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return getResp.Payload.Cluster, nil
+}
+
+// CreateVaultCluster will make a call to the Consul service to initiate the create Consul
+// cluster workflow.
+func CreateVaultCluster(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation,
+	vaultCluster *vaultmodels.HashicorpCloudVault20201125InputCluster) (*vaultmodels.HashicorpCloudVault20201125CreateResponse, error) {
+
+	p := vault_service.NewCreateParams()
+	p.Context = ctx
+	p.Body = &vaultmodels.HashicorpCloudVault20201125CreateRequest{Cluster: vaultCluster}
+
+	p.ClusterLocationOrganizationID = loc.OrganizationID
+	p.ClusterLocationProjectID = loc.ProjectID
+
+	resp, err := client.Vault.Create(p, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp.Payload, nil
+}
+
+// DeleteVaultCluster will make a call to the Vault service to initiate the delete Vault
+// cluster workflow.
+func DeleteVaultCluster(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation,
+	clusterID string) (*vaultmodels.HashicorpCloudVault20201125DeleteResponse, error) {
+
+	p := vault_service.NewDeleteParams()
+	p.Context = ctx
+	p.ClusterID = clusterID
+	p.LocationOrganizationID = loc.OrganizationID
+	p.LocationProjectID = loc.ProjectID
+
+	deleteResp, err := client.Vault.Delete(p, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return deleteResp.Payload, nil
+}
+
+// CreateVaultClusterAdminToken will make a call to the Vault service to generate an admin token for the Vault cluster
+// that expires after 6 hours.
+func CreateVaultClusterAdminToken(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation,
+	vaultClusterID string) (*vaultmodels.HashicorpCloudVault20201125GetAdminTokenResponse, error) {
+
+	p := vault_service.NewGetAdminTokenParams()
+	p.Context = ctx
+	p.ClusterID = vaultClusterID
+	p.LocationOrganizationID = loc.OrganizationID
+	p.LocationProjectID = loc.ProjectID
+	p.LocationRegionProvider = &loc.Region.Provider
+	p.LocationRegionRegion = &loc.Region.Region
+
+	resp, err := client.Vault.GetAdminToken(p, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp.Payload, nil
+}