diff --git a/.changelog/1143.txt b/.changelog/1143.txt
new file mode 100644
index 000000000..db72e3c80
--- /dev/null
+++ b/.changelog/1143.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+add vault_secrets_integration_azure resource and add support for azure secrets to vault_secrets_rotating_secret resource
+```
\ No newline at end of file
diff --git a/docs/resources/vault_secrets_integration_azure.md b/docs/resources/vault_secrets_integration_azure.md
new file mode 100644
index 000000000..122de295e
--- /dev/null
+++ b/docs/resources/vault_secrets_integration_azure.md
@@ -0,0 +1,75 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "hcp_vault_secrets_integration_azure Resource - terraform-provider-hcp"
+subcategory: ""
+description: |-
+ The Vault Secrets Azure integration resource manages an Azure integration.
+---
+
+# hcp_vault_secrets_integration_azure (Resource)
+
+The Vault Secrets Azure integration resource manages an Azure integration.
+
+## Example Usage
+
+```terraform
+resource "hcp_vault_secrets_integration_azure" "example" {
+ name = "my-azure-1"
+ capabilities = ["ROTATION"]
+ client_secret = {
+ "tenant_id" = "7eb3...",
+ "client_id" = "9de0...",
+ "client_secret" = "WZk8..."
+ }
+}
+```
+
+
+## Schema
+
+### Required
+
+- `capabilities` (Set of String) Capabilities enabled for the integration. See the Vault Secrets documentation for the list of supported capabilities per provider.
+- `name` (String) The Vault Secrets integration name.
+
+### Optional
+
+- `client_secret` (Attributes) Azure client secret used to authenticate against the target Azure application. Cannot be used with `federated_workload_identity`. (see [below for nested schema](#nestedatt--client_secret))
+- `federated_workload_identity` (Attributes) (Recommended) Federated identity configuration to authenticate against the target Azure application. Cannot be used with `client_secret`. (see [below for nested schema](#nestedatt--federated_workload_identity))
+- `project_id` (String) HCP project ID that owns the HCP Vault Secrets integration. Inferred from the provider configuration if omitted.
+
+### Read-Only
+
+- `organization_id` (String) HCP organization ID that owns the HCP Vault Secrets integration.
+- `resource_id` (String) Resource ID used to uniquely identify the integration instance on the HCP platform.
+- `resource_name` (String) Resource name used to uniquely identify the integration instance on the HCP platform.
+
+
+### Nested Schema for `client_secret`
+
+Required:
+
+- `client_id` (String) Azure client ID corresponding to the Azure application.
+- `client_secret` (String) Secret value corresponding to the Azure client secret.
+- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.
+
+
+
+### Nested Schema for `federated_workload_identity`
+
+Required:
+
+- `audience` (String) Audience configured on the Azure federated identity credentials to federate access with HCP.
+- `client_id` (String) Azure client ID corresponding to the Azure application.
+- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Vault Secrets Azure Integration can be imported by specifying the name of the integration
+# Note that since the client secret is never returned on the Vault Secrets API,
+# the next plan or apply will show a diff for that field.
+terraform import hcp_vault_secrets_integration_azure.example my-azure-1
+```
diff --git a/docs/resources/vault_secrets_rotating_secret.md b/docs/resources/vault_secrets_rotating_secret.md
index 388d81f8c..4c24966b2 100644
--- a/docs/resources/vault_secrets_rotating_secret.md
+++ b/docs/resources/vault_secrets_rotating_secret.md
@@ -66,6 +66,18 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
service_account_id = ""
}
}
+
+resource "hcp_vault_secrets_rotating_secret" "example_azure" {
+ app_name = "my-app-1"
+ secret_provider = "azure"
+ name = "my_azure_1_secret"
+ integration_name = "my-azure-1"
+ rotation_policy_name = "built-in:60-days-2-active"
+ azure_application_password = {
+ app_object_id = ""
+ app_client_id = ""
+ }
+}
```
@@ -82,6 +94,7 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
### Optional
- `aws_access_keys` (Attributes) AWS configuration to manage the access key rotation for the given IAM user. Required if `secret_provider` is `aws`. (see [below for nested schema](#nestedatt--aws_access_keys))
+- `azure_application_password` (Attributes) Azure configuration to manage the application password rotation for the given application. Required if `secret_provider` is `Azure`. (see [below for nested schema](#nestedatt--azure_application_password))
- `confluent_service_account` (Attributes) Confluent configuration to manage the cloud api key rotation for the given service account. Required if `secret_provider` is `confluent`. (see [below for nested schema](#nestedatt--confluent_service_account))
- `gcp_service_account_key` (Attributes) GCP configuration to manage the service account key rotation for the given service account. Required if `secret_provider` is `gcp`. (see [below for nested schema](#nestedatt--gcp_service_account_key))
- `mongodb_atlas_user` (Attributes) MongoDB Atlas configuration to manage the user password rotation on the given database. Required if `secret_provider` is `mongodb_atlas`. (see [below for nested schema](#nestedatt--mongodb_atlas_user))
@@ -100,6 +113,15 @@ Required:
- `iam_username` (String) AWS IAM username to rotate the access keys for.
+
+### Nested Schema for `azure_application_password`
+
+Required:
+
+- `app_client_id` (String) Application client ID to rotate the application password for.
+- `app_object_id` (String) Application object ID to rotate the application password for.
+
+
### Nested Schema for `confluent_service_account`
diff --git a/examples/resources/hcp_vault_secrets_integration_azure/import.sh b/examples/resources/hcp_vault_secrets_integration_azure/import.sh
new file mode 100644
index 000000000..ac22c516c
--- /dev/null
+++ b/examples/resources/hcp_vault_secrets_integration_azure/import.sh
@@ -0,0 +1,4 @@
+# Vault Secrets Azure Integration can be imported by specifying the name of the integration
+# Note that since the client secret is never returned on the Vault Secrets API,
+# the next plan or apply will show a diff for that field.
+terraform import hcp_vault_secrets_integration_azure.example my-azure-1
diff --git a/examples/resources/hcp_vault_secrets_integration_azure/resource.tf b/examples/resources/hcp_vault_secrets_integration_azure/resource.tf
new file mode 100644
index 000000000..f33fe393f
--- /dev/null
+++ b/examples/resources/hcp_vault_secrets_integration_azure/resource.tf
@@ -0,0 +1,9 @@
+resource "hcp_vault_secrets_integration_azure" "example" {
+ name = "my-azure-1"
+ capabilities = ["ROTATION"]
+ client_secret = {
+ "tenant_id" = "7eb3...",
+ "client_id" = "9de0...",
+ "client_secret" = "WZk8..."
+ }
+}
\ No newline at end of file
diff --git a/examples/resources/hcp_vault_secrets_rotating_secret/resource.tf b/examples/resources/hcp_vault_secrets_rotating_secret/resource.tf
index 3aea335ba..ea115d9c4 100644
--- a/examples/resources/hcp_vault_secrets_rotating_secret/resource.tf
+++ b/examples/resources/hcp_vault_secrets_rotating_secret/resource.tf
@@ -53,3 +53,14 @@ resource "hcp_vault_secrets_rotating_secret" "example_confluent" {
}
}
+resource "hcp_vault_secrets_rotating_secret" "example_azure" {
+ app_name = "my-app-1"
+ secret_provider = "azure"
+ name = "my_azure_1_secret"
+ integration_name = "my-azure-1"
+ rotation_policy_name = "built-in:60-days-2-active"
+ azure_application_password = {
+ app_object_id = ""
+ app_client_id = ""
+ }
+}
diff --git a/go.mod b/go.mod
index 9db7b44b6..1f287ace3 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.7.0
- github.com/hashicorp/hcp-sdk-go v0.123.0
+ github.com/hashicorp/hcp-sdk-go v0.124.0
github.com/hashicorp/terraform-plugin-docs v0.19.4
github.com/hashicorp/terraform-plugin-framework v1.5.0
github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
diff --git a/go.sum b/go.sum
index 93bbb3b81..3d88edefb 100644
--- a/go.sum
+++ b/go.sum
@@ -124,8 +124,8 @@ github.com/hashicorp/hc-install v0.7.0 h1:Uu9edVqjKQxxuD28mR5TikkKDd/p55S8vzPC16
github.com/hashicorp/hc-install v0.7.0/go.mod h1:ELmmzZlGnEcqoUMKUuykHaPCIR1sYLYX+KSggWSKZuA=
github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
-github.com/hashicorp/hcp-sdk-go v0.123.0 h1:kUf/kSCVkQ4XXyny8GUyUWjvIIIanGRRkhRmgj2lC+4=
-github.com/hashicorp/hcp-sdk-go v0.123.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
+github.com/hashicorp/hcp-sdk-go v0.124.0 h1:Th4qCAAqlPrC5s2riHnMTsHFIZ5GsFWzK7l2W7vqsN4=
+github.com/hashicorp/hcp-sdk-go v0.124.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ=
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index e739f2c82..288536ef7 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -159,6 +159,7 @@ func (p *ProviderFramework) Resources(ctx context.Context) []func() resource.Res
vaultsecrets.NewVaultSecretsIntegrationMongoDBAtlasResource,
vaultsecrets.NewVaultSecretsIntegrationTwilioResource,
vaultsecrets.NewVaultSecretsIntegrationsConfluentResource,
+ vaultsecrets.NewVaultSecretsIntegrationAzureResource,
vaultsecrets.NewVaultSecretsDynamicSecretResource,
vaultsecrets.NewVaultSecretsRotatingSecretResource,
// IAM
diff --git a/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure.go b/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure.go
new file mode 100644
index 000000000..41aff0019
--- /dev/null
+++ b/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure.go
@@ -0,0 +1,359 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vaultsecrets
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/client/secret_service"
+ secretmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/models"
+ "github.com/hashicorp/terraform-plugin-framework-validators/objectvalidator"
+ "github.com/hashicorp/terraform-plugin-framework/attr"
+ "github.com/hashicorp/terraform-plugin-framework/diag"
+ "github.com/hashicorp/terraform-plugin-framework/path"
+ "github.com/hashicorp/terraform-plugin-framework/resource"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/schema/validator"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+ "github.com/hashicorp/terraform-plugin-framework/types/basetypes"
+ "github.com/hashicorp/terraform-provider-hcp/internal/clients"
+ "github.com/hashicorp/terraform-provider-hcp/internal/provider/modifiers"
+ "golang.org/x/exp/maps"
+)
+
+type IntegrationAzure struct {
+ // Input fields
+ ProjectID types.String `tfsdk:"project_id"`
+ Name types.String `tfsdk:"name"`
+ Capabilities types.Set `tfsdk:"capabilities"`
+ ClientSecret types.Object `tfsdk:"client_secret"`
+ FederatedWorkloadIdentity types.Object `tfsdk:"federated_workload_identity"`
+
+ // Computed fields
+ OrganizationID types.String `tfsdk:"organization_id"`
+ ResourceID types.String `tfsdk:"resource_id"`
+ ResourceName types.String `tfsdk:"resource_name"`
+
+ // Inner API-compatible models derived from the Terraform fields
+ capabilities []*secretmodels.Secrets20231128Capability `tfsdk:"-"`
+ clientSecret *secretmodels.Secrets20231128AzureClientSecretRequest `tfsdk:"-"`
+ federatedWorkloadIdentity *secretmodels.Secrets20231128AzureFederatedWorkloadIdentityRequest `tfsdk:"-"`
+}
+
+// Helper structs to help populate concrete targets from types.Object fields
+type clientSecret struct {
+ TenantID types.String `tfsdk:"tenant_id"`
+ ClientID types.String `tfsdk:"client_id"`
+ ClientSecret types.String `tfsdk:"client_secret"`
+}
+
+type azureFederatedWorkloadIdentity struct {
+ TenantID types.String `tfsdk:"tenant_id"`
+ ClientID types.String `tfsdk:"client_id"`
+ Audience types.String `tfsdk:"audience"`
+}
+
+var _ resource.Resource = &resourceVaultSecretsIntegrationAzure{}
+var _ resource.ResourceWithConfigure = &resourceVaultSecretsIntegrationAzure{}
+var _ resource.ResourceWithModifyPlan = &resourceVaultSecretsIntegrationAzure{}
+var _ resource.ResourceWithImportState = &resourceVaultSecretsIntegrationAzure{}
+
+func NewVaultSecretsIntegrationAzureResource() resource.Resource {
+ return &resourceVaultSecretsIntegrationAzure{}
+}
+
+type resourceVaultSecretsIntegrationAzure struct {
+ client *clients.Client
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+ resp.TypeName = req.ProviderTypeName + "_vault_secrets_integration_azure"
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+ attributes := map[string]schema.Attribute{
+ "client_secret": schema.SingleNestedAttribute{
+ Description: "Azure client secret used to authenticate against the target Azure application. Cannot be used with `federated_workload_identity`.",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "tenant_id": schema.StringAttribute{
+ Description: "Azure tenant ID corresponding to the Azure application.",
+ Required: true,
+ },
+ "client_id": schema.StringAttribute{
+ Description: "Azure client ID corresponding to the Azure application.",
+ Required: true,
+ },
+ "client_secret": schema.StringAttribute{
+ Description: "Secret value corresponding to the Azure client secret.",
+ Required: true,
+ },
+ },
+ Validators: []validator.Object{
+ objectvalidator.ExactlyOneOf(path.Expressions{
+ path.MatchRoot("federated_workload_identity"),
+ }...),
+ },
+ },
+ "federated_workload_identity": schema.SingleNestedAttribute{
+ Description: "(Recommended) Federated identity configuration to authenticate against the target Azure application. Cannot be used with `client_secret`.",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "tenant_id": schema.StringAttribute{
+ Description: "Azure tenant ID corresponding to the Azure application.",
+ Required: true,
+ },
+ "client_id": schema.StringAttribute{
+ Description: "Azure client ID corresponding to the Azure application.",
+ Required: true,
+ },
+ "audience": schema.StringAttribute{
+ Description: "Audience configured on the Azure federated identity credentials to federate access with HCP.",
+ Required: true,
+ },
+ },
+ Validators: []validator.Object{
+ objectvalidator.ExactlyOneOf(path.Expressions{
+ path.MatchRoot("client_secret"),
+ }...),
+ },
+ },
+ }
+
+ maps.Copy(attributes, locationAttributes)
+ maps.Copy(attributes, sharedIntegrationAttributes)
+
+ resp.Schema = schema.Schema{
+ MarkdownDescription: "The Vault Secrets Azure integration resource manages an Azure integration.",
+ Attributes: attributes,
+ }
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+ if req.ProviderData == nil {
+ return
+ }
+ client, ok := req.ProviderData.(*clients.Client)
+ if !ok {
+ resp.Diagnostics.AddError(
+ "Unexpected Data Source Configure Type",
+ fmt.Sprintf("Expected *clients.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+ )
+ return
+ }
+ r.client = client
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
+ modifiers.ModifyPlanForDefaultProjectChange(ctx, r.client.Config.ProjectID, req.State, req.Config, req.Plan, resp)
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+ resp.Diagnostics.Append(decorateOperation[*IntegrationAzure](ctx, r.client, &resp.State, req.State.Get, "reading", func(i hvsResource) (any, error) {
+ integration, ok := i.(*IntegrationAzure)
+ if !ok {
+ return nil, fmt.Errorf("invalid integration type, expected *IntegrationAzure, got: %T, this is a bug on the provider", i)
+ }
+
+ response, err := r.client.VaultSecrets.GetAzureIntegration(
+ secret_service.NewGetAzureIntegrationParamsWithContext(ctx).
+ WithOrganizationID(integration.OrganizationID.ValueString()).
+ WithProjectID(integration.ProjectID.ValueString()).
+ WithName(integration.Name.ValueString()), nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Integration, nil
+ })...)
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+ resp.Diagnostics.Append(decorateOperation[*IntegrationAzure](ctx, r.client, &resp.State, req.Plan.Get, "creating", func(i hvsResource) (any, error) {
+ integration, ok := i.(*IntegrationAzure)
+ if !ok {
+ return nil, fmt.Errorf("invalid integration type, expected *IntegrationAzure, got: %T, this is a bug on the provider", i)
+ }
+
+ response, err := r.client.VaultSecrets.CreateAzureIntegration(&secret_service.CreateAzureIntegrationParams{
+ Body: &secretmodels.SecretServiceCreateAzureIntegrationBody{
+ Capabilities: integration.capabilities,
+ FederatedWorkloadIdentity: integration.federatedWorkloadIdentity,
+ Name: integration.Name.ValueString(),
+ ClientSecret: integration.clientSecret,
+ },
+ OrganizationID: integration.OrganizationID.ValueString(),
+ ProjectID: integration.ProjectID.ValueString(),
+ }, nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Integration, nil
+ })...)
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+ resp.Diagnostics.Append(decorateOperation[*IntegrationAzure](ctx, r.client, &resp.State, req.Plan.Get, "updating", func(i hvsResource) (any, error) {
+ integration, ok := i.(*IntegrationAzure)
+ if !ok {
+ return nil, fmt.Errorf("invalid integration type, expected *IntegrationAzure, got: %T, this is a bug on the provider", i)
+ }
+
+ response, err := r.client.VaultSecrets.UpdateAzureIntegration(&secret_service.UpdateAzureIntegrationParams{
+ Body: &secretmodels.SecretServiceUpdateAzureIntegrationBody{
+ Capabilities: integration.capabilities,
+ FederatedWorkloadIdentity: integration.federatedWorkloadIdentity,
+ ClientSecret: integration.clientSecret,
+ },
+ Name: integration.Name.ValueString(),
+ OrganizationID: integration.OrganizationID.ValueString(),
+ ProjectID: integration.ProjectID.ValueString(),
+ }, nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Integration, nil
+ })...)
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+ resp.Diagnostics.Append(decorateOperation[*IntegrationAzure](ctx, r.client, &resp.State, req.State.Get, "deleting", func(i hvsResource) (any, error) {
+ integration, ok := i.(*IntegrationAzure)
+ if !ok {
+ return nil, fmt.Errorf("invalid integration type, expected *IntegrationAzure, got: %T, this is a bug on the provider", i)
+ }
+
+ _, err := r.client.VaultSecrets.DeleteAzureIntegration(
+ secret_service.NewDeleteAzureIntegrationParams().
+ WithOrganizationID(integration.OrganizationID.ValueString()).
+ WithProjectID(integration.ProjectID.ValueString()).
+ WithName(integration.Name.ValueString()), nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ return nil, err
+ }
+ return nil, nil
+ })...)
+}
+
+func (r *resourceVaultSecretsIntegrationAzure) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+ // The Vault Secrets API does not return sensitive values like the client secret, so they will be initialized to an empty value
+ // It means the first plan/apply after a successful import will always show a diff for the client secret.
+ resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("organization_id"), r.client.Config.OrganizationID)...)
+ resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), r.client.Config.ProjectID)...)
+ resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), req.ID)...)
+}
+
+var _ hvsResource = &IntegrationAzure{}
+
+func (i *IntegrationAzure) projectID() types.String {
+ return i.ProjectID
+}
+
+func (i *IntegrationAzure) initModel(ctx context.Context, orgID, projID string) diag.Diagnostics {
+ // Init fields that depend on the Terraform provider configuration
+ i.OrganizationID = types.StringValue(orgID)
+ i.ProjectID = types.StringValue(projID)
+
+ // Init the HVS domain models from the Terraform domain models
+ var capabilities []types.String
+ diags := i.Capabilities.ElementsAs(ctx, &capabilities, false)
+ if diags.HasError() {
+ return diags
+ }
+ for _, c := range capabilities {
+ i.capabilities = append(i.capabilities, secretmodels.Secrets20231128Capability(c.ValueString()).Pointer())
+ }
+
+ if !i.ClientSecret.IsNull() {
+ cs := clientSecret{}
+ diags = i.ClientSecret.As(ctx, &cs, basetypes.ObjectAsOptions{})
+ if diags.HasError() {
+ return diags
+ }
+
+ i.clientSecret = &secretmodels.Secrets20231128AzureClientSecretRequest{
+ TenantID: cs.TenantID.ValueString(),
+ ClientID: cs.ClientID.ValueString(),
+ ClientSecret: cs.ClientSecret.ValueString(),
+ }
+ }
+
+ if !i.FederatedWorkloadIdentity.IsNull() {
+ fwi := azureFederatedWorkloadIdentity{}
+ diags = i.FederatedWorkloadIdentity.As(ctx, &fwi, basetypes.ObjectAsOptions{})
+ if diags.HasError() {
+ return diags
+ }
+
+ i.federatedWorkloadIdentity = &secretmodels.Secrets20231128AzureFederatedWorkloadIdentityRequest{
+ Audience: fwi.Audience.ValueString(),
+ TenantID: fwi.TenantID.ValueString(),
+ ClientID: fwi.ClientID.ValueString(),
+ }
+ }
+
+ return diag.Diagnostics{}
+}
+
+func (i *IntegrationAzure) fromModel(ctx context.Context, orgID, projID string, model any) diag.Diagnostics {
+ diags := diag.Diagnostics{}
+
+ integrationModel, ok := model.(*secretmodels.Secrets20231128AzureIntegration)
+ if !ok {
+ diags.AddError("Invalid model type, this is a bug on the provider.", fmt.Sprintf("Expected *secretmodels.Secrets20231128AzureIntegration, got: %T", model))
+ return diags
+ }
+
+ i.OrganizationID = types.StringValue(orgID)
+ i.ProjectID = types.StringValue(projID)
+ i.ResourceID = types.StringValue(integrationModel.ResourceID)
+ i.ResourceName = types.StringValue(integrationModel.ResourceName)
+ i.Name = types.StringValue(integrationModel.Name)
+
+ var values []attr.Value
+ for _, c := range integrationModel.Capabilities {
+ values = append(values, types.StringValue(string(*c)))
+ }
+ i.Capabilities, diags = types.SetValue(types.StringType, values)
+ if diags.HasError() {
+ return diags
+ }
+
+ if integrationModel.ClientSecret != nil {
+ clientSecret := ""
+ if i.clientSecret != nil {
+ clientSecret = i.clientSecret.ClientSecret
+ }
+ i.ClientSecret, diags = types.ObjectValue(i.ClientSecret.AttributeTypes(ctx), map[string]attr.Value{
+ "tenant_id": types.StringValue(integrationModel.ClientSecret.TenantID),
+ "client_id": types.StringValue(integrationModel.ClientSecret.ClientID),
+ "client_secret": types.StringValue(clientSecret),
+ })
+ if diags.HasError() {
+ return diags
+ }
+ }
+
+ if integrationModel.FederatedWorkloadIdentity != nil {
+ i.FederatedWorkloadIdentity, diags = types.ObjectValue(i.FederatedWorkloadIdentity.AttributeTypes(ctx), map[string]attr.Value{
+ "tenant_id": types.StringValue(integrationModel.FederatedWorkloadIdentity.TenantID),
+ "client_id": types.StringValue(integrationModel.FederatedWorkloadIdentity.ClientID),
+ "audience": types.StringValue(integrationModel.FederatedWorkloadIdentity.Audience),
+ })
+ if diags.HasError() {
+ return diags
+ }
+ }
+
+ return diags
+}
diff --git a/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure_test.go b/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure_test.go
new file mode 100644
index 000000000..875e0342a
--- /dev/null
+++ b/internal/provider/vaultsecrets/resource_vault_secrets_integration_azure_test.go
@@ -0,0 +1,190 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vaultsecrets_test
+
+import (
+ "fmt"
+ "os"
+ "testing"
+
+ "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/client/secret_service"
+ secretmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/models"
+ "github.com/hashicorp/terraform-plugin-testing/helper/resource"
+ "github.com/hashicorp/terraform-plugin-testing/terraform"
+ "github.com/hashicorp/terraform-provider-hcp/internal/clients"
+ "github.com/hashicorp/terraform-provider-hcp/internal/provider/acctest"
+)
+
+func TestAccVaultSecretsResourceIntegrationAzure(t *testing.T) {
+ tenantID := checkRequiredEnvVarOrFail(t, "AZURE_TENANT_ID")
+ clientID := checkRequiredEnvVarOrFail(t, "AZURE_CLIENT_ID")
+ clientSecret := checkRequiredEnvVarOrFail(t, "AZURE_CLIENT_SECRET")
+ audience := checkRequiredEnvVarOrFail(t, "AZURE_INTEGRATION_AUDIENCE")
+
+ integrationName1 := generateRandomSlug()
+ // Set the integration name that is configured in the subject claim while creating a federated credential.
+ integrationName2 := checkRequiredEnvVarOrFail(t, "AZURE_INTEGRATION_NAME_WIF")
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(t) },
+ ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories,
+ Steps: []resource.TestStep{
+ // Create initial integration with access keys
+ {
+ Config: azureClientSecretConfig(integrationName1, clientID, tenantID, clientSecret),
+ Check: resource.ComposeTestCheckFunc(
+ azureCheckClientSecretKeyFuncs(integrationName1, clientID, tenantID, clientSecret)...,
+ ),
+ },
+ // Changing the name forces a recreation
+ {
+ Config: azureClientSecretConfig(integrationName2, clientID, tenantID, clientSecret),
+ Check: resource.ComposeTestCheckFunc(
+ azureCheckClientSecretKeyFuncs(integrationName2, clientID, tenantID, clientSecret)...,
+ ),
+ },
+ // Modifying mutable fields causes an update
+ {
+ Config: azureFederatedIdentityConfig(integrationName2, clientID, tenantID, audience),
+ Check: resource.ComposeTestCheckFunc(
+ azureCheckFederatedIdentityFuncs(integrationName2, clientID, tenantID, audience)...,
+ ),
+ },
+ // Deleting the integration out of band causes a recreation
+ {
+ PreConfig: func() {
+ t.Helper()
+ client := acctest.HCPClients(t)
+ _, err := client.VaultSecrets.DeleteAzureIntegration(&secret_service.DeleteAzureIntegrationParams{
+ Name: integrationName2,
+ OrganizationID: client.Config.OrganizationID,
+ ProjectID: client.Config.ProjectID,
+ }, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+ },
+ Config: azureFederatedIdentityConfig(integrationName2, clientID, tenantID, audience),
+ Check: resource.ComposeTestCheckFunc(
+ azureCheckFederatedIdentityFuncs(integrationName2, clientID, tenantID, audience)...,
+ ),
+ PlanOnly: true,
+ ExpectNonEmptyPlan: true,
+ },
+ // Pre-existing integration can be imported
+ {
+ PreConfig: func() {
+ t.Helper()
+ client := acctest.HCPClients(t)
+ _, err := client.VaultSecrets.CreateAzureIntegration(&secret_service.CreateAzureIntegrationParams{
+ Body: &secretmodels.SecretServiceCreateAzureIntegrationBody{
+ Capabilities: []*secretmodels.Secrets20231128Capability{secretmodels.Secrets20231128CapabilityROTATION.Pointer()},
+ FederatedWorkloadIdentity: &secretmodels.Secrets20231128AzureFederatedWorkloadIdentityRequest{
+ Audience: audience,
+ ClientID: clientID,
+ TenantID: tenantID,
+ },
+ Name: integrationName2,
+ },
+ OrganizationID: client.Config.OrganizationID,
+ ProjectID: client.Config.ProjectID,
+ }, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+ },
+ Config: azureFederatedIdentityConfig(integrationName2, clientID, tenantID, audience),
+ Check: resource.ComposeTestCheckFunc(
+ azureCheckFederatedIdentityFuncs(integrationName2, clientID, tenantID, audience)...,
+ ),
+ ResourceName: "hcp_vault_secrets_integration_azure.acc_test",
+ ImportStateId: integrationName2,
+ ImportState: true,
+ PlanOnly: true,
+ },
+ },
+ CheckDestroy: func(_ *terraform.State) error {
+ if azureIntegrationExists(t, integrationName1) {
+ return fmt.Errorf("test azure integration %s was not destroyed", integrationName1)
+ }
+ if azureIntegrationExists(t, integrationName2) {
+ return fmt.Errorf("test azure integration %s was not destroyed", integrationName2)
+ }
+ return nil
+ },
+ })
+}
+
+func azureClientSecretConfig(integrationName, clientID, tenantID, clientSecret string) string {
+ return fmt.Sprintf(`
+ resource "hcp_vault_secrets_integration_azure" "acc_test" {
+ name = %q
+ capabilities = ["ROTATION"]
+ client_secret = {
+ tenant_id = %q
+ client_id = %q
+ client_secret = %q
+ }
+ }`, integrationName, tenantID, clientID, clientSecret)
+}
+
+func azureFederatedIdentityConfig(integrationName, clientID, tenantID, audience string) string {
+ return fmt.Sprintf(`
+ resource "hcp_vault_secrets_integration_azure" "acc_test" {
+ name = %q
+ capabilities = ["ROTATION"]
+ federated_workload_identity = {
+ tenant_id = %q
+ client_id = %q
+ audience = %q
+ }
+ }`, integrationName, tenantID, clientID, audience)
+}
+
+func azureCheckClientSecretKeyFuncs(integrationName, clientID, tenantID, clientSecret string) []resource.TestCheckFunc {
+ return []resource.TestCheckFunc{
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "organization_id"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "project_id", os.Getenv("HCP_PROJECT_ID")),
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "resource_id"),
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "resource_name"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "name", integrationName),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "capabilities.#", "1"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "capabilities.0", "ROTATION"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "client_secret.client_id", clientID),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "client_secret.tenant_id", tenantID),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "client_secret.client_secret", clientSecret),
+ }
+}
+
+func azureCheckFederatedIdentityFuncs(integrationName, clientID, tenantID, audience string) []resource.TestCheckFunc {
+ return []resource.TestCheckFunc{
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "organization_id"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "project_id", os.Getenv("HCP_PROJECT_ID")),
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "resource_id"),
+ resource.TestCheckResourceAttrSet("hcp_vault_secrets_integration_azure.acc_test", "resource_name"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "name", integrationName),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "capabilities.#", "1"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "capabilities.0", "ROTATION"),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "federated_workload_identity.audience", audience),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "federated_workload_identity.tenant_id", tenantID),
+ resource.TestCheckResourceAttr("hcp_vault_secrets_integration_azure.acc_test", "federated_workload_identity.client_id", clientID),
+ }
+}
+
+func azureIntegrationExists(t *testing.T, name string) bool {
+ t.Helper()
+
+ client := acctest.HCPClients(t)
+
+ response, err := client.VaultSecrets.GetAzureIntegration(
+ secret_service.NewGetAzureIntegrationParamsWithContext(ctx).
+ WithOrganizationID(client.Config.OrganizationID).
+ WithProjectID(client.Config.ProjectID).
+ WithName(name), nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ t.Fatal(err)
+ }
+
+ return !clients.IsResponseCodeNotFound(err) && response != nil && response.Payload != nil && response.Payload.Integration != nil
+}
diff --git a/internal/provider/vaultsecrets/resource_vault_secrets_rotating_secret.go b/internal/provider/vaultsecrets/resource_vault_secrets_rotating_secret.go
index a45777b73..05e9fee98 100644
--- a/internal/provider/vaultsecrets/resource_vault_secrets_rotating_secret.go
+++ b/internal/provider/vaultsecrets/resource_vault_secrets_rotating_secret.go
@@ -31,6 +31,7 @@ var exactlyOneRotatingSecretTypeFieldsValidator = objectvalidator.ExactlyOneOf(
path.MatchRoot("mongodb_atlas_user"),
path.MatchRoot("twilio_api_key"),
path.MatchRoot("confluent_service_account"),
+ path.MatchRoot("azure_application_password"),
}...,
)
@@ -50,6 +51,7 @@ var rotatingSecretsImpl = map[Provider]rotatingSecret{
ProviderMongoDBAtlas: &mongoDBAtlasRotatingSecret{},
ProviderTwilio: &twilioRotatingSecret{},
ProviderConfluent: &confluentRotatingSecret{},
+ ProviderAzure: &azureRotatingSecret{},
}
type RotatingSecret struct {
@@ -62,12 +64,12 @@ type RotatingSecret struct {
RotationPolicyName types.String `tfsdk:"rotation_policy_name"`
// Provider specific mutually exclusive fields
- AWSAccessKeys *awsAccessKeys `tfsdk:"aws_access_keys"`
- GCPServiceAccountKey *gcpServiceAccountKey `tfsdk:"gcp_service_account_key"`
- MongoDBAtlasUser *mongoDBAtlasUser `tfsdk:"mongodb_atlas_user"`
- TwilioAPIKey *twilioAPIKey `tfsdk:"twilio_api_key"`
- ConfluentServiceAccount *confluentServiceAccount `tfsdk:"confluent_service_account"`
-
+ AWSAccessKeys *awsAccessKeys `tfsdk:"aws_access_keys"`
+ GCPServiceAccountKey *gcpServiceAccountKey `tfsdk:"gcp_service_account_key"`
+ MongoDBAtlasUser *mongoDBAtlasUser `tfsdk:"mongodb_atlas_user"`
+ TwilioAPIKey *twilioAPIKey `tfsdk:"twilio_api_key"`
+ ConfluentServiceAccount *confluentServiceAccount `tfsdk:"confluent_service_account"`
+ AzureApplicationPassword *AzureApplicationPassword `tfsdk:"azure_application_password"`
// Computed fields
OrganizationID types.String `tfsdk:"organization_id"`
@@ -93,6 +95,11 @@ type confluentServiceAccount struct {
ServiceAccountID types.String `tfsdk:"service_account_id"`
}
+type AzureApplicationPassword struct {
+ AppClientID types.String `tfsdk:"app_client_id"`
+ AppObjectID types.String `tfsdk:"app_object_id"`
+}
+
type twilioAPIKey struct{}
var _ resource.Resource = &resourceVaultSecretsRotatingSecret{}
@@ -206,6 +213,29 @@ func (r *resourceVaultSecretsRotatingSecret) Schema(_ context.Context, _ resourc
exactlyOneRotatingSecretTypeFieldsValidator,
},
},
+ "azure_application_password": schema.SingleNestedAttribute{
+ Description: "Azure configuration to manage the application password rotation for the given application. Required if `secret_provider` is `Azure`.",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "app_client_id": schema.StringAttribute{
+ Description: "Application client ID to rotate the application password for.",
+ Required: true,
+ PlanModifiers: []planmodifier.String{
+ stringplanmodifier.RequiresReplace(),
+ },
+ },
+ "app_object_id": schema.StringAttribute{
+ Description: "Application object ID to rotate the application password for.",
+ Required: true,
+ PlanModifiers: []planmodifier.String{
+ stringplanmodifier.RequiresReplace(),
+ },
+ },
+ },
+ Validators: []validator.Object{
+ exactlyOneRotatingSecretTypeFieldsValidator,
+ },
+ },
}
maps.Copy(attributes, locationAttributes)
diff --git a/internal/provider/vaultsecrets/rotating_secret_azure.go b/internal/provider/vaultsecrets/rotating_secret_azure.go
new file mode 100644
index 000000000..cde2cd88e
--- /dev/null
+++ b/internal/provider/vaultsecrets/rotating_secret_azure.go
@@ -0,0 +1,89 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package vaultsecrets
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/client/secret_service"
+ secretmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/models"
+ "github.com/hashicorp/terraform-provider-hcp/internal/clients"
+)
+
+var _ rotatingSecret = &azureRotatingSecret{}
+
+type azureRotatingSecret struct{}
+
+func (s *azureRotatingSecret) read(ctx context.Context, client secret_service.ClientService, secret *RotatingSecret) (any, error) {
+ response, err := client.GetAzureApplicationPasswordRotatingSecretConfig(
+ secret_service.NewGetAzureApplicationPasswordRotatingSecretConfigParamsWithContext(ctx).
+ WithOrganizationID(secret.OrganizationID.ValueString()).
+ WithProjectID(secret.ProjectID.ValueString()).
+ WithAppName(secret.AppName.ValueString()).
+ WithName(secret.Name.ValueString()), nil)
+ if err != nil && !clients.IsResponseCodeNotFound(err) {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Config, nil
+}
+
+func (s *azureRotatingSecret) create(ctx context.Context, client secret_service.ClientService, secret *RotatingSecret) (any, error) {
+ if secret.AzureApplicationPassword == nil {
+ return nil, fmt.Errorf("missing required field 'azure_application_password'")
+ }
+
+ response, err := client.CreateAzureApplicationPasswordRotatingSecret(
+ secret_service.NewCreateAzureApplicationPasswordRotatingSecretParamsWithContext(ctx).
+ WithOrganizationID(secret.OrganizationID.ValueString()).
+ WithProjectID(secret.ProjectID.ValueString()).
+ WithAppName(secret.AppName.ValueString()).
+ WithBody(&secretmodels.SecretServiceCreateAzureApplicationPasswordRotatingSecretBody{
+ IntegrationName: secret.IntegrationName.ValueString(),
+ RotationPolicyName: secret.RotationPolicyName.ValueString(),
+ AzureApplicationPasswordParams: &secretmodels.Secrets20231128AzureApplicationPasswordParams{
+ AppClientID: secret.AzureApplicationPassword.AppClientID.ValueString(),
+ AppObjectID: secret.AzureApplicationPassword.AppObjectID.ValueString(),
+ },
+ Name: secret.Name.ValueString(),
+ }),
+ nil)
+ if err != nil {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Config, nil
+}
+
+func (s *azureRotatingSecret) update(ctx context.Context, client secret_service.ClientService, secret *RotatingSecret) (any, error) {
+ if secret.AzureApplicationPassword == nil {
+ return nil, fmt.Errorf("missing required field 'azure_application_password'")
+ }
+ response, err := client.UpdateAzureApplicationPasswordRotatingSecret(
+ secret_service.NewUpdateAzureApplicationPasswordRotatingSecretParamsWithContext(ctx).
+ WithOrganizationID(secret.OrganizationID.ValueString()).
+ WithProjectID(secret.ProjectID.ValueString()).
+ WithAppName(secret.AppName.ValueString()).
+ WithName(secret.Name.ValueString()).
+ WithBody(&secretmodels.SecretServiceUpdateAzureApplicationPasswordRotatingSecretBody{
+ RotationPolicyName: secret.RotationPolicyName.ValueString(),
+ AzureApplicationPasswordParams: &secretmodels.Secrets20231128AzureApplicationPasswordParams{
+ AppClientID: secret.AzureApplicationPassword.AppClientID.ValueString(),
+ AppObjectID: secret.AzureApplicationPassword.AppObjectID.ValueString(),
+ },
+ }),
+ nil)
+ if err != nil {
+ return nil, err
+ }
+ if response == nil || response.Payload == nil {
+ return nil, nil
+ }
+ return response.Payload.Config, nil
+}
diff --git a/internal/provider/vaultsecrets/vault_secrets_utils.go b/internal/provider/vaultsecrets/vault_secrets_utils.go
index 16a25d46d..83707569d 100644
--- a/internal/provider/vaultsecrets/vault_secrets_utils.go
+++ b/internal/provider/vaultsecrets/vault_secrets_utils.go
@@ -27,6 +27,7 @@ const (
ProviderMongoDBAtlas Provider = "mongodb_atlas"
ProviderTwilio Provider = "twilio"
ProviderConfluent Provider = "confluent"
+ ProviderAzure Provider = "azure"
)
func (p Provider) String() string {