
Include rotated secrets for cloud vault secrets VAULT-22307 #850

Merged (8 commits, Jun 4, 2024)

Conversation

@dhuckins dhuckins (Contributor) commented May 28, 2024

🛠️ Description

Allows users to fetch rotating secrets using the hcp_vault_secrets_app and hcp_vault_secrets_secret data sources

hcp_vault_secrets_app

hcp_vault_secrets_app: keys from complex (rotating) secrets are concatenated in the same pattern we've been using

Given these secrets
[screenshot: the sample-app secrets as configured in the HCP portal]
with

data "hcp_vault_secrets_app" "example" {
  app_name = "sample-app"
}

output "all-secrets" {
  value = data.hcp_vault_secrets_app.example.secrets
  sensitive = true
}

gives (the secret values print to stdout successfully; I am not including them here)

❯ terraform output all-secrets
tomap({
  "READ_ME" = ***
  "Step1" = ***
  "Step2" = ***
  "Step3" = ***
  "mongodb_atlas_password" = ***
  "mongodb_atlas_username" = ***
})

hcp_vault_secrets_secret

For backwards compatibility in hcp_vault_secrets_secret, any rotating secret will be JSON-encoded.
Using the same secrets set up above in the portal:

data "hcp_vault_secrets_secret" "rotating" {
  app_name    = "sample-app"
  secret_name = "mongodb_atlas"
}

output "rotating-secret" {
  value = data.hcp_vault_secrets_secret.rotating.secret_value
  sensitive = true
}

gives

❯ terraform output rotating-secret
"{\"password\":\"***\",\"username\":\"***\"}"

Because the user may not expect a JSON payload, we emit a warning:
[screenshot: the warning emitted by terraform when a rotating secret is read through hcp_vault_secrets_secret]

🏗️ Acceptance tests

  • Are there any feature flags that are required to use this functionality?
  • Have you added an acceptance test for the functionality being added?
  • Have you run the acceptance tests on this branch?

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...
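The two behaviours described above (flattening rotating secrets into `<secret_name>_<field>` keys for hcp_vault_secrets_app, and JSON-encoding a rotating secret for hcp_vault_secrets_secret) in working Go, as an added illustration; this is not the provider's code and the `AppSecret` type, its `Type` strings and the sample values are constructed stand-ins for the HCP SDK model. It goes one step beyond the PR: it refuses to silently overwrite a flattened key when a static secret and a rotating secret's field produce the same name, which the concatenation scheme makes possible.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SecretType stands in for the provider's secret type string (assumed names).
type SecretType string

const (
	TypeStatic   SecretType = "kv"       // single string value
	TypeRotating SecretType = "rotating" // map of fields, e.g. username/password
)

// AppSecret is a constructed model, not the HCP SDK type.
type AppSecret struct {
	Name   string
	Type   SecretType
	Value  string            // set for static secrets
	Fields map[string]string // set for rotating secrets
}

// FlattenAppSecrets mirrors hcp_vault_secrets_app: a static secret keeps its
// name, a rotating secret contributes "<name>_<field>" per field. A duplicate
// flattened key is reported instead of being overwritten (added check).
func FlattenAppSecrets(secrets []AppSecret) (map[string]string, error) {
	out := make(map[string]string, len(secrets))
	put := func(k, v string) error {
		if _, dup := out[k]; dup {
			return fmt.Errorf("flattened key %q is produced by more than one secret", k)
		}
		out[k] = v
		return nil
	}
	for _, s := range secrets {
		switch s.Type {
		case TypeStatic:
			if err := put(s.Name, s.Value); err != nil {
				return nil, err
			}
		case TypeRotating:
			// Sorted field order makes the collision reported deterministic.
			fields := make([]string, 0, len(s.Fields))
			for f := range s.Fields {
				fields = append(fields, f)
			}
			sort.Strings(fields)
			for _, f := range fields {
				if err := put(s.Name+"_"+f, s.Fields[f]); err != nil {
					return nil, err
				}
			}
		default:
			return nil, fmt.Errorf("secret %q has unsupported type %q", s.Name, s.Type)
		}
	}
	return out, nil
}

// SecretValue mirrors hcp_vault_secrets_secret: a static value is returned as
// is; a rotating secret is JSON-encoded into one string. The bool reports that
// encoding happened, which is the condition under which the PR warns.
func SecretValue(s AppSecret) (string, bool, error) {
	switch s.Type {
	case TypeStatic:
		return s.Value, false, nil
	case TypeRotating:
		b, err := json.Marshal(s.Fields) // map keys are emitted sorted
		if err != nil {
			return "", false, err
		}
		return string(b), true, nil
	default:
		return "", false, fmt.Errorf("secret %q has unsupported type %q", s.Name, s.Type)
	}
}

// DecodeRotating is the consumer side, what jsondecode() does in HCL.
func DecodeRotating(encoded string) (map[string]string, error) {
	var fields map[string]string
	if err := json.Unmarshal([]byte(encoded), &fields); err != nil {
		return nil, err
	}
	return fields, nil
}

func main() {
	// Constructed sample modelled on the PR's "sample-app".
	secrets := []AppSecret{
		{Name: "READ_ME", Type: TypeStatic, Value: "hello"},
		{Name: "mongodb_atlas", Type: TypeRotating, Fields: map[string]string{"username": "u1", "password": "p1"}},
	}
	flat, err := FlattenAppSecrets(secrets)
	if err != nil {
		panic(err)
	}
	fmt.Println(flat) // map[READ_ME:hello mongodb_atlas_password:p1 mongodb_atlas_username:u1]
	v, encoded, _ := SecretValue(secrets[1])
	fmt.Println(encoded, v) // true {"password":"p1","username":"u1"}
}
```

On the Terraform side the encoded string is unpacked with `jsondecode(data.hcp_vault_secrets_secret.rotating.secret_value)["password"]`; because `secret_value` is marked sensitive, the decoded fields inherit sensitivity.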

@dhuckins dhuckins changed the title Include rotated secrets for cloud vault secrets Include rotated secrets for cloud vault secrets VAULT-22307 May 28, 2024
@dhuckins dhuckins marked this pull request as ready for review May 28, 2024 21:02
@dhuckins dhuckins requested review from a team as code owners May 28, 2024 21:02
@averche averche left a comment


A few comments, nothing is blocking, LGTM!

Comment on lines +21 to +25
getParams := secret_service.NewOpenAppSecretParamsWithContext(ctx).
WithAppName(appName).
WithSecretName(secretName).
WithOrganizationID(loc.OrganizationID).
WithProjectID(loc.ProjectID)

Nice improvement!

@@ -106,8 +106,20 @@ func (d *DataSourceVaultSecretsApp) Read(ctx context.Context, req datasource.Rea

openAppSecrets := map[string]string{}
for _, appSecret := range appSecrets {
secretName := appSecret.Name
openAppSecrets[secretName] = appSecret.Version.Value
switch {
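Review bot: `openAppSecrets[secretName] = appSecret.Version.Value` runs unconditionally before the `switch`, so a rotating secret is first written under its bare name with whatever `Version.Value` holds for it, and if `appSecret.Version` can be nil for non-static secrets the dereference panics before the type-specific cases are reached. Move the assignment into the static-secret case of the `switch` so that only the flattened `<name>_<field>` keys are emitted for rotating secrets.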

Would it be cleaner to switch on secret.Type instead?

Contributor Author:

cleaner: yes

was concerned about the string type, are we going to switch to enum at some point?

@averche averche (Contributor) May 31, 2024:

maybe 🤷 It's OK to leave as is for now

// NOTE: for backwards compatibility purposes, if the secret is not a static secret (aka a string)
// encode the complex secret as a json string
var secretValue string
switch {
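Review bot: `secretValue` is declared as an empty string ahead of a tagless `switch`, so any secret type that matches none of the cases falls through and the data source returns "" without an error. Add a `default` case that returns a diagnostic naming the unsupported type rather than letting an empty value reach state.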

Same as above, switching on secret.Type might be cleaner

Comment on lines +124 to +127
resp.Diagnostics.AddWarning(
"HCP Vault Secrets mismatched type",
"Attempted to get a rotating secret in a KV secret data source, encoding the secret values as JSON",
)

I'm a bit unsure about this warning. We may want to keep this data source as an equivalent of vault_generic_secret data source. In this case, it should be perfectly valid to use it to fetch a rotating secret.

I think it's OK to leave it here as well.

Contributor Author:

lets keep, was in the original discussion when we planned this out

@dhuckins dhuckins requested a review from a team as a code owner June 4, 2024 01:02
@dhuckins dhuckins removed the request for review from a team June 4, 2024 01:03
@jasonpilz jasonpilz (Member) left a comment


LGTM

@dhuckins dhuckins merged commit ee8b04a into main Jun 4, 2024
6 checks passed
@dhuckins dhuckins deleted the dh/vault-secrets/rotated-secrets2 branch June 4, 2024 18:33
4 participants