Add new force_destroy flag (#7)

* Update dependencies

* Use local token if none is specified

* Add new 'force_destroy' flags and acceptance tests

* update documentation

* Fix platn modifiers names

.github/workflows/build.yml

@@ -1,15 +1,14 @@
 name: Go build
 
-on: [push]
+on: [ push ]
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -20,4 +19,44 @@ jobs:
           go mod download
       - name: Build
         run: |
-          go build -v .
+          make build
+      - name: Run unit tests
+        run: |
+          make test
+
+  acceptance:
+    needs: [ build ]
+    runs-on: ubuntu-latest
+    services:
+      vault:
+        image: hashicorp/vault
+        env:
+          VAULT_DEV_ROOT_TOKEN_ID: ROOT_TOKEN
+        options: >-
+          --health-cmd "VAULT_ADDR=http://127.0.0.1:8200 vault status"
+          --health-interval 1s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 8200:8200
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      # setup-terraform is used to install the Terraform CLI. If we don't do
+      # this then the terraform-plugin-sdk will attempt to download it for each test!
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: '1.5.*'
+          terraform_wrapper: false
+      - name: Check Terraform CLI version
+        run: terraform --version
+      - name: Acceptance Tests
+        env:
+          VAULT_TOKEN: "ROOT_TOKEN"
+          VAULT_ADDR: "http://localhost:8200"
+          # RUNS_IN_CONTAINER is false if not using jobs.<job_id>.container
+          RUNS_IN_CONTAINER: "false"
+        run: make testacc

Makefile

@@ -3,7 +3,7 @@ HOSTNAME=registry.terraform.io
 NAMESPACE=blablacar
 NAME=vaultprov
 BINARY=terraform-provider-${NAME}
-VERSION=0.2.0
+VERSION=0.3.0
 OS_ARCH=darwin_arm64
 
 default: install

README.md

@@ -1,35 +1,49 @@
 # Terraform Provider vaultprov
 
-`blablacar/vaultprov` is a custom provider to generate and store random secrets directly into Vault without storing any sensitive value into Terraform state. Secrets metadata are still stored into Terraform state as for any other resources, only the secret itself isn't.
+`blablacar/vaultprov` is a custom provider to generate and store random secrets directly into Vault without storing any
+sensitive value into Terraform state. Secrets metadata are still stored into Terraform state as for any other resources,
+only the secret itself isn't.
 
 ## Resources
-There's only one resource: `vaultprov_random_secret`. It will generate a fully random bytes array that can be used for symmetric cryptography operation (encryption, MAC).
+
+There's only one resource: `vaultprov_random_secret`. It will generate a fully random bytes array that can be used for
+symmetric cryptography operation (encryption, MAC).
 
 ```hcl
 resource "vaultprov_random_secret" "my_key" {
-    path     = "/secrets/foo/bar"
-    length   = 32
-    metadata = {
-        owner    = "my_team"
-        some-key = "some-value"
-    }
+  path     = "/secrets/foo/bar"
+  length   = 32
+  metadata = {
+    owner    = "my_team"
+    some-key = "some-value"
+  }
 }
 ```
+
 `vaultprov_random_secret` attributes:
-- `path`: path of the generated Secret into Vault. Must be a path to a [KV v2 mount](https://www.vaultproject.io/docs/secrets/kv/kv-v2). Used as ID for the resource
+
+- `path`: path of the generated Secret into Vault. Must be a path to
+  a [KV v2 mount](https://www.vaultproject.io/docs/secrets/kv/kv-v2). Used as ID for the resource
 - `length`: length of the secret (default: `32`)
-- `metadata`: Key/value (`string` only) custom metadata that will be added to the Vault Secret 
+- `metadata`: Key/value (`string` only) custom metadata that will be added to the Vault Secret
+- `force_destroy`: If set to `true`, removing the resource will delete the secret and all versions in Vault. If set
+  to `false` or not defined, removing the resource will fail.
 
 The resulting Vault secret will have 2 additional metadata:
+
 - `secret_type`:`random_secret` value
 - `secret_length`: secret length as defined in Terraform
 
-Once created, only metadata can be updated without deleting the secret. `path` can't be changed afterward. Changing `length` will cause the secret to be deleted and re-created.
+Once created, only metadata can be updated without deleting the secret. `path` can't be changed afterward.
+Changing `length` will cause the secret to be deleted and re-created.
 
-:warning: When deleting a `vaultprov_random_secret` resource, every secret's versions and metadata will be **permanently deleted**.
+:warning: When deleting a `vaultprov_random_secret` resource, every secret's versions and metadata will be **permanently
+deleted**.
 
 ## Provider configuration
-In order to communicate with a Vault cluster, the provider needs to be configured accordingly. Only [Kubernetes authentication](https://www.vaultproject.io/docs/auth/kubernetes) is supported.
+
+In order to communicate with a Vault cluster, the provider needs to be configured accordingly.
+Only [Kubernetes authentication](https://www.vaultproject.io/docs/auth/kubernetes) is supported.
 
 ```hcl
 terraform {
@@ -45,41 +59,79 @@ provider "vaultprov" {
   address = "https://some.vault.com:8200"
 
   auth = {
-    path     = "auth/kubernetes/login"
-    role     = "some-role"
-    jwt      = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
+    path = "auth/kubernetes/login"
+    role = "some-role"
+    jwt  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
   }
 }
 ```
+
 Provider attributes:
+
 - `address`: Vault address
 - `auth`
-  - `path`: Authentication endpoint to use with Vault
-  - `role`: Vault Kubernetes authentication role to use
-  - `jwt`: Path of the local Kubernetes service account to be used for authentication
+    - `path`: Authentication endpoint to use with Vault
+    - `role`: Vault Kubernetes authentication role to use
+    - `jwt`: Path of the local Kubernetes service account to be used for authentication
 
 ## Build
 
 To build for current or specific arch:
+
 ```shell
 make build
 # or
 OS_ARCH="linux_amd64" make build
 ```
 
 To build & install on locally
+
 ```shell
 make install
 # or
 OS_ARCH="linux_amd64" make install
 ```
 
 To build for release:
+
 ```shell
 make release
 ```
 
 To generate documentation:
+
 ```shell
 make docs
 ```
+
+## Test
+
+### Acceptance tests
+
+In order to launch acceptance you must first have a running Vault instance:
+
+```shell
+vault server -dev -dev-root-token-id=ROOT_TOKEN
+```
+
+You must also set the following environment variables:
+
+```shell
+export VAULT_ADDR='http://127.0.0.1:8200'
+export VAULT_TOKEN='ROOT_TOKEN'
+```
+
+Then you can launch tests: `make testacc`
+
+### Local testing
+
+In order to use the provider locally (without publishing it on Terraform Registry), use the `make install` command in
+order to copy the provider binary in the local provider registry.
+
+## Publish
+
+GitHub action is used to released new versions of the provider in Terraform Registry.
+
+Follow the [official Terraform documentation](https://developer.hashicorp.com/terraform/registry/providers/publishing)
+for the publishing procedure.
+

docs/index.md

@@ -28,12 +28,9 @@ provider "vaultprov" {
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
-
-- `address` (String) Origin URL of the Vault server. This is a URL with a scheme, a hostname and a port but with no path.
-
 ### Optional
 
+- `address` (String) Origin URL of the Vault server. This is a URL with a scheme, a hostname and a port but with no path.
 - `auth` (Attributes) (see [below for nested schema](#nestedatt--auth))
 - `token` (String) Vault token that will be used by Terraform to authenticate. For debug purpose only. For production, use the `auth` attributes
 

docs/resources/random_secret.md

@@ -32,7 +32,6 @@ resource "vaultprov_random_secret" "example" {
 
 ### Optional
 
+- `force_destroy` (Boolean) If set to `true`, removing the resource will delete the secret and all versions in Vault. If set to `false` or not defined, removing the resource will fail.
 - `length` (Number) The length (in bytes) of the secret. Default is 32. This information will be stored as a custom metadata under the key `secret_length`
 - `metadata` (Map of String) A map of key/value strings that will be stored along the secret as custom metadata
-
-