HCP Vault Secrets Generic Integration (#1151)
* aggregate all the provider-specific integration resources into a provider-agnostic resource
maxcoulombe authored Dec 13, 2024
1 parent 522f9fe commit 7ce6feb
Showing 33 changed files with 1,294 additions and 157 deletions.
13 changes: 13 additions & 0 deletions .changelog/1151.txt
@@ -0,0 +1,13 @@
```release-note:deprecation
the following resources are deprecated:
- `hcp_vault_secrets_integration_aws`
- `hcp_vault_secrets_integration_azure`
- `hcp_vault_secrets_integration_confluent`
- `hcp_vault_secrets_integration_gcp`
- `hcp_vault_secrets_integration_mongodbatlas`
- 'hcp_vault_secrets_integration_twilio'
```

```release-note:feature
add 'hcp_vault_secrets_integration' resource as a replacement for the provider-specific resources
```
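Review bot: the last deprecated entry, `- 'hcp_vault_secrets_integration_twilio'`, uses single quotes while the five entries above it use backticks, and the feature entry quotes `'hcp_vault_secrets_integration'` the same way; use backticks in both so the rendered changelog formats all resource names consistently.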
224 changes: 224 additions & 0 deletions docs/resources/vault_secrets_integration.md
@@ -0,0 +1,224 @@
---
page_title: "Resource hcp_vault_secrets_integration"
subcategory: "HCP Vault Secrets"
description: |-
The Vault Secrets integration resource manages an integration.
---

# hcp_vault_secrets_integration (Resource)

The Vault Secrets integration resource manages an integration.

## Example Usage

```terraform
// AWS
resource "hcp_vault_secrets_integration" "example_aws_federated_identity" {
name = "my-aws-1"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "aws"
aws_federated_workload_identity = {
audience = "<audience>>"
role_arn = "<role-arn>"
}
}
resource "hcp_vault_secrets_integration" "example_aws_access_keys" {
name = "my-aws-2"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "aws"
aws_access_keys = {
access_key_id = "<access-key-id>"
secret_access_key = "<secret-access-key>"
}
}
// Confluent
resource "hcp_vault_secrets_integration" "example_confluent" {
name = "my-confluent-1"
capabilities = ["ROTATION"]
provider_type = "confluent"
confluent_static_credentials = {
cloud_api_key_id = "<cloud-api-key-id>"
cloud_api_secret = "<cloud-api-secret>"
}
}
// GCP
resource "hcp_vault_secrets_integration" "example_gcp_json_service_account_key" {
name = "my-gcp-1"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_service_account_key = {
credentials = file("${path.module}/my-service-account-key.json")
}
}
resource "hcp_vault_secrets_integration" "example_gcp_base64_service_account_key" {
name = "my-gcp-2"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_service_account_key = {
credentials = filebase64("${path.module}/my-service-account-key.json")
}
}
resource "hcp_vault_secrets_integration" "example_gcp_federated_identity" {
name = "my-gcp-3"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_federated_workload_identity = {
service_account_email = "<service-account-email>"
audience = "<audience>"
}
}
// MongoDB-Atlas
resource "hcp_vault_secrets_integration" "example_mongodb_atlas" {
name = "my-mongodb-1"
capabilities = ["ROTATION"]
provider_type = "mongodb-atlas"
mongodb_atlas_static_credentials = {
api_public_key = "<api-public-key>"
api_private_key = "<api-private-key>"
}
}
// Twilio
resource "hcp_vault_secrets_integration" "example_twilio" {
name = "my-twilio-1"
capabilities = ["ROTATION"]
provider_type = "twilio"
twilio_static_credentials = {
account_sid = "<account-sid>"
api_key_secret = "<api-key-secret>"
api_key_sid = "<api-key-sid>"
}
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `capabilities` (Set of String) Capabilities enabled for the integration. See the Vault Secrets documentation for the list of supported capabilities per provider.
- `name` (String) The Vault Secrets integration name.
- `provider_type` (String) The provider or 3rd party platform the integration is for.

### Optional

- `aws_access_keys` (Attributes) AWS IAM key pair used to authenticate against the target AWS account. Cannot be used with `federated_workload_identity`. (see [below for nested schema](#nestedatt--aws_access_keys))
- `aws_federated_workload_identity` (Attributes) (Recommended) Federated identity configuration to authenticate against the target AWS account. Cannot be used with `access_keys`. (see [below for nested schema](#nestedatt--aws_federated_workload_identity))
- `azure_client_secret` (Attributes) Azure client secret used to authenticate against the target Azure application. Cannot be used with `federated_workload_identity`. (see [below for nested schema](#nestedatt--azure_client_secret))
- `azure_federated_workload_identity` (Attributes) (Recommended) Federated identity configuration to authenticate against the target Azure application. Cannot be used with `client_secret`. (see [below for nested schema](#nestedatt--azure_federated_workload_identity))
- `confluent_static_credentials` (Attributes) Confluent API key used to authenticate for cloud apis. (see [below for nested schema](#nestedatt--confluent_static_credentials))
- `gcp_federated_workload_identity` (Attributes) (Recommended) Federated identity configuration to authenticate against the target GCP project. Cannot be used with `service_account_key`. (see [below for nested schema](#nestedatt--gcp_federated_workload_identity))
- `gcp_service_account_key` (Attributes) GCP service account key used to authenticate against the target GCP project. Cannot be used with `federated_workload_identity`. (see [below for nested schema](#nestedatt--gcp_service_account_key))
- `mongodb_atlas_static_credentials` (Attributes) MongoDB Atlas API key used to authenticate against the target project. (see [below for nested schema](#nestedatt--mongodb_atlas_static_credentials))
- `project_id` (String) HCP project ID that owns the HCP Vault Secrets integration. Inferred from the provider configuration if omitted.
- `twilio_static_credentials` (Attributes) Twilio API key parts used to authenticate against the target Twilio account. (see [below for nested schema](#nestedatt--twilio_static_credentials))

### Read-Only

- `organization_id` (String) HCP organization ID that owns the HCP Vault Secrets integration.
- `resource_id` (String) Resource ID used to uniquely identify the integration instance on the HCP platform.
- `resource_name` (String) Resource name used to uniquely identify the integration instance on the HCP platform.

<a id="nestedatt--aws_access_keys"></a>
### Nested Schema for `aws_access_keys`

Required:

- `access_key_id` (String) Key ID used with the secret key to authenticate against the target AWS account.
- `secret_access_key` (String, Sensitive) Secret key used with the key ID to authenticate against the target AWS account.


<a id="nestedatt--aws_federated_workload_identity"></a>
### Nested Schema for `aws_federated_workload_identity`

Required:

- `audience` (String) Audience configured on the AWS IAM identity provider to federate access with HCP.
- `role_arn` (String) AWS IAM role ARN the integration will assume to carry operations for the appropriate capabilities.


<a id="nestedatt--azure_client_secret"></a>
### Nested Schema for `azure_client_secret`

Required:

- `client_id` (String) Azure client ID corresponding to the Azure application.
- `client_secret` (String) Secret value corresponding to the Azure client secret.
- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.


<a id="nestedatt--azure_federated_workload_identity"></a>
### Nested Schema for `azure_federated_workload_identity`

Required:

- `audience` (String) Audience configured on the Azure federated identity credentials to federate access with HCP.
- `client_id` (String) Azure client ID corresponding to the Azure application.
- `tenant_id` (String) Azure tenant ID corresponding to the Azure application.


<a id="nestedatt--confluent_static_credentials"></a>
### Nested Schema for `confluent_static_credentials`

Required:

- `cloud_api_key_id` (String) Public key used alongside the private key to authenticate for cloud apis.
- `cloud_api_secret` (String, Sensitive) Private key used alongside the public key to authenticate for cloud apis.


<a id="nestedatt--gcp_federated_workload_identity"></a>
### Nested Schema for `gcp_federated_workload_identity`

Required:

- `audience` (String) Audience configured on the GCP identity provider to federate access with HCP.
- `service_account_email` (String) GCP service account email that HVS will impersonate to carry operations for the appropriate capabilities.


<a id="nestedatt--gcp_service_account_key"></a>
### Nested Schema for `gcp_service_account_key`

Required:

- `credentials` (String) JSON or base64 encoded service account key received from GCP.

Read-Only:

- `client_email` (String) Service account email corresponding to the service account key.
- `project_id` (String) GCP project ID corresponding to the service account key.


<a id="nestedatt--mongodb_atlas_static_credentials"></a>
### Nested Schema for `mongodb_atlas_static_credentials`

Required:

- `api_private_key` (String, Sensitive) Private key used alongside the public key to authenticate against the target project.
- `api_public_key` (String) Public key used alongside the private key to authenticate against the target project.


<a id="nestedatt--twilio_static_credentials"></a>
### Nested Schema for `twilio_static_credentials`

Required:

- `account_sid` (String) Account SID for the target Twilio account.
- `api_key_secret` (String, Sensitive) Api key secret used with the api key SID to authenticate against the target Twilio account.
- `api_key_sid` (String) Api key SID to authenticate against the target Twilio account.

## Import

Import is supported using the following syntax:

```shell
# Vault Secrets Integration can be imported by specifying the name of the integration
# Note that since sensitive information are never returned on the Vault Secrets API,
# the next plan or apply will show a diff for sensitive fields.
terraform import hcp_vault_secrets_integration.example my-integration-name
```
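Review bot: `client_secret` under the `azure_client_secret` nested schema and `credentials` under `gcp_service_account_key` are listed as plain `(String)`, while the equivalent secrets in the other nested blocks (`secret_access_key`, `cloud_api_secret`, `api_private_key`, `api_key_secret`) are `(String, Sensitive)`; an Azure client secret and a GCP service account key are credentials of the same class and should carry the Sensitive flag so they are redacted from plan output. Since this file is generated by tfplugindocs, the fix belongs in the schema attribute definitions rather than in the markdown. Two smaller generated-text issues: the mutual-exclusion sentences in the Optional section refer to `federated_workload_identity`, `access_keys`, `client_secret` and `service_account_key`, but the attributes are actually named `aws_federated_workload_identity`, `aws_access_keys`, `azure_client_secret`, `gcp_service_account_key` and their counterparts, so the references should use the full attribute names; and the first AWS example has a doubled closing bracket in `audience = "<audience>>"`.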
2 changes: 2 additions & 0 deletions docs/resources/vault_secrets_integration_aws.md
@@ -9,6 +9,8 @@ description: |-

The Vault Secrets AWS integration resource manages an AWS integration.

~> **Note:** This resource is deprecated, please use `hcp_vault_secrets_integration` instead.

## Example Usage

```terraform
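Review bot: the added deprecation note is a comma splice ("This resource is deprecated, please use ..."); split it into two sentences. Because the replacement resource is selected by `provider_type` rather than by resource name, the note would be more useful if it stated the `provider_type` value the new resource expects for this provider and linked the Import section of `hcp_vault_secrets_integration`, so an existing integration can be re-imported under the new resource rather than destroyed and recreated. The same wording is added to the Confluent, GCP, MongoDB Atlas and Twilio docs, and the unchanged context lines in three of those files still read "manages an Confluent integration", "manages an GCP integration" and "manages an MongoDB Atlas integration" (should be "a").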
2 changes: 2 additions & 0 deletions docs/resources/vault_secrets_integration_confluent.md
@@ -9,6 +9,8 @@ description: |-

The Vault Secrets Confluent integration resource manages an Confluent integration.

~> **Note:** This resource is deprecated, please use `hcp_vault_secrets_integration` instead.

## Example Usage

```terraform
2 changes: 2 additions & 0 deletions docs/resources/vault_secrets_integration_gcp.md
@@ -9,6 +9,8 @@ description: |-

The Vault Secrets GCP integration resource manages an GCP integration.

~> **Note:** This resource is deprecated, please use `hcp_vault_secrets_integration` instead.

## Example Usage

```terraform
2 changes: 2 additions & 0 deletions docs/resources/vault_secrets_integration_mongodbatlas.md
@@ -9,6 +9,8 @@ description: |-

The Vault Secrets MongoDB Atlas integration resource manages an MongoDB Atlas integration.

~> **Note:** This resource is deprecated, please use `hcp_vault_secrets_integration` instead.

## Example Usage

```terraform
2 changes: 2 additions & 0 deletions docs/resources/vault_secrets_integration_twilio.md
@@ -9,6 +9,8 @@ description: |-

The Vault Secrets Twilio integration resource manages a Twilio integration.

~> **Note:** This resource is deprecated, please use `hcp_vault_secrets_integration` instead.

## Example Usage

```terraform
4 changes: 4 additions & 0 deletions examples/resources/hcp_vault_secrets_integration/import.sh
@@ -0,0 +1,4 @@
# Vault Secrets Integration can be imported by specifying the name of the integration
# Note that since sensitive information are never returned on the Vault Secrets API,
# the next plan or apply will show a diff for sensitive fields.
terraform import hcp_vault_secrets_integration.example my-integration-name
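Review bot: the second comment line should read "sensitive information is never returned by the Vault Secrets API"; this file is the source of the Import section in the generated docs, so fixing it here fixes both copies. It would also help the reader to state that the diff on sensitive fields after an import is expected and that a subsequent apply resolves it, rather than leaving them to wonder whether the import failed.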
83 changes: 83 additions & 0 deletions examples/resources/hcp_vault_secrets_integration/resource.tf
@@ -0,0 +1,83 @@
// AWS
resource "hcp_vault_secrets_integration" "example_aws_federated_identity" {
name = "my-aws-1"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "aws"
aws_federated_workload_identity = {
audience = "<audience>>"
role_arn = "<role-arn>"
}
}

resource "hcp_vault_secrets_integration" "example_aws_access_keys" {
name = "my-aws-2"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "aws"
aws_access_keys = {
access_key_id = "<access-key-id>"
secret_access_key = "<secret-access-key>"
}
}

// Confluent
resource "hcp_vault_secrets_integration" "example_confluent" {
name = "my-confluent-1"
capabilities = ["ROTATION"]
provider_type = "confluent"
confluent_static_credentials = {
cloud_api_key_id = "<cloud-api-key-id>"
cloud_api_secret = "<cloud-api-secret>"
}
}

// GCP
resource "hcp_vault_secrets_integration" "example_gcp_json_service_account_key" {
name = "my-gcp-1"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_service_account_key = {
credentials = file("${path.module}/my-service-account-key.json")
}
}

resource "hcp_vault_secrets_integration" "example_gcp_base64_service_account_key" {
name = "my-gcp-2"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_service_account_key = {
credentials = filebase64("${path.module}/my-service-account-key.json")
}
}

resource "hcp_vault_secrets_integration" "example_gcp_federated_identity" {
name = "my-gcp-3"
capabilities = ["DYNAMIC", "ROTATION"]
provider_type = "gcp"
gcp_federated_workload_identity = {
service_account_email = "<service-account-email>"
audience = "<audience>"
}
}

// MongoDB-Atlas
resource "hcp_vault_secrets_integration" "example_mongodb_atlas" {
name = "my-mongodb-1"
capabilities = ["ROTATION"]
provider_type = "mongodb-atlas"
mongodb_atlas_static_credentials = {
api_public_key = "<api-public-key>"
api_private_key = "<api-private-key>"
}
}

// Twilio
resource "hcp_vault_secrets_integration" "example_twilio" {
name = "my-twilio-1"
capabilities = ["ROTATION"]
provider_type = "twilio"
twilio_static_credentials = {
account_sid = "<account-sid>"
api_key_secret = "<api-key-secret>"
api_key_sid = "<api-key-sid>"
}
}
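Review bot: `audience = "<audience>>"` in the first AWS resource has a doubled closing `>`; the docs page is generated from this file, so fixing it here fixes both. The schema exposes `azure_client_secret` and `azure_federated_workload_identity`, but no Azure resource appears in this example set, so adding one with the matching `provider_type` would keep the examples in step with the schema. For the static-credential examples (`aws_access_keys`, `confluent_static_credentials`, `mongodb_atlas_static_credentials`, `twilio_static_credentials`), reading the secret from a variable declared with `sensitive = true` instead of an inline literal would model the practice the docs should encourage, much as the GCP examples already avoid inline key material by reading the key from a file.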
2 changes: 1 addition & 1 deletion go.mod
@@ -11,7 +11,7 @@ require (
github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/hcp-sdk-go v0.124.0
github.com/hashicorp/hcp-sdk-go v0.126.0
github.com/hashicorp/terraform-plugin-docs v0.19.4
github.com/hashicorp/terraform-plugin-framework v1.5.0
github.com/hashicorp/terraform-plugin-framework-validators v0.12.0
4 changes: 2 additions & 2 deletions go.sum
@@ -124,8 +124,8 @@ github.com/hashicorp/hc-install v0.7.0 h1:Uu9edVqjKQxxuD28mR5TikkKDd/p55S8vzPC16
github.com/hashicorp/hc-install v0.7.0/go.mod h1:ELmmzZlGnEcqoUMKUuykHaPCIR1sYLYX+KSggWSKZuA=
github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI=
github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
github.com/hashicorp/hcp-sdk-go v0.124.0 h1:Th4qCAAqlPrC5s2riHnMTsHFIZ5GsFWzK7l2W7vqsN4=
github.com/hashicorp/hcp-sdk-go v0.124.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
github.com/hashicorp/hcp-sdk-go v0.126.0 h1:/ByCyXaKrwJwK5SMjp/JFK3ZbVqDxEaADQev3t6odI4=
github.com/hashicorp/hcp-sdk-go v0.126.0/go.mod h1:vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=
github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
github.com/hashicorp/terraform-exec v0.21.0 h1:uNkLAe95ey5Uux6KJdua6+cv8asgILFVWkd/RG0D2XQ=
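Review bot: the `/go.mod h1:` hash recorded for `hcp-sdk-go v0.126.0` is identical to the one for `v0.124.0` (`vQ4fzdL1AmhIAbCw+4zmFe5Hbpajj3NvRWkJoVuxmAk=`) while the module hash on the line above changes. That is legitimate when the dependency's own go.mod did not change between the two releases, but since this is the only dependency bump in the change, confirm both new lines match the checksum database (for example `go mod verify` with the default `GOSUMDB`) before merging so the sum file is not taken on trust from the local module cache.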
0 comments on commit 7ce6feb