Merge branch 'main' into VAULT-21621/add-max-retries-field
Showing
34 changed files
with
1,521 additions
and
353 deletions.
@@ -0,0 +1,22 @@ | ||
# See GitHub's docs for more information on this file: | ||
# https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates | ||
version: 2 | ||
updates: | ||
# Dependabot only updates hashicorp GHAs, external GHAs are managed by internal tooling (tsccr) | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" | ||
allow: | ||
- dependency-name: "hashicorp/*" | ||
# Defines a group by package name, for security updates for golang dependencies | ||
- package-ecosystem: "gomod" | ||
directory: "/" | ||
schedule: | ||
interval: "weekly" | ||
groups: | ||
golang: | ||
applies-to: security-updates | ||
patterns: | ||
- "golang.org*" | ||
- "google.golang.org*" |
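Review bot: The `groups` entry at the end of the gomod block batches only security updates, and only for modules matching `golang.org*` and `google.golang.org*`, so a security fix in any other Go module and every regular weekly version update still arrives as one pull request per dependency; the comment above the group says "for security updates" but does not say that version updates are intentionally left ungrouped. Making that explicit would save the next maintainer from reading the narrow patterns as an oversight, e.g. `# Version updates are intentionally not grouped; only golang.org/google.golang.org security fixes are batched into one PR`. If the intent is instead to batch all Go security fixes, the patterns list would need a catch-all entry rather than the two prefixes.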
@@ -1 +1 @@ | ||
1.21.6 | ||
1.22.3 |
@@ -0,0 +1,168 @@ | ||
// Copyright (c) HashiCorp, Inc. | ||
// SPDX-License-Identifier: MPL-2.0 | ||
|
||
package vault | ||
|
||
import ( | ||
"context" | ||
"errors" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/v2/diag" | ||
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
"github.com/hashicorp/terraform-provider-vault/internal/consts" | ||
"github.com/hashicorp/terraform-provider-vault/internal/provider" | ||
"github.com/hashicorp/vault/api" | ||
) | ||
|
||
func pkiSecretBackendConfigEstDataSource() *schema.Resource { | ||
return &schema.Resource{ | ||
Description: "Reads Vault PKI EST configuration", | ||
ReadContext: provider.ReadContextWrapper(readPKISecretBackendConfigEst), | ||
Schema: map[string]*schema.Schema{ | ||
consts.FieldBackend: { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
Description: "Path where PKI engine is mounted", | ||
}, | ||
consts.FieldEnabled: { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "Specifies whether EST is enabled", | ||
}, | ||
consts.FieldDefaultMount: { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster", | ||
}, | ||
consts.FieldDefaultPathPolicy: { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "Required to be set if default_mount is enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:<role_name>", | ||
}, | ||
consts.FieldLabelToPathPolicy: { | ||
Type: schema.TypeMap, | ||
Computed: true, | ||
Description: "A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:<role_name>. Labels must be unique across Vault cluster, and will register .well-known/est/<label> URL paths", | ||
}, | ||
consts.FieldAuthenticators: { | ||
Type: schema.TypeList, | ||
Computed: true, | ||
Description: "Lists the mount accessors EST should delegate authentication requests towards", | ||
Elem: &schema.Resource{ | ||
Schema: map[string]*schema.Schema{ | ||
"cert": { | ||
Type: schema.TypeMap, | ||
Optional: true, | ||
Description: "The accessor and cert_role properties for cert auth backends", | ||
}, | ||
"userpass": { | ||
Type: schema.TypeMap, | ||
Optional: true, | ||
Description: "The accessor property for user pass auth backends", | ||
}, | ||
}, | ||
}, | ||
}, | ||
consts.FieldEnableSentinelParsing: { | ||
Type: schema.TypeBool, | ||
Computed: true, | ||
Description: "If set, parse out fields from the provided CSR making them available for Sentinel policies", | ||
}, | ||
consts.FieldAuditFields: { | ||
Type: schema.TypeList, | ||
Computed: true, | ||
Description: "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies", | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
}, | ||
}, | ||
consts.FieldLastUpdated: { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "A read-only timestamp representing the last time the configuration was updated", | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func readPKISecretBackendConfigEst(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
if err := verifyPkiEstFeatureSupported(meta); err != nil { | ||
return diag.FromErr(err) | ||
} | ||
|
||
client, err := provider.GetClient(d, meta) | ||
if err != nil { | ||
return diag.FromErr(fmt.Errorf("failed getting client: %w", err)) | ||
} | ||
|
||
backend := d.Get(consts.FieldBackend).(string) | ||
path := pkiSecretBackendConfigEstPath(backend) | ||
|
||
if err := readEstConfig(ctx, d, client, path); err != nil { | ||
return diag.FromErr(err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func readEstConfig(ctx context.Context, d *schema.ResourceData, client *api.Client, path string) error { | ||
resp, err := client.Logical().ReadWithContext(ctx, path) | ||
if err != nil { | ||
return fmt.Errorf("error reading from Vault: %w", err) | ||
} | ||
if resp == nil { | ||
return fmt.Errorf("got nil response from Vault from path: %q", path) | ||
} | ||
|
||
d.SetId(path) | ||
|
||
keyComputedFields := []string{ | ||
consts.FieldEnabled, | ||
consts.FieldDefaultMount, | ||
consts.FieldDefaultPathPolicy, | ||
consts.FieldLabelToPathPolicy, | ||
consts.FieldEnableSentinelParsing, | ||
consts.FieldAuditFields, | ||
consts.FieldLastUpdated, | ||
} | ||
|
||
for _, k := range keyComputedFields { | ||
if fieldVal, ok := resp.Data[k]; ok { | ||
if err := d.Set(k, fieldVal); err != nil { | ||
return fmt.Errorf("failed setting field [%s] with val [%s]: %w", k, fieldVal, err) | ||
} | ||
} | ||
} | ||
|
||
if authenticators, authOk := resp.Data[consts.FieldAuthenticators]; authOk { | ||
if err := d.Set(consts.FieldAuthenticators, []interface{}{authenticators}); err != nil { | ||
return fmt.Errorf("failed setting field [%s] with val [%s]: %w", consts.FieldAuthenticators, authenticators, err) | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// verifyPkiEstFeatureSupported verifies that we are talking to a Vault enterprise edition | ||
// and its version 1.16.0 or higher, returns nil if the above is met, otherwise an error | ||
func verifyPkiEstFeatureSupported(meta interface{}) error { | ||
currentVersion := meta.(*provider.ProviderMeta).GetVaultVersion() | ||
|
||
minVersion := provider.VaultVersion116 | ||
if !provider.IsAPISupported(meta, minVersion) { | ||
return fmt.Errorf("feature not enabled on current Vault version. min version required=%s; "+ | ||
"current vault version=%s", minVersion, currentVersion) | ||
} | ||
|
||
if !provider.IsEnterpriseSupported(meta) { | ||
return errors.New("feature requires Vault Enterprise") | ||
} | ||
return nil | ||
} | ||
|
||
func pkiSecretBackendConfigEstPath(backend string) string { | ||
return strings.Trim(backend, "/") + "/config/est" | ||
} |
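Review bot: The two `d.Set` failure paths in readEstConfig format the Vault response value with `%s`, but the values read from `resp.Data` are bools, maps and string lists (see the schema types declared above), so a failure renders as `%!s(bool=true)`-style noise instead of the value; use `%v` there, i.e. `return fmt.Errorf("failed setting field [%s] with val [%v]: %w", k, fieldVal, err)` and the same verb on the authenticators branch. Separately, the unchecked assertion `meta.(*provider.ProviderMeta)` in verifyPkiEstFeatureSupported panics rather than returning a diagnostic if meta is ever a different type; whether ReadContextWrapper guarantees the concrete type is not visible from this file, so a checked form such as `pm, ok := meta.(*provider.ProviderMeta); if !ok { return errors.New("unexpected provider meta type") }` is the safer choice for a read path. The file is entirely new, so every function discussed is fully inside the hunk.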