Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault 22912/sync config #2125

Merged
merged 10 commits into from
Jan 17, 2024
Merged

Vault 22912/sync config #2125

merged 10 commits into from
Jan 17, 2024

Conversation

maxcoulombe
Copy link
Contributor

@maxcoulombe maxcoulombe commented Jan 10, 2024
edited
Loading

Description

This PR adds a resource to manage the global config of the enterprise Secrets Sync feature.

This API is only available on the root namespace so using a provider defined on a different namespace will error during the creation. Let me know if this is something that could/should be covered by automated tests.

Since the config is global, in theory it should not be possible to define this resource twice for the same Vault cluster but I'm not sure this is something that can be prevented as code. If a user defines the resource twice, the last config to be applied will be effective.

Checklist

  • Added CHANGELOG entry (only for user-facing changes) (I feel like we can use a single CHANGELOG entry on Vinay's PR)
  • Acceptance tests where run against all supported Vault Versions
/usr/local/go/bin/go tool test2json -t /home/max/.cache/JetBrains/GoLand2023.2/tmp/GoLand/___TestSecretsSyncConfig_in_github_com_hashicorp_terraform_provider_vault_vault.test -test.v -test.paniconexit0 -test.run ^\QTestSecretsSyncConfig\E$
=== RUN   TestSecretsSyncConfig
    resource_secrets_sync_config_test.go:22: Vault server version "1.16.0-beta1+ent"
--- PASS: TestSecretsSyncConfig (1.07s)
PASS

@maxcoulombe maxcoulombe changed the base branch from main to VAULT-18672/aws-secrets-sync-loop January 10, 2024 16:38
@github-actions github-actions bot added size/L and removed size/XL labels Jan 10, 2024
@maxcoulombe maxcoulombe force-pushed the VAULT-22912/sync-config branch from 030ea71 to 3422d66 Compare January 10, 2024 16:40
@maxcoulombe
+ added sync config resource
404c524 
* format


* imports


* use proper version check


* using defaults
@maxcoulombe maxcoulombe force-pushed the VAULT-22912/sync-config branch from e790dde to 404c524 Compare January 10, 2024 16:51
@maxcoulombe maxcoulombe requested review from vinay-gopalan and raymonstah and removed request for vinay-gopalan January 10, 2024 16:53
vinay-gopalan
vinay-gopalan reviewed Jan 10, 2024
View reviewed changes
Copy link
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this! Things are looking great, had a couple initial thoughts. Whenever you get the time, could we also add the documentation for this resource to close out the loop on development? Thanks again!

vault/resource_secrets_sync_config.go Outdated Show resolved Hide resolved
vault/resource_secrets_sync_config.go Show resolved Hide resolved
vault/resource_secrets_sync_config.go
fieldDisabled: {
Type: schema.TypeBool,
Optional: true,
Default: false,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's avoid setting the default here and let the Vault default value handle that case by marking this as Computed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The request on the Vault side is implemented as a PATCH. If we remove the default value from the TF schema, omitting a field in the resource definition keep it as is instead of reverting to Vault's default. This may be ok if we document it accordingly but most often I've seen that removing an optional field in a TF resource should update it to some default value.

For example, if the current config is:

    "data": {
        "disabled": false,
        "queue_capacity": 1234
    },

This TF resource definition resets it to 1,000,000:

resource "vault_secrets_sync_config" "cfg" {
  disabled       = false
}

If we remove the default value here, the same TF resource definition has no effect instead because Vault is called an empty queue_capacity field.

Does that make sense? Are we fine with the behavior of not updating to a default value for a missing field?

vault/resource_secrets_sync_config_test.go Outdated Show resolved Hide resolved
@maxcoulombe
* fix bool evaluation
f3249f1 
+ actually save content to the statefile
@maxcoulombe
* typo
864c3e7
@maxcoulombe maxcoulombe force-pushed the VAULT-22912/sync-config branch from 128080b to 864c3e7 Compare January 10, 2024 22:45
@maxcoulombe
Copy link
Contributor Author

Whenever you get the time, could we also add the documentation for this resource to close out the loop on development?

Done!

@maxcoulombe
Copy link
Contributor Author

@vinay-gopalan I added the doc so I'll go ahead and merge the PR so it is ready to ship with the rest of the TFVP support. Let me know if the explanation for the default value make sense. If you'd like to discuss a different approach or there are other adjustments to do on the config resource please ping me, I'll fix them in a follow-up PR!

@maxcoulombe maxcoulombe merged commit 4da4fbd into VAULT-18672/aws-secrets-sync-loop Jan 17, 2024
13 checks passed
@maxcoulombe maxcoulombe deleted the VAULT-22912/sync-config branch January 17, 2024 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vinay-gopalan vinay-gopalan vinay-gopalan left review comments

@raymonstah raymonstah raymonstah approved these changes

Assignees
No one assigned
Labels
documentation size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maxcoulombe @raymonstah @vinay-gopalan