From 86aea6b09451aa36124098692ec453a090bfb195 Mon Sep 17 00:00:00 2001 From: Gerrit Tamboer Date: Wed, 8 Feb 2017 11:18:18 +0100 Subject: [PATCH] WIP: VaMaking vault allowed to read values --- .../vault/resource_generic_secret.go | 47 ++++++++++++++++++- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/builtin/providers/vault/resource_generic_secret.go b/builtin/providers/vault/resource_generic_secret.go index a2a820c74..e7c310df1 100644 --- a/builtin/providers/vault/resource_generic_secret.go +++ b/builtin/providers/vault/resource_generic_secret.go @@ -31,6 +31,25 @@ func genericSecretResource() *schema.Resource { Type: schema.TypeString, Required: true, Description: "JSON-encoded secret data to write.", + // We rebuild the attached JSON string to a simple singleline + // string. This makes terraform not want to change when an extra + // space is included in the JSON string. It is also necesarry + // when allow_read is true for comparing values. + StateFunc: func(v interface{}) string { + var dat map[string]interface{} + if err := json.Unmarshal([]byte(v.(string)), &dat); err != nil { + return fmt.Errorf("data_json %#v syntax error: %s", v.(string), err) + } + jsonDataBytes, _ := json.Marshal(dat) + return string(jsonDataBytes) + }, + }, + + "allow_read": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "True if the provided token is allowed to read the secret from vault, and therefore canupdate values", }, }, } @@ -73,6 +92,31 @@ func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error } func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error { + allowed_to_read := d.Get("allow_read").(bool) + + if allowed_to_read { + path := d.Get("path").(string) + + client := meta.(*api.Client) + + log.Printf("[DEBUG] Reading %s from Vault", path) + secret, err := client.Logical().Read(path) + if err != nil { + return fmt.Errorf("error reading from Vault: %s", err) + } + + d.SetId(path) + + // Ignoring error because this value came from JSON in the + // first place so no reason why it should fail to re-encode. + jsonDataBytes, _ := json.Marshal(secret.Data) + d.Set("data_json", string(jsonDataBytes)) + } + + path := d.Get("path").(string) + d.SetId(path) + return nil + // We don't actually attempt to read back the secret data // here, so that Terraform can be configured with a token // that has only write access to the relevant part of the @@ -82,6 +126,5 @@ func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error { // generic secrets, but detecting drift seems less important // than being able to limit the effect of exposure of // Terraform's Vault token. - log.Printf("[WARN] vault_generic_secret does not automatically refresh") - return nil + // log.Printf("[WARN] vault_generic_secret does not automatically refresh") }