provider/vault: vault_policy resource (#10980)

* provider/vault: vault_policy resource * website: vault_policy resource * Refresh state when reading vault policy
2017-02-13 18:53:45 +00:00 · 2017-02-13 18:53:45 +00:00 · a4d03c9cd1
parent 91f309528e
commit a4d03c9cd1
4 changed files with 234 additions and 0 deletions
--- a/builtin/providers/vault/provider.go
+++ b/builtin/providers/vault/provider.go
@ -88,6 +88,7 @@ func Provider() terraform.ResourceProvider {

 		ResourcesMap: map[string]*schema.Resource{
 			"vault_generic_secret": genericSecretResource(),
+			"vault_policy":         policyResource(),
 		},
 	}
 }
--- a/builtin/providers/vault/resource_policy.go
+++ b/builtin/providers/vault/resource_policy.go
@ -0,0 +1,82 @@
+package vault
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/vault/api"
+)
+
+func policyResource() *schema.Resource {
+	return &schema.Resource{
+		Create: policyWrite,
+		Update: policyWrite,
+		Delete: policyDelete,
+		Read:   policyRead,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Name of the policy",
+			},
+
+			"policy": &schema.Schema{
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The policy document",
+			},
+		},
+	}
+}
+
+func policyWrite(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	name := d.Get("name").(string)
+	policy := d.Get("policy").(string)
+
+	log.Printf("[DEBUG] Writing policy %s to Vault", name)
+	err := client.Sys().PutPolicy(name, policy)
+
+	if err != nil {
+		return fmt.Errorf("error writing to Vault: %s", err)
+	}
+
+	d.SetId(name)
+
+	return nil
+}
+
+func policyDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	name := d.Id()
+
+	log.Printf("[DEBUG] Deleting policy %s from Vault", name)
+
+	err := client.Sys().DeletePolicy(name)
+	if err != nil {
+		return fmt.Errorf("error deleting from Vault: %s", err)
+	}
+
+	return nil
+}
+
+func policyRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	name := d.Id()
+
+	policy, err := client.Sys().GetPolicy(name)
+
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %s", err)
+	}
+
+	d.Set("policy", policy)
+
+	return nil
+}
--- a/builtin/providers/vault/resource_policy_test.go
+++ b/builtin/providers/vault/resource_policy_test.go
@ -0,0 +1,115 @@
+package vault
+
+import (
+	"fmt"
+	"testing"
+
+	r "github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+	"github.com/hashicorp/vault/api"
+)
+
+func TestResourcePolicy(t *testing.T) {
+	r.Test(t, r.TestCase{
+		Providers: testProviders,
+		PreCheck:  func() { testAccPreCheck(t) },
+		Steps: []r.TestStep{
+			r.TestStep{
+				Config: testResourcePolicy_initialConfig,
+				Check:  testResourcePolicy_initialCheck,
+			},
+			r.TestStep{
+				Config: testResourcePolicy_updateConfig,
+				Check:  testResourcePolicy_updateCheck,
+			},
+		},
+	})
+}
+
+var testResourcePolicy_initialConfig = `
+
+resource "vault_policy" "test" {
+	name = "dev-team"
+	policy = <<EOT
+path "secret/*" {
+	policy = "read"
+}
+EOT
+}
+
+`
+
+func testResourcePolicy_initialCheck(s *terraform.State) error {
+	resourceState := s.Modules[0].Resources["vault_policy.test"]
+	if resourceState == nil {
+		return fmt.Errorf("resource not found in state")
+	}
+
+	instanceState := resourceState.Primary
+	if instanceState == nil {
+		return fmt.Errorf("resource has no primary instance")
+	}
+
+	name := instanceState.ID
+
+	if name != instanceState.Attributes["name"] {
+		return fmt.Errorf("id doesn't match name")
+	}
+
+	if name != "dev-team" {
+		return fmt.Errorf("unexpected policy name")
+	}
+
+	client := testProvider.Meta().(*api.Client)
+	policy, err := client.Sys().GetPolicy(name)
+	if err != nil {
+		return fmt.Errorf("error reading back policy: %s", err)
+	}
+
+	if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"read\"\n}\n"; got != want {
+		return fmt.Errorf("policy data is %q; want %q", got, want)
+	}
+
+	return nil
+}
+
+var testResourcePolicy_updateConfig = `
+
+resource "vault_policy" "test" {
+	name = "dev-team"
+	policy = <<EOT
+path "secret/*" {
+	policy = "write"
+}
+EOT
+}
+
+`
+
+func testResourcePolicy_updateCheck(s *terraform.State) error {
+	resourceState := s.Modules[0].Resources["vault_policy.test"]
+	instanceState := resourceState.Primary
+
+	name := instanceState.ID
+
+	client := testProvider.Meta().(*api.Client)
+
+	if name != instanceState.Attributes["name"] {
+		return fmt.Errorf("id doesn't match name")
+	}
+
+	if name != "dev-team" {
+		return fmt.Errorf("unexpected policy name")
+	}
+
+	policy, err := client.Sys().GetPolicy(name)
+	if err != nil {
+		return fmt.Errorf("error reading back policy: %s", err)
+	}
+
+	if got, want := policy, "path \"secret/*\" {\n\tpolicy = \"write\"\n}\n"; got != want {
+		return fmt.Errorf("policy data is %q; want %q", got, want)
+	}
+
+	return nil
+}
--- a/website/source/docs/providers/vault/r/policy.md
+++ b/website/source/docs/providers/vault/r/policy.md
@ -0,0 +1,36 @@
+---
+layout: "vault"
+page_title: "Vault: vault_policy resource"
+sidebar_current: "docs-vault-resource-policy"
+description: |-
+  Writes arbitrary policies for Vault
+---
+
+# vault\_policy
+
+
+## Example Usage
+
+```
+resource "vault_policy" "example" {
+  name = "dev-team"
+
+  policy = <<EOT
+path "secret/my_app" {
+  policy = "write"
+}
+EOT
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the policy
+
+* `policy` - (Required) String containing a Vault policy
+
+## Attributes Reference
+
+No additional attributes are exported by this resource.