
Commit a15334b

vsin12Maxrovr
authored and committed
Added - Support for Secrets in Vault - Cross Region Replication Feature
1 parent c99017a commit a15334b


8 files changed

+493
-39
lines changed


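--- a/examples/vault_secret/XRR/main.tf
+++ b/examples/vault_secret/XRR/main.tf
@@ -0,0 +1,147 @@
+variable "tenancy_ocid" {}
+variable "region" {}
+variable "kms_vault_ocid" {}
+variable "kms_key_ocid" {}
+variable "compartment_ocid" {}
+
+provider "oci" {
+tenancy_ocid = var.tenancy_ocid
+region = var.region
+// .. auth options
+}
+
+data "oci_vault_secrets" "test_secrets" {
+compartment_id = var.compartment_ocid
+state = "ACTIVE"
+vault_id = var.kms_vault_ocid
+}
+
+resource "oci_vault_secret" "test_secret" {
+#Required
+compartment_id = var.compartment_ocid
+secret_content {
+#Required
+content_type = "BASE64"
+
+#Optional
+content = "PHZhcj4mbHQ7YmFzZTY0X2VuY29kZWRfc2VjcmV0X2NvbnRlbnRzJmd0OzwvdmFyPg=="
+name = "XRRSecretSample1"
+stage = "CURRENT"
+}
+replication_config {
+replication_targets {
+target_key_id = var.kms_key_ocid
+target_region = "us-phoenix-1"
+target_vault_id = var.kms_vault_ocid
+}
+#Optional
+is_write_forward_enabled = false
+}
+
+key_id = var.kms_key_ocid
+secret_name = "XRRSecretSample1105"
+vault_id = var.kms_vault_ocid
+}
+
+resource "oci_vault_secret" "test_secret_wf_enabled" {
+#Required
+compartment_id = var.compartment_ocid
+secret_content {
+#Required
+content_type = "BASE64"
+
+#Optional
+content = "PHZhcj4mbHQ7YmFzZTY0X2VuY29kZWRfc2VjcmV0X2NvbnRlbnRzJmd0OzwvdmFyPg=="
+name = "XRRSecretSample102"
+stage = "CURRENT"
+}
+replication_config {
+replication_targets {
+target_key_id = var.kms_key_ocid
+target_region = "us-phoenix-1"
+target_vault_id = var.kms_vault_ocid
+}
+#Optional
+is_write_forward_enabled = true
+}
+
+key_id = var.kms_key_ocid
+secret_name = "XRRSecretSample1104"
+vault_id = var.kms_vault_ocid
+}
+
+resource "oci_vault_secret" "test_secret_multiple_replication_targets" {
+#Required
+compartment_id = var.compartment_ocid
+secret_content {
+#Required
+content_type = "BASE64"
+
+#Optional
+content = "PHZhcj4mbHQ7YmFzZTY0X2VuY29kZWRfc2VjcmV0X2NvbnRlbnRzJmd0OzwvdmFyPg=="
+name = "XRRSecretSample1"
+stage = "CURRENT"
+}
+replication_config {
+replication_targets {
+target_key_id = var.kms_key_ocid
+target_region = "us-phoenix-1"
+target_vault_id = var.kms_vault_ocid
+}
+replication_targets {
+target_key_id = var.kms_key_ocid
+target_region = "us-sanjose-1"
+target_vault_id = var.kms_vault_ocid
+}
+#Optional
+is_write_forward_enabled = true
+}
+
+key_id = var.kms_key_ocid
+secret_name = "XRRSecretSample1103"
+vault_id = var.kms_vault_ocid
+}
+
+data "oci_vault_secret" "test_secret" {
+secret_id = oci_vault_secret.test_secret.id
+}
+
+data "oci_vault_secret" "test_secret_wf_enabled" {
+secret_id = oci_vault_secret.test_secret_wf_enabled.id
+}
+
+data "oci_vault_secret" "test_secret_multiple_replication_targets" {
+secret_id = oci_vault_secret.test_secret_multiple_replication_targets.id
+}
+
+data "oci_vault_secrets" "test_secret_xrr" {
+compartment_id = var.compartment_ocid
+}
+
+data "oci_secrets_secretbundle_versions" "test_secretbundle_versions" {
+#Required
+secret_id = oci_vault_secret.test_secret.id
+}
+
+// Get Secret content
+data "oci_secrets_secretbundle" "test_secretbundles" {
+#Required
+secret_id = oci_vault_secret.test_secret.id
+stage = "CURRENT"
+}
+
+output "all_vault_secrets_data" {
+value = data.oci_vault_secrets.test_secret_xrr
+}
+
+output "all_vault_secrets_data_for_xrr_secret" {
+value = data.oci_vault_secret.test_secret
+}
+
+output "all_vault_secrets_data_for_xrr_secret_wf_enabled" {
+value = data.oci_vault_secret.test_secret_wf_enabled
+}
+
+output "all_vault_secrets_data_for_xrr_secret_multiple_replication_targets" {
+value = data.oci_vault_secret.test_secret_multiple_replication_targets
+}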
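Review bot: Every `replication_targets` block points `target_vault_id` and `target_key_id` at `var.kms_vault_ocid` and `var.kms_key_ocid`, the same vault and key the source secret itself uses, while `target_region` names a different region (`us-phoenix-1`, and `us-sanjose-1` in the multi-target resource). A replication target presumably has to be a vault and key that live in the target region, so the example as written is unlikely to apply without edits; separate `target_vault_ocid` / `target_key_ocid` variables (one pair per target region for the multi-target resource) would make that requirement visible to readers. The `content` literal on each resource decodes to the placeholder `<var>&lt;base64_encoded_secret_contents&gt;</var>`; a comment such as `# placeholder: replace with the base64-encoded secret value` next to it would save readers decoding it, and a short header note that whatever is placed here is recorded in Terraform state is worth adding for the same reason.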

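--- a/internal/integrationtest/vault_secret_test.go
+++ b/internal/integrationtest/vault_secret_test.go
@@ -5,11 +5,9 @@ package integrationtest
 
 import (
 "fmt"
-"testing"
-"time"
-
 "github.com/oracle/terraform-provider-oci/internal/acctest"
 "github.com/oracle/terraform-provider-oci/internal/utils"
+"testing"
 
 "github.com/hashicorp/terraform-plugin-testing/helper/resource"
 "github.com/hashicorp/terraform-plugin-testing/terraform"
@@ -50,11 +48,16 @@ var (
 "enable_auto_generation": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 "freeform_tags": acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"Department": "Finance"}, Update: map[string]string{"Department": "Accounting"}},
 "metadata": acctest.Representation{RepType: acctest.Optional, Create: map[string]string{"metadata": "metadata"}, Update: map[string]string{"metadata2": "metadata2"}},
+"replication_config": acctest.RepresentationGroup{RepType: acctest.Optional, Group: VaultSecretReplicationConfigRepresentation},
 "rotation_config": acctest.RepresentationGroup{RepType: acctest.Optional, Group: VaultSecretRotationConfigRepresentation},
 "secret_content": acctest.RepresentationGroup{RepType: acctest.Required, Group: VaultSecretSecretContentRepresentation},
 "secret_generation_context": acctest.RepresentationGroup{RepType: acctest.Optional, Group: VaultSecretSecretGenerationContextRepresentation},
 "secret_rules": acctest.RepresentationGroup{RepType: acctest.Optional, Group: VaultSecretSecretRulesRepresentation},
 }
+VaultSecretReplicationConfigRepresentation = map[string]interface{}{
+"replication_targets": acctest.RepresentationGroup{RepType: acctest.Required, Group: VaultSecretReplicationConfigReplicationTargetsRepresentation},
+"is_write_forward_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
+}
 VaultSecretRotationConfigRepresentation = map[string]interface{}{
 "target_system_details": acctest.RepresentationGroup{RepType: acctest.Required, Group: VaultSecretRotationConfigTargetSystemDetailsRepresentation},
 "is_scheduled_rotation_enabled": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `false`},
@@ -76,7 +79,12 @@ var (
 "is_enforced_on_deleted_secret_versions": acctest.Representation{RepType: acctest.Optional, Create: `false`, Update: `true`},
 "is_secret_content_retrieval_blocked_on_expiry": acctest.Representation{RepType: acctest.Optional, Create: `false`},
 "secret_version_expiry_interval": acctest.Representation{RepType: acctest.Optional, Create: `P3D`},
-"time_of_absolute_expiry": acctest.Representation{RepType: acctest.Optional, Create: deletionTime.Format(time.RFC3339)},
+"time_of_absolute_expiry": acctest.Representation{RepType: acctest.Optional, Create: ``},
+}
+VaultSecretReplicationConfigReplicationTargetsRepresentation = map[string]interface{}{
+"target_key_id": acctest.Representation{RepType: acctest.Required, Create: `${var.key_id}`},
+"target_region": acctest.Representation{RepType: acctest.Required, Create: `us-phoenix-1`, Update: `us-sanjose-1`},
+"target_vault_id": acctest.Representation{RepType: acctest.Required, Create: `${var.vault_id}`},
 }
 VaultSecretRotationConfigTargetSystemDetailsRepresentation = map[string]interface{}{
 "target_system_type": acctest.Representation{RepType: acctest.Required, Create: `ADB`, Update: `ADB`},
@@ -159,6 +167,12 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttrSet(resourceName, "id"),
 resource.TestCheckResourceAttrSet(resourceName, "key_id"),
 resource.TestCheckResourceAttr(resourceName, "metadata.%", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.#", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.is_write_forward_enabled", "false"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.#", "1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_key_id"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.0.target_region", "us-phoenix-1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_vault_id"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.is_scheduled_rotation_enabled", "false"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.rotation_interval", "P30D"),
@@ -180,7 +194,7 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.is_secret_content_retrieval_blocked_on_expiry", "false"),
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.rule_type", "SECRET_EXPIRY_RULE"),
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.secret_version_expiry_interval", "P3D"),
-resource.TestCheckResourceAttr(resourceName, "secret_rules.0.time_of_absolute_expiry", deletionTime.Format(time.RFC3339)),
+resource.TestCheckResourceAttr(resourceName, "secret_rules.0.time_of_absolute_expiry", ``),
 resource.TestCheckResourceAttrSet(resourceName, "state"),
 resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 resource.TestCheckResourceAttrSet(resourceName, "vault_id"),
@@ -213,6 +227,12 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttrSet(resourceName, "id"),
 resource.TestCheckResourceAttrSet(resourceName, "key_id"),
 resource.TestCheckResourceAttr(resourceName, "metadata.%", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.#", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.is_write_forward_enabled", "false"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.#", "1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_key_id"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.0.target_region", "us-phoenix-1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_vault_id"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.is_scheduled_rotation_enabled", "false"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.rotation_interval", "P30D"),
@@ -234,7 +254,7 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.is_secret_content_retrieval_blocked_on_expiry", "false"),
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.rule_type", "SECRET_EXPIRY_RULE"),
 resource.TestCheckResourceAttr(resourceName, "secret_rules.0.secret_version_expiry_interval", "P3D"),
-resource.TestCheckResourceAttr(resourceName, "secret_rules.0.time_of_absolute_expiry", deletionTime.Format(time.RFC3339)),
+resource.TestCheckResourceAttr(resourceName, "secret_rules.0.time_of_absolute_expiry", ``),
 resource.TestCheckResourceAttrSet(resourceName, "state"),
 resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 resource.TestCheckResourceAttrSet(resourceName, "vault_id"),
@@ -267,6 +287,12 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttrSet(resourceName, "id"),
 resource.TestCheckResourceAttrSet(resourceName, "key_id"),
 resource.TestCheckResourceAttr(resourceName, "metadata.%", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.#", "1"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.is_write_forward_enabled", "true"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.#", "1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_key_id"),
+resource.TestCheckResourceAttr(resourceName, "replication_config.0.replication_targets.0.target_region", "us-sanjose-1"),
+resource.TestCheckResourceAttrSet(resourceName, "replication_config.0.replication_targets.0.target_vault_id"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.#", "1"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.is_scheduled_rotation_enabled", "false"),
 resource.TestCheckResourceAttr(resourceName, "rotation_config.0.rotation_interval", "P90D"),
@@ -319,7 +345,16 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.freeform_tags.%", "1"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.id"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.is_auto_generation_enabled"),
+resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.is_replica"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.key_id"),
+//resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.last_rotation_time"),
+//resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.next_rotation_time"),
+resource.TestCheckResourceAttr(datasourceName, "secrets.0.replication_config.#", "1"),
+resource.TestCheckResourceAttr(datasourceName, "secrets.0.replication_config.0.is_write_forward_enabled", "true"),
+resource.TestCheckResourceAttr(datasourceName, "secrets.0.replication_config.0.replication_targets.#", "1"),
+resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.replication_config.0.replication_targets.0.target_key_id"),
+resource.TestCheckResourceAttr(datasourceName, "secrets.0.replication_config.0.replication_targets.0.target_region", "us-sanjose-1"),
+resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.replication_config.0.replication_targets.0.target_vault_id"),
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.rotation_config.#", "1"),
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.rotation_config.0.is_scheduled_rotation_enabled", "false"),
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.rotation_config.0.rotation_interval", "P90D"),
@@ -331,6 +366,7 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.secret_generation_context.0.generation_template", "DBAAS_DEFAULT_PASSWORD"),
 resource.TestCheckResourceAttr(datasourceName, "secrets.0.secret_generation_context.0.generation_type", "PASSPHRASE"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.secret_name"),
+resource.TestCheckResourceAttr(datasourceName, "secrets.0.source_region_information.#", "0"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.state"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.time_created"),
 resource.TestCheckResourceAttrSet(datasourceName, "secrets.0.vault_id"),
@@ -356,7 +392,14 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(singularDatasourceName, "freeform_tags.%", "1"),
 resource.TestCheckResourceAttrSet(singularDatasourceName, "id"),
 resource.TestCheckResourceAttrSet(singularDatasourceName, "is_auto_generation_enabled"),
+resource.TestCheckResourceAttrSet(singularDatasourceName, "is_replica"),
+//resource.TestCheckResourceAttrSet(singularDatasourceName, "last_rotation_time"),
 resource.TestCheckResourceAttr(singularDatasourceName, "metadata.%", "1"),
+//resource.TestCheckResourceAttrSet(singularDatasourceName, "next_rotation_time"),
+resource.TestCheckResourceAttr(singularDatasourceName, "replication_config.#", "1"),
+resource.TestCheckResourceAttr(singularDatasourceName, "replication_config.0.is_write_forward_enabled", "true"),
+resource.TestCheckResourceAttr(singularDatasourceName, "replication_config.0.replication_targets.#", "1"),
+resource.TestCheckResourceAttr(singularDatasourceName, "replication_config.0.replication_targets.0.target_region", "us-sanjose-1"),
 resource.TestCheckResourceAttr(singularDatasourceName, "rotation_config.#", "1"),
 resource.TestCheckResourceAttr(singularDatasourceName, "rotation_config.0.is_scheduled_rotation_enabled", "false"),
 resource.TestCheckResourceAttr(singularDatasourceName, "rotation_config.0.rotation_interval", "P90D"),
@@ -370,7 +413,9 @@ func TestVaultSecretResource_basic(t *testing.T) {
 resource.TestCheckResourceAttr(singularDatasourceName, "secret_rules.0.is_enforced_on_deleted_secret_versions", "true"),
 resource.TestCheckResourceAttr(singularDatasourceName, "secret_rules.0.is_secret_content_retrieval_blocked_on_expiry", "false"),
 resource.TestCheckResourceAttr(singularDatasourceName, "secret_rules.0.rule_type", "SECRET_REUSE_RULE"),
-resource.TestCheckResourceAttr(singularDatasourceName, "secret_rules.0.secret_version_expiry_interval", ""),
+//resource.TestCheckResourceAttr(singularDatasourceName, "secret_rules.0.secret_version_expiry_interval", "secretVersionExpiryInterval2"),
+//resource.TestCheckResourceAttrSet(singularDatasourceName, "secret_rules.0.time_of_absolute_expiry"),
+resource.TestCheckResourceAttr(singularDatasourceName, "source_region_information.#", "0"),
 resource.TestCheckResourceAttrSet(singularDatasourceName, "state"),
 resource.TestCheckResourceAttrSet(singularDatasourceName, "time_created"),
 resource.TestCheckResourceAttrSet(singularDatasourceName, "time_of_current_version_expiry"),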
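Review bot: In the `@@ -76,7 +79,12 @@` hunk `time_of_absolute_expiry` is now created with `Create: ``` and the two later `secret_rules.0.time_of_absolute_expiry` checks (hunks at new lines 197 and 257) assert the empty string, so the expiry rule no longer exercises an absolute expiry at all, and dropping `deletionTime`/`time` looks like the consequence rather than the purpose of this commit. If the RFC3339 value was drifting between test steps, a single fixed future timestamp computed once and reused for both the representation and the checks would keep that coverage; otherwise a comment beside `Create: ``` explaining why the attribute is deliberately left empty is needed. The commented-out `last_rotation_time`, `next_rotation_time`, `secret_version_expiry_interval` and `time_of_absolute_expiry` checks in the data-source hunks are dead lines and should either be removed or carry a one-line reason for being disabled. In the import hunk `"testing"` now sits between the project imports; goimports will move it back into the stdlib group, so it is better placed there now. The enclosing `var (` block and `TestVaultSecretResource_basic` both start and end outside these hunks.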

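--- a/internal/service/vault/vault_secret_data_source.go
+++ b/internal/service/vault/vault_secret_data_source.go
@@ -89,6 +89,10 @@ func (s *VaultSecretDataSourceCrud) SetData() error {
 s.D.Set("is_auto_generation_enabled", *s.Res.IsAutoGenerationEnabled)
 }
 
+if s.Res.IsReplica != nil {
+s.D.Set("is_replica", *s.Res.IsReplica)
+}
+
 if s.Res.KeyId != nil {
 s.D.Set("key_id", *s.Res.KeyId)
 }
@@ -107,6 +111,12 @@ func (s *VaultSecretDataSourceCrud) SetData() error {
 s.D.Set("next_rotation_time", s.Res.NextRotationTime.String())
 }
 
+if s.Res.ReplicationConfig != nil {
+s.D.Set("replication_config", []interface{}{ReplicationConfigToMap(s.Res.ReplicationConfig)})
+} else {
+s.D.Set("replication_config", nil)
+}
+
 if s.Res.RotationConfig != nil {
 s.D.Set("rotation_config", []interface{}{RotationConfigToMap(s.Res.RotationConfig)})
 } else {
@@ -135,6 +145,12 @@ func (s *VaultSecretDataSourceCrud) SetData() error {
 }
 s.D.Set("secret_rules", secretRules)
 
+if s.Res.SourceRegionInformation != nil {
+s.D.Set("source_region_information", []interface{}{SourceRegionInformationToMap(s.Res.SourceRegionInformation)})
+} else {
+s.D.Set("source_region_information", nil)
+}
+
 s.D.Set("state", s.Res.LifecycleState)
 
 if s.Res.TimeCreated != nil {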
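Review bot: The new `s.D.Set` calls for `replication_config` and `source_region_information` (second and third hunks) discard the error `Set` returns, matching the surrounding code, but these two are nested blocks whose shape comes from `ReplicationConfigToMap` and `SourceRegionInformationToMap`, which are presumably defined in another file of this commit; a key or type mismatch between those maps and the data-source schema would then pass silently and surface only as a missing attribute in the integration test. For these two it is worth returning the error, e.g. `if err := s.D.Set("replication_config", []interface{}{ReplicationConfigToMap(s.Res.ReplicationConfig)}); err != nil { return err }` and the same for `source_region_information`, since `SetData` already returns `error`. The `is_replica` block in the first hunk has no `else` branch while the two nested-block attributes reset to `nil` when absent; that mirrors how `is_auto_generation_enabled` is handled just above, so it is consistent, but a one-line comment stating that the Terraform value is left untouched when the API omits the field would make the asymmetry deliberate. `SetData` begins and ends outside these hunks.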
