add ssm service type (#1931)

hellertang · web-flow · commit db36b210ca67 · 2023-07-04T18:30:17.000+08:00
* add ssm service type

* add changelog
diff --git a/.changelog/1931.txt b/.changelog/1931.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_ssm_secret: support `service_type` and `additional_config`
+```
diff --git a/tencentcloud/resource_tc_ssm_secret.go b/tencentcloud/resource_tc_ssm_secret.go
@@ -1,10 +1,14 @@
 /*
 Provide a resource to create a SSM secret.
+
 Example Usage
+
+Create user defined secret
+
 ```hcl
 resource "tencentcloud_ssm_secret" "foo" {
   secret_name = "test"
-  description = "test secret"
+  description = "user defined secret"
   recovery_window_in_days = 0
   is_enabled = true
 
@@ -13,7 +17,39 @@ resource "tencentcloud_ssm_secret" "foo" {
   }
 }
 ```
+
+Create redis secret
+
+```hcl
+data "tencentcloud_redis_instances" "instance" {
+  zone = "ap-guangzhou-6"
+}
+
+resource "tencentcloud_ssm_secret" "secret" {
+  secret_name = "for-redis-test"
+  description = "redis secret"
+  is_enabled  = false
+
+  secret_type       = 4
+  additional_config = jsonencode(
+    {
+      "Region" : "ap-guangzhou"
+      "Privilege" : "r",
+      "InstanceId" : data.tencentcloud_redis_instances.instance.instance_list.0.redis_id
+      "ReadonlyPolicy" : ["master"],
+      "Remark" : "for tf test"
+    }
+  )
+  tags = {
+    test-tag = "test"
+  }
+
+  recovery_window_in_days = 0
+}
+```
+
 Import
+
 SSM secret can be imported using the secretName, e.g.
 ```
 $ terraform import tencentcloud_ssm_secret.foo test
@@ -78,6 +114,19 @@ func resourceTencentCloudSsmSecret() *schema.Resource {
 				Computed:    true,
 				Description: "KMS keyId used to encrypt secret. If it is empty, it means that the CMK created by SSM for you by default is used for encryption. You can also specify the KMS CMK created by yourself in the same region for encryption.",
 			},
+			"secret_type": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Computed:    true,
+				Description: "Type of secret. `0`: user-defined secret. `4`: redis secret.",
+			},
+
+			"additional_config": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Additional config for specific secret types in JSON string format.",
+			},
+
 			"status": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -103,9 +152,14 @@ func resourceTencentCloudSsmSecretCreate(d *schema.ResourceData, meta interface{
 	if v, ok := d.GetOk("kms_key_id"); ok {
 		param["kms_key_id"] = v.(string)
 	}
+	if v, ok := d.GetOkExists("secret_type"); ok {
+		param["secret_type"] = v.(int)
+	}
+	if v, ok := d.GetOk("additional_config"); ok {
+		param["additional_config"] = v.(string)
+	}
 	//use a default version info, after create secret will delete this version
 	//because sdk do not support create secret without version
-	param["version_id"] = "default"
 	param["secret_string"] = "default"
 
 	var outErr, inErr error
@@ -122,18 +176,6 @@ func resourceTencentCloudSsmSecretCreate(d *schema.ResourceData, meta interface{
 	}
 	d.SetId(secretName)
 
-	//delete default version info
-	outErr = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
-		inErr = ssmService.DeleteSecretVersion(ctx, secretName, "default")
-		if inErr != nil {
-			return retryError(inErr)
-		}
-		return nil
-	})
-	if outErr != nil {
-		return outErr
-	}
-
 	if isEnabled := d.Get("is_enabled").(bool); !isEnabled {
 		outErr = resource.Retry(writeRetryTimeout, func() *resource.RetryError {
 			inErr = ssmService.DisableSecret(ctx, secretName)
@@ -200,6 +242,8 @@ func resourceTencentCloudSsmSecretRead(d *schema.ResourceData, meta interface{})
 	_ = d.Set("secret_name", secretInfo.secretName)
 	_ = d.Set("description", secretInfo.description)
 	_ = d.Set("kms_key_id", secretInfo.kmsKeyId)
+	_ = d.Set("secret_type", secretInfo.secretType)
+	_ = d.Set("additional_config", secretInfo.additionalConfig)
 	_ = d.Set("status", secretInfo.status)
 
 	if secretInfo.status == SSM_STATUS_ENABLED {
@@ -229,6 +273,17 @@ func resourceTencentCloudSsmSecretUpdate(d *schema.ResourceData, meta interface{
 	d.Partial(true)
 	secretName := d.Id()
 
+	immutableArgs := []string{
+		"secret_type",
+		"additional_config",
+	}
+
+	for _, v := range immutableArgs {
+		if d.HasChange(v) {
+			return fmt.Errorf("argument `%s` cannot be changed", v)
+		}
+	}
+
 	if d.HasChange("description") {
 		description := d.Get("description").(string)
 		err := resource.Retry(writeRetryTimeout, func() *resource.RetryError {
diff --git a/tencentcloud/service_tencentcloud_ssm.go b/tencentcloud/service_tencentcloud_ssm.go
@@ -16,14 +16,16 @@ type SsmService struct {
 }
 
 type SecretInfo struct {
-	secretName  string
-	description string
-	kmsKeyId    string
-	createUin   uint64
-	status      string
-	deleteTime  uint64
-	createTime  uint64
-	resourceId  string
+	secretName       string
+	description      string
+	kmsKeyId         string
+	secretType       int64
+	additionalConfig string
+	createUin        uint64
+	status           string
+	deleteTime       uint64
+	createTime       uint64
+	resourceId       string
 }
 
 type SecretVersionInfo struct {
@@ -101,14 +103,16 @@ func (me *SsmService) DescribeSecretByName(ctx context.Context, secretName strin
 		logId, request.GetAction(), request.ToJsonString(), response.ToJsonString())
 
 	secret = &SecretInfo{
-		secretName:  *response.Response.SecretName,
-		description: *response.Response.Description,
-		kmsKeyId:    *response.Response.KmsKeyId,
-		createUin:   *response.Response.CreateUin,
-		status:      *response.Response.Status,
-		deleteTime:  *response.Response.DeleteTime,
-		createTime:  *response.Response.CreateTime,
-		resourceId:  fmt.Sprintf("creatorUin/%d/%s", *response.Response.CreateUin, *response.Response.SecretName),
+		secretName:       *response.Response.SecretName,
+		description:      *response.Response.Description,
+		kmsKeyId:         *response.Response.KmsKeyId,
+		secretType:       *response.Response.SecretType,
+		additionalConfig: *response.Response.AdditionalConfig,
+		createUin:        *response.Response.CreateUin,
+		status:           *response.Response.Status,
+		deleteTime:       *response.Response.DeleteTime,
+		createTime:       *response.Response.CreateTime,
+		resourceId:       fmt.Sprintf("creatorUin/%d/%s", *response.Response.CreateUin, *response.Response.SecretName),
 	}
 	return
 }
@@ -175,6 +179,12 @@ func (me *SsmService) CreateSecret(ctx context.Context, param map[string]interfa
 		if k == "kms_key_id" {
 			request.KmsKeyId = helper.String(v.(string))
 		}
+		if k == "secret_type" {
+			request.SecretType = helper.IntUint64(v.(int))
+		}
+		if k == "additional_config" {
+			request.AdditionalConfig = helper.String(v.(string))
+		}
 		if k == "secret_binary" {
 			request.SecretBinary = helper.String(v.(string))
 		}
diff --git a/website/docs/r/ssm_secret.html.markdown b/website/docs/r/ssm_secret.html.markdown
@@ -13,10 +13,12 @@ Provide a resource to create a SSM secret.
 
 ## Example Usage
 
+Create user defined secret
+
 ```hcl
 resource "tencentcloud_ssm_secret" "foo" {
   secret_name             = "test"
-  description             = "test secret"
+  description             = "user defined secret"
   recovery_window_in_days = 0
   is_enabled              = true
 
@@ -26,15 +28,47 @@ resource "tencentcloud_ssm_secret" "foo" {
 }
 ```
 
+Create redis secret
+
+```hcl
+data "tencentcloud_redis_instances" "instance" {
+  zone = "ap-guangzhou-6"
+}
+
+resource "tencentcloud_ssm_secret" "secret" {
+  secret_name = "for-redis-test"
+  description = "redis secret"
+  is_enabled  = false
+
+  secret_type = 4
+  additional_config = jsonencode(
+    {
+      "Region" : "ap-guangzhou"
+      "Privilege" : "r",
+      "InstanceId" : data.tencentcloud_redis_instances.instance.instance_list.0.redis_id
+      "ReadonlyPolicy" : ["master"],
+      "Remark" : "for tf test"
+    }
+  )
+  tags = {
+    test-tag = "test"
+  }
+
+  recovery_window_in_days = 0
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
 
 * `secret_name` - (Required, String, ForceNew) Name of secret which cannot be repeated in the same region. The maximum length is 128 bytes. The name can only contain English letters, numbers, underscore and hyphen '-'. The first character must be a letter or number.
+* `additional_config` - (Optional, String) Additional config for specific secret types in JSON string format.
 * `description` - (Optional, String) Description of secret. The maximum is 2048 bytes.
 * `is_enabled` - (Optional, Bool) Specify whether to enable secret. Default value is `true`.
 * `kms_key_id` - (Optional, String, ForceNew) KMS keyId used to encrypt secret. If it is empty, it means that the CMK created by SSM for you by default is used for encryption. You can also specify the KMS CMK created by yourself in the same region for encryption.
 * `recovery_window_in_days` - (Optional, Int) Specify the scheduled deletion date. Default value is `0` that means to delete immediately. 1-30 means the number of days reserved, completely deleted after this date.
+* `secret_type` - (Optional, Int) Type of secret. `0`: user-defined secret. `4`: redis secret.
 * `tags` - (Optional, Map) Tags of secret.
 
 ## Attributes Reference

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+resource/tencentcloud_ssm_secret: support `service_type` and `additional_config`
	`3`	+```