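// Source: github.com/vtorhonen/terraform@v0.9.0-beta2.0.20170307220345-5d894e4ffda7/builtin/providers/vault/resource_generic_secret.go
package vault

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"

	"github.com/hashicorp/terraform/helper/schema"

	"github.com/hashicorp/vault/api"
)

// genericSecretResource returns the schema for the vault_generic_secret
// resource: an arbitrary JSON object written to a single path via Vault's
// logical API.
//
// Security note: data_json IS the secret. It is carried in Terraform's
// state like any other attribute, so the state file must be protected
// accordingly; this schema does not mark it sensitive (whether this
// helper/schema version supports a Sensitive flag is not visible here —
// confirm before relying on plan output to redact it).
func genericSecretResource() *schema.Resource {
	return &schema.Resource{
		Create: genericSecretResourceWrite,
		Update: genericSecretResourceWrite,
		Delete: genericSecretResourceDelete,
		Read:   genericSecretResourceRead,

		Schema: map[string]*schema.Schema{
			// ForceNew: a different path is a different secret, so Terraform
			// replaces the resource rather than updating it in place.
			"path": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				ForceNew:    true,
				Description: "Full path where the generic secret will be written.",
			},

			// Data is passed as JSON so that an arbitrary structure is
			// possible, rather than forcing e.g. all values to be strings.
			// It must decode to a JSON object (see decodeSecretData).
			"data_json": &schema.Schema{
				Type:        schema.TypeString,
				Required:    true,
				Description: "JSON-encoded secret data to write.",
			},
		},
	}
}

// decodeSecretData parses the data_json attribute into the map that
// Vault's logical Write expects.
//
// The raw JSON is deliberately NOT echoed back in the returned error:
// it is secret material, and error text ends up in Terraform's output
// and logs. json's own error messages describe only the position/type of
// the problem, never the document contents.
func decodeSecretData(raw string) (map[string]interface{}, error) {
	var data map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &data); err != nil {
		return nil, fmt.Errorf("data_json syntax error: %s", err)
	}
	// A literal `null` decodes into a nil map without error; Vault needs
	// an object, so reject it here instead of issuing an empty write.
	if data == nil {
		return nil, errors.New("data_json must be a JSON object")
	}
	return data, nil
}

// genericSecretResourceWrite is both the Create and Update function:
// it decodes data_json, writes it to `path` through the Vault client
// supplied as meta, and uses the path as the resource ID. Vault's
// response body is discarded because nothing is read back (see
// genericSecretResourceRead for why).
func genericSecretResourceWrite(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)
	path := d.Get("path").(string)

	data, err := decodeSecretData(d.Get("data_json").(string))
	if err != nil {
		return err
	}

	// Only the path is logged; the payload is secret.
	log.Printf("[DEBUG] Writing generic Vault secret to %s", path)
	if _, err := client.Logical().Write(path, data); err != nil {
		return fmt.Errorf("error writing to Vault: %s", err)
	}

	d.SetId(path)
	return nil
}

// genericSecretResourceDelete removes the secret at the path recorded as
// the resource ID (set by genericSecretResourceWrite).
func genericSecretResourceDelete(d *schema.ResourceData, meta interface{}) error {
	client := meta.(*api.Client)
	path := d.Id()

	log.Printf("[DEBUG] Deleting generic Vault secret from %s", path)
	if _, err := client.Logical().Delete(path); err != nil {
		return fmt.Errorf("error deleting from Vault: %s", err)
	}
	return nil
}

// genericSecretResourceRead is intentionally a no-op.
//
// We don't actually attempt to read back the secret data here, so that
// Terraform can be configured with a token that has only write access
// to the relevant part of the store.
//
// This means that Terraform cannot detect drift for generic secrets
// (including out-of-band deletion of the secret — the resource is never
// removed from state on its own), but detecting drift seems less
// important than being able to limit the effect of exposure of
// Terraform's Vault token.
func genericSecretResourceRead(d *schema.ResourceData, meta interface{}) error {
	log.Printf("[WARN] vault_generic_secret does not automatically refresh")
	return nil
}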