Merge pull request #126 from secrethub/release/v1.3.0

Release v1.3.0

examples/rds.tf

@@ -10,10 +10,6 @@ variable "environment" {
   default = "dev"
 }
 
-locals {
-  secrethub_dir = "company/repo/${var.environment}"
-}
-
 provider "aws" {
   access_key = var.aws_access_key
   secret_key = var.aws_secret_key
@@ -24,8 +20,16 @@ provider "secrethub" {
   credential = file("~/.secrethub/credential")
 }
 
+data "secrethub_dir" "repo" {
+    path = "company/repo"
+}
+
+resource "secrethub_dir" "environment" {
+    path = "${data.secrethub_dir.repo.path}/${var.environment}"
+}
+
 resource "secrethub_secret" "db_password" {
-  path = "${local.secrethub_dir}/db/password"
+  path = "${secrethub_dir.environment.path}/db/password"
 
   generate {
     length      = 22
@@ -34,7 +38,7 @@ resource "secrethub_secret" "db_password" {
 }
 
 resource "secrethub_secret" "db_username" {
-  path  = "${local.secrethub_dir}/db/username"
+  path  = "${secrethub_dir.environment.path}/db/username"
   value = "mysqluser"
 }
 
@@ -48,4 +52,4 @@ resource "aws_db_instance" "default" {
   username             = secrethub_secret.db_username.value
   password             = secrethub_secret.db_password.value
   parameter_group_name = "default.mysql5.7"
-}
+}

go.mod

@@ -3,7 +3,7 @@ module github.com/secrethub/terraform-provider-secrethub
 require (
 	github.com/aws/aws-sdk-go v1.25.49
 	github.com/hashicorp/terraform v0.12.3
-	github.com/secrethub/secrethub-go v0.30.0
+	github.com/secrethub/secrethub-go v0.32.1
 )
 
 go 1.13

go.sum

@@ -351,6 +351,10 @@ github.com/secrethub/secrethub-go v0.29.0 h1:BUM7lcxmjJENNF6pxq13dKPXf4sP6iQKWq7
 github.com/secrethub/secrethub-go v0.29.0/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
 github.com/secrethub/secrethub-go v0.30.0 h1:Nh1twPDwPbYQj/cYc1NG+j7sv76LZiXLPovyV83tZj0=
 github.com/secrethub/secrethub-go v0.30.0/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
+github.com/secrethub/secrethub-go v0.32.0 h1:hypQsdyCpocd8v9xo3lYvP5viOkjDLKx51z62/obKoU=
+github.com/secrethub/secrethub-go v0.32.0/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
+github.com/secrethub/secrethub-go v0.32.1 h1:5Ux44/0Ey6XKpkmzMOtxzx0T85v30k0bADnAGa27eBY=
+github.com/secrethub/secrethub-go v0.32.1/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY=

secrethub/data_source_dir.go

@@ -0,0 +1,32 @@
+package secrethub
+
+import "github.com/hashicorp/terraform/helper/schema"
+
+func dataSourceDir() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceDirRead,
+		Schema: map[string]*schema.Schema{
+			"path": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The path of the directory",
+			},
+		},
+	}
+}
+
+func dataSourceDirRead(d *schema.ResourceData, m interface{}) error {
+	provider := m.(providerMeta)
+	client := *provider.client
+
+	path := d.Get("path").(string)
+
+	_, err := client.Dirs().GetTree(path, 0, false)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(path)
+
+	return nil
+}

secrethub/data_source_dir_test.go

@@ -0,0 +1,51 @@
+package secrethub
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccDataSourceDir(t *testing.T) {
+	cases := map[string]struct {
+		config string
+	}{
+		"repo root directory": {
+			config: fmt.Sprintf(`
+				data "secrethub_dir" "repo" {
+					path = "%v"
+				}
+				`, testAcc.repoPath),
+		},
+		"subdirectory": {
+			config: fmt.Sprintf(`
+				data "secrethub_dir" "repo" {
+					path = "%v"
+				}
+
+				resource "secrethub_dir" "subdir" {
+					path = "${data.secrethub_dir.repo.path}/subdir"
+				}
+
+				data "secrethub_dir" "subdir" {
+					path = secrethub_dir.subdir.path
+				}
+				`, testAcc.repoPath),
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			resource.Test(t, resource.TestCase{
+				Providers: testAccProviders,
+				PreCheck:  testAccPreCheck(t),
+				Steps: []resource.TestStep{
+					{
+						Config: tc.config,
+					},
+				},
+			})
+		})
+	}
+}

secrethub/data_source_secret_test.go

@@ -17,7 +17,7 @@ func TestAccDataSourceSecret_PathUnversioned(t *testing.T) {
 		data "secrethub_secret" "%v" {
 			path = secrethub_secret.%v.path
 		}
-	`, testAcc.secretName, testAcc.path, testAcc.secretName, testAcc.secretName)
+	`, testAcc.secretName, testAcc.secretPath, testAcc.secretName, testAcc.secretName)
 
 	resource.Test(t, resource.TestCase{
 		Providers: testAccProviders,
@@ -29,7 +29,7 @@ func TestAccDataSourceSecret_PathUnversioned(t *testing.T) {
 					resource.TestCheckResourceAttr(
 						fmt.Sprintf("data.secrethub_secret.%v", testAcc.secretName),
 						"path",
-						testAcc.path,
+						testAcc.secretPath,
 					),
 					resource.TestCheckResourceAttr(
 						fmt.Sprintf("data.secrethub_secret.%v", testAcc.secretName),
@@ -52,7 +52,7 @@ func TestAccDataSourceSecret_PathVersioned(t *testing.T) {
 		data "secrethub_secret" "%v" {
 			path = "${secrethub_secret.%v.path}:1"
 		}
-	`, testAcc.secretName, testAcc.path, testAcc.secretName, testAcc.secretName)
+	`, testAcc.secretName, testAcc.secretPath, testAcc.secretName, testAcc.secretName)
 
 	configVersioned := fmt.Sprintf(`
 		resource "secrethub_secret" "%v" {
@@ -63,7 +63,7 @@ func TestAccDataSourceSecret_PathVersioned(t *testing.T) {
 		data "secrethub_secret" "%v" {
 			path = "${secrethub_secret.%v.path}:1"
 		}
-	`, testAcc.secretName, testAcc.path, testAcc.secretName, testAcc.secretName)
+	`, testAcc.secretName, testAcc.secretPath, testAcc.secretName, testAcc.secretName)
 
 	resource.Test(t, resource.TestCase{
 		Providers: testAccProviders,

secrethub/provider.go

@@ -23,19 +23,21 @@ func Provider() terraform.ResourceProvider {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("SECRETHUB_CREDENTIAL_PASSPHRASE", nil),
-				Description: "Passphrase to unlock the authentication passed in `credential`. Can also be sourced from SECRETHUB_CREDENTIAL_PASSPHRASE.",
+				Description: "Passphrase to unlock the credential. Can also be sourced from SECRETHUB_CREDENTIAL_PASSPHRASE.",
 			},
 		},
 		ConfigureFunc: configureProvider,
 		ResourcesMap: map[string]*schema.Resource{
 			"secrethub_secret":      resourceSecret(),
+			"secrethub_dir":         resourceDir(),
 			"secrethub_access_rule": resourceAccessRule(),
 			"secrethub_service":     resourceService(),
 			"secrethub_service_aws": resourceServiceAWS(),
 			"secrethub_service_gcp": resourceServiceGCP(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"secrethub_secret": dataSourceSecret(),
+			"secrethub_dir":    dataSourceDir(),
 		},
 	}
 }
@@ -52,7 +54,14 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 	}
 
 	if credRaw != "" {
-		options = append(options, secrethub.WithCredentials(credentials.UseKey(credentials.FromString(credRaw)).Passphrase(credentials.FromString(passphrase))))
+		keyProvider := credentials.UseKey(credentials.FromString(credRaw))
+		var provider credentials.Provider = keyProvider
+		if passphrase != "" {
+			provider = keyProvider.Passphrase(credentials.FromString(passphrase))
+		}
+		options = append(options, secrethub.WithCredentials(provider))
+	} else if passphrase != "" {
+		options = append(options, secrethub.WithDefaultPassphraseReader(credentials.FromString(passphrase)))
 	}
 
 	client, err := secrethub.NewClient(options...)

secrethub/provider_test.go

@@ -32,7 +32,10 @@ type testAccValues struct {
 	repository        string
 	secretName        string
 	secondAccountName string
-	path              string
+	secretPath        string
+	dirName           string
+	dirPath           string
+	repoPath          string
 	awsRole           string
 	awsKmsKey         string
 	gcpServiceAccount string
@@ -71,13 +74,16 @@ func init() {
 		repository:        os.Getenv(envRepo),
 		secondAccountName: os.Getenv(envSecondAccountName),
 		secretName:        "test_acc_secret",
+		dirName:           "test_acc_dir",
 		awsKmsKey:         os.Getenv(envAWSKMSKey),
 		awsRole:           os.Getenv(envAWSRole),
 		gcpKmsKey:         os.Getenv(envGCPKMSKey),
 		gcpServiceAccount: os.Getenv(envGCPServiceAccount),
 	}
 
-	testAcc.path = secretpath.Join(testAcc.namespace, testAcc.repository, testAcc.secretName)
+	testAcc.repoPath = secretpath.Join(testAcc.namespace, testAcc.repository)
+	testAcc.secretPath = secretpath.Join(testAcc.repoPath, testAcc.secretName)
+	testAcc.dirPath = secretpath.Join(testAcc.repoPath, testAcc.dirName)
 }
 
 func client() *secrethub.Client {

secrethub/resource_dir.go

@@ -0,0 +1,117 @@
+package secrethub
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/secrethub/secrethub-go/internals/api"
+)
+
+func resourceDir() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceDirCreate,
+		Read:   resourceDirRead,
+		Update: resourceDirUpdate,
+		Delete: resourceDirDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceDirImport,
+		},
+		Schema: map[string]*schema.Schema{
+			"path": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "The path of the directory.",
+			},
+			"force_destroy": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Whether to allow deleting this directory if it's not empty. When set to `false`, you'll get an error when trying to delete the directory if it still contains directories or secrets.",
+			},
+		},
+	}
+}
+
+func resourceDirCreate(d *schema.ResourceData, m interface{}) error {
+	provider := m.(providerMeta)
+	client := *provider.client
+
+	path := d.Get("path").(string)
+
+	_, err := client.Dirs().Create(path)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(path)
+
+	return resourceDirRead(d, m)
+}
+
+func resourceDirRead(d *schema.ResourceData, m interface{}) error {
+	provider := m.(providerMeta)
+	client := *provider.client
+
+	path := d.Id()
+
+	_, err := client.Dirs().GetTree(path, 0, true)
+	if api.IsErrNotFound(err) {
+		// The directory was deleted outside of the current Terraform workspace, so invalidate this resource
+		d.SetId("")
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("error fetching directory: %s", err)
+	}
+
+	return nil
+}
+
+func resourceDirUpdate(d *schema.ResourceData, m interface{}) error {
+	return resourceDirRead(d, m)
+}
+
+func resourceDirDelete(d *schema.ResourceData, m interface{}) error {
+	provider := m.(providerMeta)
+	client := *provider.client
+
+	path := d.Id()
+
+	forceDestroy := d.Get("force_destroy").(bool)
+
+	if !forceDestroy {
+		tree, err := client.Dirs().GetTree(path, 1, false)
+		if api.IsErrNotFound(err) {
+			return nil
+		}
+		if err != nil {
+			return err
+		}
+		if len(tree.Dirs) > 1 || len(tree.Secrets) > 0 {
+			return fmt.Errorf("cannot remove directory %s: it is not empty", path)
+		}
+	}
+
+	err := client.Dirs().Delete(path)
+	if api.IsErrNotFound(err) {
+		return nil
+	}
+	return err
+}
+
+func resourceDirImport(d *schema.ResourceData, m interface{}) ([]*schema.ResourceData, error) {
+	path := d.Id()
+
+	err := api.ValidateDirPath(path)
+	if err != nil {
+		return nil, err
+	}
+
+	err = d.Set("path", path)
+	if err != nil {
+		return nil, err
+	}
+
+	return []*schema.ResourceData{d}, nil
+}