
feat: kv-v2 generic secret metadata

Open vfoucault opened this issue 3 years ago • 5 comments

Added support for kv-v2 secret metadata:

  • cas_required

  • custom_metadata

  • delete_version_after

  • max_versions

Though cas_required can be set (via the HTTP API options block), none of the above settings could be set with the regular resources.

It might come in handy to read/write the secret metadata, to set these settings per secret.

usage example:

resource

resource "vault_generic_secret" "foo" {
  path      = "secrets/foo"
  data_json = jsonencode({ "blah" : "diblah" })
}

resource "vault_generic_secret_metadata" "foo" {
  path = vault_generic_secret.foo.path
  custom_metadata = {
    blah = "diblah"
    foo  = "bar"
  }
  cas_required         = true
  delete_version_after = "730h"
  max_versions         = 17
}

data source

data "vault_generic_secret_metadata" "foo" {
  path = "secrets/foo"
}

# A data source is referenced with the "data." prefix, and an output block
# takes a single label.
output "foo_metadata" {
  value = data.vault_generic_secret_metadata.foo
}

output "foo_custom_metadata" {
  value = data.vault_generic_secret_metadata.foo.custom_metadata
}

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Relates to #491 to #1156

Release note for CHANGELOG:

* **New Resource** `vault_generic_secret_metadata`: Configure Vault's KVv2 secret metadata
* **New Data Source** `vault_generic_secret_metadata`: read Vault's KVv2 secret metadata

Output from acceptance testing:

$ ==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./...) -v -run=TestResourceGenericSecretMetadata -run=genericSecretMetadataDataSource -timeout 20m
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/codegen   0.359s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/generated [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode    0.299s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode    0.980s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet    0.899s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role        0.480s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template    0.687s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation      1.177s [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/util      0.264s [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     0.739s [no tests to run]

vfoucault avatar Nov 29 '21 18:11 vfoucault

@benashz @jasonodonnell Hi team, could you review this by any chance? Thanks!

vfoucault avatar Jan 12 '22 10:01 vfoucault

@vfoucault I took a different route via #1311 but I think there is some overlap

harsimranmaan avatar Jan 19 '22 23:01 harsimranmaan

@vfoucault I took a different route via #1311 but I think there is some overlap

Hi there, I haven't gone into the details, but it seems that you are configuring global mount metadata, applying to all secrets, whereas I configure metadata per secret plus custom metadata.

I believe there is no overlap, as metadata could be overwritten. In a scenario where e.g. delete_version_after = 3h is set in the global mount settings, I could set delete_version_after = 20h specifically for a secret.

vfoucault avatar Jan 20 '22 08:01 vfoucault
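As an added illustration of how the four settings from the PR description (cas_required, custom_metadata, delete_version_after, max_versions) interact with the mount-level defaults discussed in the thread, here is a small model written for this page; it is not Vault's or the provider's code. It resolves per-secret metadata against the mount configuration, applies the rule from the KV v2 API docs that a per-secret delete_version_after longer than the mount's is capped at the mount's value, and enforces cas_required on writes; the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ZERO = timedelta(0)  # Vault uses "0s" to mean "unset / never expire"

@dataclass
class MountConfig:          # mount-wide defaults (kv-v2 /config endpoint)
    max_versions: int = 10
    cas_required: bool = False
    delete_version_after: timedelta = ZERO

@dataclass
class SecretMetadata:       # per-secret metadata (kv-v2 /metadata/<path>)
    max_versions: int = 0               # 0 -> fall back to mount value
    cas_required: bool = False          # False -> fall back to mount value
    delete_version_after: timedelta = ZERO
    custom_metadata: dict = field(default_factory=dict)
    versions: dict = field(default_factory=dict)   # version -> (data, deletion_time)
    current_version: int = 0

def effective(mount: MountConfig, meta: SecretMetadata):
    """Resolve the settings that apply to one secret (modelled on the documented rules)."""
    max_versions = meta.max_versions or mount.max_versions
    cas_required = meta.cas_required or mount.cas_required
    # Per the KV v2 API docs, a per-secret TTL longer than the mount's is capped
    # at the mount's value: the shorter non-zero duration wins.
    ttls = [d for d in (mount.delete_version_after, meta.delete_version_after) if d > ZERO]
    return max_versions, cas_required, (min(ttls) if ttls else ZERO)

class CasError(Exception): pass

def write(mount, meta, data, cas=None, now=None):
    """Write a new version, enforcing cas_required, max_versions and delete_version_after."""
    now = now or datetime.now(timezone.utc)
    max_versions, cas_required, ttl = effective(mount, meta)
    if cas_required and cas is None:
        raise CasError("check-and-set parameter required for this call")
    if cas is not None and cas != meta.current_version:
        raise CasError(f"check-and-set parameter did not match the current version ({meta.current_version})")
    meta.current_version += 1
    meta.versions[meta.current_version] = (data, now + ttl if ttl > ZERO else None)
    while len(meta.versions) > max_versions:        # prune oldest versions
        del meta.versions[min(meta.versions)]
    return meta.current_version

def try_write(mount, meta, data, cas=None):
    # Version number on success, otherwise the rejection message (for demos/tests).
    try:
        return write(mount, meta, data, cas)
    except CasError as err:
        return str(err)
```

With cas_required set on the secret, a write that omits the cas parameter is rejected even though the mount does not require CAS, and a secret-level 20h TTL under a 3h mount TTL resolves to 3h.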

CLA assistant check
All committers have signed the CLA.

hashicorp-cla avatar Mar 12 '22 17:03 hashicorp-cla

Would really like to see this merged!

johnalotoski avatar Jul 14 '22 21:07 johnalotoski

I'm interested in this feature; any idea of a date when this could be merged?

s-vitaliy avatar Oct 21 '22 11:10 s-vitaliy

Hi @vfoucault, thanks for contributing this PR and apologies for the delay! In v3.7.0 of the TF Vault Provider we added dedicated KV V1 and V2 secret engine resources/datasources which support the latest individual V1 and V2 APIs respectively and which supersede the vault_generic_secret resource. Going forward, there will be no new feature updates to the legacy vault_generic_secret resource.

With that said, we do recognize a gap in our feature set with the demand for a KV V2 secret metadata resource. A PR for the resource is currently being tracked in #1687, and the code is compatible with the newer dedicated KV V2 Engine support. The feature is slated to be released as part of the v3.12.0 milestone. We're going to close this PR for now and move forward with the updated implementation, but please feel free to open another issue if you face any problems with the upcoming metadata resource feature. Thanks once again for bringing this to our attention!

vinay-gopalan avatar Dec 05 '22 23:12 vinay-gopalan