terraform-provider-vault
Add support to manage items within a generic secret
Description
This PR adds support for the vault_generic_secret_item resource.
This new feature aims to enhance the existing vault_generic_secret resource in the terraform-provider-vault by allowing granular management of key/value items within a Vault generic secret (KV). Currently, this resource enables management at the whole secret level, meaning the entire secret is created or destroyed as a single unit. This enhancement provides the ability to create, update, and delete individual key/value pairs within a secret, offering more precise control over secrets management.
Users can now update specific key/value pairs within an existing secret without affecting other items. This is particularly useful in scenarios where multiple applications or services share a secret, and individual updates need to be isolated.
With the ability to manage keys within a secret, users can avoid destroying the entire secret when running terraform destroy on specific key/value pairs. By isolating key/value updates, the risk of accidental data loss or exposure due to the complete deletion of secrets is minimized. The feature also introduces a more efficient way of managing secrets, as users no longer need to recreate entire JSON structures for minor updates.
Use Cases
- Managing configuration secrets shared among various microservices in a dynamic application environment.
- Facilitating compliance and security requirements by ensuring that secrets are consistently managed and never inadvertently deleted.
- Enabling iterative development practices by allowing incremental secret updates without reconfiguration of dependent services.
Checklist
- [x] Added CHANGELOG entry (only for user-facing changes)
- [x] Acceptance tests were run against all supported Vault Versions
Output from acceptance testing:
$ make testacc TESTARGS='-run="(TestDataSourceGenericSecretItem|TestResourceGenericSecretItem)"'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run="(TestDataSourceGenericSecretItem|TestResourceGenericSecretItem)" -timeout 30m ./...
? github.com/hashicorp/terraform-provider-vault [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/coverage [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/generate [no test files]
? github.com/hashicorp/terraform-provider-vault/helper [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/consts [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/identity/group [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/identity/mfa [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/pki [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/sync [no test files]
? github.com/hashicorp/terraform-provider-vault/schema [no test files]
ok github.com/hashicorp/terraform-provider-vault/codegen 0.882s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/internal/identity/entity 1.019s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/internal/provider 2.173s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/testutil 2.655s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/util 3.223s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/util/mountutil 1.291s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/vault 33.111s
Community Note
- Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
- Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request
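The item-level behaviour the PR describes (create, update or delete one key/value pair, with the rest of the secret left untouched) comes down to a read-modify-write of the whole secret, since the generic secret API only replaces a path wholesale. The example below is an added illustration of that logic, not code from this PR or from terraform-provider-vault: it assumes a constructed in-memory stand-in for a KV mount (`kvStore`) instead of the Vault API client, and the names `UpsertItem` and `DeleteItem` are hypothetical. It also covers the edge cases a practitioner would check: the first item creating the secret, destroy of a missing item being a no-op, and removal of the last key, where an empty write would be rejected by a KV v1 mount.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// kvStore is a constructed, in-memory stand-in for a Vault KV mount: one flat
// map of string data per path, replaced wholesale on Write, like the generic
// secret API. It is not the Vault API client.
type kvStore struct {
	mu      sync.Mutex
	secrets map[string]map[string]string
}

func newKVStore() *kvStore {
	return &kvStore{secrets: make(map[string]map[string]string)}
}

// read returns a copy so callers never alias store state (lock held by caller).
func (s *kvStore) read(path string) (map[string]string, bool) {
	src, ok := s.secrets[path]
	if !ok {
		return nil, false
	}
	out := make(map[string]string, len(src))
	for k, v := range src {
		out[k] = v
	}
	return out, true
}

// write replaces the whole secret; an empty payload is rejected, as KV v1 does.
func (s *kvStore) write(path string, data map[string]string) error {
	if len(data) == 0 {
		return errors.New("no data provided")
	}
	cp := make(map[string]string, len(data))
	for k, v := range data {
		cp[k] = v
	}
	s.secrets[path] = cp
	return nil
}

// Read, Write and Delete are the whole-secret operations vault_generic_secret
// maps to: Delete removes every key at the path in one go.
func (s *kvStore) Read(path string) (map[string]string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.read(path)
}

func (s *kvStore) Write(path string, data map[string]string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.write(path, data)
}

func (s *kvStore) Delete(path string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.secrets, path)
}

// UpsertItem is the item-level create/update: read the whole secret, change
// one key, write everything back. The lock is held across the read-modify-write
// so two item writers in this process cannot clobber each other; against a real
// KV v2 mount the equivalent guard is check-and-set (cas) with the read version.
func UpsertItem(s *kvStore, path, key, value string) error {
	if key == "" {
		return errors.New("item key must not be empty")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	data, ok := s.read(path)
	if !ok {
		data = map[string]string{} // first item creates the secret
	}
	data[key] = value
	return s.write(path, data)
}

// DeleteItem is the item-level destroy: drop only this key and write the rest
// back, so the other items survive. A key that is already gone is a no-op,
// keeping destroy idempotent. Assumption: removing the last key deletes the
// path, because writing an empty map back is rejected.
func DeleteItem(s *kvStore, path, key string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	data, ok := s.read(path)
	if !ok {
		return nil
	}
	if _, present := data[key]; !present {
		return nil
	}
	delete(data, key)
	if len(data) == 0 {
		delete(s.secrets, path)
		return nil
	}
	return s.write(path, data)
}

func main() {
	s := newKVStore()
	_ = s.Write("secret/shared", map[string]string{"db_password": "p1", "api_key": "k1"})
	_ = UpsertItem(s, "secret/shared", "api_key", "k2")
	_ = DeleteItem(s, "secret/shared", "db_password")
	data, _ := s.Read("secret/shared")
	fmt.Println(data) // map[api_key:k2]
}
```

The point to keep in mind when several item resources target one path is the lost-update window between the read and the write: the in-process lock above only serializes writers in one Terraform run, so concurrent runs or other clients need Vault-side check-and-set on a KV v2 mount to get the same guarantee.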
Hi there @kaerimichi - please feel free to tag me directly when you feel this is ready for review! I'll get direct notifications when you do. Thank you!
@heatherezell It's now ready for review! Please let me know if this addition makes sense... Thanks in advance
@heatherezell do you have a plan if and when this PR will be merged?
Is it a good feature for you? If not, why not?
We need the proposed solution and are currently considering using @kaerimichi's fork for now.
Thanks for checking in! Our engineering and product teams will be taking this under consideration. I can't guarantee a timeline, as it's a net-new feature, but we hear that folks want it included. :)
stevendpclark I see you're pretty active in this repo 😅
Would you mind taking a closer look here to see if this is an interesting feature to have (or maybe redirect this request to someone that could evaluate)?
Thanks in advance!
Hello! We're still working on that for you. Let me check with the product owners again. Thanks!
Thanks @heatherezell, I appreciate it. 😃
Hey @heatherezell! Any news on this? 😄
Hi there! Thanks for checking in. I know our product and engineering teams are working on this feature request. I can't make guarantees about when it'll make it in - or which method will be used for implementing it - but I will continue to advocate for this, because it's a very popular request!