29 support all provider attributes in .tf files

CHANGELOG.md

@@ -5,10 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
-### Fixed
-- Each brew recipe binary now includes the provider version [#47](https://github.com/cyberark/terraform-provider-conjur/issues/47)
-- Updated output binary file names to include version suffix so that the
-  version command returns the correct version [#30](https://github.com/cyberark/terraform-provider-conjur/issues/30)
+### Added
+- You can now specify `account`, `appliance_url`, `ssl_cert`, and `ssl_cert_path` values
+  directly in the `.tf` provider config [#29](https://github.com/cyberark/terraform-provider-conjur/issues/29)
 
 ## [0.3.1] - 2020-04-20
 ### Fixed

README.md

@@ -102,14 +102,15 @@ For more details, see the "Authentication" section
 
 ### Provider configuration
 
-#### Using environment variables
-
 The provider uses [conjur-api-go](https://github.com/cyberark/conjur-api-go) to load its
-configuration. `conjur-api-go` can be configured using environment variables:
+configuration. `conjur-api-go` can be configured using environment variables or using the
+provider configuration in the `.tf` file.
+
+#### Using environment variables
 
 ```sh-session
-export CONJUR_APPLIANCE_URL="https://localhost:8443"
-export CONJUR_ACCOUNT="quick-start"
+export CONJUR_APPLIANCE_URL="https://conjur-server"
+export CONJUR_ACCOUNT="myorg"
 export CONJUR_AUTHN_LOGIN="admin"
 export CONJUR_AUTHN_API_KEY="3ahcddy39rcxzh3ggac4cwk3j2r8pqwdg33059y835ys2rh2kzs2a"
 export CONJUR_CERT_FILE="/etc/conjur.pem"
@@ -128,17 +129,37 @@ In addition, the provider can be configured using attributes in the
 configuration. Attributes specified in `main.tf` override the configuration loaded by
 `conjur-api-go`.
 
-For example, if the environment is initialized as above, this configuration would
-authenticate as `terraform-user` instead of `admin`:
+For example, with `conjur_api_key` and `conjur_ssl_cert`defined as
+[input variables](https://www.terraform.io/docs/configuration/variables.html), this
+type of configuration could be used:
 
 ```
 # main.tf
+variable "conjur_api_key" {}
+variable "conjur_ssl_cert" {}
+# If you have the certificate as a file, use this line instead
+# variable "conjur_ssl_cert_path" {}
+
 provider "conjur" {
-  login = "terraform-user"
-  api_key = "x0dwqc3jrqkye3xhn7k62rw31c6216ewfe1wv71291jrqm4j15b3dg9"
+  appliance_url = "http://conjur-server"
+  ssl_cert = var.conjur_ssl_cert
+  # If you have the certificate as a file, use this line instead
+  # ssl_cert_path = var.conjur_ssl_cert_path
+
+  account = "myorg"
+
+  login = "admin"
+  api_key = var.conjur_api_key
 }
 ```
 
+**Notes on precedence of configuration variable setting:**
+
+- If both the environment variable **and** `.tf` configuration are present for a
+  configuration setting, the `.tf` configuration takes precedence and the environment
+  variable will be ignored.
+- If the `.tf` configuration does not include **both** `login` and `api_key`, then
+  environment variables will be used for these values instead.
 
 ### Fetch secrets
 

bin/test

@@ -3,12 +3,17 @@ set -eo pipefail
 
 TARGET="${1:-oss}"  # can also be set to 'enterprise'
 
-export CONJUR_ACCOUNT='myaccount'
 export CONJUR_DATA_KEY='iFra75qdvsLENSV+qXYFMkv7KJS3t+82Po4mmjZLxZc='
 
+CONJUR_ACCOUNT='myaccount'
 CONJUR_AUTHN_PASSWORD='SEcret12!!!!'
+
 LOCAL_SECRET_FILE='test/dbpass'
 
+# These variables are set after configuring conjur
+api_key=""
+ssl_cert=""
+
 function finish() {
   if [[ -z "$KEEP_CONTAINERS" ]]; then
     echo "> Terminating local Conjur environment"
@@ -27,7 +32,11 @@ function main() {
 
   launchConjur
   configureConjur
-  runTerraform
+
+  runTerraformWithProviderVars
+  validateResults
+
+  runTerraformWithEnvVars
   validateResults
 }
 
@@ -57,8 +66,10 @@ function loadUtils() {
 function launchConjur() {
   echo "> Launching local Conjur environment"
 
+  echo ">> Pulling images (this may take a long time)"
   dockerCompose pull -q
 
+  echo ">> Starting Conjur/DAP server"
   dockerCompose up -d conjur-server
 
   echo ">> Creating account '$CONJUR_ACCOUNT'"
@@ -79,65 +90,111 @@ function launchConjur() {
   conjurExec $CONJUR_WAIT_COMMAND
 }
 
+function unexportConjurVars() {
+  export -n CONJUR_APPLIANCE_URL
+  export -n CONJUR_SSL_CERTIFICATE
+  export -n CONJUR_ACCOUNT
+  export -n CONJUR_AUTHN_LOGIN
+  export -n CONJUR_AUTHN_API_KEY
+}
+
 function configureConjur() {
   echo "> Configuring local Conjur environment"
 
+  export CONJUR_APPLIANCE_URL=https://conjur-server
+  export CONJUR_ACCOUNT="$CONJUR_ACCOUNT"
   export CONJUR_AUTHN_LOGIN="admin"
 
-  export CONJUR_APPLIANCE_URL=http://conjur-server
   if [[ "$TARGET" == "enterprise" ]]; then
-    export CONJUR_APPLIANCE_URL=https://conjur-server
-    export CONJUR_SSL_CERTIFICATE="$(conjurExec cat /opt/conjur/etc/ssl/conjur.pem)"
+    ssl_cert=$(conjurExec cat /opt/conjur/etc/ssl/conjur.pem)
+  else
+    ssl_cert=$(cat "test/https_config/ca.crt")
   fi
+  export CONJUR_SSL_CERTIFICATE="$ssl_cert"
 
   if [[ "$TARGET" == "oss" ]]; then
-    export CONJUR_AUTHN_API_KEY=$(conjurExec conjurctl role retrieve-key \
+    api_key=$(conjurExec conjurctl role retrieve-key \
       "$CONJUR_ACCOUNT:user:admin" | tr -d '\r')
+    export CONJUR_AUTHN_API_KEY="$api_key"
   fi
 
-  echo ">> Applying policies"
+  echo ">> Starting CLI"
   dockerCompose up -d client
 
   if [[ "$TARGET" == "enterprise" ]]; then
     echo ">> Logging in CLI to the server"
     clientExec conjur authn login -u admin -p "$CONJUR_AUTHN_PASSWORD"
-    export CONJUR_AUTHN_API_KEY=$(clientExec conjur user rotate_api_key)
+    api_key=$(clientExec conjur user rotate_api_key)
+    export CONJUR_AUTHN_API_KEY="$api_key"
   fi
 
   echo ">> Applying policies"
+
   # Policy files are mounted in docker-compose
   clientExec conjur policy load --replace root /test/policy.root.yml
   clientExec conjur policy load terraform-example /test/policy.example.yml
   clientExec conjur list
   clientExec conjur variable values add terraform-example/dbpass SECRETXcLhn23MJcimV
+
+  unexportConjurVars
 }
 
 function runTerraform() {
-  echo "> Planning and applying main.tf Terraform manifest"
+  target_dir=$1
+
+  echo ">> Planning and applying '$target_dir/main.tf' Terraform manifest"
 
-  export CONJUR_APPLIANCE_URL=http://conjur-server
-  export CONJUR_ACCOUNT="$CONJUR_ACCOUNT"
-  export CONJUR_AUTHN_LOGIN="admin"
   export TF_LOG=INFO
 
-  if [[ "$TARGET" == "enterprise" ]]; then
-    export CONJUR_APPLIANCE_URL=https://conjur-server
-    export CONJUR_SSL_CERTIFICATE="$(conjurExec cat /opt/conjur/etc/ssl/conjur.pem)"
-  fi
+  rm -f "$LOCAL_SECRET_FILE"
 
   dockerCompose up -d terraform
 
   terraformRun <<EOF
-    terraform init test/
-    terraform plan test/
-    terraform apply -auto-approve test/
+    terraform init $target_dir/
+    terraform plan $target_dir/
+    terraform apply -auto-approve $target_dir/
 EOF
+
+  docker-compose rm --force \
+    --stop \
+    -v \
+    terraform
+}
+
+function runTerraformWithProviderVars() {
+  echo "> Testing provider with tf-included vars"
+
+  unexportConjurVars
+
+  export TF_VAR_conjur_api_key="$api_key"
+  export TF_VAR_conjur_ssl_cert="$ssl_cert"
+
+  runTerraform "test/provider_vars"
+
+  export -n TF_VAR_conjur_api_key
+}
+
+function runTerraformWithEnvVars() {
+  echo "> Planning and applying env_vars/main.tf Terraform manifest"
+
+  unexportConjurVars
+
+  export CONJUR_APPLIANCE_URL=https://conjur-server
+  export CONJUR_SSL_CERTIFICATE="$ssl_cert"
+  export CONJUR_ACCOUNT="$CONJUR_ACCOUNT"
+  export CONJUR_AUTHN_LOGIN="admin"
+  export CONJUR_AUTHN_API_KEY="$api_key"
+
+  runTerraform "test/env_vars"
 }
 
 function validateResults() {
   local expectedValue="SECRETXcLhn23MJcimV"
   local actualValue=$(cat $LOCAL_SECRET_FILE)
 
+  rm -f "$LOCAL_SECRET_FILE"
+
   if [[ "$expectedValue" == "$actualValue" ]]; then
     echo "Secret succesfully retrieved!"
   else

bin/utils.sh

@@ -7,7 +7,11 @@ function dockerCompose() {
 }
 
 function conjurExec() {
-  dockerCompose exec -T conjur-server "$@"
+  if [[ "$TARGET" == "oss" ]]; then
+    dockerCompose exec -T conjur "$@"
+  else
+    dockerCompose exec -T conjur-server "$@"
+  fi
 }
 
 function clientExec() {

conjur/provider.go

@@ -61,6 +61,28 @@ func providerConfig(d *schema.ResourceData) (interface{}, error) {
 		return nil, err
 	}
 
+	// If server info has been specified in the schema, use it. Otherwise,
+	// assume the environment has everything needed.
+	appliance_url := d.Get("appliance_url").(string)
+	if appliance_url != "" {
+		config.ApplianceURL = appliance_url
+	}
+
+	account := d.Get("account").(string)
+	if account != "" {
+		config.Account = account
+	}
+
+	ssl_cert := d.Get("ssl_cert").(string)
+	if ssl_cert != "" {
+		config.SSLCert = ssl_cert
+	}
+
+	ssl_cert_path := d.Get("ssl_cert_path").(string)
+	if ssl_cert_path != "" {
+		config.SSLCertPath = ssl_cert_path
+	}
+
 	// If creds have been specified in the schema, use them. Otherwise,
 	// assume the environment has everything needed.
 	login := d.Get("login").(string)

docker-compose.oss.yml

@@ -10,7 +10,7 @@ services:
       timeout: 5s
       retries: 5
 
-  conjur-server:
+  conjur:
     image: cyberark/conjur:latest
     command: server
     environment:
@@ -20,3 +20,15 @@ services:
     ports:
       - "80"
 
+  conjur-server:
+    image: nginx:alpine
+    ports:
+      - 443
+    volumes:
+      - ./test/https_config/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./test/https_config/conjur.conf:/etc/nginx/sites-enabled/conjur.conf:ro
+      - ./test/https_config/dhparams.pem:/etc/nginx/dhparams.pem:ro
+      - ./test/https_config/conjur.crt:/cert/tls.crt:ro
+      - ./test/https_config/conjur.key:/cert/tls.key:ro
+      - ./test/https_config/ca.crt:/ca/tls.crt:ro
+    depends_on: [ conjur ]

docker-compose.yml

@@ -26,6 +26,8 @@ services:
       CONJUR_AUTHN_API_KEY:
       CONJUR_SSL_CERTIFICATE:
       TF_LOG: "${TF_LOG:-INFO}"
+      TF_VAR_conjur_api_key:
+      TF_VAR_conjur_ssl_cert:
     working_dir: /src
     volumes:
       - $PWD:/src

test/main.tf → test/env_vars/main.tf

@@ -1,10 +1,5 @@
 provider "conjur" {
-  # appliance_url = "http://localhost:8080"
-  # account = "quick-start"
-  # login = "test"
-  # api_key = "test"
-  # ssl_cert = "-----BEGIN CERTIFICATE-----..."
-  # ssl_cert_path = "/etc/conjur.pem"
+  # All variables for this tests are passed in through env vars
 }
 
 data "conjur_secret" "dbpass" {
@@ -18,5 +13,6 @@ output "dbpass-to-output" {
 
 resource "local_file" "dbpass-to-file" {
   content = data.conjur_secret.dbpass.value
-  filename = "${path.module}/dbpass"
+  filename = "${path.module}/../dbpass"
+  file_permission = "0664"
 }

test/https_config/README.md

@@ -0,0 +1,10 @@
+To regenerate certificates, use [this](https://github.com/conjurdemos/dap-intro/tree/master/tools/simple-certificates)
+tool:
+```sh-session
+$ ./generate_certificates 1 conjur-server
+```
+
+Copy the following:
+- `certificates/ca-chain.cert.pem` -> `ca.crt`
+- `certificates/nodes/conjur-server.mycompany.local/conjur-server.mycompany.local.cert.pem` -> `conjur.crt`
+- `certificates/nodes/conjur-server.mycompany.local/conjur-server.mycompany.local.key.pem` -> `conjur.key`