merge main

cyralinc · Jun 12, 2024 · 84dc008 · 84dc008
2 parents b02c3af + b1b6c73
commit 84dc008
Show file tree

Hide file tree

Showing 12 changed files with 301 additions and 142 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,66 @@
+## 4.11.0 (June 6, 2024)
+
+It is safe to use this version with all `v4` control planes as long
+as the new incompatible features are not used. These features require
+a minimum version of the control plane and are detailed below.
+
+The minimum control plane version required for full compatibility
+with all the features in this release is `v4.14`.
+
+Argument incompatible with control planes previous to `v4.14`:
+
+- `cyral_repository_user_account.auth_scheme.azure_key_vault`
+
+Argument incompatible with control planes previous to `v4.12`:
+
+- `cyral_repository.mongodb_settings.flavor`
+
+Resource incompatible with control planes previous to `v4.12`:
+
+- `cyral_access_token_settings`
+
+Data source incompatible with control planes previous to `v4.12`:
+
+- `cyral_access_token_settings`
+
+Arguments incompatible with control planes previous to `v4.10`:
+
+- `cyral_integration_logging.skip_validate`
+
+Resource incompatible with control planes previous to `v4.10`:
+
+- `cyral_integration_aws_iam`
+
+Data sources incompatible with control planes previous to `v4.10`:
+
+- `cyral_sidecar_health`
+- `cyral_sidecar_instance_stats`
+- `cyral_system_info`
+
+Arguments incompatible with control planes previous to `v4.8`:
+
+- `cyral_sidecar.activity_log_integration_id`
+- `cyral_sidecar.diagnostic_log_integration_id`
+
+Resource incompatible with control planes previous to `v4.7`:
+
+- `cyral_integration_logging`
+
+Argument incompatible with control planes previous to `v4.2`:
+
+- `cyral_repository.mongodb_settings.srv_record_name`
+
+See the list of incompatible resources with control planes `v3.x` and provider `v3.x` in the [`v4.0.0`](#400-january-27-2023) release documentation.
+
+### Documentation:
+
+- Improve examples for resources policy and policy_rules ([#545](https://github.com/cyralinc/terraform-provider-cyral/pull/545))
+
+### Improvements:
+
+- ENG-14083: Add Azure Key Vault user account auth scheme ([#542](https://github.com/cyralinc/terraform-provider-cyral/pull/542))
+- Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 ([#544](https://github.com/cyralinc/terraform-provider-cyral/pull/544))
+
 ## 4.10.1 (May 31, 2024)
 
 It is safe to use this version with all `v4` control planes as long

diff --git a/cyral/internal/repository/useraccount/model.go b/cyral/internal/repository/useraccount/model.go
@@ -16,6 +16,7 @@ type AuthScheme struct {
 	EnvironmentVariable *AuthSchemeEnvironmentVariable `json:"environmentVariable"`
 	KubernetesSecret    *AuthSchemeKubernetesSecret    `json:"kubernetesSecret"`
 	GCPSecretManager    *AuthSchemeGCPSecretManager    `json:"gcpSecretManager"`
+	AzureKeyVault       *AuthSchemeAzureKeyVault       `json:"azureKeyVault"`
 }
 
 type AuthSchemeAWSIAM struct {
@@ -48,6 +49,10 @@ type AuthSchemeGCPSecretManager struct {
 	SecretName string `json:"secretName,omitempty"`
 }
 
+type AuthSchemeAzureKeyVault struct {
+	SecretURL string `json:"secretUrl,omitempty"`
+}
+
 type ApprovalConfig struct {
 	AutomaticGrant            bool   `json:"automaticGrant,omitempty"`
 	MaxAutomaticGrantDuration string `json:"maxAutomaticGrantDuration,omitempty"`
@@ -158,6 +163,16 @@ func (resource *UserAccountResource) WriteToSchema(d *schema.ResourceData) error
 				},
 			},
 		}
+	case resource.AuthScheme.AzureKeyVault != nil:
+		authScheme = []interface{}{
+			map[string]interface{}{
+				"azure_key_vault": []interface{}{
+					map[string]interface{}{
+						"secret_url": resource.AuthScheme.AzureKeyVault.SecretURL,
+					},
+				},
+			},
+		}
 	case resource.AuthScheme.HashicorpVault != nil:
 		authScheme = []interface{}{
 			map[string]interface{}{
@@ -279,6 +294,12 @@ func (userAccount *UserAccountResource) ReadFromSchema(d *schema.ResourceData) e
 					SecretName: m["secret_name"].(string),
 				},
 			}
+		case "azure_key_vault":
+			userAccount.AuthScheme = &AuthScheme{
+				AzureKeyVault: &AuthSchemeAzureKeyVault{
+					SecretURL: m["secret_url"].(string),
+				},
+			}
 		default:
 			return fmt.Errorf("unexpected auth_scheme [%s]", k)
 		}

diff --git a/cyral/internal/repository/useraccount/resource.go b/cyral/internal/repository/useraccount/resource.go
@@ -21,6 +21,7 @@ var allAuthSchemes = []string{
 	"environment_variable",
 	"kubernetes_secret",
 	"gcp_secrets_manager",
+	"azure_key_vault",
 }
 
 var urlFactory = func(d *schema.ResourceData, c *client.Client) string {
@@ -317,6 +318,24 @@ func resourceSchema() *schema.Resource {
 								},
 							},
 						},
+
+						"azure_key_vault": {
+							Description: "Credential option to set the repository user account from " +
+								"Azure Key Vault.",
+							Optional:     true,
+							Type:         schema.TypeSet,
+							ExactlyOneOf: authSchemeTypesFullScopes,
+							MaxItems:     1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"secret_url": {
+										Description: "The URL of the secret in the Azure Key Vault.",
+										Type:        schema.TypeString,
+										Required:    true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},

diff --git a/cyral/internal/repository/useraccount/resource_test.go b/cyral/internal/repository/useraccount/resource_test.go
@@ -151,6 +151,14 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 			},
 		},
 	}
+	azureKeyVault := useraccount.UserAccountResource{
+		Name: "azure-useracc",
+		AuthScheme: &useraccount.AuthScheme{
+			AzureKeyVault: &useraccount.AuthSchemeAzureKeyVault{
+				SecretURL: "https://vaultName.vault.azure.net/secrets/secretName",
+			},
+		},
+	}
 	awsIAMTest := setupRepositoryUserAccountTest(
 		"aws_iam_test", awsIAM)
 	awsSecretsManagerTest := setupRepositoryUserAccountTest(
@@ -165,6 +173,8 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 		"kubernetes_secret_test", kubernetesSecret)
 	gcpSecretManagerTest := setupRepositoryUserAccountTest(
 		"gcp_secret_manager_test", gcpSecretManager)
+	azureKeyVaultTest := setupRepositoryUserAccountTest(
+		"azure_key_vault_test", azureKeyVault)
 
 	// Test with multiple user accounts
 	userAccount1ResName := "multiple_accounts_test_1"
@@ -216,6 +226,7 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 			environmentVariableTest,
 			kubernetesSecretTest,
 			gcpSecretManagerTest,
+			azureKeyVaultTest,
 
 			// Test with multiple user accounts
 			multipleAccountsTest,
@@ -307,6 +318,11 @@ func setupRepositoryUserAccountCheck(resName string, userAccount useraccount.Use
 			resource.TestCheckResourceAttr(resFullName,
 				authSchemeScope+"gcp_secrets_manager.0.secret_name",
 				authScheme.GCPSecretManager.SecretName))
+	case authScheme.AzureKeyVault != nil:
+		checkFuncs = append(checkFuncs,
+			resource.TestCheckResourceAttr(resFullName,
+				authSchemeScope+"azure_key_vault.0.secret_url",
+				authScheme.AzureKeyVault.SecretURL))
 	case authScheme.HashicorpVault != nil:
 		checkFuncs = append(checkFuncs, []resource.TestCheckFunc{
 			resource.TestCheckResourceAttr(resFullName,
@@ -360,6 +376,11 @@ func setupRepositoryUserAccountConfig(resName string, userAccount useraccount.Us
 			gcp_secrets_manager {
 				secret_name = "%s"
 			}`, authScheme.GCPSecretManager.SecretName)
+	case authScheme.AzureKeyVault != nil:
+		authSchemeStr = fmt.Sprintf(`
+			azure_key_vault {
+				secret_url = "%s"
+			}`, authScheme.AzureKeyVault.SecretURL)
 	case authScheme.HashicorpVault != nil:
 		authSchemeStr = fmt.Sprintf(`
 			hashicorp_vault {

diff --git a/docs/resources/policy.md b/docs/resources/policy.md
@@ -13,13 +13,12 @@ Manages [policies](https://cyral.com/docs/reference/policy). See also: [Policy R
 ## Example Usage
 
 ```terraform
-resource "cyral_policy" "some_resource_name" {
-  name = ""
-  description = ""
+resource "cyral_policy" "this" {
+  name = "My first policy"
+  description = "This is my first policy"
   enabled = true
-  data = [""]
-  data_label_tags = [""]
-  tags = [""]
+  data = ["EMAIL"]
+  metadata_tags = ["Risk Level 1"]
 }
 ```
 

diff --git a/docs/resources/policy_rule.md b/docs/resources/policy_rule.md
@@ -9,51 +9,31 @@ Manages [policy rules](https://cyral.com/docs/reference/policy/#rules). See also
 ## Example Usage
 
 ```terraform
-resource "cyral_policy_rule" "some_resource_name" {
-    policy_id = ""
-    hosts = [""]
-    identities {
-        db_roles = [""]
-        groups = [""]
-        services = [""]
-        users = [""]
-    }
-    deletes {
-        additional_checks = ""
-        data = [""]
-        dataset_rewrites {
-            dataset = ""
-            repo = ""
-            substitution = ""
-            parameters = [""]
-        }
-        rows = 1
-        severity = "low"
-    }
-    reads {
-        additional_checks = ""
-        data = [""]
-        dataset_rewrites {
-            dataset = ""
-            repo = ""
-            substitution = ""
-            parameters = [""]
-        }
-        rows = 1
-        severity = "low"
-    }
-    updates {
-        additional_checks = ""
-        data = [""]
-        dataset_rewrites {
-            dataset = ""
-            repo = ""
-            substitution = ""
-            parameters = [""]
-        }
-        rows = 1
-        severity = "low"
-    }
+# An example of a policy and a policy rule with a rego policy
+# in `additional_checks`.
+resource "cyral_policy" "this" {
+  name = "My first policy"
+  description = "This is my first policy"
+  enabled = true
+  data = ["EMAIL"]
+  metadata_tags = ["Risk Level 1"]
+}
+
+resource "cyral_policy_rule" "this" {
+  policy_id = cyral_policy.this.id
+  deletes {
+    additional_checks = <<EOT
+is_valid_request {
+  filter := request.filters[_]
+  filter.field == "entity.user.is_real"
+  filter.op == "="
+  filter.value == false
+}
+EOT
+    data = ["EMAIL"]
+    rows = -1
+    severity = "low"
+  }
 }
 ```
 

diff --git a/docs/resources/repository_user_account.md b/docs/resources/repository_user_account.md
@@ -69,6 +69,18 @@ resource "cyral_repository_user_account" "gcp_secrets" {
   }
 }
 
+# cyral_repository_user_account with auth scheme azure_key_vault will be created
+resource "cyral_repository_user_account" "azure_key_vault" {
+  name          = "hbf_azure_key_vault"
+  repository_id = cyral_repository.tf_test_repo.id
+
+  auth_scheme {
+    azure_key_vault {
+      secret_url = "https://vaultName.vault.azure.net/secrets/secretName"
+    }
+  }
+}
+
 # cyral_repository_user_account with auth scheme hashicorp will be created
 resource "cyral_repository_user_account" "hashicorp" {
   name          = "hbf_hashicorp"
@@ -109,7 +121,8 @@ resource "cyral_repository_user_account" "kubernetes" {
     -   `hashicorp_vault`
     -   `environment_variable`
     -   `kubernetes_secret`
-    -   `gcp_secrets_manager` (see [below for nested schema](#nestedblock--auth_scheme))
+    -   `gcp_secrets_manager`
+    -   `azure_key_vault` (see [below for nested schema](#nestedblock--auth_scheme))
 -   `name` (String) The name of the User Account.
 -   `repository_id` (String) ID of the repository.
 
@@ -131,6 +144,7 @@ Optional:
 
 -   `aws_iam` (Block Set, Max: 1) Credential option to set the repository user account from AWS IAM. (see [below for nested schema](#nestedblock--auth_scheme--aws_iam))
 -   `aws_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from AWS Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--aws_secrets_manager))
+-   `azure_key_vault` (Block Set, Max: 1) Credential option to set the repository user account from Azure Key Vault. (see [below for nested schema](#nestedblock--auth_scheme--azure_key_vault))
 -   `cyral_storage` (Block Set, Max: 1) Credential option to set the repository user account from Cyral Storage. (see [below for nested schema](#nestedblock--auth_scheme--cyral_storage))
 -   `environment_variable` (Block Set, Max: 1) Credential option to set the repository user account from Environment Variable. (see [below for nested schema](#nestedblock--auth_scheme--environment_variable))
 -   `gcp_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from GCP Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--gcp_secrets_manager))
@@ -153,6 +167,14 @@ Required:
 
 -   `secret_arn` (String) The AWS Secrets Manager secretARN to gain access to the database.
 
+<a id="nestedblock--auth_scheme--azure_key_vault"></a>
+
+### Nested Schema for `auth_scheme.azure_key_vault`
+
+Required:
+
+-   `secret_url` (String) The URL of the secret in the Azure Key Vault.
+
 <a id="nestedblock--auth_scheme--cyral_storage"></a>
 
 ### Nested Schema for `auth_scheme.cyral_storage`

diff --git a/examples/resources/cyral_policy/resource.tf b/examples/resources/cyral_policy/resource.tf
@@ -1,8 +1,7 @@
-resource "cyral_policy" "some_resource_name" {
-  name = ""
-  description = ""
+resource "cyral_policy" "this" {
+  name = "My first policy"
+  description = "This is my first policy"
   enabled = true
-  data = [""]
-  data_label_tags = [""]
-  tags = [""]
+  data = ["EMAIL"]
+  metadata_tags = ["Risk Level 1"]
 }