ENG-14083: Add Azure Key Vault user account auth scheme #542

Merged
merged 5 commits into from
Jun 5, 2024
Merged
21 changes: 21 additions & 0 deletions cyral/internal/repository/useraccount/model.go
Expand Up @@ -16,6 +16,7 @@ type AuthScheme struct {
EnvironmentVariable *AuthSchemeEnvironmentVariable `json:"environmentVariable"`
KubernetesSecret *AuthSchemeKubernetesSecret `json:"kubernetesSecret"`
GCPSecretManager *AuthSchemeGCPSecretManager `json:"gcpSecretManager"`
AzureKeyVault *AuthSchemeAzureKeyVault `json:"azureKeyVault"`
}

type AuthSchemeAWSIAM struct {
Expand Down Expand Up @@ -48,6 +49,10 @@ type AuthSchemeGCPSecretManager struct {
SecretName string `json:"secretName,omitempty"`
}

type AuthSchemeAzureKeyVault struct {
SecretURL string `json:"secretUrl,omitempty"`
}

type ApprovalConfig struct {
AutomaticGrant bool `json:"automaticGrant,omitempty"`
MaxAutomaticGrantDuration string `json:"maxAutomaticGrantDuration,omitempty"`
Expand Down Expand Up @@ -158,6 +163,16 @@ func (resource *UserAccountResource) WriteToSchema(d *schema.ResourceData) error
},
},
}
case resource.AuthScheme.AzureKeyVault != nil:
authScheme = []interface{}{
map[string]interface{}{
"azure_key_vault": []interface{}{
map[string]interface{}{
"secret_url": resource.AuthScheme.AzureKeyVault.SecretURL,
},
},
},
}
case resource.AuthScheme.HashicorpVault != nil:
authScheme = []interface{}{
map[string]interface{}{
Expand Down Expand Up @@ -279,6 +294,12 @@ func (userAccount *UserAccountResource) ReadFromSchema(d *schema.ResourceData) e
SecretName: m["secret_name"].(string),
},
}
case "azure_key_vault":
userAccount.AuthScheme = &AuthScheme{
AzureKeyVault: &AuthSchemeAzureKeyVault{
SecretURL: m["secret_url"].(string),
},
}
default:
return fmt.Errorf("unexpected auth_scheme [%s]", k)
}
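Review bot: The exported `AuthSchemeAzureKeyVault` type in the second hunk has no doc comment, and nothing in the model says that `SecretURL` is only a reference to where the secret lives rather than the secret value itself, which is the first thing a reader checks when deciding whether a field needs sensitive handling. A one-line comment such as `// AuthSchemeAzureKeyVault references a repository credential by the URL of its secret in Azure Key Vault; it holds the URL only, not the secret value.` would settle that. The `ReadFromSchema` case in the last hunk asserts `m["secret_url"].(string)` unchecked, in line with the sibling cases; that is safe only because the schema marks `secret_url` as Required, which is worth noting in a comment above the switch if it is not already. Both WriteToSchema and ReadFromSchema start and end outside their hunks.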
19 changes: 19 additions & 0 deletions cyral/internal/repository/useraccount/resource.go
Expand Up @@ -21,6 +21,7 @@ var allAuthSchemes = []string{
"environment_variable",
"kubernetes_secret",
"gcp_secrets_manager",
"azure_key_vault",
}

var urlFactory = func(d *schema.ResourceData, c *client.Client) string {
Expand Down Expand Up @@ -317,6 +318,24 @@ func resourceSchema() *schema.Resource {
},
},
},

"azure_key_vault": {
Description: "Credential option to set the repository user account from " +
"Azure Key Vault.",
Optional: true,
Type: schema.TypeSet,
ExactlyOneOf: authSchemeTypesFullScopes,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"secret_url": {
Description: "The URL of the secret in the Azure Key Vault.",
Type: schema.TypeString,
Required: true,
},
},
},
},
},
},
},
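Review bot: The new `secret_url` attribute accepts any string and is forwarded to the API as-is, so an `http://` scheme or a mistyped host is only caught after the apply round-trip, although a Key Vault secret reference is always an https URL. If the file already imports the SDK's `helper/validation` package, adding `ValidateFunc: validation.IsURLWithHTTPS,` to the `secret_url` schema entry rejects malformed or non-https values at plan time; if it does not, a small custom `ValidateFunc` that parses the value with `url.Parse` and requires an `https` scheme does the same. The description should also show the expected shape, e.g. `Description: "The URL of the secret in the Azure Key Vault, in the form https://vaultName.vault.azure.net/secrets/secretName.",`. resourceSchema starts and ends outside the hunk.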
21 changes: 21 additions & 0 deletions cyral/internal/repository/useraccount/resource_test.go
Expand Up @@ -151,6 +151,14 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
},
},
}
azureKeyVault := useraccount.UserAccountResource{
Name: "azure-useracc",
AuthScheme: &useraccount.AuthScheme{
AzureKeyVault: &useraccount.AuthSchemeAzureKeyVault{
SecretURL: "https://vaultName.vault.azure.net/secrets/secretName",
},
},
}
awsIAMTest := setupRepositoryUserAccountTest(
"aws_iam_test", awsIAM)
awsSecretsManagerTest := setupRepositoryUserAccountTest(
Expand All @@ -165,6 +173,8 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
"kubernetes_secret_test", kubernetesSecret)
gcpSecretManagerTest := setupRepositoryUserAccountTest(
"gcp_secret_manager_test", gcpSecretManager)
azureKeyVaultTest := setupRepositoryUserAccountTest(
"azure_key_vault_test", azureKeyVault)

// Test with multiple user accounts
userAccount1ResName := "multiple_accounts_test_1"
Expand Down Expand Up @@ -216,6 +226,7 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
environmentVariableTest,
kubernetesSecretTest,
gcpSecretManagerTest,
azureKeyVaultTest,

// Test with multiple user accounts
multipleAccountsTest,
Expand Down Expand Up @@ -307,6 +318,11 @@ func setupRepositoryUserAccountCheck(resName string, userAccount useraccount.Use
resource.TestCheckResourceAttr(resFullName,
authSchemeScope+"gcp_secrets_manager.0.secret_name",
authScheme.GCPSecretManager.SecretName))
case authScheme.AzureKeyVault != nil:
checkFuncs = append(checkFuncs,
resource.TestCheckResourceAttr(resFullName,
authSchemeScope+"azure_key_vault.0.secret_url",
authScheme.AzureKeyVault.SecretURL))
case authScheme.HashicorpVault != nil:
checkFuncs = append(checkFuncs, []resource.TestCheckFunc{
resource.TestCheckResourceAttr(resFullName,
Expand Down Expand Up @@ -360,6 +376,11 @@ func setupRepositoryUserAccountConfig(resName string, userAccount useraccount.Us
gcp_secrets_manager {
secret_name = "%s"
}`, authScheme.GCPSecretManager.SecretName)
case authScheme.AzureKeyVault != nil:
authSchemeStr = fmt.Sprintf(`
azure_key_vault {
secret_url = "%s"
}`, authScheme.AzureKeyVault.SecretURL)
case authScheme.HashicorpVault != nil:
authSchemeStr = fmt.Sprintf(`
hashicorp_vault {
24 changes: 23 additions & 1 deletion docs/resources/repository_user_account.md
Expand Up @@ -69,6 +69,18 @@ resource "cyral_repository_user_account" "gcp_secrets" {
}
}

# cyral_repository_user_account with auth scheme azure_key_vault will be created
resource "cyral_repository_user_account" "azure_key_vault" {
name = "hbf_azure_key_vault"
repository_id = cyral_repository.tf_test_repo.id

auth_scheme {
azure_key_vault {
secret_url = "https://vaultName.vault.azure.net/secrets/secretName"
}
}
}

# cyral_repository_user_account with auth scheme hashicorp will be created
resource "cyral_repository_user_account" "hashicorp" {
name = "hbf_hashicorp"
Expand Down Expand Up @@ -109,7 +121,8 @@ resource "cyral_repository_user_account" "kubernetes" {
- `hashicorp_vault`
- `environment_variable`
- `kubernetes_secret`
- `gcp_secrets_manager` (see [below for nested schema](#nestedblock--auth_scheme))
- `gcp_secrets_manager`
- `azure_key_vault` (see [below for nested schema](#nestedblock--auth_scheme))
- `name` (String) The name of the User Account.
- `repository_id` (String) ID of the repository.

Expand All @@ -131,6 +144,7 @@ Optional:

- `aws_iam` (Block Set, Max: 1) Credential option to set the repository user account from AWS IAM. (see [below for nested schema](#nestedblock--auth_scheme--aws_iam))
- `aws_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from AWS Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--aws_secrets_manager))
- `azure_key_vault` (Block Set, Max: 1) Credential option to set the repository user account from Azure Key Vault. (see [below for nested schema](#nestedblock--auth_scheme--azure_key_vault))
- `cyral_storage` (Block Set, Max: 1) Credential option to set the repository user account from Cyral Storage. (see [below for nested schema](#nestedblock--auth_scheme--cyral_storage))
- `environment_variable` (Block Set, Max: 1) Credential option to set the repository user account from Environment Variable. (see [below for nested schema](#nestedblock--auth_scheme--environment_variable))
- `gcp_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from GCP Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--gcp_secrets_manager))
Expand All @@ -153,6 +167,14 @@ Required:

- `secret_arn` (String) The AWS Secrets Manager secretARN to gain access to the database.

<a id="nestedblock--auth_scheme--azure_key_vault"></a>

### Nested Schema for `auth_scheme.azure_key_vault`

Required:

- `secret_url` (String) The URL of the secret in the Azure Key Vault.

<a id="nestedblock--auth_scheme--cyral_storage"></a>

### Nested Schema for `auth_scheme.cyral_storage`
12 changes: 12 additions & 0 deletions examples/resources/cyral_repository_user_account/resource.tf
Expand Up @@ -58,6 +58,18 @@ resource "cyral_repository_user_account" "gcp_secrets" {
}
}

# cyral_repository_user_account with auth scheme azure_key_vault will be created
resource "cyral_repository_user_account" "azure_key_vault" {
name = "hbf_azure_key_vault"
repository_id = cyral_repository.tf_test_repo.id

auth_scheme {
azure_key_vault {
secret_url = "https://vaultName.vault.azure.net/secrets/secretName"
}
}
}

# cyral_repository_user_account with auth scheme hashicorp will be created
resource "cyral_repository_user_account" "hashicorp" {
name = "hbf_hashicorp"