Add AZURE_KEYVAULT backend for databricks_secret_scope for Azure CLI authenticated environments (#381)

* Add AKV backend for databricks_secret_scope
* Implements issue #369
* minor changes

Co-authored-by: Serge Smertin <[email protected]>

Author: nfx

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## 0.2.8
 
+* Added [Azure Key Vault support](https://github.com/databrickslabs/terraform-provider-databricks/pull/381) for databricks_secret_scope for Azure CLI authenticated users
 * Added support for pinning clusters (issue #113)
 * Internal: API for retrieval of the cluster events
 

access/acceptance/secret_scope_test.go

@@ -11,13 +11,57 @@ import (
 
 	"github.com/databrickslabs/databricks-terraform/common"
 	"github.com/databrickslabs/databricks-terraform/internal/acceptance"
+	"github.com/databrickslabs/databricks-terraform/internal/qa"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+func TestAccRemoveScopes(t *testing.T) {
+	if _, ok := os.LookupEnv("VSCODE_PID"); !ok {
+		t.Skip("Cleaning up tests only from IDE")
+	}
+	client := common.CommonEnvironmentClient()
+	scopesAPI := NewSecretScopesAPI(client)
+	scopeList, err := scopesAPI.List()
+	require.NoError(t, err)
+	for _, scope := range scopeList {
+		assert.NoError(t, scopesAPI.Delete(scope.Name))
+	}
+}
+
+func TestAzureAccKeyVaultSimple(t *testing.T) {
+	resourceID := qa.GetEnvOrSkipTest(t, "TEST_KEY_VAULT_RESOURCE_ID")
+	DNSName := qa.GetEnvOrSkipTest(t, "TEST_KEY_VAULT_DNS_NAME")
+
+	client := common.CommonEnvironmentClient()
+	if client.AzureAuth.IsClientSecretSet() {
+		t.Skip("AKV scopes don't work for SP auth yet")
+	}
+	scopesAPI := NewSecretScopesAPI(client)
+	name := qa.RandomName("tf-scope-")
+
+	err := scopesAPI.Create(SecretScope{
+		Name: name,
+		KeyvaultMetadata: &KeyvaultMetadata{
+			ResourceID: resourceID,
+			DNSName:    DNSName,
+		},
+	})
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, scopesAPI.Delete(name))
+	}()
+
+	scope, err := scopesAPI.Read(name)
+	require.NoError(t, err)
+	require.Equal(t, "AZURE_KEYVAULT", scope.BackendType)
+	assert.Equal(t, resourceID, scope.KeyvaultMetadata.ResourceID)
+	assert.Equal(t, DNSName, scope.KeyvaultMetadata.DNSName)
+}
+
 func TestAccInitialManagePrincipals(t *testing.T) {
 	if _, ok := os.LookupEnv("CLOUD_ENV"); !ok {
 		t.Skip("Acceptance tests skipped unless env 'CLOUD_ENV' is set")
@@ -26,7 +70,7 @@ func TestAccInitialManagePrincipals(t *testing.T) {
 	scopesAPI := NewSecretScopesAPI(client)
 
 	scope := fmt.Sprintf("tf-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
-	err := scopesAPI.Create(scope, "")
+	err := scopesAPI.Create(SecretScope{Name: scope})
 	require.NoError(t, err)
 	defer func() {
 		assert.NoError(t, scopesAPI.Delete(scope))
@@ -51,7 +95,10 @@ func TestAccInitialManagePrincipalsGroup(t *testing.T) {
 	scopesAPI := NewSecretScopesAPI(client)
 
 	scope := fmt.Sprintf("tf-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
-	err := scopesAPI.Create(scope, "users")
+	err := scopesAPI.Create(SecretScope{
+		Name:                   scope,
+		InitialManagePrincipal: "users",
+	})
 	require.NoError(t, err)
 	defer func() {
 		assert.NoError(t, scopesAPI.Delete(scope))
@@ -69,9 +116,7 @@ func TestAccSecretScopeResource(t *testing.T) {
 		t.Skip("Acceptance tests skipped unless env 'CLOUD_ENV' is set")
 	}
 	var secretScope SecretScope
-
-	scope := fmt.Sprintf("tf-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
-
+	scope := qa.RandomName("tf-")
 	acceptance.AccTest(t, resource.TestCase{
 		CheckDestroy: testSecretScopeResourceDestroy,
 		Steps: []resource.TestStep{
@@ -86,7 +131,7 @@ func TestAccSecretScopeResource(t *testing.T) {
 					testSecretScopeValues(t, &secretScope, scope),
 					// verify local values
 					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "name", scope),
-					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "backend_type", string(ScopeBackendTypeDatabricks)),
+					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "backend_type", "DATABRICKS"),
 					acceptance.ResourceCheck("databricks_secret_scope.my_scope",
 						func(client *common.DatabricksClient, id string) error {
 							secretACLAPI := NewSecretAclsAPI(client)
@@ -118,7 +163,7 @@ func TestAccSecretScopeResource(t *testing.T) {
 					testSecretScopeValues(t, &secretScope, scope),
 					// verify local values
 					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "name", scope),
-					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "backend_type", string(ScopeBackendTypeDatabricks)),
+					resource.TestCheckResourceAttr("databricks_secret_scope.my_scope", "backend_type", "DATABRICKS"),
 				),
 			},
 		},
@@ -143,7 +188,7 @@ func testSecretScopeResourceDestroy(s *terraform.State) error {
 func testSecretScopeValues(t *testing.T, secretScope *SecretScope, scope string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		assert.True(t, secretScope.Name == scope)
-		assert.True(t, secretScope.BackendType == ScopeBackendTypeDatabricks)
+		assert.True(t, secretScope.BackendType == "DATABRICKS")
 		return nil
 	}
 }
@@ -168,7 +213,6 @@ func testSecretScopeResourceExists(n string, secretScope *SecretScope, t *testin
 		// If no error, assign the response Widget attribute to the widget pointer
 		*secretScope = resp
 		return nil
-		//return fmt.Errorf("Token (%s) not found", rs.Primary.ID)
 	}
 }
 

access/resource_secret.go

@@ -10,25 +10,6 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
-// ScopeBackendType is a custom type for the backend type for secret scopes
-type ScopeBackendType string
-
-// List of constants of ScopeBackendType
-const (
-	ScopeBackendTypeDatabricks ScopeBackendType = "DATABRICKS"
-)
-
-// SecretScopeList holds list of secret scopes
-type SecretScopeList struct {
-	Scopes []SecretScope `json:"scopes,omitempty"`
-}
-
-// SecretScope is a struct that encapsulates the secret scope
-type SecretScope struct {
-	Name        string           `json:"name,omitempty"`
-	BackendType ScopeBackendType `json:"backend_type,omitempty"`
-}
-
 // SecretsRequest ...
 type SecretsRequest struct {
 	StringValue string `json:"string_value,omitempty" mask:"true"`

access/resource_secret_acl_test.go

@@ -25,7 +25,10 @@ func TestSecretsScopesAclsIntegration(t *testing.T) {
 	// TODO: on random group
 	testPrincipal := "users"
 
-	err := NewSecretScopesAPI(client).Create(testScope, initialManagePrincipal)
+	err := NewSecretScopesAPI(client).Create(SecretScope{
+		Name:                   testScope,
+		InitialManagePrincipal: initialManagePrincipal,
+	})
 	assert.NoError(t, err, err)
 
 	defer func() {

access/resource_secret_scope.go

@@ -1,44 +1,85 @@
 package access
 
 import (
+	"context"
 	"fmt"
-	"log"
 	"net/http"
 
 	"github.com/databrickslabs/databricks-terraform/common"
+	"github.com/databrickslabs/databricks-terraform/internal"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
 // NewSecretScopesAPI creates SecretScopesAPI instance from provider meta
 func NewSecretScopesAPI(m interface{}) SecretScopesAPI {
-	return SecretScopesAPI{C: m.(*common.DatabricksClient)}
+	return SecretScopesAPI{client: m.(*common.DatabricksClient)}
 }
 
 // SecretScopesAPI exposes the Secret Scopes API
 type SecretScopesAPI struct {
-	C *common.DatabricksClient
+	client *common.DatabricksClient
+}
+
+// SecretScopeList holds list of secret scopes
+type SecretScopeList struct {
+	Scopes []SecretScope `json:"scopes,omitempty"`
+}
+
+// SecretScope is a struct that encapsulates the secret scope
+type SecretScope struct {
+	Name                   string            `json:"name"`
+	BackendType            string            `json:"backend_type,omitempty" tf:"computed"`
+	InitialManagePrincipal string            `json:"initial_manage_principal,omitempty"`
+	KeyvaultMetadata       *KeyvaultMetadata `json:"keyvault_metadata,omitempty"`
+}
+
+// KeyvaultMetadata Azure Key Vault metadata wrapper
+type KeyvaultMetadata struct {
+	// /subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/my-azure-kv
+	ResourceID string `json:"resource_id"`
+	// https://my-azure-kv.vault.azure.net/
+	DNSName string `json:"dns_name"`
+}
+
+type secretScopeRequest struct {
+	Scope                  string            `json:"scope,omitempty"`
+	BackendType            string            `json:"scope_backend_type,omitempty"`
+	InitialManagePrincipal string            `json:"initial_manage_principal,omitempty"`
+	BackendAzureKeyvault   *KeyvaultMetadata `json:"backend_azure_keyvault,omitempty"`
 }
 
 // Create creates a new secret scope
-func (a SecretScopesAPI) Create(scope string, initialManagePrincipal string) error {
-	req := map[string]string{"scope": scope}
-	if initialManagePrincipal != "" {
-		req["initial_manage_principal"] = initialManagePrincipal
+func (a SecretScopesAPI) Create(s SecretScope) error {
+	req := secretScopeRequest{
+		Scope:                  s.Name,
+		InitialManagePrincipal: s.InitialManagePrincipal,
+		BackendType:            "DATABRICKS",
 	}
-	return a.C.Post("/secrets/scopes/create", req, nil)
+	if s.KeyvaultMetadata != nil {
+		if !a.client.IsAzure() {
+			return fmt.Errorf("Azure KeyVault is not available")
+		}
+		if a.client.AzureAuth.IsClientSecretSet() {
+			return fmt.Errorf("Azure KeyVault cannot yet be configured for Service Principal authorization")
+		}
+		req.BackendType = "AZURE_KEYVAULT"
+		req.BackendAzureKeyvault = s.KeyvaultMetadata
+	}
+	return a.client.Post("/secrets/scopes/create", req, nil)
 }
 
 // Delete deletes a secret scope
 func (a SecretScopesAPI) Delete(scope string) error {
-	return a.C.Post("/secrets/scopes/delete", map[string]string{
+	return a.client.Post("/secrets/scopes/delete", map[string]string{
 		"scope": scope,
 	}, nil)
 }
 
 // List lists all secret scopes available in the workspace
 func (a SecretScopesAPI) List() ([]SecretScope, error) {
 	var listSecretScopesResponse SecretScopeList
-	err := a.C.Get("/secrets/scopes/list", nil, &listSecretScopesResponse)
+	err := a.client.Get("/secrets/scopes/list", nil, &listSecretScopesResponse)
 	return listSecretScopesResponse.Scopes, err
 }
 
@@ -62,69 +103,56 @@ func (a SecretScopesAPI) Read(scopeName string) (SecretScope, error) {
 	}
 }
 
+// ResourceSecretScope manages secret scopes
 func ResourceSecretScope() *schema.Resource {
+	s := internal.StructToSchema(SecretScope{}, func(s map[string]*schema.Schema) map[string]*schema.Schema {
+		// TODO: CustomDiffFunc for initial_manage_principal & importing
+		s["name"].ForceNew = true
+		s["initial_manage_principal"].ForceNew = true
+		s["keyvault_metadata"].ForceNew = true
+		return s
+	})
+	readContext := func(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+		scope, err := NewSecretScopesAPI(m).Read(d.Id())
+		if e, ok := err.(common.APIError); ok && e.IsMissing() {
+			d.SetId("")
+			return nil
+		}
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = internal.StructToData(scope, s, d)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		return nil
+	}
 	return &schema.Resource{
-		Create: resourceSecretScopeCreate,
-		Read:   resourceSecretScopeRead,
-		Delete: resourceSecretScopeDelete,
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
-		Schema: map[string]*schema.Schema{
-			"name": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
-			},
-			"initial_manage_principal": {
-				Type:     schema.TypeString,
-				Optional: true,
-				ForceNew: true,
-			},
-			"backend_type": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
+		CreateContext: func(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+			var scope SecretScope
+			err := internal.DataToStructPointer(d, s, &scope)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			err = NewSecretScopesAPI(m).Create(scope)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			d.SetId(scope.Name)
+			return readContext(ctx, d, m)
 		},
-	}
-}
-
-func resourceSecretScopeCreate(d *schema.ResourceData, m interface{}) error {
-	client := m.(*common.DatabricksClient)
-	scopeName := d.Get("name").(string)
-	initialManagePrincipal := d.Get("initial_manage_principal").(string)
-	err := NewSecretScopesAPI(client).Create(scopeName, initialManagePrincipal)
-	if err != nil {
-		return err
-	}
-	d.SetId(scopeName)
-	return resourceSecretScopeRead(d, m)
-}
-
-func resourceSecretScopeRead(d *schema.ResourceData, m interface{}) error {
-	client := m.(*common.DatabricksClient)
-	id := d.Id()
-	scope, err := NewSecretScopesAPI(client).Read(id)
-	if err != nil {
-		if e, ok := err.(common.APIError); ok && e.IsMissing() {
-			log.Printf("[INFO] missing resource due to error: %v\n", e)
-			d.SetId("")
+		DeleteContext: func(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+			err := NewSecretScopesAPI(m).Delete(d.Id())
+			if err != nil {
+				return diag.FromErr(err)
+			}
 			return nil
-		}
-		return err
-	}
-	d.SetId(scope.Name)
-	err = d.Set("name", scope.Name)
-	if err != nil {
-		return err
+		},
+		ReadContext:   readContext,
+		SchemaVersion: 2,
+		Schema:        s,
 	}
-	err = d.Set("backend_type", scope.BackendType)
-	return err
-}
-
-func resourceSecretScopeDelete(d *schema.ResourceData, m interface{}) error {
-	client := m.(*common.DatabricksClient)
-	id := d.Id()
-	err := NewSecretScopesAPI(client).Delete(id)
-	return err
 }