Add binary_data attribute to kubernetes_secret (#1228)

* Add binary_data attribute to kubernetes_secret

* Make data a computed field

Author: jrhouston

kubernetes/resource_kubernetes_secret.go

@@ -29,8 +29,15 @@ func resourceKubernetesSecret() *schema.Resource {
 				Type:        schema.TypeMap,
 				Description: "A map of the secret data.",
 				Optional:    true,
+				Computed:    true,
 				Sensitive:   true,
 			},
+			"binary_data": {
+				Type:        schema.TypeMap,
+				Optional:    true,
+				Sensitive:   true,
+				Description: "A map of the secret data in base64 encoding. Use this for binary data.",
+			},
 			"type": {
 				Type:        schema.TypeString,
 				Description: "Type of secret",
@@ -51,7 +58,23 @@ func resourceKubernetesSecretCreate(ctx context.Context, d *schema.ResourceData,
 	metadata := expandMetadata(d.Get("metadata").([]interface{}))
 	secret := api.Secret{
 		ObjectMeta: metadata,
-		Data:       expandStringMapToByteMap(d.Get("data").(map[string]interface{})),
+	}
+
+	if v, ok := d.GetOk("data"); ok {
+		m := map[string]string{}
+		for k, v := range v.(map[string]interface{}) {
+			vv := v.(string)
+			m[k] = vv
+		}
+		secret.StringData = m
+	}
+
+	if v, ok := d.GetOk("binary_data"); ok {
+		m, err := base64DecodeStringMap(v.(map[string]interface{}))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		secret.Data = m
 	}
 
 	if v, ok := d.GetOk("type"); ok {
@@ -101,9 +124,21 @@ func resourceKubernetesSecretRead(ctx context.Context, d *schema.ResourceData, m
 		return diag.FromErr(err)
 	}
 
+	binaryDataKeys := []string{}
+	if v, ok := d.GetOk("binary_data"); ok {
+		binaryData := map[string][]byte{}
+		for k := range v.(map[string]interface{}) {
+			binaryData[k] = secret.Data[k]
+			binaryDataKeys = append(binaryDataKeys, k)
+		}
+		d.Set("binary_data", base64EncodeByteMap(binaryData))
+	}
+
+	for _, k := range binaryDataKeys {
+		delete(secret.Data, k)
+	}
 	d.Set("data", flattenByteMapToStringMap(secret.Data))
 	d.Set("type", secret.Type)
-
 	return nil
 }
 
@@ -119,17 +154,35 @@ func resourceKubernetesSecretUpdate(ctx context.Context, d *schema.ResourceData,
 	}
 
 	ops := patchMetadata("metadata.0.", "/metadata/", d)
-	if d.HasChange("data") {
-		oldV, newV := d.GetChange("data")
 
-		oldV = base64EncodeStringMap(oldV.(map[string]interface{}))
-		newV = base64EncodeStringMap(newV.(map[string]interface{}))
-
-		diffOps := diffStringMap("/data/", oldV.(map[string]interface{}), newV.(map[string]interface{}))
-
-		ops = append(ops, diffOps...)
+	newData := map[string]interface{}{}
+	if d.HasChange("data") {
+		_, new := d.GetChange("data")
+		new = base64EncodeStringMap(new.(map[string]interface{}))
+		for k, v := range new.(map[string]interface{}) {
+			newData[k] = v
+		}
+	} else if v, ok := d.GetOk("data"); ok {
+		for k, vv := range base64EncodeStringMap(v.(map[string]interface{})) {
+			newData[k] = vv
+		}
+	}
+	if d.HasChange("binary_data") {
+		_, new := d.GetChange("binary_data")
+		for k, v := range new.(map[string]interface{}) {
+			newData[k] = v
+		}
+	} else if v, ok := d.GetOk("binary_data"); ok {
+		for k, vv := range v.(map[string]interface{}) {
+			newData[k] = vv
+		}
 	}
 
+	ops = append(ops, &AddOperation{
+		Path:  "/data",
+		Value: newData,
+	})
+
 	data, err := ops.MarshalJSON()
 	if err != nil {
 		return diag.Errorf("Failed to marshal update operations: %s", err)

kubernetes/resource_kubernetes_secret_test.go

@@ -194,38 +194,41 @@ func TestAccKubernetesSecret_generatedName(t *testing.T) {
 	})
 }
 
-// Disabled - this test loads binary data from a file and passes it through configuration
-//            which is no longer supported in TF 0.12.
-//            Instead, the resource attribute should be adapted to transport base64 encoded
-//            data and decode it when constructing the API object for client-go.
-//
-// func TestAccKubernetesSecret_binaryData(t *testing.T) {
-//   var conf api.Secret
-//   prefix := "tf-acc-test-gen-"
-//
-//   resource.Test(t, resource.TestCase{
-//     PreCheck:      func() { testAccPreCheck(t) },
-//     IDRefreshName: "kubernetes_secret.test",
-//     ProviderFactories: testAccProviderFactories,
-//     CheckDestroy:  testAccCheckKubernetesSecretDestroy,
-//     Steps: []resource.TestStep{
-//       {
-//         Config: testAccKubernetesSecretConfig_binaryData(prefix),
-//         Check: resource.ComposeAggregateTestCheckFunc(
-//           testAccCheckKubernetesSecretExists("kubernetes_secret.test", &conf),
-//           resource.TestCheckResourceAttr("kubernetes_secret.test", "data.%", "1"),
-//         ),
-//       },
-//       {
-//         Config: testAccKubernetesSecretConfig_binaryData2(prefix),
-//         Check: resource.ComposeAggregateTestCheckFunc(
-//           testAccCheckKubernetesSecretExists("kubernetes_secret.test", &conf),
-//           resource.TestCheckResourceAttr("kubernetes_secret.test", "data.%", "2"),
-//         ),
-//       },
-//     },
-//   })
-// }
+func TestAccKubernetesSecret_binaryData(t *testing.T) {
+	var conf api.Secret
+	prefix := "tf-acc-test-gen-"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		IDRefreshName:     "kubernetes_secret.test",
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesSecretDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesSecretConfig_binaryData(prefix),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesSecretExists("kubernetes_secret.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.%", "1"),
+				),
+			},
+			{
+				Config: testAccKubernetesSecretConfig_binaryData2(prefix),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesSecretExists("kubernetes_secret.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.%", "2"),
+				),
+			},
+			{
+				Config: testAccKubernetesSecretConfig_binaryDataCombined(prefix),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckKubernetesSecretExists("kubernetes_secret.test", &conf),
+					resource.TestCheckResourceAttr("kubernetes_secret.test", "data.%", "2"),
+					resource.TestCheckResourceAttr("kubernetes_secret.test", "binary_data.%", "2"),
+				),
+			},
+		},
+	})
+}
 
 func testAccCheckSecretData(m *api.Secret, expected map[string]string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -382,6 +385,8 @@ func testAccKubernetesSecretConfig_noData(name string) string {
   metadata {
     name = "%s"
   }
+
+  data = {}
 }
 `, name)
 }
@@ -422,11 +427,8 @@ func testAccKubernetesSecretConfig_binaryData(prefix string) string {
     generate_name = "%s"
   }
 
-  data = {
-    one = <<EOF
-"${filebase64("./test-fixtures/binary.data")}"
-EOF
-
+  binary_data = {
+    one = filebase64("./test-fixtures/binary.data")
   }
 }
 `, prefix)
@@ -438,15 +440,28 @@ func testAccKubernetesSecretConfig_binaryData2(prefix string) string {
     generate_name = "%s"
   }
 
-  data = {
-    one = <<EOF
-"${filebase64("./test-fixtures/binary2.data")}"
-EOF
+  binary_data = {
+    one = filebase64("./test-fixtures/binary.data")
+    two = filebase64("./test-fixtures/binary2.data")
+  }
+}
+`, prefix)
+}
+
+func testAccKubernetesSecretConfig_binaryDataCombined(prefix string) string {
+	return fmt.Sprintf(`resource "kubernetes_secret" "test" {
+  metadata {
+    generate_name = "%s"
+  }
 
-    two = <<EOF
-"${filebase64("./test-fixtures/binary.data")}"
-EOF
+  data = {
+	  "HOST" = "127.0.0.1"
+	  "PORT" = "80"
+  }
 
+  binary_data = {
+    one = filebase64("./test-fixtures/binary.data")
+    two = filebase64("./test-fixtures/binary2.data")
   }
 }
 `, prefix)

kubernetes/structures.go

@@ -218,6 +218,26 @@ func base64EncodeStringMap(m map[string]interface{}) map[string]interface{} {
 	return result
 }
 
+func base64EncodeByteMap(m map[string][]byte) map[string]interface{} {
+	result := map[string]interface{}{}
+	for k, v := range m {
+		result[k] = base64.StdEncoding.EncodeToString(v)
+	}
+	return result
+}
+
+func base64DecodeStringMap(m map[string]interface{}) (map[string][]byte, error) {
+	mm := map[string][]byte{}
+	for k, v := range m {
+		d, err := base64.StdEncoding.DecodeString(v.(string))
+		if err != nil {
+			return nil, err
+		}
+		mm[k] = []byte(d)
+	}
+	return mm, nil
+}
+
 func flattenResourceList(l api.ResourceList) map[string]string {
 	m := make(map[string]string)
 	for k, v := range l {

website/docs/r/secret.html.markdown

@@ -99,6 +99,7 @@ resource "kubernetes_secret" "example" {
 The following arguments are supported:
 
 * `data` - (Optional) A map of the secret data.
+* `binary_data` - (Optional) A map base64 encoded map of the secret data.
 * `metadata` - (Required) Standard secret's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
 * `type` - (Optional) The secret type. Defaults to `Opaque`. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/c7151dd8dd7e487e96e5ce34c6a416bb3b037609/contributors/design-proposals/auth/secrets.md#proposed-design)