@helenjw helenjw commented Sep 15, 2025

Description



Testing plan

  1. Use a version of go-tfe with HYOK support and an organization with access to HYOK
  2. Use the following terraform configuration to add HYOK resources via terraform plan and terraform apply
  3. Try to update these values and apply them (updating attributes, with the exception of OIDC config relationships, should not destroy and replace the resources)
  4. Revoke the HYOK configuration you created from the UI
  5. Run terraform destroy on these resources to make sure they can be deleted

resource "tfe_hyok_configuration" "aws_hyok_config" {
  organization              = "YOUR-ORG"
  name                      = "aws_hyok_config"
  kek_id                    = "YOUR-KEK-ID"
  agent_pool_id             = "YOUR-AGENT-POOL-ID"
  aws_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"

  kms_options {
    key_region = "us-east-1"
  }
}

resource "tfe_hyok_configuration" "azure_hyok_config" {
  organization                = "YOUR-ORG"
  name                        = "azure_hyok_config"
  kek_id                      = "YOUR-KEK-ID"
  agent_pool_id               = "YOUR-AGENT-POOL-ID"
  azure_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"
}

resource "tfe_hyok_configuration" "vault_hyok_config" {
  organization                = "YOUR-ORG"
  name                        = "vault_hyok_config"
  kek_id                      = "YOUR-KEK-ID"
  agent_pool_id               = "YOUR-AGENT-POOL-ID"
  vault_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"
}

resource "tfe_hyok_configuration" "gcp_hyok_config" {
  organization              = "YOUR-ORG"
  name                      = "gcp_hyok_config"
  kek_id                    = "YOUR-KEK-ID"
  agent_pool_id             = "YOUR-AGENT-POOL-ID"
  gcp_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"

  kms_options {
    key_ring_id  = "YOUR-KEY-RING-ID"
    key_location = "global"
  }
}

External links


Output from acceptance tests


TESTARGS="-run TestAccTFEHYOKConfiguration" envchain local make testacc              14:42:08   36ms
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKConfiguration -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
PASS

Rollback Plan

Changes to Security Controls

@helenjw helenjw changed the base branch from main to helenjw/TF-28672/oidc-configurations September 15, 2025 18:12
@helenjw helenjw requested a review from a team September 15, 2025 18:54
@helenjw helenjw marked this pull request as ready for review September 15, 2025 18:54
@helenjw helenjw requested a review from a team as a code owner September 15, 2025 18:55
@helenjw helenjw force-pushed the helenjw/TF-28672/oidc-configurations branch 2 times, most recently from cbe2506 to 944abc1 Compare September 17, 2025 17:39
resource_tfe_aws_oidc_configuration.go and basic test

resource_tfe_gcp_oidc_configuration.go and test

resource_tfe_azure_oidc_configuration.go and test

resource_tfe_vault_oidc_configuration.go and tests

Add HYOK_ORGANIATION_NAME environment variable to testing.md

Add documentation for resources

Add to CHANGELOG.md

update basic usage in vault_oidc_configuration.html.markdown

Do not require replace for everything

Update documentation and default value of auth_path

skipIfEnterprise

update pricing info

Implement resource_tfe_hyok_configuration.go

Add hyok_configuration.html.markdown

fix bug where aws configs recognized as gcp configs

Add in acceptance tests

Wait for revoked status during acceptance test

Add CHANGELOG.md

AgentPoolID types.String `tfsdk:"agent_pool_id"`
Organization types.String `tfsdk:"organization"`
}


What was the reasoning behind using AWSOIDCConfigurationID, GCPOIDCConfigurationID, VaultOIDCConfigurationID, and AzureOIDCConfigurationID

instead of

oidc_configuration_id and oidc_configuration_type like the HyokConfigurations model and database schema uses?

Author


That's also a valid way to approach it. At the end of the day, it just needs to populate the tfe.OIDCConfigurationTypeChoice object that looks like:

type OIDCConfigurationTypeChoice struct {
	AWSOIDCConfiguration   *AWSOIDCConfiguration
	GCPOIDCConfiguration   *GCPOIDCConfiguration
	AzureOIDCConfiguration *AzureOIDCConfiguration
	VaultOIDCConfiguration *VaultOIDCConfiguration
}

I don't really have strong feelings about this, but I think having an explicit type could shorten the code a little.


Yeah this works well, I was just curious if there was a technical reason or constraint. Thanks!

@helenjw helenjw force-pushed the helenjw/TF-28671/hyok-configurations branch from 41375cb to 99097c7 Compare September 17, 2025 17:49
…8671/hyok-configurations

# Conflicts:
#	CHANGELOG.md
#	internal/provider/provider_next.go
#	internal/provider/resource_tfe_aws_oidc_configuration.go
#	internal/provider/resource_tfe_aws_oidc_configuration_test.go
#	internal/provider/resource_tfe_azure_oidc_configuration.go
#	internal/provider/resource_tfe_azure_oidc_configuration_test.go
#	internal/provider/resource_tfe_gcp_oidc_configuration.go
#	internal/provider/resource_tfe_gcp_oidc_configuration_test.go
#	internal/provider/resource_tfe_vault_oidc_configuration.go
#	internal/provider/resource_tfe_vault_oidc_configuration_test.go

@dominic-retli-hashi dominic-retli-hashi left a comment


tested locally, good stuff!

@iuri-slywitch-hashicorp

tested for AWS config. I was able to plan, apply and destroy (after revoking the key):

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.aws_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_aws_oidc_configuration.aws_oidc_tfe_provider will be destroyed
  - resource "tfe_aws_oidc_configuration" "aws_oidc_tfe_provider" {
      - id           = "(redacted)" -> null
      - organization = "(redacted)" -> null
      - role_arn     = "(redacted)" -> null
    }

  # tfe_hyok_configuration.aws_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "aws_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "aws_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "aws" -> null
      - organization            = "(redacted)" -> null

      - kms_options {
          - key_region = "us-east-1" -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.aws_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.aws_hyok_config: Destruction complete after 0s
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Destruction complete after 1s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp

gcp test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.gcp_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider will be destroyed
  - resource "tfe_gcp_oidc_configuration" "gcp_oidc_tfe_provider" {
      - id                     = "(redacted)" -> null
      - organization           = "(redacted)" -> null
      - project_number         = "(redacted)" -> null
      - service_account_email  = "(redacted)" -> null
      - workload_provider_name = "(redacted)" -> null
    }

  # tfe_hyok_configuration.gcp_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "gcp_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "gcp_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "gcp" -> null
      - organization            = "(redacted)" -> null

      - kms_options {
          - key_location = "global" -> null
          - key_ring_id  = "(redacted)" -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.gcp_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.gcp_hyok_config: Destruction complete after 1s
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp

azure test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.azure_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_azure_oidc_configuration.azure_oidc_tfe_provider will be destroyed
  - resource "tfe_azure_oidc_configuration" "azure_oidc_tfe_provider" {
      - client_id       = "(redacted)" -> null
      - id              = "(redacted)" -> null
      - organization    = "(redacted)" -> null
      - subscription_id = "(redacted)" -> null
      - tenant_id       = "(redacted)" -> null
    }

  # tfe_hyok_configuration.azure_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "azure_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "azure_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "azure" -> null
      - organization            = "(redacted)" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.azure_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.azure_hyok_config: Destruction complete after 1s
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp

vault test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.vault_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_hyok_configuration.vault_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "vault_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "vault_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "vault" -> null
      - organization            = "(redacted)" -> null
    }

  # tfe_vault_oidc_configuration.vault_oidc_tfe_provider will be destroyed
  - resource "tfe_vault_oidc_configuration" "vault_oidc_tfe_provider" {
      - address      = "(redacted)" -> null
      - auth_path    = "(redacted)" -> null
      - id           = "(redacted)" -> null
      - namespace    = "(redacted)" -> null
      - organization = "(redacted)" -> null
      - role_name    = "(redacted)" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.vault_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.vault_hyok_config: Destruction complete after 0s
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

KMSOptions: kmsOptions,
}

if p.OIDCConfiguration.AWSOIDCConfiguration != nil {


Since we're doing a switch-case at the top of the file, I'd suggest we do a switch-case here as well?
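As an added example, not code from this PR or from go-tfe, here is one way to populate the OIDCConfigurationTypeChoice struct quoted in the earlier review thread from the four optional *_oidc_configuration_id attributes, and to read the provider type back with a single switch as suggested in this comment. The go-tfe sub-types, the hyokPlan model and the ErrOIDCChoice value are stand-ins assumed for the example; the returned type strings match the oidc_configuration_type values shown in the destroy plans above. The exactly-one check matters because a "first non-nil pointer wins" switch would otherwise bind the key-encryption key to whichever provider happens to be tested first when a plan sets two IDs.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the go-tfe OIDC configuration types (assumption: only
// the ID field is modelled here; the real types carry more fields).
type AWSOIDCConfiguration struct{ ID string }
type GCPOIDCConfiguration struct{ ID string }
type AzureOIDCConfiguration struct{ ID string }
type VaultOIDCConfiguration struct{ ID string }

// OIDCConfigurationTypeChoice mirrors the struct quoted in the review thread.
type OIDCConfigurationTypeChoice struct {
	AWSOIDCConfiguration   *AWSOIDCConfiguration
	GCPOIDCConfiguration   *GCPOIDCConfiguration
	AzureOIDCConfiguration *AzureOIDCConfiguration
	VaultOIDCConfiguration *VaultOIDCConfiguration
}

// hyokPlan stands in for the resource model (assumption): the four optional
// *_oidc_configuration_id attributes as plain strings, "" meaning unset.
type hyokPlan struct {
	AWSOIDCConfigurationID   string
	GCPOIDCConfigurationID   string
	AzureOIDCConfigurationID string
	VaultOIDCConfigurationID string
}

// ErrOIDCChoice is returned when a plan binds the HYOK configuration to zero
// or to several identity providers.
var ErrOIDCChoice = errors.New("exactly one of aws_oidc_configuration_id, " +
	"gcp_oidc_configuration_id, azure_oidc_configuration_id or " +
	"vault_oidc_configuration_id must be set")

// BuildOIDCChoice converts the plan into the choice struct go-tfe expects.
// It counts how many provider IDs are set and rejects anything but exactly
// one, so a later "first non-nil wins" switch can never silently pick the
// wrong provider for the key-encryption key.
func BuildOIDCChoice(p hyokPlan) (*OIDCConfigurationTypeChoice, error) {
	choice := &OIDCConfigurationTypeChoice{}
	set := 0
	if p.AWSOIDCConfigurationID != "" {
		choice.AWSOIDCConfiguration = &AWSOIDCConfiguration{ID: p.AWSOIDCConfigurationID}
		set++
	}
	if p.GCPOIDCConfigurationID != "" {
		choice.GCPOIDCConfiguration = &GCPOIDCConfiguration{ID: p.GCPOIDCConfigurationID}
		set++
	}
	if p.AzureOIDCConfigurationID != "" {
		choice.AzureOIDCConfiguration = &AzureOIDCConfiguration{ID: p.AzureOIDCConfigurationID}
		set++
	}
	if p.VaultOIDCConfigurationID != "" {
		choice.VaultOIDCConfiguration = &VaultOIDCConfiguration{ID: p.VaultOIDCConfigurationID}
		set++
	}
	if set != 1 {
		return nil, fmt.Errorf("%w (got %d)", ErrOIDCChoice, set)
	}
	return choice, nil
}

// OIDCConfigurationType maps a choice back to the type string the resource
// exposes as oidc_configuration_type ("aws", "gcp", "azure", "vault").
// Each case tests only its own pointer; a branch that tested the wrong field
// is how an AWS configuration ends up reported as GCP.
func OIDCConfigurationType(c *OIDCConfigurationTypeChoice) (string, error) {
	switch {
	case c == nil:
		return "", errors.New("nil OIDC configuration choice")
	case c.AWSOIDCConfiguration != nil:
		return "aws", nil
	case c.GCPOIDCConfiguration != nil:
		return "gcp", nil
	case c.AzureOIDCConfiguration != nil:
		return "azure", nil
	case c.VaultOIDCConfiguration != nil:
		return "vault", nil
	default:
		return "", errors.New("OIDC configuration choice has no provider set")
	}
}

func main() {
	// Constructed sample plans: one valid, one ambiguous (two providers set).
	for _, p := range []hyokPlan{
		{GCPOIDCConfigurationID: "oidc-gcp-example"},
		{AWSOIDCConfigurationID: "oidc-aws-example", VaultOIDCConfigurationID: "oidc-vault-example"},
	} {
		choice, err := BuildOIDCChoice(p)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		typ, _ := OIDCConfigurationType(choice)
		fmt.Println("accepted:", typ)
	}
}
```

In the provider the same exactly-one rule is better enforced at plan time (a ConflictsWith/ExactlyOneOf style validator on the four attributes) so the user sees it before any API call; the runtime check above is the backstop that keeps the mapping unambiguous regardless of how the plan reached it.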
