Skip to content

[TF-28671] Add HYOK configuration resources #1841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 25, 2025
Merged

[TF-28671] Add HYOK configuration resources #1841

merged 7 commits into from
Sep 25, 2025

Conversation

helenjw
Copy link

@helenjw helenjw commented Sep 15, 2025
edited
Loading

Description

Describe why you're making this change.

Remember to:

Testing plan

  1. Using a version of go-tfe with HYOK support and using an organization with access to HYOK
  2. Use the following terraform configuration to add HYOK resources via terraform plan and terraform apply
  3. Try to update these values and apply them (updating attributes, with the exception of OIDC config relationships, should not destroy and replace the resources)
  4. Revoke the HYOK configuration you created from the UI
  5. Run terraform destroy on these resources to make sure they can be deleted
resource "tfe_hyok_configuration" "aws_hyok_config" {
  organization = "YOUR-ORG"
  name = "aws_hyok_config"
  kek_id = "YOUR-KEK-IO"
  agent_pool_id = "YOUR-AGENT-POOL-ID"
  aws_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"

  kms_options {
    key_region = "us-east-1"
  }
}

resource "tfe_hyok_configuration" "azure_hyok_config" {
  organization = "YOUR-ORG"
  name = "azure_hyok_config"
  kek_id = "YOUR-KEK-IO"
  agent_pool_id = "YOUR-AGENT-POOL-ID"
  azure_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"
}

resource "tfe_hyok_configuration" "vault_hyok_config" {
  organization = "YOUR-ORG"
  name = "vault_hyok_config"
  kek_id = "YOUR-KEK-IO"
  agent_pool_id = "YOUR-AGENT-POOL-ID"
  vault_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"
}

resource "tfe_hyok_configuration" "gcp_hyok_config" {
  organization = "YOUR-ORG"
  name = "gcp_hyok_config"
  kek_id = "YOUR-KEK-IO"
  agent_pool_id = "YOUR-AGENT-POOL-ID"
  gcp_oidc_configuration_id = "YOUR-OIDC-CONFIG-ID"

  kms_options {
    key_ring_id = "YOUR-KEY-RING-ID"
    key_location = "global"
  }
}

External links

Include any links here that might be helpful for people reviewing your PR. If there are none, feel free to delete this section.

Output from acceptance tests

Please run applicable acceptance tests locally and include the output here. See testing.md to learn how to run acceptance tests.

If you are an external contributor, your contribution(s) will first be reviewed before running them against the project's CI pipeline.

TESTARGS="-run TestAccTFEHYOKConfiguration" envchain local make testacc              14:42:08   36ms
TF_ACC=1 TF_LOG_SDK_PROTO=OFF go test $(go list ./... |grep -v 'vendor') -v -run TestAccTFEHYOKConfiguration -timeout 15m
?   	github.com/hashicorp/terraform-provider-tfe	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/client	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-tfe/internal/logging	(cached) [no tests to run]
=== RUN   TestAccTFEHYOKConfiguration_basic
--- PASS: TestAccTFEHYOKConfiguration_basic (21.41s)
PASS

Rollback Plan

Changes to Security Controls

@helenjw helenjw changed the base branch from main to helenjw/TF-28672/oidc-configurations September 15, 2025 18:12
@helenjw helenjw requested a review from a team September 15, 2025 18:54
@helenjw helenjw marked this pull request as ready for review September 15, 2025 18:54
@helenjw helenjw requested a review from a team as a code owner September 15, 2025 18:55
@helenjw helenjw force-pushed the helenjw/TF-28672/oidc-configurations branch 2 times, most recently from cbe2506 to 944abc1 Compare September 17, 2025 17:39
dominic-retli-hashi
dominic-retli-hashi reviewed Sep 17, 2025
View reviewed changes
internal/provider/resource_tfe_hyok_configuration.go

AgentPoolID types.String `tfsdk:"agent_pool_id"`
Organization types.String `tfsdk:"organization"`
}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What was the reasoning behind using AWSOIDCConfigurationID, GCPOIDCConfigurationID, VaultOIDCConfigurationID, and AzureOIDCConfigurationID

instead of

oidc_configuration_id and oidc_configuration_type like the HyokConfigurations model and database schema uses?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's also a valid way to approach it. At the end of the day, it just needs to populate the tfe.OIDCConfigurationTypeChoice object that looks like:

type OIDCConfigurationTypeChoice struct {
	AWSOIDCConfiguration   *AWSOIDCConfiguration
	GCPOIDCConfiguration   *GCPOIDCConfiguration
	AzureOIDCConfiguration *AzureOIDCConfiguration
	VaultOIDCConfiguration *VaultOIDCConfiguration
}

I don't really have strong feelings about this, but I think having an explicit type could shorten the code a little.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this works well, I was just curious if there was a technical reason or constraint. Thanks!

@helenjw helenjw force-pushed the helenjw/TF-28671/hyok-configurations branch from 41375cb to 99097c7 Compare September 17, 2025 17:49
dominic-retli-hashi
dominic-retli-hashi approved these changes Sep 18, 2025
View reviewed changes
Copy link

@dominic-retli-hashi dominic-retli-hashi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested locally, good stuff!

@iuri-slywitch-hashicorp
Copy link

tested for AWS config. I was able to plan, apply and destroy (after revoking the key):

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.aws_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_aws_oidc_configuration.aws_oidc_tfe_provider will be destroyed
  - resource "tfe_aws_oidc_configuration" "aws_oidc_tfe_provider" {
      - id           = "(redacted)" -> null
      - organization = "(redacted)" -> null
      - role_arn     = "(redacted)" -> null
    }

  # tfe_hyok_configuration.aws_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "aws_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "aws_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "aws" -> null
      - organization            = "(redacted)" -> null

      - kms_options {
          - key_region = "us-east-1" -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.aws_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.aws_hyok_config: Destruction complete after 0s
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_aws_oidc_configuration.aws_oidc_tfe_provider: Destruction complete after 1s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp
Copy link

gcp test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.gcp_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider will be destroyed
  - resource "tfe_gcp_oidc_configuration" "gcp_oidc_tfe_provider" {
      - id                     = "(redacted)" -> null
      - organization           = "(redacted)" -> null
      - project_number         = "(redacted)" -> null
      - service_account_email  = "(redacted)" -> null
      - workload_provider_name = "(redacted)" -> null
    }

  # tfe_hyok_configuration.gcp_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "gcp_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "gcp_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "gcp" -> null
      - organization            = "(redacted)" -> null

      - kms_options {
          - key_location = "global" -> null
          - key_ring_id  = "(redacted)" -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.gcp_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.gcp_hyok_config: Destruction complete after 1s
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_gcp_oidc_configuration.gcp_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp
Copy link

azure test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.azure_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_azure_oidc_configuration.azure_oidc_tfe_provider will be destroyed
  - resource "tfe_azure_oidc_configuration" "azure_oidc_tfe_provider" {
      - client_id       = "(redacted)" -> null
      - id              = "(redacted)" -> null
      - organization    = "(redacted)" -> null
      - subscription_id = "(redacted)" -> null
      - tenant_id       = "(redacted)" -> null
    }

  # tfe_hyok_configuration.azure_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "azure_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "azure_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "azure" -> null
      - organization            = "(redacted)" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.azure_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.azure_hyok_config: Destruction complete after 1s
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_azure_oidc_configuration.azure_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

@iuri-slywitch-hashicorp
Copy link

vault test:

iurislywitch@Iuris-MacBook-Pro test-tf-provider-tfe % terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/tfe in /Users/iurislywitch/Desktop/terraform-provider-tfe
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Refreshing state... [id=(redacted)]
tfe_hyok_configuration.vault_hyok_config: Refreshing state... [id=(redacted)]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # tfe_hyok_configuration.vault_hyok_config will be destroyed
  - resource "tfe_hyok_configuration" "vault_hyok_config" {
      - agent_pool_id           = "(redacted)" -> null
      - id                      = "(redacted)" -> null
      - kek_id                  = "(redacted)" -> null
      - name                    = "vault_hyok_config" -> null
      - oidc_configuration_id   = "(redacted)" -> null
      - oidc_configuration_type = "vault" -> null
      - organization            = "(redacted)" -> null
    }

  # tfe_vault_oidc_configuration.vault_oidc_tfe_provider will be destroyed
  - resource "tfe_vault_oidc_configuration" "vault_oidc_tfe_provider" {
      - address      = "(redacted)" -> null
      - auth_path    = "(redacted)" -> null
      - id           = "(redacted)" -> null
      - namespace    = "(redacted)" -> null
      - organization = "(redacted)" -> null
      - role_name    = "(redacted)" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

tfe_hyok_configuration.vault_hyok_config: Destroying... [id=(redacted)]
tfe_hyok_configuration.vault_hyok_config: Destruction complete after 0s
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Destroying... [id=(redacted)]
tfe_vault_oidc_configuration.vault_oidc_tfe_provider: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

iuri-slywitch-hashicorp
iuri-slywitch-hashicorp reviewed Sep 19, 2025
View reviewed changes
internal/provider/resource_tfe_hyok_configuration.go Outdated
KMSOptions: kmsOptions,
}

if p.OIDCConfiguration.AWSOIDCConfiguration != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since were doing a switch-case on the top of the file, I'd suggest we do a switch-case here as well?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I am not really sure how a switch statement would work here. Each p.OIDCConfiguration is of type OIDCConfigurationTypeChoice:

type OIDCConfigurationTypeChoice struct {
	AWSOIDCConfiguration   *AWSOIDCConfiguration
	GCPOIDCConfiguration   *GCPOIDCConfiguration
	AzureOIDCConfiguration *AzureOIDCConfiguration
	VaultOIDCConfiguration *VaultOIDCConfiguration
}

So one of these pointers will be non-nil.

Because of this, I'm not sure which expression to put as the switch, unlike the stuff that uses switch statements above, switching on m.OIDCConfigurationType.ValueString() - which can be either "aws", "vault", "gcp" or "azure".

I might be blanking here, so if you think of how to use a switch statement, I'll be more than happy to make those changes

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is what I mean:

    switch {
	case p.OIDCConfiguration.AWSOIDCConfiguration != nil:
		model.OIDCConfigurationID = types.StringValue(p.OIDCConfiguration.AWSOIDCConfiguration.ID)
		model.OIDCConfigurationType = types.StringValue(OIDCConfigurationTypeAWS)
	case p.OIDCConfiguration.GCPOIDCConfiguration != nil:
		model.OIDCConfigurationID = types.StringValue(p.OIDCConfiguration.GCPOIDCConfiguration.ID)
		model.OIDCConfigurationType = types.StringValue(OIDCConfigurationTypeGCP)
	case p.OIDCConfiguration.AzureOIDCConfiguration != nil:
		model.OIDCConfigurationID = types.StringValue(p.OIDCConfiguration.AzureOIDCConfiguration.ID)
		model.OIDCConfigurationType = types.StringValue(OIDCConfigurationTypeAzure)
	case p.OIDCConfiguration.VaultOIDCConfiguration != nil:
		model.OIDCConfigurationID = types.StringValue(p.OIDCConfiguration.VaultOIDCConfiguration.ID)
		model.OIDCConfigurationType = types.StringValue(OIDCConfigurationTypeVault)
	}

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested and this worked locally for me.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion! I applied them

@helenjw helenjw force-pushed the helenjw/TF-28672/oidc-configurations branch from 6dbdfa5 to ca44c18 Compare September 24, 2025 19:28
Base automatically changed from helenjw/TF-28672/oidc-configurations to feature/hyok September 25, 2025 19:34
Maed223
Maed223 approved these changes Sep 25, 2025
View reviewed changes
Copy link
Contributor

@Maed223 Maed223 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good, I agree with @iuri-slywitch-hashicorp on his preference for a switch statement in modelFromTFEHYOKConfiguration but it's non-blocking for me

@helenjw
First draft of resource_tfe_aws_oidc_configuration.go
5c864b4 
resource_tfe_aws_oidc_configuration.go and basic test

resource_tfe_gcp_oidc_configuration.go and test

resource_tfe_azure_oidc_configuration.go_oidc_configuration.go and test

resource_tfe_vault_oidc_configuration.go and tests

Add HYOK_ORGANIATION_NAME environment variable to testing.md

Add documentation for resources

Add to CHANGELOG.md

update basic usage in vault_oidc_configuration.html.markdown

Do not require replace for everything

Update documentation and default value of auth_path

skipIfEnterprise

update pricing info

Implement resource_tfe_hyok_configuration.go

Add hyok_configuration.html.markdown

fix bug where aws configs recognized as gcp configs

Add in acceptance tests

Wait for revoked status during acceptance test

Add CHANGELOG.md
@helenjw
Use ProtoV6ProviderFactories
21f5d8b
@helenjw
use oidc_configuration_type and oidc_configuration_id
3f238a7
@helenjw
remove t.skip if HYOK_ORGANIZATION_NAME not set
fbad6a4
@helenjw
Fix linting issues
d7815ba
@helenjw
Use switch statement
b28648a
@helenjw helenjw force-pushed the helenjw/TF-28671/hyok-configurations branch from a875389 to b28648a Compare September 25, 2025 19:43
@helenjw helenjw merged commit c83b4ba into feature/hyok Sep 25, 2025
21 checks passed
@helenjw helenjw deleted the helenjw/TF-28671/hyok-configurations branch September 25, 2025 20:24
@iuri-slywitch-hashicorp iuri-slywitch-hashicorp mentioned this pull request Sep 26, 2025
Draft
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maed223 Maed223 Maed223 approved these changes

@iuri-slywitch-hashicorp iuri-slywitch-hashicorp iuri-slywitch-hashicorp approved these changes

@dominic-retli-hashi dominic-retli-hashi dominic-retli-hashi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@helenjw @iuri-slywitch-hashicorp @Maed223 @dominic-retli-hashi