fix: upstream api changed secret handling

Author: henryde

CHANGELOG.md

@@ -1,4 +1,11 @@
+## v0.15.1
+
+FIXES:
+
+- Changes to meshPlatform API.
+
 ## v0.15.0
+
 FEATURES:
 
 - Support multi select building block inputs.

client/platform.go

@@ -39,6 +39,11 @@ type MeshPlatformSpec struct {
 	QuotaDefinitions       []QuotaDefinition    `json:"quotaDefinitions" tfsdk:"quota_definitions"`
 }
 
+type SecretEmbedded struct {
+	Plaintext *string `json:"plaintext,omitempty" tfsdk:"plaintext"`
+	// TODO: add Hash field
+}
+
 type QuotaDefinition struct {
 	QuotaKey              string `json:"quotaKey" tfsdk:"quota_key"`
 	MinValue              int    `json:"minValue" tfsdk:"min_value"`

client/platform_config_aks.go

@@ -8,7 +8,7 @@ type AksPlatformConfig struct {
 }
 
 type AksReplicationConfig struct {
-	AccessToken             string                    `json:"accessToken" tfsdk:"access_token"`
+	AccessToken             SecretEmbedded            `json:"accessToken" tfsdk:"access_token"`
 	NamespaceNamePattern    string                    `json:"namespaceNamePattern" tfsdk:"namespace_name_pattern"`
 	GroupNamePattern        string                    `json:"groupNamePattern" tfsdk:"group_name_pattern"`
 	ServicePrincipal        AksServicePrincipalConfig `json:"servicePrincipal" tfsdk:"service_principal"`
@@ -17,16 +17,15 @@ type AksReplicationConfig struct {
 	AksResourceGroup        string                    `json:"aksResourceGroup" tfsdk:"aks_resource_group"`
 	RedirectUrl             *string                   `json:"redirectUrl,omitempty" tfsdk:"redirect_url"`
 	SendAzureInvitationMail bool                      `json:"sendAzureInvitationMail" tfsdk:"send_azure_invitation_mail"`
-	UserLookUpStrategy      string                    `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookupStrategy      string                    `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	AdministrativeUnitId    *string                   `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
 }
 
 type AksServicePrincipalConfig struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
-	EntraTenant                 string  `json:"entraTenant" tfsdk:"entra_tenant"`
-	ObjectId                    string  `json:"objectId" tfsdk:"object_id"`
+	EntraTenant string          `json:"entraTenant" tfsdk:"entra_tenant"`
+	ObjectId    string          `json:"objectId" tfsdk:"object_id"`
+	ClientId    string          `json:"clientId" tfsdk:"client_id"`
+	Auth        AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
 type AksMeteringConfig struct {

client/platform_config_aws.go

@@ -24,26 +24,31 @@ type AwsReplicationConfig struct {
 }
 
 type AwsAccessConfig struct {
-	OrganizationRootAccountRole       string                     `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
-	OrganizationRootAccountExternalId *string                    `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
-	ServiceUserConfig                 *AwsServiceUserConfig      `json:"serviceUserConfig,omitempty" tfsdk:"service_user_config"`
-	WorkloadIdentityConfig            *AwsWorkloadIdentityConfig `json:"workloadIdentityConfig,omitempty" tfsdk:"workload_identity_config"`
+	OrganizationRootAccountRole       string  `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
+	OrganizationRootAccountExternalId *string `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
+	Auth                              AwsAuth `json:"auth" tfsdk:"auth"`
 }
 
-type AwsServiceUserConfig struct {
-	AccessKey string `json:"accessKey" tfsdk:"access_key"`
-	SecretKey string `json:"secretKey" tfsdk:"secret_key"`
+type AwsAuth struct {
+	Type             string                         `json:"type" tfsdk:"type"`
+	Credential       *AwsServiceUserCredential      `json:"credential,omitempty" tfsdk:"credential"`
+	WorkloadIdentity *AwsWorkloadIdentityCredential `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
 }
 
-type AwsWorkloadIdentityConfig struct {
+type AwsServiceUserCredential struct {
+	AccessKey string         `json:"accessKey" tfsdk:"access_key"`
+	SecretKey SecretEmbedded `json:"secretKey" tfsdk:"secret_key"`
+}
+
+type AwsWorkloadIdentityCredential struct {
 	RoleArn string `json:"roleArn" tfsdk:"role_arn"`
 }
 
 type AwsSsoConfig struct {
 	ScimEndpoint     string              `json:"scimEndpoint" tfsdk:"scim_endpoint"`
 	Arn              string              `json:"arn" tfsdk:"arn"`
 	GroupNamePattern string              `json:"groupNamePattern" tfsdk:"group_name_pattern"`
-	SsoAccessToken   string              `json:"ssoAccessToken" tfsdk:"sso_access_token"`
+	SsoAccessToken   SecretEmbedded      `json:"ssoAccessToken" tfsdk:"sso_access_token"`
 	AwsRoleMappings  []AwsSsoRoleMapping `json:"awsRoleMappings" tfsdk:"aws_role_mappings"`
 	SignInUrl        string              `json:"signInUrl" tfsdk:"sign_in_url"`
 }

client/platform_config_azure.go

@@ -16,23 +16,26 @@ type AzureReplicationConfig struct {
 	BlueprintLocation                          string                               `json:"blueprintLocation" tfsdk:"blueprint_location"`
 	AzureRoleMappings                          []AzureRoleMapping                   `json:"azureRoleMappings" tfsdk:"azure_role_mappings"`
 	TenantTags                                 *MeshTenantTags                      `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
-	UserLookUpStrategy                         string                               `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookUpStrategy                         string                               `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	SkipUserGroupPermissionCleanup             bool                                 `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
 	AdministrativeUnitId                       *string                              `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
 	AllowHierarchicalManagementGroupAssignment bool                                 `json:"allowHierarchicalManagementGroupAssignment" tfsdk:"allow_hierarchical_management_group_assignment"`
 }
 
 type AzureServicePrincipalConfig struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
-	ObjectId                    string  `json:"objectId" tfsdk:"object_id"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	ObjectId string          `json:"objectId" tfsdk:"object_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
+}
+
+type AzureAuthConfig struct {
+	Type       string          `json:"type" tfsdk:"type"`
+	Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
 }
 
 type AzureGraphApiCredentials struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
 type AzureSubscriptionProvisioningConfig struct {

client/platform_config_azurerg.go

@@ -11,7 +11,7 @@ type AzureRgReplicationConfig struct {
 	ResourceGroupNamePattern                   string                      `json:"resourceGroupNamePattern" tfsdk:"resource_group_name_pattern"`
 	UserGroupNamePattern                       string                      `json:"userGroupNamePattern" tfsdk:"user_group_name_pattern"`
 	B2bUserInvitation                          *AzureInviteB2BUserConfig   `json:"b2bUserInvitation,omitempty" tfsdk:"b2b_user_invitation"`
-	UserLookUpStrategy                         string                      `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookUpStrategy                         string                      `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	TenantTags                                 *MeshTenantTags             `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
 	SkipUserGroupPermissionCleanup             bool                        `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
 	AdministrativeUnitId                       *string                     `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`

client/platform_config_gcp.go

@@ -6,7 +6,7 @@ type GcpPlatformConfig struct {
 }
 
 type GcpReplicationConfig struct {
-	ServiceAccountConfig              GcpServiceAccountConfig  `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+	ServiceAccount                    GcpServiceAccountConfig  `json:"serviceAccount" tfsdk:"service_account"`
 	Domain                            string                   `json:"domain" tfsdk:"domain"`
 	CustomerId                        string                   `json:"customerId" tfsdk:"customer_id"`
 	GroupNamePattern                  string                   `json:"groupNamePattern" tfsdk:"group_name_pattern"`
@@ -22,12 +22,9 @@ type GcpReplicationConfig struct {
 }
 
 type GcpServiceAccountConfig struct {
-	ServiceAccountCredentialsConfig      *GcpServiceAccountCredentialsConfig      `json:"serviceAccountCredentialsConfig,omitempty" tfsdk:"service_account_credentials_config"`
-	ServiceAccountWorkloadIdentityConfig *GcpServiceAccountWorkloadIdentityConfig `json:"serviceAccountWorkloadIdentityConfig,omitempty" tfsdk:"service_account_workload_identity_config"`
-}
-
-type GcpServiceAccountCredentialsConfig struct {
-	ServiceAccountCredentialsB64 string `json:"serviceAccountCredentialsB64" tfsdk:"service_account_credentials_b64"`
+	Type             string                                   `json:"type" tfsdk:"type"`
+	Credential       *SecretEmbedded                          `json:"credential,omitempty" tfsdk:"credential"`
+	WorkloadIdentity *GcpServiceAccountWorkloadIdentityConfig `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
 }
 
 type GcpServiceAccountWorkloadIdentityConfig struct {
@@ -41,7 +38,7 @@ type GcpPlatformRoleMapping struct {
 }
 
 type GcpMeteringConfig struct {
-	ServiceAccountConfig                    GcpServiceAccountConfig              `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+	ServiceAccount                          GcpServiceAccountConfig              `json:"serviceAccount" tfsdk:"service_account"`
 	BigqueryTable                           string                               `json:"bigqueryTable" tfsdk:"bigquery_table"`
 	BigqueryTableForCarbonFootprint         *string                              `json:"bigqueryTableForCarbonFootprint,omitempty" tfsdk:"bigquery_table_for_carbon_footprint"`
 	CarbonFootprintDataCollectionStartMonth *string                              `json:"carbonFootprintDataCollectionStartMonth,omitempty" tfsdk:"carbon_footprint_data_collection_start_month"`

client/platform_config_kubernetes.go

@@ -13,7 +13,7 @@ type KubernetesReplicationConfig struct {
 }
 
 type KubernetesClientConfig struct {
-	AccessToken string `json:"accessToken" tfsdk:"access_token"`
+	AccessToken SecretEmbedded `json:"accessToken" tfsdk:"access_token"`
 }
 
 type KubernetesMeteringConfig struct {

client/platform_config_openshift.go

@@ -12,7 +12,7 @@ type OpenShiftReplicationConfig struct {
 	WebConsoleUrl               *string                        `json:"webConsoleUrl,omitempty" tfsdk:"web_console_url"`
 	ProjectNamePattern          string                         `json:"projectNamePattern" tfsdk:"project_name_pattern"`
 	EnableTemplateInstantiation bool                           `json:"enableTemplateInstantiation" tfsdk:"enable_template_instantiation"`
-	OpenShiftRoleMappings       []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
+	OpenshiftRoleMappings       []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
 	IdentityProviderName        string                         `json:"identityProviderName" tfsdk:"identity_provider_name"`
 	TenantTags                  *MeshTenantTags                `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
 }
@@ -24,5 +24,5 @@ type OpenShiftMeteringConfig struct {
 
 type OpenShiftPlatformRoleMapping struct {
 	MeshProjectRoleRef MeshProjectRoleRefV2 `json:"projectRoleRef" tfsdk:"project_role_ref"`
-	OpenShiftRole      string               `json:"openshiftRole" tfsdk:"openshift_role"`
+	OpenshiftRole      string               `json:"openshiftRole" tfsdk:"openshift_role"`
 }

docs/data-sources/platform.md

@@ -139,7 +139,7 @@ Read-Only:
 - `redirect_url` (String) This is the URL that Azure’s consent experience redirects users to after they accept their invitation.
 - `send_azure_invitation_mail` (Boolean) Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.
 - `service_principal` (Attributes) Service principal configuration for AKS (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal))
-- `user_look_up_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
 
 <a id="nestedatt--spec--config--aks--replication--service_principal"></a>
 ### Nested Schema for `spec.config.aks.replication.service_principal`
@@ -380,7 +380,7 @@ Read-Only:
 - `skip_user_group_permission_cleanup` (Boolean) Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
 - `subscription_name_pattern` (String) Configures the pattern that defines the desired name of Azure Subscriptions managed by meshStack.
 - `tenant_tags` (Attributes) Tenant tagging configuration. (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
 
 <a id="nestedatt--spec--config--azure--replication--azure_role_mappings"></a>
 ### Nested Schema for `spec.config.azure.replication.azure_role_mappings`
@@ -526,7 +526,7 @@ Read-Only:
 - `subscription` (String) The Subscription that will contain all the created Resource Groups. Once you set the Subscription, you must not change it.
 - `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--tenant_tags))
 - `user_group_name_pattern` (String) Configures the pattern that defines the desired name of AAD groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix. This suffix is configurable via Role Mappings in this platform config.
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
 
 <a id="nestedatt--spec--config--azurerg--replication--b2b_user_invitation"></a>
 ### Nested Schema for `spec.config.azurerg.replication.b2b_user_invitation`