Add support for Secrets Management Service

Author: abhilash-av

CHANGELOG.md

@@ -5,6 +5,7 @@
 - Support for Oracle Big Data Service
 - Support for application definition parameters update in dataflow application
 - Support for Cross Region Replication
+- Support for Secrets Management Service's `oci_vault_secret` and `oci_vault_secret_version` datasources
 
 ## 3.68.0 (March 25, 2020)
 

examples/secret/main.tf

@@ -0,0 +1,28 @@
+// Copyright (c) 2017, 2019, 2020, Oracle and/or its affiliates. All rights reserved.
+
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "region" {}
+variable "compartment_ocid" {}
+variable "secret_id" {}
+variable "vault_id" {}
+
+provider "oci" {
+  tenancy_ocid     = "${var.tenancy_ocid}"
+  user_ocid        = "${var.user_ocid}"
+  fingerprint      = "${var.fingerprint}"
+  private_key_path = "${var.private_key_path}"
+  region           = "${var.region}"
+}
+
+data "oci_vault_secret" "test_secret" {
+  secret_id = "${var.secret_id}"
+}
+
+data "oci_vault_secret" "test_secret" {
+  compartment_id = "${var.compartment_ocid}"
+  state          = "Active"
+  vault_id       = "${var.vault_id}"
+}

oci/oci_dependency_graph.go

@@ -69,6 +69,7 @@ func initDependencyGraph() {
 	DependencyGraph["key"] = append(DependencyGraph["key"], "KmsEncryptedData")
 	DependencyGraph["key"] = append(DependencyGraph["key"], "KmsGeneratedKey")
 	DependencyGraph["key"] = append(DependencyGraph["key"], "KmsKeyVersion")
+	DependencyGraph["key"] = append(DependencyGraph["key"], "VaultSecret")
 	DependencyGraph["kmsKey"] = append(DependencyGraph["kmsKey"], "ContainerengineCluster")
 	DependencyGraph["kmsKey"] = append(DependencyGraph["kmsKey"], "CoreBootVolume")
 	DependencyGraph["kmsKey"] = append(DependencyGraph["kmsKey"], "CoreVolume")
@@ -122,6 +123,7 @@ func initDependencyGraph() {
 	DependencyGraph["user"] = append(DependencyGraph["user"], "IdentitySwiftPassword")
 	DependencyGraph["user"] = append(DependencyGraph["user"], "IdentityUiPassword")
 	DependencyGraph["user"] = append(DependencyGraph["user"], "IdentityUserGroupMembership")
+	DependencyGraph["vault"] = append(DependencyGraph["vault"], "VaultSecret")
 	DependencyGraph["vcn"] = append(DependencyGraph["vcn"], "ContainerengineCluster")
 	DependencyGraph["vcn"] = append(DependencyGraph["vcn"], "CoreDhcpOptions")
 	DependencyGraph["vcn"] = append(DependencyGraph["vcn"], "CoreDrgAttachment")

oci/provider_clients.go

@@ -36,6 +36,7 @@ import (
 	oci_osmanagement "github.com/oracle/oci-go-sdk/osmanagement"
 	oci_resourcemanager "github.com/oracle/oci-go-sdk/resourcemanager"
 	oci_streaming "github.com/oracle/oci-go-sdk/streaming"
+	oci_vault "github.com/oracle/oci-go-sdk/vault"
 	oci_waas "github.com/oracle/oci-go-sdk/waas"
 	oci_work_requests "github.com/oracle/oci-go-sdk/workrequests"
 
@@ -86,6 +87,7 @@ type OracleClients struct {
 	redirectClient                 *oci_waas.RedirectClient
 	resourceManagerClient          *oci_resourcemanager.ResourceManagerClient
 	streamAdminClient              *oci_streaming.StreamAdminClient
+	vaultsClient                   *oci_vault.VaultsClient
 	virtualNetworkClient           *oci_core.VirtualNetworkClient
 	waasClient                     *oci_waas.WaasClient
 	gatewayWorkRequestsClient      *oci_apigateway.WorkRequestsClient
@@ -547,6 +549,16 @@ func createSDKClients(clients *OracleClients, configProvider oci_common.Configur
 	}
 	clients.streamAdminClient = &streamAdminClient
 
+	vaultsClient, err := oci_vault.NewVaultsClientWithConfigurationProvider(configProvider)
+	if err != nil {
+		return
+	}
+	err = configureClient(&vaultsClient.BaseClient)
+	if err != nil {
+		return
+	}
+	clients.vaultsClient = &vaultsClient
+
 	virtualNetworkClient, err := oci_core.NewVirtualNetworkClientWithConfigurationProvider(configProvider)
 	if err != nil {
 		return

oci/vault_secret_data_source.go

@@ -0,0 +1,256 @@
+// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
+
+package oci
+
+import (
+	"context"
+	"log"
+	"strconv"
+
+	"github.com/hashicorp/terraform/helper/schema"
+	oci_common "github.com/oracle/oci-go-sdk/common"
+	oci_vault "github.com/oracle/oci-go-sdk/vault"
+)
+
+func init() {
+	RegisterDatasource("oci_vault_secret", VaultSecretDataSource())
+}
+
+func VaultSecretDataSource() *schema.Resource {
+	return &schema.Resource{
+		Read: readSingularVaultSecret,
+		Schema: map[string]*schema.Schema{
+			"secret_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			// Computed
+			"compartment_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"current_version_number": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"defined_tags": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"freeform_tags": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
+			"key_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"lifecycle_details": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"metadata": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem:     schema.TypeString,
+			},
+			"secret_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"secret_rules": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						// Required
+
+						// Optional
+
+						// Computed
+						"is_enforced_on_deleted_secret_versions": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"is_secret_content_retrieval_blocked_on_expiry": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
+						"rule_type": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"secret_version_expiry_interval": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"time_of_absolute_expiry": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+			"state": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"time_created": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"time_of_current_version_expiry": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"time_of_deletion": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"vault_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func readSingularVaultSecret(d *schema.ResourceData, m interface{}) error {
+	sync := &VaultSecretDataSourceCrud{}
+	sync.D = d
+	sync.Client = m.(*OracleClients).vaultsClient
+
+	return ReadResource(sync)
+}
+
+type VaultSecretDataSourceCrud struct {
+	D      *schema.ResourceData
+	Client *oci_vault.VaultsClient
+	Res    *oci_vault.GetSecretResponse
+}
+
+func (s *VaultSecretDataSourceCrud) VoidState() {
+	s.D.SetId("")
+}
+
+func (s *VaultSecretDataSourceCrud) Get() error {
+	request := oci_vault.GetSecretRequest{}
+
+	if secretId, ok := s.D.GetOkExists("secret_id"); ok {
+		tmp := secretId.(string)
+		request.SecretId = &tmp
+	}
+
+	request.RequestMetadata.RetryPolicy = getRetryPolicy(false, "vault")
+
+	response, err := s.Client.GetSecret(context.Background(), request)
+	if err != nil {
+		return err
+	}
+
+	s.Res = &response
+	return nil
+}
+
+func (s *VaultSecretDataSourceCrud) SetData() error {
+	if s.Res == nil {
+		return nil
+	}
+
+	s.D.SetId(*s.Res.Id)
+
+	if s.Res.CompartmentId != nil {
+		s.D.Set("compartment_id", *s.Res.CompartmentId)
+	}
+
+	if s.Res.CurrentVersionNumber != nil {
+		s.D.Set("current_version_number", strconv.FormatInt(*s.Res.CurrentVersionNumber, 10))
+	}
+
+	if s.Res.DefinedTags != nil {
+		s.D.Set("defined_tags", definedTagsToMap(s.Res.DefinedTags))
+	}
+
+	if s.Res.Description != nil {
+		s.D.Set("description", *s.Res.Description)
+	}
+
+	s.D.Set("freeform_tags", s.Res.FreeformTags)
+
+	if s.Res.KeyId != nil {
+		s.D.Set("key_id", *s.Res.KeyId)
+	}
+
+	if s.Res.LifecycleDetails != nil {
+		s.D.Set("lifecycle_details", *s.Res.LifecycleDetails)
+	}
+
+	s.D.Set("metadata", s.Res.Metadata)
+
+	if s.Res.SecretName != nil {
+		s.D.Set("secret_name", *s.Res.SecretName)
+	}
+
+	secretRules := []interface{}{}
+	for _, item := range s.Res.SecretRules {
+		secretRules = append(secretRules, SecretRuleToMap(item))
+	}
+	s.D.Set("secret_rules", secretRules)
+
+	s.D.Set("state", s.Res.LifecycleState)
+
+	if s.Res.TimeCreated != nil {
+		s.D.Set("time_created", s.Res.TimeCreated.String())
+	}
+
+	if s.Res.TimeOfCurrentVersionExpiry != nil {
+		s.D.Set("time_of_current_version_expiry", s.Res.TimeOfCurrentVersionExpiry.String())
+	}
+
+	if s.Res.TimeOfDeletion != nil {
+		s.D.Set("time_of_deletion", s.Res.TimeOfDeletion.String())
+	}
+
+	if s.Res.VaultId != nil {
+		s.D.Set("vault_id", *s.Res.VaultId)
+	}
+
+	return nil
+}
+
+func SecretRuleToMap(obj oci_vault.SecretRule) map[string]interface{} {
+	result := map[string]interface{}{}
+	switch v := (obj).(type) {
+	case oci_vault.SecretExpiryRule:
+		result["rule_type"] = "SECRET_EXPIRY_RULE"
+
+		if v.IsSecretContentRetrievalBlockedOnExpiry != nil {
+			result["is_secret_content_retrieval_blocked_on_expiry"] = bool(*v.IsSecretContentRetrievalBlockedOnExpiry)
+		}
+
+		if v.SecretVersionExpiryInterval != nil {
+			result["secret_version_expiry_interval"] = string(*v.SecretVersionExpiryInterval)
+		}
+
+		if v.TimeOfAbsoluteExpiry != nil {
+			result["time_of_absolute_expiry"] = oci_common.SDKTime(*v.TimeOfAbsoluteExpiry)
+		}
+	case oci_vault.SecretReuseRule:
+		result["rule_type"] = "SECRET_REUSE_RULE"
+
+		if v.IsEnforcedOnDeletedSecretVersions != nil {
+			result["is_enforced_on_deleted_secret_versions"] = bool(*v.IsEnforcedOnDeletedSecretVersions)
+		}
+	default:
+		log.Printf("[WARN] Received 'rule_type' of unknown type %v", obj)
+		return nil
+	}
+
+	return result
+}