feat(jobs): support secret manager references in serverless jobs definitions

Author: Gnoale

cmd/tftemplate/main.go

@@ -6,9 +6,8 @@ import (
 	"log"
 	"text/template"
 
-	"tftemplate/models"
-
 	"github.com/AlecAivazis/survey/v2"
+	"tftemplate/models"
 )
 
 var (

internal/services/jobs/definition.go

@@ -2,6 +2,7 @@ package jobs
 
 import (
 	"context"
+	"regexp"
 	"time"
 
 	"github.com/hashicorp/go-cty/cty"
@@ -90,6 +91,43 @@ func ResourceDefinition() *schema.Resource {
 			},
 			"region":     regional.Schema(),
 			"project_id": account.ProjectIDSchema(),
+			"secret_reference": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "A reference to a Secret Manager secret.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"secret_id": {
+							Type:         schema.TypeString,
+							Description:  "The secret UUID.",
+							Required:     true,
+							ValidateFunc: validation.IsUUID,
+						},
+						"secret_reference_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The secret reference UUID",
+						},
+						"secret_version": {
+							Type:        schema.TypeString,
+							Description: "The secret version, default to Latest.",
+							Required:    true,
+						},
+						"file": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  "The absolute file path where the secret will be mounted.",
+							ValidateFunc: validation.StringMatch(regexp.MustCompile(`^(/[^/]+)+$`), "must be an absolute path to the file"),
+						},
+						"environment": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  "An environment variable containing the secret value.",
+							ValidateFunc: validation.StringMatch(regexp.MustCompile(`^[A-Z]+(_[A-Z]+)*$`), "environment variable must be composed of uppercase letters separated by an underscore"),
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -132,6 +170,12 @@ func ResourceJobDefinitionCreate(ctx context.Context, d *schema.ResourceData, m
 		return diag.FromErr(err)
 	}
 
+	if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
+		if err := CreateJobDefinitionSecret(rawSecretReference, api, region, definition.ID); err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	d.SetId(regional.NewIDString(region, definition.ID))
 
 	return ResourceJobDefinitionRead(ctx, d, m)
@@ -157,6 +201,33 @@ func ResourceJobDefinitionRead(ctx context.Context, d *schema.ResourceData, m in
 		return diag.FromErr(err)
 	}
 
+	rawSecretRefs, err := api.ListJobDefinitionSecrets(&jobs.ListJobDefinitionSecretsRequest{
+		Region:          region,
+		JobDefinitionID: id,
+	})
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	secretRefs := make([]interface{}, len(rawSecretRefs.Secrets))
+
+	for i, secret := range rawSecretRefs.Secrets {
+		secretRef := make(map[string]interface{})
+		secretRef["secret_id"] = secret.SecretManagerID
+		secretRef["secret_reference_id"] = secret.SecretID
+		secretRef["secret_version"] = secret.SecretManagerVersion
+
+		if secret.File != nil {
+			secretRef["file"] = secret.File.Path
+		}
+
+		if secret.EnvVar != nil {
+			secretRef["environment"] = secret.EnvVar.Name
+		}
+
+		secretRefs[i] = secretRef
+	}
+
 	_ = d.Set("name", definition.Name)
 	_ = d.Set("cpu_limit", int(definition.CPULimit))
 	_ = d.Set("memory_limit", int(definition.MemoryLimit))
@@ -168,6 +239,7 @@ func ResourceJobDefinitionRead(ctx context.Context, d *schema.ResourceData, m in
 	_ = d.Set("cron", flattenJobDefinitionCron(definition.CronSchedule))
 	_ = d.Set("region", definition.Region)
 	_ = d.Set("project_id", definition.ProjectID)
+	_ = d.Set("secret_reference", secretRefs)
 
 	return nil
 }
@@ -231,6 +303,27 @@ func ResourceJobDefinitionUpdate(ctx context.Context, d *schema.ResourceData, m
 		req.CronSchedule = expandJobDefinitionCron(d.Get("cron")).ToUpdateRequest()
 	}
 
+	if d.HasChange("secret_reference") {
+		oldRawSecretRefs, _ := d.GetChange("secret_reference")
+		oldSecretRefs := expandJobDefinitionSecret(oldRawSecretRefs)
+
+		for _, oldSecretRef := range oldSecretRefs {
+			if err := api.DeleteJobDefinitionSecret(&jobs.DeleteJobDefinitionSecretRequest{
+				Region:          region,
+				JobDefinitionID: id,
+				SecretID:        oldSecretRef.SecretReferenceID,
+			}); err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if rawSecretReference, ok := d.GetOk("secret_reference"); ok {
+			if err := CreateJobDefinitionSecret(rawSecretReference, api, region, id); err != nil {
+				return diag.FromErr(err)
+			}
+		}
+	}
+
 	if _, err := api.UpdateJobDefinition(req, scw.WithContext(ctx)); err != nil {
 		return diag.FromErr(err)
 	}

internal/services/jobs/definition_test.go

@@ -2,6 +2,7 @@ package jobs_test
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -160,6 +161,169 @@ func TestAccJobDefinition_Cron(t *testing.T) {
 	})
 }
 
+func TestAccJobDefinition_SecretReference(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckJobDefinitionDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+					resource "scaleway_secret" "main" {
+					  name = "job-secret"
+					  path = "/one"
+					}
+					resource "scaleway_secret_version" "main" {
+  					  secret_id   = scaleway_secret.main.id
+					  data        = "your_secret"
+					}
+					locals {
+						parts = split("/", scaleway_secret.main.id)
+						secret_uuid = local.parts[1]
+					}
+
+					resource scaleway_job_definition main {
+						name = "test-jobs-job-definition-secret"
+						cpu_limit = 120
+						memory_limit = 256
+						image_uri = "docker.io/alpine:latest"
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "latest"
+							file = "/home/dev/env"
+						}
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "latest"
+							environment = "SOME_ENV"
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckJobDefinitionExists(tt, "scaleway_job_definition.main"),
+					acctest.CheckResourceAttrUUID("scaleway_job_definition.main", "id"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "name", "test-jobs-job-definition-secret"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.#", "2"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/env"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.1.environment", "SOME_ENV"),
+				),
+			},
+			{
+				Config: `
+					resource "scaleway_secret" "main" {
+					  name = "job-secret"
+					  path = "/one"
+					}
+					resource "scaleway_secret_version" "main" {
+  					  secret_id   = scaleway_secret.main.id
+					  data        = "your_secret"
+					}
+					locals {
+						parts = split("/", scaleway_secret.main.id)
+						secret_uuid = local.parts[1]
+					}
+
+					resource scaleway_job_definition main {
+						name = "test-jobs-job-definition-secret"
+						cpu_limit = 120
+						memory_limit = 256
+						image_uri = "docker.io/alpine:latest"
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "latest"
+							file = "/home/dev/new_env"
+						}
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "latest"
+							environment = "SOME_ENV"
+						}
+					}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckJobDefinitionExists(tt, "scaleway_job_definition.main"),
+					acctest.CheckResourceAttrUUID("scaleway_job_definition.main", "id"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "name", "test-jobs-job-definition-secret"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.#", "2"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.0.file", "/home/dev/new_env"),
+					resource.TestCheckResourceAttr("scaleway_job_definition.main", "secret_reference.1.environment", "SOME_ENV"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccJobDefinition_WrongSecretReference(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckJobDefinitionDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+					resource "scaleway_secret" "main" {
+					  name    = "job-secret"
+					}
+					resource "scaleway_secret_version" "main" {
+  					  secret_id   = scaleway_secret.main.id
+					  data        = "your_secret"
+					}
+					locals {
+						parts = split("/", scaleway_secret.main.id)
+						secret_uuid = local.parts[1]
+					}
+
+					resource scaleway_job_definition main {
+						name = "test-jobs-job-definition-secret"
+						cpu_limit = 120
+						memory_limit = 256
+						image_uri = "docker.io/alpine:latest"
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "1"
+						}
+					}
+				`,
+				ExpectError: regexp.MustCompile(`the secret .+ is missing a mount point.+`),
+			},
+			{
+				Config: `
+					resource "scaleway_secret" "main" {
+					  name    = "job-secret"
+					}
+					resource "scaleway_secret_version" "main" {
+		  			  secret_id   = scaleway_secret.main.id
+					  data        = "your_secret"
+					}
+					locals {
+						parts = split("/", scaleway_secret.main.id)
+						secret_uuid = local.parts[1]
+					}
+		
+					resource scaleway_job_definition main {
+						name = "test-jobs-job-definition-secret"
+						cpu_limit = 120
+						memory_limit = 256
+						image_uri = "docker.io/alpine:latest"
+						secret_reference {
+							secret_id = local.secret_uuid
+							secret_version = "1"
+							environment = "SOME_ENV"
+							file = "/home/dev/env"
+						}
+					}
+				`,
+				ExpectError: regexp.MustCompile(`the secret .+ must have exactly one mount point.+`),
+			},
+		},
+	})
+}
+
 func testAccCheckJobDefinitionExists(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		rs, ok := state.RootModule().Resources[n]