Add Active Directory secret engine support (#902)
* Add Active Directory secret engine support * Add optional to backend * Update vault/resource_ad_secret_roles.go Co-authored-by: Theron Voran <[email protected]> * Add deprecated flag for length and formatter * Add library support * Update documentation * Update vault/resource_ad_secret_backend.go Co-authored-by: Tom Proctor <[email protected]> * Remove optional from description * Fix typo in library doc * Move documentation back * Update vault/resource_ad_secret_backend.go Co-authored-by: Theron Voran <[email protected]> * Update vault/resource_ad_secret_backend.go Co-authored-by: Theron Voran <[email protected]> * Update ttl description * Add note about seconds to ttl Co-authored-by: Theron Voran <[email protected]> Co-authored-by: Tom Proctor <[email protected]>
1 parent
5476967
commit e97b888
Showing
25 changed files
with
2,009 additions
and
21 deletions.
@@ -0,0 +1,11 @@ | ||
dn: CN=Bob,CN=Users,DC=corp,DC=example,DC=net | ||
objectClass: top | ||
objectClass: person | ||
objectClass: organizationalPerson | ||
objectClass: user | ||
cn: Bob | ||
description: test account | ||
name: Bob | ||
sAMAccountName: Bob | ||
distinguishedName: CN=Bob,CN=Users,DC=corp,DC=example,DC=net | ||
userPrincipalName: Bob |
@@ -0,0 +1,80 @@ | ||
package vault | ||
|
||
import ( | ||
"fmt" | ||
"github.com/hashicorp/terraform-plugin-sdk/helper/schema" | ||
"github.com/hashicorp/vault/api" | ||
"log" | ||
) | ||
|
||
func adAccessCredentialsDataSource() *schema.Resource { | ||
return &schema.Resource{ | ||
Read: readCredsResource, | ||
Schema: map[string]*schema.Schema{ | ||
"backend": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
Description: "AD Secret Backend to read credentials from.", | ||
}, | ||
"role": { | ||
Type: schema.TypeString, | ||
Required: true, | ||
ForceNew: true, | ||
Description: "Name of the role.", | ||
}, | ||
"current_password": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "Password for the service account.", | ||
}, | ||
"last_password": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "Last known password for the service account.", | ||
}, | ||
"username": { | ||
Type: schema.TypeString, | ||
Computed: true, | ||
Description: "Name of the service account.", | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func readCredsResource(d *schema.ResourceData, meta interface{}) error { | ||
client := meta.(*api.Client) | ||
backend := d.Get("backend").(string) | ||
role := d.Get("role").(string) | ||
path := fmt.Sprintf("%s/creds/%s", backend, role) | ||
|
||
secret, err := client.Logical().Read(path) | ||
if err != nil { | ||
return fmt.Errorf("error reading from Vault: %s", err) | ||
} | ||
log.Printf("[DEBUG] Read %q from Vault", path) | ||
|
||
if secret == nil { | ||
return fmt.Errorf("no role found at %q", path) | ||
} | ||
|
||
currentPassword := secret.Data["current_password"].(string) | ||
if currentPassword == "" { | ||
return fmt.Errorf("current_password is not set in response") | ||
} | ||
|
||
username := secret.Data["username"].(string) | ||
if username == "" { | ||
return fmt.Errorf("username is not set in response") | ||
} | ||
|
||
// When first set this could be empty. | ||
if lastPassword, ok := secret.Data["last_password"].(string); ok { | ||
d.Set("last_password", lastPassword) | ||
} | ||
|
||
d.SetId(username) | ||
d.Set("username", username) | ||
d.Set("current_password", currentPassword) | ||
|
||
return nil | ||
} |
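Review bot: The type assertions `secret.Data["current_password"].(string)` and `secret.Data["username"].(string)` in readCredsResource are unchecked, so a response in which either key is absent or not a string panics the provider instead of returning an error, while the `last_password` read a few lines later already uses the two-value form; both should be `v, ok := ...; if !ok || v == ""` guards. Separately, `current_password` and `last_password` are secrets handed back to Terraform, and the schema does not flag them `Sensitive: true`, which is what the SDK uses to redact values from plan/apply output (state itself remains plaintext, so the usual state-encryption caveat still applies). The `d.Set` return values are also discarded; checking them is the SDK convention.
```go
"current_password": {
    Type:        schema.TypeString,
    Computed:    true,
    Sensitive:   true,
    Description: "Password for the service account.",
},
"last_password": {
    Type:        schema.TypeString,
    Computed:    true,
    Sensitive:   true,
    Description: "Last known password for the service account.",
},
// … unchanged: "username" field, readCredsResource up to the nil-secret check …
currentPassword, ok := secret.Data["current_password"].(string)
if !ok || currentPassword == "" {
    return fmt.Errorf("current_password is not set in response")
}

username, ok := secret.Data["username"].(string)
if !ok || username == "" {
    return fmt.Errorf("username is not set in response")
}
// … unchanged: last_password handling and d.Set calls …
```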
@@ -0,0 +1,58 @@ | ||
package vault | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/hashicorp/terraform-plugin-sdk/helper/acctest" | ||
"github.com/hashicorp/terraform-plugin-sdk/helper/resource" | ||
"github.com/terraform-providers/terraform-provider-vault/util" | ||
) | ||
|
||
func TestAccDataSourceADAccessCredentials_basic(t *testing.T) { | ||
backend := acctest.RandomWithPrefix("tf-test-ad") | ||
bindDN, bindPass, url := util.GetTestADCreds(t) | ||
|
||
resource.Test(t, resource.TestCase{ | ||
Providers: testProviders, | ||
PreCheck: func() { util.TestAccPreCheck(t) }, | ||
Steps: []resource.TestStep{ | ||
{ | ||
Config: testAccDataSourceADAccessCredentialsConfig(backend, bindDN, bindPass, url, "bob", "Bob", 60), | ||
Check: resource.ComposeTestCheckFunc( | ||
resource.TestCheckResourceAttrSet("data.vault_ad_access_credentials.creds", "current_password"), | ||
resource.TestCheckResourceAttr("data.vault_ad_access_credentials.creds", "username", "Bob"), | ||
), | ||
}, | ||
}, | ||
}) | ||
} | ||
|
||
func testAccDataSourceADAccessCredentialsConfig(backend, bindDN, bindPass, url, role, serviceAccountName string, ttl int) string { | ||
return fmt.Sprintf(` | ||
resource "vault_ad_secret_backend" "config" { | ||
backend = "%s" | ||
description = "test description" | ||
default_lease_ttl_seconds = "3600" | ||
max_lease_ttl_seconds = "7200" | ||
binddn = "%s" | ||
bindpass = "%s" | ||
url = "%s" | ||
insecure_tls = "true" | ||
userdn = "CN=Users,DC=corp,DC=example,DC=net" | ||
} | ||
resource "vault_ad_secret_role" "role" { | ||
backend = "${vault_ad_secret_backend.config.backend}" | ||
role = "%s" | ||
service_account_name = "%s" | ||
ttl = %d | ||
} | ||
data "vault_ad_access_credentials" "creds" { | ||
backend = "${vault_ad_secret_backend.config.backend}" | ||
role = "${vault_ad_secret_role.role.role}" | ||
} | ||
`, backend, bindDN, bindPass, url, role, serviceAccountName, ttl) | ||
} |
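Review bot: `bindpass` and `binddn` come from the environment via `util.GetTestADCreds` and are spliced into the HCL at `bindpass = "%s"` without escaping, so a test credential containing `"` or `\` yields an unparsable config rather than a clear failure; `%q` would cover the common cases, though Go's escapes for non-printable bytes are not HCL's, so that caveat deserves a comment. The `insecure_tls = "true"` line is acceptable only because this targets a disposable test directory; a one-line HCL comment such as `# test fixture only: AD under test uses a self-signed cert` would make that intent explicit. testAccDataSourceADAccessCredentialsConfig is fully contained in the hunk.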