Add Nomad secret backend #923
Conversation
ghost
added
jasonodonnell
force-pushed
the
nomad-backend
branch
from
1e79c31
to
d9e8686
Compare
vault/provider.go
Outdated
| @@ -466,6 +470,18 @@ var ( | |||
| Resource: ldapAuthBackendGroupResource(), | |||
| PathInventory: []string{"/auth/ldap/groups/{name}"}, | |||
| }, | |||
| "vault_nomad_secret_backend": { | |||
| Resource: nomadSecretAccessBackendResource(), | |||
| PathInventory: []string{"/nomad"}, | |||
There was a problem hiding this comment.
Should /nomad/config/access be part of PathInventory here?
There was a problem hiding this comment.
@calvn Good question! Throughout the provider the mount and the config are the same resource. We derive the full path nomad/config/access from the backend. Since we derive it, /nomad is the default.
There was a problem hiding this comment.
nomad/config/lease is slightly different so I didn't add it to this resource. We could but it felt different enough to have a separate resource.
There was a problem hiding this comment.
@calvn Having thought about combining nomad/config/lease with the other configs, I decided to keep them as two separate resources. This is simply to reduce the amount of operations create/update/read need to do for all three paths (/nomad, /nomad/config/access and /nomad/config/lease).
There was a problem hiding this comment.
Is PathInventory used for routing? Or is is just for documentation purposes?
To Calvin's question this function does seem to cover the /nomad/config/access endpoint?
There was a problem hiding this comment.
I can try in the morning having both but pointing to the same resource handler, maybe that won't cause issues.
There was a problem hiding this comment.
Update: both can't be present because the resource name is the key and you can't duplicate it.
I changed the PathInventory to be /nomad/config/access. This did not have any regressions on the resources and is probably a better self-documenting change.
There was a problem hiding this comment.
PathInventory is a list, so it could also be this:
"vault_nomad_secret_backend": {
Resource: nomadSecretAccessBackendResource(),
PathInventory: []string{
"/nomad",
"/nomad/config/access",
},But I think setting it to just "/nomad/config/access" makes sense 👍
There was a problem hiding this comment.
Oh derp, yeah, that did work! Good call!
There was a problem hiding this comment.
/nomad, /nomad/config/access and /nomad/config/lease are merged into a single resource vault_nomad_secret_backend.
vault/provider.go
Outdated
| @@ -466,6 +470,18 @@ var ( | |||
| Resource: ldapAuthBackendGroupResource(), | |||
| PathInventory: []string{"/auth/ldap/groups/{name}"}, | |||
| }, | |||
| "vault_nomad_secret_backend": { | |||
| Resource: nomadSecretAccessBackendResource(), | |||
| PathInventory: []string{"/nomad"}, | |||
There was a problem hiding this comment.
Is PathInventory used for routing? Or is is just for documentation purposes?
To Calvin's question this function does seem to cover the /nomad/config/access endpoint?
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
| return fmt.Errorf("secret_id is not set in response") | ||
| } | ||
|
|
||
| d.SetId(accessorID) |
There was a problem hiding this comment.
Why not use path here? Granted, we aren't using the ID at all that I can see
There was a problem hiding this comment.
Each call to this endpoint generates a new token, so we want the ID to be the unique identifier of that specific generated token. Path would be too generic I think?
| return nil | ||
| } | ||
|
|
||
| if val, ok := resp.Data["address"]; ok { |
There was a problem hiding this comment.
I think these values should be read and update the state regardless if they are set in the response. If we use this resource to set them, and then out-of-band the backend is destroyed and recreated at the same address but without these values, we'll fail to detect the drift here.
There was a problem hiding this comment.
This is Required: true, so you would get an error if you didn't set it. Thoughts?
| tune := api.MountConfigInput{} | ||
| data := map[string]interface{}{} | ||
|
|
||
| if defaultTTL != 0 { |
There was a problem hiding this comment.
I believe this prevents us from initially setting a default lease to something that is not the default system lease, and then removing it, e.g. we can't set it to something non-standard and then try to later adapt the system defaults implicitly by removing our non-standard value.
Example:
- System default is
5m - We use
default_lease_ttl_secondsto set it to6minstead - Later we decide we want to use the system defaults, so we remove our
default_lease_ttl_seconds - No change is detected here, because the new value would be the zero value, right?
- No update happens, and the default least ttl remains at
6m
Is my assumption correct here?
There was a problem hiding this comment.
Agreed, fixed.
* Add Nomad secret backend * Update vault/resource_nomad_secret_backend.go Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Update vault/resource_nomad_secret_role.go Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Change PathInventory to config/access * Add more paths to inventory * Merge lease config with backend resource * Fix updating mount parameters * Remove required flag from token/address * Remove commented code Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
This PR adds support for the Nomad secret engine. The following endpoints are supported.
"/nomad/config/access"as a resource"/nomad/config/lease"as a resource"/nomad/role/<role name>"as a resource"/nomad/creds/<role name>"as a data sourceCurrently automated acceptance testing isn't integrated with CircleCI because to run Nomad in a container, it needs to run as
privileged. When we update the CI for other integrated testing (such as AD) this should be added and is being tracked internally.To manually test this, you can use the following script: https://gist.github.com/jasonodonnell/1a2cfaaa376592c170ad5fa2eab7e423. This script assumes you have
vaultandnomadinstalled.To run the acceptance tests, here's a setup script you can run from the project root: https://gist.github.com/jasonodonnell/e40a9b63eb8e9cd3556d221fd2e16494. This script assumes you have
vaultandnomadinstalled.If you want to test this via
terraformbinary, here's an example resource:Related test output
Closes #831.