Merge pull request #105 from rundeck/secureOptions

Secure options
rundeck · Oct 7, 2023 · 7ae5c51 · 7ae5c51
2 parents 71b19b4 + 6bc4943
commit 7ae5c51
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 5 deletions.
diff --git a/rundeck/resource_job.go b/rundeck/resource_job.go
@@ -276,6 +276,10 @@ func resourceRundeckJob() *schema.Resource {
 							Type:     schema.TypeBool,
 							Optional: true,
 						},
+						"storage_path": {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
 					},
 				},
 			},
@@ -681,6 +685,13 @@ func jobFromResourceData(d *schema.ResourceData) (*JobDetail, error) {
 				MultiValueDelimiter:     optionMap["multi_value_delimiter"].(string),
 				ObscureInput:            optionMap["obscure_input"].(bool),
 				ValueIsExposedToScripts: optionMap["exposed_to_scripts"].(bool),
+				StoragePath:             optionMap["storage_path"].(string),
+			}
+			if option.StoragePath != "" && option.ObscureInput == false {
+				return nil, fmt.Errorf("Argument \"obscure_input\" must be set to `true` when \"storage_path\" is not empty.")
+			}
+			if option.ValueIsExposedToScripts && option.ObscureInput == false {
+				return nil, fmt.Errorf("Argument \"obscure_input\" must be set to `true` when \"exposed_to_scripts\" is set to true.")
 			}
 
 			for _, iv := range optionMap["value_choices"].([]interface{}) {
@@ -912,6 +923,7 @@ func jobToResourceData(job *JobDetail, d *schema.ResourceData) error {
 				"multi_value_delimiter":     option.MultiValueDelimiter,
 				"obscure_input":             option.ObscureInput,
 				"exposed_to_scripts":        option.ValueIsExposedToScripts,
+				"storage_path":              option.StoragePath,
 			}
 			optionConfigsI = append(optionConfigsI, optionConfigI)
 		}

diff --git a/rundeck/resource_job_test.go b/rundeck/resource_job_test.go
@@ -171,6 +171,22 @@ func TestAccJobOptions_empty_choice(t *testing.T) {
 	})
 }
 
+func TestAccJobOptions_secure_choice(t *testing.T) {
+	var job JobDetail
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccJobCheckDestroy(&job),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccJobOptions_secure_options,
+				ExpectError: regexp.MustCompile("argument \"value_choices\" can not have empty values; try \"required\""),
+			},
+		},
+	})
+}
+
 const testAccJobConfig_basic = `
 resource "rundeck_project" "test" {
   name = "terraform-acc-test-job"
@@ -413,6 +429,38 @@ resource "rundeck_job" "test" {
 	default_value = "bar"
 	value_choices = ["", "foo"]
   }
+
+  command {
+    description = "Prints Hello World"
+    shell_command = "echo Hello World"
+  }
+}
+`
+
+const testAccJobOptions_secure_options = `
+resource "rundeck_project" "test" {
+  name = "terraform-acc-test-job-option-choices-empty"
+  description = "parent project for job acceptance tests"
+
+  resource_model_source {
+    type = "file"
+    config = {
+        format = "resourcexml"
+        file = "/tmp/terraform-acc-tests.xml"
+    }
+  }
+}
+resource "rundeck_job" "test" {
+  project_name = "${rundeck_project.test.name}"
+  name = "basic-job"
+  description = "A basic job"
+
+  option {
+    name = "foo_secure"
+	obscure_input = true
+	storage_path = "/keys/test/path/"
+  }
+
   command {
     description = "Prints Hello World"
     shell_command = "echo Hello World"

diff --git a/website/docs/r/job.html.md b/website/docs/r/job.html.md
@@ -121,9 +121,6 @@ The following arguments are supported:
 * `nodes_selected_by_default`: (Optional) Boolean controlling whether nodes that match the node_query_filter are
   selected by default or not.
 
-* `option`: (Optional) Nested block defining an option a user may set when executing this job. A
-  job may have any number of options. The structure of this nested block is described below.
-
 * `command`: (Required) Nested block defining one step in the job workflow. A job must have one or
   more commands. The structure of this nested block is described below.
 
@@ -134,6 +131,9 @@ The following arguments are supported:
 * `notification`: (Optional) Nested block defining notifications on the job workflow. The structure of this nested block
   is described below.
 
+* `option`: (Optional) Nested block defining an option a user may set when executing this job. A
+  job may have any number of options. The structure of this nested block is described below.
+
 `option` blocks have the following structure:
 
 * `name`: (Required) Unique name that will be shown in the UI when entering values and used as
@@ -170,10 +170,16 @@ The following arguments are supported:
 
 * `obscure_input`: (Optional) Boolean controlling whether the value of this option should be obscured
   during entry and in execution logs. Defaults to `false`, but should be set to `true` when the
-  requested value is a password, private key or any other secret value.
+  requested value is a password, private key or any other secret value. This must be set to `true` when
+  `storage_path` is not null.
 
 * `exposed_to_scripts`: (Optional) Boolean controlling whether the value of this option is available
-  to scripts executed by job commands. Defaults to `false`.
+  to scripts executed by job commands. Defaults to `false`. When `true`, `obscure_input` must also be set
+  to `true`.
+
+* `storage_path`: (Optional) String of the path where the key is stored on rundeck. `obscure_input` must be set to
+  `true` when using this. This results in `Secure Remote Authentication` input type. Setting `exposed_to_scripts` also
+  `true` results in `Secure` input type.
 
 `command` blocks must have any one of the following combinations of arguments as contents: