feat(secret): add ephemeral policy configuration (#2691)

Codelax · web-flow · commit d6965c43d3a1 · 2024-08-09T09:14:01.000Z
* feat(secret): add ephemeral policy configuration

* add resource doc

* update doc

* set ttl to optional and test its removal

* remove extra code
diff --git a/docs/resources/secret.md b/docs/resources/secret.md
@@ -20,6 +20,19 @@ resource "scaleway_secret" "main" {
 }
 ```
 
+### Ephemeral Policy
+
+```terraform
+resource "scaleway_secret" "ephemeral" {
+  name = "foo"
+  ephemeral_policy {
+    ttl = "24h"
+    expires_once_accessed = true
+    action = "disable"
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -29,6 +42,10 @@ The following arguments are supported:
 - `protected` - (Optional) True if secret protection is enabled on the secret. A protected secret cannot be deleted, terraform will fail to destroy unless this is set to false.
 - `description` - (Optional) Description of the secret (e.g. `my-new-description`).
 - `tags` - (Optional) Tags of the secret (e.g. `["tag", "secret"]`).
+- `ephemeral_policy` - (Optional) Ephemeral policy of the secret. Policy that defines whether/when a secret's versions expire. By default, the policy is applied to all the secret's versions.
+    - `ttl` - (Optional) Time frame, from one second and up to one year, during which the secret's versions are valid. Has to be specified in [Go Duration format](https://pkg.go.dev/time#ParseDuration) (ex: "30m", "24h").
+    - `expires_once_accessed` - (Optional) True if the secret version expires after a single user access.
+    - `action` - (Required) Action to perform when the version of a secret expires. Available values can be found in [SDK constants](https://pkg.go.dev/github.com/scaleway/scaleway-sdk-go@master/api/secret/v1beta1#pkg-constants).
 - `region` - (Defaults to [provider](../index.md#region) `region`) The [region](../guides/regions_and_zones.md#regions)
   in which the resource exists.
 - `project_id` - (Optional) The project ID containing is the secret.
diff --git a/internal/services/secret/helpers.go b/internal/services/secret/helpers.go
@@ -12,6 +12,7 @@ import (
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/meta"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
 )
 
 const (
@@ -126,3 +127,43 @@ func updateSecretProtection(api *secret.API, region scw.Region, secretID string,
 
 	return nil
 }
+
+func expandEphemeralPolicy(rawSchemaPolicy any) (*secret.EphemeralPolicy, error) {
+	rawList := rawSchemaPolicy.([]interface{})
+	if len(rawList) != 1 {
+		return nil, fmt.Errorf("expected 1 policy, found %d", len(rawList))
+	}
+	rawPolicy := rawList[0].(map[string]interface{})
+
+	ttl, err := types.ExpandDuration(rawPolicy["ttl"])
+	if err != nil {
+		return nil, fmt.Errorf("error parsing ttl: %s", err)
+	}
+
+	policy := &secret.EphemeralPolicy{
+		ExpiresOnceAccessed: types.ExpandBoolPtr(rawPolicy["expires_once_accessed"]),
+		Action:              secret.EphemeralPolicyAction(rawPolicy["action"].(string)),
+	}
+
+	if ttl != nil {
+		policy.TimeToLive = scw.NewDurationFromTimeDuration(*ttl)
+	}
+
+	return policy, nil
+}
+
+func flattenEphemeralPolicy(policy *secret.EphemeralPolicy) []map[string]interface{} {
+	if policy == nil {
+		return nil
+	}
+	policyElem := map[string]interface{}{}
+	if policy.TimeToLive != nil {
+		policyElem["ttl"] = types.FlattenDuration(policy.TimeToLive.ToTimeDuration())
+	}
+	if policy.ExpiresOnceAccessed != nil {
+		policyElem["expires_once_accessed"] = types.FlattenBoolPtr(policy.ExpiresOnceAccessed)
+	}
+	policyElem["action"] = policy.Action
+
+	return []map[string]interface{}{policyElem}
+}
diff --git a/internal/services/secret/secret.go b/internal/services/secret/secret.go
@@ -8,10 +8,12 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	secret "github.com/scaleway/scaleway-sdk-go/api/secret/v1beta1"
 	"github.com/scaleway/scaleway-sdk-go/scw"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/dsf"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/httperrors"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/locality/regional"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/services/account"
 	"github.com/scaleway/terraform-provider-scaleway/v2/internal/types"
+	"github.com/scaleway/terraform-provider-scaleway/v2/internal/verify"
 )
 
 func ResourceSecret() *schema.Resource {
@@ -80,6 +82,32 @@ func ResourceSecret() *schema.Resource {
 				Optional:    true,
 				Description: "True if secret protection is enabled on a given secret. A protected secret cannot be deleted.",
 			},
+			"ephemeral_policy": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"ttl": {
+							Optional:         true,
+							Type:             schema.TypeString,
+							DiffSuppressFunc: dsf.Duration,
+							ValidateFunc:     verify.IsDuration(),
+							Description:      "Time frame, from one second and up to one year, during which the secret's versions are valid. Has to be specified in Go Duration format",
+						},
+						"expires_once_accessed": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "True if the secret version expires after a single user access.",
+						},
+						"action": {
+							Type:             schema.TypeString,
+							Required:         true,
+							ValidateDiagFunc: verify.ValidateEnum[secret.EphemeralPolicyAction](),
+							Description:      "Action to perform when the version of a secret expires.",
+						},
+					},
+				},
+			},
 			"region":     regional.Schema(),
 			"project_id": account.ProjectIDSchema(),
 		},
@@ -114,6 +142,14 @@ func ResourceSecretCreate(ctx context.Context, d *schema.ResourceData, m interfa
 		secretCreateRequest.Path = types.ExpandStringPtr(rawPath)
 	}
 
+	rawEphemeralPolicy, policyExists := d.GetOk("ephemeral_policy")
+	if policyExists {
+		secretCreateRequest.EphemeralPolicy, err = expandEphemeralPolicy(rawEphemeralPolicy)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	secretResponse, err := api.CreateSecret(secretCreateRequest, scw.WithContext(ctx))
 	if err != nil {
 		return diag.FromErr(err)
@@ -156,6 +192,7 @@ func ResourceSecretRead(ctx context.Context, d *schema.ResourceData, m interface
 	_ = d.Set("project_id", secretResponse.ProjectID)
 	_ = d.Set("path", secretResponse.Path)
 	_ = d.Set("protected", secretResponse.Protected)
+	_ = d.Set("ephemeral_policy", flattenEphemeralPolicy(secretResponse.EphemeralPolicy))
 
 	return nil
 }
@@ -193,6 +230,14 @@ func ResourceSecretUpdate(ctx context.Context, d *schema.ResourceData, m interfa
 		hasChanged = true
 	}
 
+	if d.HasChange("ephemeral_policy") {
+		updateRequest.EphemeralPolicy, err = expandEphemeralPolicy(d.Get("ephemeral_policy"))
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		hasChanged = true
+	}
+
 	if hasChanged {
 		_, err := api.UpdateSecret(updateRequest, scw.WithContext(ctx))
 		if err != nil {
diff --git a/internal/services/secret/secret_test.go b/internal/services/secret/secret_test.go
@@ -42,6 +42,7 @@ func TestAccSecret_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("scaleway_secret.main", "tags.1", "provider"),
 					resource.TestCheckResourceAttr("scaleway_secret.main", "tags.2", "terraform"),
 					resource.TestCheckResourceAttr("scaleway_secret.main", "tags.#", "3"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.#", "0"),
 					resource.TestCheckResourceAttrSet("scaleway_secret.main", "updated_at"),
 					resource.TestCheckResourceAttrSet("scaleway_secret.main", "created_at"),
 					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
@@ -211,6 +212,83 @@ func TestAccSecret_Protected(t *testing.T) {
 	})
 }
 
+func TestAccSecret_EphemeralPolicy(t *testing.T) {
+	tt := acctest.NewTestTools(t)
+	defer tt.Cleanup()
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:          func() { acctest.PreCheck(t) },
+		ProviderFactories: tt.ProviderFactories,
+		CheckDestroy:      testAccCheckSecretDestroy(tt),
+		Steps: []resource.TestStep{
+			{
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-policy-secret"
+					ephemeral_policy {
+						ttl = "30m"
+						action = "disable"
+					}
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckSecretExists(tt, "scaleway_secret.main"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "name", "test-secret-policy-secret"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "path", "/"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.ttl", "30m0s"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.action", "disable"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.expires_once_accessed", "false"),
+					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
+				),
+			},
+			{
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-policy-secret"
+					ephemeral_policy {
+						ttl = "5h"
+						action = "delete"
+						expires_once_accessed = true
+					}
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckSecretExists(tt, "scaleway_secret.main"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "name", "test-secret-policy-secret"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "path", "/"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.ttl", "5h0m0s"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.action", "delete"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.expires_once_accessed", "true"),
+					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
+				),
+			},
+			{
+				Config: `
+				resource "scaleway_secret" "main" {
+					name = "test-secret-policy-secret"
+					ephemeral_policy {
+						action = "delete"
+						expires_once_accessed = true
+					}
+				}
+				`,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckSecretExists(tt, "scaleway_secret.main"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "name", "test-secret-policy-secret"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "path", "/"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.#", "1"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.ttl", ""),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.action", "delete"),
+					resource.TestCheckResourceAttr("scaleway_secret.main", "ephemeral_policy.0.expires_once_accessed", "true"),
+					acctest.CheckResourceAttrUUID("scaleway_secret.main", "id"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckSecretExists(tt *acctest.TestTools, n string) resource.TestCheckFunc {
 	return func(state *terraform.State) error {
 		rs, ok := state.RootModule().Resources[n]
diff --git a/internal/services/secret/testdata/secret-ephemeral-policy.cassette.yaml b/internal/services/secret/testdata/secret-ephemeral-policy.cassette.yaml
