Merge pull request #96 from arnaud-dfns/fix/invalid-instance

Author: arnaud-dfns

docs/data-sources/kubernetes.md

@@ -58,9 +58,9 @@ resource "postgresql_database" "my_db" {
 
 Optional:
 
-- `client_certificate` (String) PEM-encoded client certificate for TLS authentication.
-- `client_key` (String) PEM-encoded client certificate key for TLS authentication.
-- `cluster_ca_certificate` (String) PEM-encoded root certificates bundle for TLS authentication.
+- `client_certificate` (String, Sensitive) PEM-encoded client certificate for TLS authentication.
+- `client_key` (String, Sensitive) PEM-encoded client certificate key for TLS authentication.
+- `cluster_ca_certificate` (String, Sensitive) PEM-encoded root certificates bundle for TLS authentication.
 - `config_context` (String) Context to choose from the config file. Can be sourced from KUBE_CTX.
 - `config_context_auth_info` (String) Authentication info context of the kube config (name of the kubeconfig user, --user flag in kubectl). Can be sourced from KUBE_CTX_AUTH_INFO.
 - `config_context_cluster` (String) Cluster context of the kube config (name of the kubeconfig cluster, --cluster flag in kubectl). Can be sourced from KUBE_CTX_CLUSTER.
@@ -69,10 +69,10 @@ Optional:
 - `exec` (Attributes) Exec configuration for Kubernetes authentication (see [below for nested schema](#nestedatt--kubernetes--exec))
 - `host` (String) The hostname (in form of URI) of kubernetes master
 - `insecure` (Boolean) Whether server should be accessed without verifying the TLS certificate.
-- `password` (String) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.
+- `password` (String, Sensitive) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.
 - `proxy_url` (String) URL to the proxy to be used for all API requests.
 - `tls_server_name` (String) Server name passed to the server for SNI and is used in the client to check server certificates against.
-- `token` (String) Token to authenticate a service account.
+- `token` (String, Sensitive) Token to authenticate a service account.
 - `username` (String) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint
 
 <a id="nestedatt--kubernetes--exec"></a>
@@ -85,5 +85,5 @@ Required:
 
 Optional:
 
-- `args` (List of String) Arguments for the exec plugin
-- `env` (Map of String) Environment variables for the exec plugin
+- `args` (List of String, Sensitive) Arguments for the exec plugin
+- `env` (Map of String, Sensitive) Environment variables for the exec plugin

docs/ephemeral-resources/kubernetes.md

@@ -58,9 +58,9 @@ resource "postgresql_database" "my_db" {
 
 Optional:
 
-- `client_certificate` (String) PEM-encoded client certificate for TLS authentication.
-- `client_key` (String) PEM-encoded client certificate key for TLS authentication.
-- `cluster_ca_certificate` (String) PEM-encoded root certificates bundle for TLS authentication.
+- `client_certificate` (String, Sensitive) PEM-encoded client certificate for TLS authentication.
+- `client_key` (String, Sensitive) PEM-encoded client certificate key for TLS authentication.
+- `cluster_ca_certificate` (String, Sensitive) PEM-encoded root certificates bundle for TLS authentication.
 - `config_context` (String) Context to choose from the config file. Can be sourced from KUBE_CTX.
 - `config_context_auth_info` (String) Authentication info context of the kube config (name of the kubeconfig user, --user flag in kubectl). Can be sourced from KUBE_CTX_AUTH_INFO.
 - `config_context_cluster` (String) Cluster context of the kube config (name of the kubeconfig cluster, --cluster flag in kubectl). Can be sourced from KUBE_CTX_CLUSTER.
@@ -69,10 +69,10 @@ Optional:
 - `exec` (Attributes) Exec configuration for Kubernetes authentication (see [below for nested schema](#nestedatt--kubernetes--exec))
 - `host` (String) The hostname (in form of URI) of kubernetes master
 - `insecure` (Boolean) Whether server should be accessed without verifying the TLS certificate.
-- `password` (String) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.
+- `password` (String, Sensitive) The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.
 - `proxy_url` (String) URL to the proxy to be used for all API requests.
 - `tls_server_name` (String) Server name passed to the server for SNI and is used in the client to check server certificates against.
-- `token` (String) Token to authenticate a service account.
+- `token` (String, Sensitive) Token to authenticate a service account.
 - `username` (String) The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint
 
 <a id="nestedatt--kubernetes--exec"></a>
@@ -85,5 +85,5 @@ Required:
 
 Optional:
 
-- `args` (List of String) Arguments for the exec plugin
-- `env` (Map of String) Environment variables for the exec plugin
+- `args` (List of String, Sensitive) Arguments for the exec plugin
+- `env` (Map of String, Sensitive) Environment variables for the exec plugin

internal/provider/data_source_kubernetes.go

@@ -61,7 +61,6 @@ func (d *KubernetesDataSource) Schema(ctx context.Context, req datasource.Schema
 			},
 			"kubernetes": schema.SingleNestedAttribute{
 				Optional:    true,
-				Computed:    true,
 				Description: "Kubernetes Configuration",
 				Attributes: map[string]schema.Attribute{
 					"host": schema.StringAttribute{
@@ -74,6 +73,7 @@ func (d *KubernetesDataSource) Schema(ctx context.Context, req datasource.Schema
 					},
 					"password": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.",
 					},
 					"insecure": schema.BoolAttribute{
@@ -86,14 +86,17 @@ func (d *KubernetesDataSource) Schema(ctx context.Context, req datasource.Schema
 					},
 					"client_certificate": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded client certificate for TLS authentication.",
 					},
 					"client_key": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded client certificate key for TLS authentication.",
 					},
 					"cluster_ca_certificate": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded root certificates bundle for TLS authentication.",
 					},
 					"config_paths": schema.ListAttribute{
@@ -119,6 +122,7 @@ func (d *KubernetesDataSource) Schema(ctx context.Context, req datasource.Schema
 					},
 					"token": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "Token to authenticate a service account.",
 					},
 					"proxy_url": schema.StringAttribute{
@@ -139,11 +143,13 @@ func (d *KubernetesDataSource) Schema(ctx context.Context, req datasource.Schema
 							},
 							"env": schema.MapAttribute{
 								Optional:    true,
+								Sensitive:   true,
 								ElementType: types.StringType,
 								Description: "Environment variables for the exec plugin",
 							},
 							"args": schema.ListAttribute{
 								Optional:    true,
+								Sensitive:   true,
 								ElementType: types.StringType,
 								Description: "Arguments for the exec plugin",
 							},
@@ -245,8 +251,5 @@ func (d *KubernetesDataSource) Read(ctx context.Context, req datasource.ReadRequ
 		return
 	}
 
-	// Clear the sensitive Kubernetes configuration from the state
-	data.Kubernetes = nil
-
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }

internal/provider/ephemeral_kubernetes.go

@@ -89,7 +89,6 @@ func (d *KubernetesEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRe
 			},
 			"kubernetes": schema.SingleNestedAttribute{
 				Optional:    true,
-				Computed:    true,
 				Description: "Kubernetes Configuration",
 				Attributes: map[string]schema.Attribute{
 					"host": schema.StringAttribute{
@@ -102,6 +101,7 @@ func (d *KubernetesEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRe
 					},
 					"password": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.",
 					},
 					"insecure": schema.BoolAttribute{
@@ -114,14 +114,17 @@ func (d *KubernetesEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRe
 					},
 					"client_certificate": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded client certificate for TLS authentication.",
 					},
 					"client_key": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded client certificate key for TLS authentication.",
 					},
 					"cluster_ca_certificate": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "PEM-encoded root certificates bundle for TLS authentication.",
 					},
 					"config_paths": schema.ListAttribute{
@@ -147,6 +150,7 @@ func (d *KubernetesEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRe
 					},
 					"token": schema.StringAttribute{
 						Optional:    true,
+						Sensitive:   true,
 						Description: "Token to authenticate a service account.",
 					},
 					"proxy_url": schema.StringAttribute{
@@ -167,11 +171,13 @@ func (d *KubernetesEphemeral) Schema(ctx context.Context, req ephemeral.SchemaRe
 							},
 							"env": schema.MapAttribute{
 								Optional:    true,
+								Sensitive:   true,
 								ElementType: types.StringType,
 								Description: "Environment variables for the exec plugin",
 							},
 							"args": schema.ListAttribute{
 								Optional:    true,
+								Sensitive:   true,
 								ElementType: types.StringType,
 								Description: "Arguments for the exec plugin",
 							},
@@ -273,9 +279,6 @@ func (d *KubernetesEphemeral) Open(ctx context.Context, req ephemeral.OpenReques
 		return
 	}
 
-	// Clear the sensitive Kubernetes configuration from the result
-	data.Kubernetes = nil
-
 	resp.Diagnostics.Append(resp.Result.Set(ctx, &data)...)
 	resp.Private.SetKey(ctx, "tunnel_pid", []byte(strconv.Itoa(cmd.Process.Pid)))
 }