Add support for sync resource in HCP Vault Secrets

Author: rodrigo-hcp

.changelog/1196.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+Add support for sync resource in HCP Vault Secrets
+```

examples/resources/hcp_vault_secrets_sync/resource.tf

@@ -0,0 +1,5 @@
+# the provider is derived from the integration name
+resource "hcp_vault_secrets_sync" "example_aws_sync" {
+  name = "my-aws-1"
+  integration_name = "my-integration-1"
+}

internal/provider/provider.go

@@ -157,6 +157,7 @@ func (p *ProviderFramework) Resources(ctx context.Context) []func() resource.Res
 		vaultsecrets.NewVaultSecretsIntegrationResource,
 		vaultsecrets.NewVaultSecretsDynamicSecretResource,
 		vaultsecrets.NewVaultSecretsRotatingSecretResource,
+		vaultsecrets.NewVaultSecretsSyncResource,
 		// Vault Secrets Deprecated
 		vaultsecrets.NewVaultSecretsIntegrationAWSResource,
 		vaultsecrets.NewVaultSecretsIntegrationAzureResource,

internal/provider/vaultsecrets/resource_vault_secrets_app.go

@@ -10,11 +10,13 @@ import (
 
 	"github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/client/secret_service"
 	secretmodels "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/models"
+	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/listplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@@ -30,6 +32,7 @@ type App struct {
 	ProjectID      types.String `tfsdk:"project_id"`
 	OrganizationID types.String `tfsdk:"organization_id"`
 	ResourceName   types.String `tfsdk:"resource_name"`
+	SyncNames      types.Set    `tfsdk:"sync_names"`
 }
 
 var _ resource.Resource = &resourceVaultSecretsApp{}
@@ -90,7 +93,17 @@ func (r *resourceVaultSecretsApp) Schema(_ context.Context, _ resource.SchemaReq
 				Computed:    true,
 				Description: "The app's resource name in the format secrets/project/<project ID>/app/<app Name>.",
 			},
-		},
+			"sync_names": schema.ListAttribute{
+				Description: "List of sync names to associate with this app.",
+				Optional:    true,
+				ElementType: types.StringType,
+				PlanModifiers: []planmodifier.List{
+					listplanmodifier.RequiresReplace(),
+				},
+				Validators: []validator.List{
+					listvalidator.UniqueValues(),
+				},
+			}},
 	}
 }
 
@@ -120,10 +133,13 @@ func (r *resourceVaultSecretsApp) Create(ctx context.Context, req resource.Creat
 			return nil, fmt.Errorf("invalid resource type, expected *App, got: %T, this is a bug on the provider", i)
 		}
 
+		syncNames := make([]string, len(app.SyncNames.Elements()))
+
 		response, err := r.client.VaultSecrets.CreateApp(&secret_service.CreateAppParams{
 			Body: &secretmodels.SecretServiceCreateAppBody{
 				Name:        app.AppName.ValueString(),
 				Description: app.Description.ValueString(),
+				SyncNames:   syncNames,
 			},
 			OrganizationID: app.OrganizationID.ValueString(),
 			ProjectID:      app.ProjectID.ValueString(),

internal/provider/vaultsecrets/resource_vault_secrets_app_test.go

@@ -6,6 +6,7 @@ package vaultsecrets_test
 import (
 	"fmt"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-secrets/stable/2023-11-28/client/secret_service"
@@ -17,11 +18,15 @@ import (
 )
 
 func TestAccVaultSecretsResourceApp(t *testing.T) {
-	appName1 := generateRandomSlug()
-	appName2 := generateRandomSlug()
-
-	description1 := "my description 1"
-	description2 := "my description 2"
+	var (
+		integrationName1 = generateRandomSlug()
+		appName1         = generateRandomSlug()
+		appName2         = generateRandomSlug()
+		description1     = "my description 1"
+		description2     = "my description 2"
+		syncName         = generateRandomSlug()
+		gitLabToken      = checkRequiredEnvVarOrFail(t, "GITLAB_ACCESS_TOKEN")
+	)
 
 	resource.Test(t, resource.TestCase{
 		ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories,
@@ -30,21 +35,50 @@ func TestAccVaultSecretsResourceApp(t *testing.T) {
 			{
 				Config: appConfig(appName1, description1),
 				Check: resource.ComposeTestCheckFunc(
-					appCheckFunc(appName1, description1)...,
+					appCheckFunc(appName1, description1, nil)...,
 				),
 			},
 			// Changing an immutable field causes a recreation
 			{
 				Config: appConfig(appName2, description1),
 				Check: resource.ComposeTestCheckFunc(
-					appCheckFunc(appName2, description1)...,
+					appCheckFunc(appName2, description1, nil)...,
 				),
 			},
 			// Changing mutable fields causes an update
 			{
 				Config: appConfig(appName2, description2),
 				Check: resource.ComposeTestCheckFunc(
-					appCheckFunc(appName2, description2)...,
+					appCheckFunc(appName2, description2, nil)...,
+				),
+			},
+			// Changing the sync_names causes an update
+			{
+				Config: fmt.Sprintf(`
+					resource "hcp_vault_secrets_integration" "acc_test" {
+						name = %q
+						capabilities = ["SYNC"]
+						provider_type = "gitlab"
+						gitlab_access = {
+							token = %q
+						}
+					}
+					resource "hcp_vault_secrets_sync" "gitlab_sync" {
+						name = %q
+    					integration_name = hcp_vault_secrets_integration.acc_test.name
+    					gitlab_config {
+    					    scope = "PROJECT"
+    					    project_id = "1234"
+    					}
+					}
+					resource "hcp_vault_secrets_app" "acc_test_app" {
+						app_name    = %q
+						description = %q
+						sync_names = [hcp_vault_secrets_sync.gitlab_sync.name]
+					}
+				`, integrationName1, gitLabToken, syncName, appName2, description2),
+				Check: resource.ComposeTestCheckFunc(
+					appCheckFunc(appName2, description2, []string{syncName})...,
 				),
 			},
 			// Deleting the app out of band causes a recreation
@@ -63,7 +97,7 @@ func TestAccVaultSecretsResourceApp(t *testing.T) {
 				},
 				Config: appConfig(appName2, description2),
 				Check: resource.ComposeTestCheckFunc(
-					appCheckFunc(appName2, description2)...,
+					appCheckFunc(appName2, description2, nil)...,
 				),
 				PlanOnly:           true,
 				ExpectNonEmptyPlan: true,
@@ -87,7 +121,7 @@ func TestAccVaultSecretsResourceApp(t *testing.T) {
 				},
 				Config: appConfig(appName2, description2),
 				Check: resource.ComposeTestCheckFunc(
-					appCheckFunc(appName2, description2)...,
+					appCheckFunc(appName2, description2, nil)...,
 				),
 				ResourceName:  "hcp_vault_secrets_app.acc_test_app",
 				ImportStateId: appName2,
@@ -114,14 +148,19 @@ func appConfig(appName, description string) string {
    }`, appName, description)
 }
 
-func appCheckFunc(appName, description string) []resource.TestCheckFunc {
+func appCheckFunc(appName, description string, syncNames []string) []resource.TestCheckFunc {
+	formattedSyncs := ""
+	if len(syncNames) > 0 {
+		formattedSyncs = fmt.Sprintf("[%s]", strings.Join(syncNames, ","))
+	}
 	return []resource.TestCheckFunc{
 		resource.TestCheckResourceAttrSet("hcp_vault_secrets_app.acc_test_app", "organization_id"),
 		resource.TestCheckResourceAttrSet("hcp_vault_secrets_app.acc_test_app", "id"),
 		resource.TestCheckResourceAttrSet("hcp_vault_secrets_app.acc_test_app", "resource_name"),
 		resource.TestCheckResourceAttr("hcp_vault_secrets_app.acc_test_app", "project_id", os.Getenv("HCP_PROJECT_ID")),
 		resource.TestCheckResourceAttr("hcp_vault_secrets_app.acc_test_app", "app_name", appName),
 		resource.TestCheckResourceAttr("hcp_vault_secrets_app.acc_test_app", "description", description),
+		resource.TestCheckResourceAttr("hcp_vault_secrets_app.acc_test_app", "sync_names", formattedSyncs),
 	}
 }