VAULT-43393 Initial implementation for config control group resource#2840
VAULT-43393 Initial implementation for config control group resource#2840johnjosephg wants to merge 3 commits intomainfrom
Conversation
Balaji2198
left a comment
Balaji2198
left a comment
There was a problem hiding this comment.
Thanks for working on this. This resource implementation is currently developed in the SDKv2, but new resources should be built using the Terraform Plugin Framework. Please update the implementation accordingly. You can get the reference from the internal/vault/sys/password_policy.go
Balaji2198
left a comment
Balaji2198
left a comment
There was a problem hiding this comment.
Thanks for working on this, I’ve added a few comments.
|
|
||
| func (r *ControlGroupConfigResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) { | ||
| resp.Schema = schema.Schema{ | ||
| MarkdownDescription: "Manages the singleton control group configuration. Requires Vault Enterprise 1.10.0 or later.", |
There was a problem hiding this comment.
I don't think we need to mention the version requirement, because TFVP itself is supported from vault version 1.15.x.
| Attributes: map[string]schema.Attribute{ | ||
| consts.FieldMaxTTL: schema.StringAttribute{ | ||
| Optional: true, | ||
| MarkdownDescription: "The maximum ttl for a control group wrapping token. This can be provided in seconds or duration (for example, 2h). Requires Vault Enterprise 1.10.0 or later.", |
There was a problem hiding this comment.
I don't think we need to mention the version requirement, because TFVP itself is supported from vault version 1.15.x.
| // featureSupported checks if the Vault server supports control group configuration. | ||
| // This feature requires Vault Enterprise 1.10.0 or later. | ||
| // The function takes an error callback to allow flexible error reporting across different contexts. | ||
| func (r *ControlGroupConfigResource) featureSupported(addError func(summary string, detail string)) bool { |
There was a problem hiding this comment.
I don't think we need version gating, because TFVP itself is supported from vault version 1.15.x.
| } | ||
|
|
||
| // Check if Vault is Enterprise edition (control groups are an Enterprise feature) | ||
| if !provider.IsEnterpriseSupported(r.Meta()) { |
There was a problem hiding this comment.
We don't have to check if its enterprise supported as well. These kind of validations are already in vault and we can let that take care of it.
| MarkdownDescription: "Manages the singleton control group configuration. Requires Vault Enterprise 1.10.0 or later.", | ||
| Attributes: map[string]schema.Attribute{ | ||
| consts.FieldMaxTTL: schema.StringAttribute{ | ||
| Optional: true, |
There was a problem hiding this comment.
Should we make this as Required field, because without this we are getting error as max_ttl must be greater than 0 right ?
| } | ||
|
|
||
| // Normalize the max_ttl to seconds (e.g., "2h" becomes "7200") | ||
| maxTTL, err := normalizeMaxTTL(data.MaxTTL.ValueString()) |
There was a problem hiding this comment.
There is no need of normalization, as the api accepts string field itself.
| }, | ||
| } | ||
|
|
||
| base.MustAddLegacyBaseSchema(&resp.Schema) |
There was a problem hiding this comment.
We can use MustAddBaseSchema instead of this because we are not migrating from the old SDK V2.
For ID field, you can have a computed ID field added to the schema.
| return | ||
| } | ||
|
|
||
| if err := r.readIntoModel(ctx, vaultClient, &data); err != nil { |
There was a problem hiding this comment.
Instead of using this, can we reuse the Read function which already have these logic ?
| return | ||
| } | ||
|
|
||
| if err := r.readIntoModel(ctx, vaultClient, &data); err != nil { |
There was a problem hiding this comment.
Instead of using this, can we reuse the Read function which already have these logic ?
|
|
||
| // createOrUpdate is a shared helper function for Create and Update operations. | ||
| // The isCreate parameter determines which error message to use for write failures. | ||
| func (r *ControlGroupConfigResource) createOrUpdate(ctx context.Context, req interface{}, resp interface{}, isCreate bool) { |
There was a problem hiding this comment.
I see that you are trying to call the same function for create and update for reusability, but still you see it has separate control flow for create and update.
My thought was to use the same code for both Create and Update
Also I can see that Read can also be reused.
I've attached the sample code that I generated, which reused Create, update and read code. This will show you what I really mean. But I have not tested this code, probably it might have some issues. Just attaching it for your reference.
| The `namespace` is always relative to the provider's configured [namespace](/docs/providers/vault#namespace). | ||
| *Available only for Vault Enterprise*. | ||
|
|
||
| * `max_ttl` - (Optional) The maximum TTL for a control group wrapping token. This value can be specified as a duration string (e.g., "24h", "1h30m") or as an integer number of seconds (e.g., "86400"). |
There was a problem hiding this comment.
Max ttl is required as per the schema defenition.
johnjosephg
force-pushed
the
VAULT-43393-config-control-group
branch
from
ee1bfbf to
32d3827
Compare
Removed duplicate sysconfig.NewControlGroupConfigResource entry from the resource list.
3 participants
Description
Initial implementation for the vault_config_control_group resource in /sys/config/control-group.
Checklist
Output from acceptance testing:
Community Note
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.