-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathresource.go
More file actions
347 lines (298 loc) · 9.98 KB
/
resource.go
File metadata and controls
347 lines (298 loc) · 9.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
package jwk
import (
"context"
"encoding/json"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/schema/validator"
"github.com/hashicorp/terraform-plugin-framework/types"
ory "github.com/ory/client-go"
"github.com/ory/terraform-provider-ory/internal/client"
)
// Ensure provider defined types fully satisfy framework interfaces.
var (
_ resource.Resource = &JWKResource{}
_ resource.ResourceWithConfigure = &JWKResource{}
_ resource.ResourceWithImportState = &JWKResource{}
)
// NewResource returns a new JWK resource.
func NewResource() resource.Resource {
return &JWKResource{}
}
// JWKResource defines the resource implementation.
type JWKResource struct {
client *client.OryClient
}
// JWKResourceModel describes the resource data model.
type JWKResourceModel struct {
ID types.String `tfsdk:"id"`
ProjectID types.String `tfsdk:"project_id"`
SetID types.String `tfsdk:"set_id"`
KeyID types.String `tfsdk:"key_id"`
Algorithm types.String `tfsdk:"algorithm"`
Use types.String `tfsdk:"use"`
Keys types.String `tfsdk:"keys"`
}
func (r *JWKResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_json_web_key_set"
}
const jwkMarkdownDescription = `
Manages an Ory Network JSON Web Key Set (JWKS).
JSON Web Keys are used for signing and encrypting tokens. This resource allows you to
generate and manage custom key sets for your Ory project.
## Example Usage
### Generate RSA Key for Signing
` + "```hcl" + `
resource "ory_json_web_key_set" "signing" {
project_id = var.ory_project_id
set_id = "my-signing-keys"
key_id = "sig-key-1"
algorithm = "RS256"
use = "sig"
}
` + "```" + `
### Generate EC Key for Encryption
` + "```hcl" + `
resource "ory_json_web_key_set" "encryption" {
set_id = "my-encryption-keys"
key_id = "enc-key-1"
algorithm = "ES256"
use = "enc"
}
` + "```" + `
## Import
JWK sets can be imported using the format ` + "`project_id/set_id`" + ` or just ` + "`set_id`" + `:
` + "```shell" + `
terraform import ory_json_web_key_set.signing <project-id>/my-signing-keys
terraform import ory_json_web_key_set.signing my-signing-keys
` + "```" + `
`
func (r *JWKResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manages an Ory Network JSON Web Key Set.",
MarkdownDescription: jwkMarkdownDescription,
Attributes: map[string]schema.Attribute{
"id": schema.StringAttribute{
Description: "Internal Terraform ID (same as set_id).",
Computed: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
},
},
"project_id": schema.StringAttribute{
Description: "The project ID. If not set, uses the provider's project_id.",
Optional: true,
Computed: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
stringplanmodifier.RequiresReplace(),
},
},
"set_id": schema.StringAttribute{
Description: "The ID of the JSON Web Key Set.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"key_id": schema.StringAttribute{
Description: "The Key ID (kid) for the generated key.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"algorithm": schema.StringAttribute{
Description: "The algorithm for the key: RS256, ES256, ES512, HS256, HS512.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
Validators: []validator.String{
stringvalidator.OneOf("RS256", "ES256", "ES512", "HS256", "HS512"),
},
},
"use": schema.StringAttribute{
Description: "The intended use: sig (signature) or enc (encryption).",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
Validators: []validator.String{
stringvalidator.OneOf("sig", "enc"),
},
},
"keys": schema.StringAttribute{
Description: "The JSON Web Key Set as a JSON string (public parts only).",
Computed: true,
Sensitive: true,
},
},
}
}
func (r *JWKResource) Configure(ctx context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
oryClient, ok := req.ProviderData.(*client.OryClient)
if !ok {
resp.Diagnostics.AddError(
"Unexpected Resource Configure Type",
fmt.Sprintf("Expected *client.OryClient, got: %T. Please report this issue to the provider developers.", req.ProviderData),
)
return
}
r.client = oryClient
}
func (r *JWKResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan JWKResourceModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
projectID := r.resolveProjectID(plan.ProjectID)
projectClient, err := r.resolveProjectClient(ctx, projectID)
if err != nil {
resp.Diagnostics.AddError(
"Error Resolving Project",
err.Error(),
)
return
}
body := ory.CreateJsonWebKeySet{
Alg: plan.Algorithm.ValueString(),
Kid: plan.KeyID.ValueString(),
Use: plan.Use.ValueString(),
}
jwks, err := projectClient.CreateJsonWebKeySet(ctx, plan.SetID.ValueString(), body)
if err != nil {
resp.Diagnostics.AddError(
"Error Creating JSON Web Key Set",
"Could not create JWK set: "+err.Error(),
)
return
}
plan.ID = types.StringValue(plan.SetID.ValueString())
plan.ProjectID = types.StringValue(projectID)
// Serialize the keys to JSON
if len(jwks.Keys) > 0 {
keysJSON, err := json.Marshal(jwks)
if err == nil {
plan.Keys = types.StringValue(string(keysJSON))
}
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *JWKResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state JWKResourceModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
projectID := r.resolveProjectID(state.ProjectID)
projectClient, err := r.resolveProjectClient(ctx, projectID)
if err != nil {
resp.Diagnostics.AddError(
"Error Resolving Project",
err.Error(),
)
return
}
jwks, err := projectClient.GetJsonWebKeySet(ctx, state.SetID.ValueString())
if err != nil {
resp.Diagnostics.AddError(
"Error Reading JSON Web Key Set",
"Could not read JWK set "+state.SetID.ValueString()+": "+err.Error(),
)
return
}
if len(jwks.Keys) == 0 {
resp.State.RemoveResource(ctx)
return
}
state.ProjectID = types.StringValue(projectID)
// Serialize the keys to JSON
keysJSON, err := json.Marshal(jwks)
if err == nil {
state.Keys = types.StringValue(string(keysJSON))
}
// Try to extract algorithm and use from the first key
if len(jwks.Keys) > 0 {
firstKey := jwks.Keys[0]
state.Algorithm = types.StringValue(firstKey.Alg)
state.Use = types.StringValue(firstKey.Use)
state.KeyID = types.StringValue(firstKey.Kid)
}
resp.Diagnostics.Append(resp.State.Set(ctx, &state)...)
}
func (r *JWKResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
// JWK sets are immutable - all changes require replacement
// This is handled by RequiresReplace on all fields
resp.Diagnostics.AddError(
"Update Not Supported",
"JSON Web Key Sets cannot be updated. Changes require resource replacement.",
)
}
func (r *JWKResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state JWKResourceModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
projectID := r.resolveProjectID(state.ProjectID)
projectClient, err := r.resolveProjectClient(ctx, projectID)
if err != nil {
resp.Diagnostics.AddError(
"Error Resolving Project",
err.Error(),
)
return
}
err = projectClient.DeleteJsonWebKeySet(ctx, state.SetID.ValueString())
if err != nil {
resp.Diagnostics.AddError(
"Error Deleting JSON Web Key Set",
"Could not delete JWK set: "+err.Error(),
)
return
}
}
func (r *JWKResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
// Import ID format: project_id/set_id or just set_id (uses provider's project_id)
id := req.ID
var projectID, setID string
if strings.Contains(id, "/") {
parts := strings.SplitN(id, "/", 2)
projectID = parts[0]
setID = parts[1]
} else {
setID = id
}
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("set_id"), setID)...)
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), setID)...)
if projectID != "" {
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("project_id"), projectID)...)
}
}
// resolveProjectID returns the project ID from the resource attribute or falls back to the provider's project_id.
func (r *JWKResource) resolveProjectID(tfProjectID types.String) string {
if !tfProjectID.IsNull() && !tfProjectID.IsUnknown() {
return tfProjectID.ValueString()
}
return r.client.ProjectID()
}
// resolveProjectClient returns a client configured for the given project.
// If project_id is provided, it resolves the slug via the console API.
// Otherwise, it falls back to the provider's project credentials.
func (r *JWKResource) resolveProjectClient(ctx context.Context, projectID string) (*client.OryClient, error) {
if projectID != "" {
return r.client.ProjectClientForProject(ctx, projectID)
}
return r.client, nil
}