Add ydb_secret resource with inherit_permissions support (#60)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: kprokopenko

.github/workflows/lint.yml

@@ -17,7 +17,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.1.6
+          version: v2.11.4
   autoformatter:
     name: autoformat check
     concurrency:
@@ -30,7 +30,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22
+          go-version: 1.25.x
 
       - name: Install utilities
         run: |

.github/workflows/tests.yml

@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.21.x, 1.22.x]
+        go-version: [1.25.x, 1.26.x]
         os: [ubuntu, windows, macOS]
     env:
       OS: ${{ matrix.os }}-latest

README.md

@@ -7,4 +7,7 @@ This provider can be used for managing YDB schema resources in managed or on-pre
 ## Available resources
 - [ydb_table](./internal/resources/table/README.md)
 - [ydb_table_index](./internal/resources/table/index/README.md)
-- [ydb_table_changefeed](./internal/resources/changefeed/README.md)
+- [ydb_table_changefeed](./internal/resources/changefeed/README.md)
+- [ydb_external_data_source](./internal/resources/externaldatasource/README.md)
+- [ydb_external_table](./internal/resources/externaltable/README.md)
+- [ydb_secret](./internal/resources/secret/README.md)

go.mod

@@ -1,12 +1,13 @@
 module github.com/ydb-platform/terraform-provider-ydb
 
-go 1.24.0
+go 1.24.13
 
 require (
 	github.com/golang/mock v1.6.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.14.0
 	github.com/stretchr/testify v1.10.0
 	github.com/ydb-platform/ydb-go-sdk/v3 v3.134.0
+	golang.org/x/crypto v0.48.0
 )
 
 require google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
@@ -52,10 +53,10 @@ require (
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
 	github.com/ydb-platform/ydb-go-genproto v0.0.0-20260311095541-ebbf792c1180
 	github.com/zclconf/go-cty v1.10.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/grpc v1.78.0
 	google.golang.org/protobuf v1.36.10

go.sum

@@ -203,6 +203,8 @@ golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -227,8 +229,8 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -255,8 +257,8 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -265,8 +267,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=

internal/helpers/dataproxy.go

@@ -7,6 +7,7 @@ type ResourceDataProxy interface {
 	GetOk(key string) (interface{}, bool)
 
 	// GetOkExists and methods below are bypassed (i.e. call schema.ResourceData directly)
+	//
 	// Deprecated: calls a deprecated method
 	GetOkExists(key string) (interface{}, bool)
 

internal/helpers/helpers.go

@@ -51,6 +51,14 @@ func ParseYDBDatabaseEndpoint(endpoint string) (baseEP, databasePath string, use
 	return parts[2], dbSplit[1], useTLS, nil
 }
 
+func EscapeYQLString(s string) string {
+	return strings.ReplaceAll(s, "'", "\\'")
+}
+
+func EscapeYQLIdentifier(s string) string {
+	return strings.ReplaceAll(s, "`", "``")
+}
+
 func AppendWithEscape(buf []byte, s string) []byte {
 	for i := 0; i < len(s); i++ {
 		if s[i] == '"' || s[i] == '/' {

internal/resources/secret/README.md

@@ -0,0 +1,41 @@
+# ydb_secret resource
+
+`ydb_secret` resource is used to manage YDB secret objects.
+
+## Example
+
+### Static value
+
+```tf
+resource "ydb_secret" "secret" {
+    connection_string   = "grpc://localhost:2136/?database=/local"
+    name                = "my_secret"
+    value               = "s3cr3t_v4lue"
+    inherit_permissions = true
+}
+```
+
+### Value from command
+
+```tf
+resource "ydb_secret" "from_script" {
+    connection_string = "grpc://localhost:2136/?database=/local"
+    name              = "my_secret"
+
+    command {
+        path = "/usr/bin/bash"
+        args = ["-c", "cat /run/secrets/db_password"]
+    }
+}
+```
+
+## Argument Reference
+
+- `connection_string` (Required) - Connection string for YDB database.
+- `name` (Required) - Secret name.
+- `value` (Optional, Sensitive) - Secret value. Stored as a scrypt hash in Terraform state. Mutually exclusive with `command`.
+- `command` (Optional) - Command to execute to generate the secret value. The command's stdout is used as the value. Mutually exclusive with `value`.
+  - `path` (Required) - Path to the executable.
+  - `args` (Optional) - List of arguments to pass to the command.
+  - `env` (Optional) - Map of environment variables to set for the command.
+- `inherit_permissions` (Optional, Default: `false`) - If `true`, the secret inherits access rights from its parent directory. If `false`, only `DESCRIBE SCHEMA` permission is inherited.

internal/resources/secret/command.go

@@ -0,0 +1,53 @@
+package secret
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os/exec"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resolveSecretValue(ctx context.Context, d *schema.ResourceData) (string, error) {
+	if v, ok := d.GetOk("value"); ok {
+		return v.(string), nil
+	}
+
+	cmdList := d.Get("command").([]interface{})
+	if len(cmdList) == 0 {
+		return "", fmt.Errorf("either 'value' or 'command' must be specified")
+	}
+
+	cmdMap := cmdList[0].(map[string]interface{})
+	return runCommand(ctx, cmdMap)
+}
+
+func runCommand(ctx context.Context, cmdMap map[string]interface{}) (string, error) {
+	path := cmdMap["path"].(string)
+
+	var args []string
+	if rawArgs, ok := cmdMap["args"].([]interface{}); ok {
+		for _, a := range rawArgs {
+			args = append(args, a.(string))
+		}
+	}
+
+	cmd := exec.CommandContext(ctx, path, args...)
+
+	if rawEnv, ok := cmdMap["env"].(map[string]interface{}); ok {
+		for k, v := range rawEnv {
+			cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", k, v.(string)))
+		}
+	}
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("command %q failed: %w\nstdout: %s\nstderr: %s", path, err, stdout.String(), stderr.String())
+	}
+
+	return stdout.String(), nil
+}

internal/resources/secret/create.go

@@ -0,0 +1,53 @@
+package secret
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/ydb-platform/terraform-provider-ydb/internal/helpers"
+	tbl "github.com/ydb-platform/terraform-provider-ydb/internal/table"
+)
+
+func (h *handler) Create(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	connectionString := d.Get("connection_string").(string)
+	name := d.Get("name").(string)
+	inheritPermissions := d.Get("inherit_permissions").(bool)
+
+	value, err := resolveSecretValue(ctx, d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	db, err := tbl.CreateDBConnection(ctx, tbl.ClientParams{
+		DatabaseEndpoint: connectionString,
+		AuthCreds:        h.authCreds,
+	})
+	if err != nil {
+		return diag.Diagnostics{
+			{Severity: diag.Error, Summary: "failed to initialize DB connection", Detail: err.Error()},
+		}
+	}
+	defer func() {
+		_ = db.Close(ctx)
+	}()
+
+	escapedName := helpers.EscapeYQLIdentifier(name)
+	escapedValue := helpers.EscapeYQLString(value)
+	q := fmt.Sprintf("CREATE SECRET `%s` WITH (value = '%s')", escapedName, escapedValue)
+	if inheritPermissions {
+		q = fmt.Sprintf("CREATE SECRET `%s` WITH (value = '%s', inherit_permissions = True)", escapedName, escapedValue)
+	}
+	err = db.Query().Exec(ctx, q)
+	if err != nil {
+		return diag.Diagnostics{
+			{Severity: diag.Error, Summary: "failed to executing `" + q + "`", Detail: err.Error()},
+		}
+	}
+
+	d.SetId(connectionString + "?path=" + name)
+
+	return h.Read(ctx, d, meta)
+}