Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API. - Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata) - Unit tests against a mock Vault API - End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works - Makefile, woodpecker CI (build/test/pre-commit), examples, README
This commit is contained in:
@@ -0,0 +1,144 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
vault "github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
// vaultClient wraps the Vault/OpenBao API client with the operations this
|
||||
// provider needs to manage the LiteLLM secrets engine.
|
||||
type vaultClient struct {
|
||||
api *vault.Client
|
||||
}
|
||||
|
||||
func newVaultClient(address, token string) (*vaultClient, error) {
|
||||
cfg := vault.DefaultConfig()
|
||||
if cfg.Error != nil {
|
||||
return nil, cfg.Error
|
||||
}
|
||||
if address != "" {
|
||||
cfg.Address = address
|
||||
}
|
||||
c, err := vault.NewClient(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if token != "" {
|
||||
c.SetToken(token)
|
||||
}
|
||||
return &vaultClient{api: c}, nil
|
||||
}
|
||||
|
||||
// mountConfig holds the tunable options applied when enabling the engine.
|
||||
type mountConfig struct {
|
||||
DefaultLeaseTTL string
|
||||
MaxLeaseTTL string
|
||||
}
|
||||
|
||||
// enableMount mounts the secrets engine of the given plugin type at path.
|
||||
func (c *vaultClient) enableMount(ctx context.Context, path, pluginType, description string, cfg mountConfig) error {
|
||||
input := &vault.MountInput{
|
||||
Type: pluginType,
|
||||
Description: description,
|
||||
Config: vault.MountConfigInput{
|
||||
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
|
||||
MaxLeaseTTL: cfg.MaxLeaseTTL,
|
||||
},
|
||||
}
|
||||
return c.api.Sys().MountWithContext(ctx, path, input)
|
||||
}
|
||||
|
||||
// tuneMount updates tunable options of an existing mount (e.g. description).
|
||||
func (c *vaultClient) tuneMount(ctx context.Context, path, description string, cfg mountConfig) error {
|
||||
input := vault.MountConfigInput{
|
||||
Description: &description,
|
||||
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
|
||||
MaxLeaseTTL: cfg.MaxLeaseTTL,
|
||||
}
|
||||
return c.api.Sys().TuneMountWithContext(ctx, path, input)
|
||||
}
|
||||
|
||||
// mountInfo returns the mount at the given path, or nil if it does not exist.
|
||||
func (c *vaultClient) mountInfo(ctx context.Context, path string) (*vault.MountOutput, error) {
|
||||
mounts, err := c.api.Sys().ListMountsWithContext(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
key := strings.TrimRight(path, "/") + "/"
|
||||
if m, ok := mounts[key]; ok {
|
||||
return m, nil
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// disableMount unmounts the secrets engine at path.
|
||||
func (c *vaultClient) disableMount(ctx context.Context, path string) error {
|
||||
return c.api.Sys().UnmountWithContext(ctx, path)
|
||||
}
|
||||
|
||||
// writeConfig writes the LiteLLM connection config for the given backend mount.
|
||||
func (c *vaultClient) writeConfig(ctx context.Context, backend string, data map[string]interface{}) error {
|
||||
_, err := c.api.Logical().WriteWithContext(ctx, backend+"/config", data)
|
||||
return err
|
||||
}
|
||||
|
||||
// readConfig reads the LiteLLM connection config, returning nil if absent.
|
||||
func (c *vaultClient) readConfig(ctx context.Context, backend string) (map[string]interface{}, error) {
|
||||
secret, err := c.api.Logical().ReadWithContext(ctx, backend+"/config")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if secret == nil {
|
||||
return nil, nil
|
||||
}
|
||||
return secret.Data, nil
|
||||
}
|
||||
|
||||
// writeRole creates or updates a role on the given backend mount.
|
||||
func (c *vaultClient) writeRole(ctx context.Context, backend, name string, data map[string]interface{}) error {
|
||||
_, err := c.api.Logical().WriteWithContext(ctx, rolePath(backend, name), data)
|
||||
return err
|
||||
}
|
||||
|
||||
// readRole reads a role, returning nil if it does not exist.
|
||||
func (c *vaultClient) readRole(ctx context.Context, backend, name string) (map[string]interface{}, error) {
|
||||
secret, err := c.api.Logical().ReadWithContext(ctx, rolePath(backend, name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if secret == nil {
|
||||
return nil, nil
|
||||
}
|
||||
return secret.Data, nil
|
||||
}
|
||||
|
||||
// deleteRole removes a role from the backend mount.
|
||||
func (c *vaultClient) deleteRole(ctx context.Context, backend, name string) error {
|
||||
_, err := c.api.Logical().DeleteWithContext(ctx, rolePath(backend, name))
|
||||
return err
|
||||
}
|
||||
|
||||
func rolePath(backend, name string) string {
|
||||
return fmt.Sprintf("%s/roles/%s", strings.TrimRight(backend, "/"), name)
|
||||
}
|
||||
|
||||
// isMountAlreadyExists reports whether the error is Vault's "path is already in
|
||||
// use" response, so callers can surface a friendlier message.
|
||||
func isMountAlreadyExists(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
var respErr *vault.ResponseError
|
||||
if errors.As(err, &respErr) {
|
||||
for _, e := range respErr.Errors {
|
||||
if strings.Contains(e, "path is already in use") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
@@ -0,0 +1,238 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// mockVault is a minimal in-memory fake of the Vault/OpenBao HTTP API covering
|
||||
// the endpoints this provider uses.
|
||||
type mockVault struct {
|
||||
server *httptest.Server
|
||||
|
||||
mu sync.Mutex
|
||||
mounts map[string]map[string]interface{} // "litellm/" -> mount output
|
||||
configs map[string]map[string]interface{} // backend -> config data
|
||||
roles map[string]map[string]interface{} // "backend/roles/name" -> role data
|
||||
}
|
||||
|
||||
func newMockVault(t *testing.T) (*mockVault, *vaultClient) {
|
||||
t.Helper()
|
||||
m := &mockVault{
|
||||
mounts: map[string]map[string]interface{}{},
|
||||
configs: map[string]map[string]interface{}{},
|
||||
roles: map[string]map[string]interface{}{},
|
||||
}
|
||||
m.server = httptest.NewServer(http.HandlerFunc(m.handle))
|
||||
t.Cleanup(m.server.Close)
|
||||
|
||||
client, err := newVaultClient(m.server.URL, "test-token")
|
||||
if err != nil {
|
||||
t.Fatalf("newVaultClient: %v", err)
|
||||
}
|
||||
return m, client
|
||||
}
|
||||
|
||||
func (m *mockVault) handle(w http.ResponseWriter, r *http.Request) {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
path := strings.TrimPrefix(r.URL.Path, "/v1/")
|
||||
|
||||
switch {
|
||||
case path == "sys/mounts" && r.Method == http.MethodGet:
|
||||
writeSecret(w, map[string]interface{}{"data": toIface(m.mounts)})
|
||||
|
||||
case strings.HasPrefix(path, "sys/mounts/"):
|
||||
mp := strings.TrimPrefix(path, "sys/mounts/")
|
||||
key := strings.TrimRight(mp, "/") + "/"
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
// Store the mount *output* shape (Vault returns int TTLs, not the
|
||||
// string TTLs it accepts on input).
|
||||
m.mounts[key] = map[string]interface{}{
|
||||
"type": body["type"],
|
||||
"description": body["description"],
|
||||
"config": map[string]interface{}{},
|
||||
}
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodDelete:
|
||||
delete(m.mounts, key)
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
case strings.HasSuffix(path, "/config"):
|
||||
backend := strings.TrimSuffix(path, "/config")
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
m.configs[backend] = body
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodGet:
|
||||
cfg, ok := m.configs[backend]
|
||||
if !ok {
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
// The real backend never returns master_key.
|
||||
out := map[string]interface{}{}
|
||||
for k, v := range cfg {
|
||||
if k == "master_key" {
|
||||
continue
|
||||
}
|
||||
out[k] = v
|
||||
}
|
||||
writeSecret(w, map[string]interface{}{"data": out})
|
||||
}
|
||||
|
||||
case strings.Contains(path, "/roles/"):
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
m.roles[path] = body
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodGet:
|
||||
role, ok := m.roles[path]
|
||||
if !ok {
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
writeSecret(w, map[string]interface{}{"data": role})
|
||||
case http.MethodDelete:
|
||||
delete(m.roles, path)
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
default:
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}
|
||||
}
|
||||
|
||||
func toIface(m map[string]map[string]interface{}) map[string]interface{} {
|
||||
out := map[string]interface{}{}
|
||||
for k, v := range m {
|
||||
out[k] = v
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func writeSecret(w http.ResponseWriter, body map[string]interface{}) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_ = json.NewEncoder(w).Encode(body)
|
||||
}
|
||||
|
||||
func TestClient_MountLifecycle(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
if err := c.enableMount(ctx, "litellm", "vault-plugin-secrets-litellm", "desc", mountConfig{}); err != nil {
|
||||
t.Fatalf("enableMount: %v", err)
|
||||
}
|
||||
info, err := c.mountInfo(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("mountInfo: %v", err)
|
||||
}
|
||||
if info == nil {
|
||||
t.Fatal("expected mount to exist")
|
||||
}
|
||||
if info.Type != "vault-plugin-secrets-litellm" {
|
||||
t.Fatalf("unexpected mount type: %q", info.Type)
|
||||
}
|
||||
|
||||
if err := c.disableMount(ctx, "litellm"); err != nil {
|
||||
t.Fatalf("disableMount: %v", err)
|
||||
}
|
||||
info, err = c.mountInfo(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("mountInfo after delete: %v", err)
|
||||
}
|
||||
if info != nil {
|
||||
t.Fatal("expected mount to be gone")
|
||||
}
|
||||
}
|
||||
|
||||
func TestClient_ConfigRoundTrip(t *testing.T) {
|
||||
m, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
err := c.writeConfig(ctx, "litellm", map[string]interface{}{
|
||||
"base_url": "http://litellm:4000",
|
||||
"master_key": "sk-secret",
|
||||
"request_timeout_seconds": 30,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("writeConfig: %v", err)
|
||||
}
|
||||
|
||||
cfg, err := c.readConfig(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("readConfig: %v", err)
|
||||
}
|
||||
if cfg["base_url"] != "http://litellm:4000" {
|
||||
t.Fatalf("unexpected base_url: %v", cfg["base_url"])
|
||||
}
|
||||
if _, leaked := cfg["master_key"]; leaked {
|
||||
t.Fatal("master_key must not be returned by read")
|
||||
}
|
||||
_ = m
|
||||
}
|
||||
|
||||
func TestClient_ReadConfigMissing(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
cfg, err := c.readConfig(context.Background(), "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("readConfig: %v", err)
|
||||
}
|
||||
if cfg != nil {
|
||||
t.Fatalf("expected nil config, got %v", cfg)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClient_RoleLifecycle(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
err := c.writeRole(ctx, "litellm", "team-a", map[string]interface{}{
|
||||
"models": []string{"gpt-4"},
|
||||
"max_budget": 25.0,
|
||||
"ttl": 3600,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("writeRole: %v", err)
|
||||
}
|
||||
|
||||
role, err := c.readRole(ctx, "litellm", "team-a")
|
||||
if err != nil {
|
||||
t.Fatalf("readRole: %v", err)
|
||||
}
|
||||
if role == nil {
|
||||
t.Fatal("expected role to exist")
|
||||
}
|
||||
|
||||
if err := c.deleteRole(ctx, "litellm", "team-a"); err != nil {
|
||||
t.Fatalf("deleteRole: %v", err)
|
||||
}
|
||||
role, err = c.readRole(ctx, "litellm", "team-a")
|
||||
if err != nil {
|
||||
t.Fatalf("readRole after delete: %v", err)
|
||||
}
|
||||
if role != nil {
|
||||
t.Fatal("expected role to be gone")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRolePath(t *testing.T) {
|
||||
if got := rolePath("litellm/", "team-a"); got != "litellm/roles/team-a" {
|
||||
t.Fatalf("unexpected role path: %q", got)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,171 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/attr"
|
||||
"github.com/hashicorp/terraform-plugin-framework/diag"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
// roleData builds the request payload for writing a role to the backend.
|
||||
func roleData(ctx context.Context, m secretBackendRoleModel) (map[string]interface{}, diag.Diagnostics) {
|
||||
var diags diag.Diagnostics
|
||||
data := map[string]interface{}{}
|
||||
|
||||
if !m.Models.IsNull() && !m.Models.IsUnknown() {
|
||||
var models []string
|
||||
diags.Append(m.Models.ElementsAs(ctx, &models, false)...)
|
||||
if diags.HasError() {
|
||||
return nil, diags
|
||||
}
|
||||
data["models"] = models
|
||||
} else {
|
||||
data["models"] = []string{}
|
||||
}
|
||||
|
||||
if !m.MaxBudget.IsNull() && !m.MaxBudget.IsUnknown() {
|
||||
data["max_budget"] = m.MaxBudget.ValueFloat64()
|
||||
}
|
||||
if !m.KeyAliasPrefix.IsNull() && !m.KeyAliasPrefix.IsUnknown() {
|
||||
data["key_alias_prefix"] = m.KeyAliasPrefix.ValueString()
|
||||
}
|
||||
if !m.TTL.IsNull() && !m.TTL.IsUnknown() {
|
||||
data["ttl"] = m.TTL.ValueInt64()
|
||||
}
|
||||
if !m.MaxTTL.IsNull() && !m.MaxTTL.IsUnknown() {
|
||||
data["max_ttl"] = m.MaxTTL.ValueInt64()
|
||||
}
|
||||
if !m.Metadata.IsNull() && !m.Metadata.IsUnknown() {
|
||||
var meta map[string]string
|
||||
diags.Append(m.Metadata.ElementsAs(ctx, &meta, false)...)
|
||||
if diags.HasError() {
|
||||
return nil, diags
|
||||
}
|
||||
data["metadata"] = meta
|
||||
}
|
||||
|
||||
return data, diags
|
||||
}
|
||||
|
||||
// applyRoleData refreshes a model from a role read out of the backend.
|
||||
func applyRoleData(ctx context.Context, m *secretBackendRoleModel, role map[string]interface{}) diag.Diagnostics {
|
||||
var diags diag.Diagnostics
|
||||
|
||||
models := toStringSlice(role["models"])
|
||||
if len(models) == 0 {
|
||||
m.Models = types.SetNull(types.StringType)
|
||||
} else {
|
||||
set, d := types.SetValueFrom(ctx, types.StringType, models)
|
||||
diags.Append(d...)
|
||||
m.Models = set
|
||||
}
|
||||
|
||||
if budget, ok := toFloat64(role["max_budget"]); ok && budget != 0 {
|
||||
m.MaxBudget = types.Float64Value(budget)
|
||||
} else if m.MaxBudget.IsUnknown() {
|
||||
m.MaxBudget = types.Float64Null()
|
||||
}
|
||||
|
||||
if prefix, ok := role["key_alias_prefix"].(string); ok {
|
||||
m.KeyAliasPrefix = types.StringValue(prefix)
|
||||
}
|
||||
|
||||
if ttl, ok := toInt64(role["ttl"]); ok && ttl != 0 {
|
||||
m.TTL = types.Int64Value(ttl)
|
||||
} else if m.TTL.IsUnknown() {
|
||||
m.TTL = types.Int64Null()
|
||||
}
|
||||
if maxTTL, ok := toInt64(role["max_ttl"]); ok && maxTTL != 0 {
|
||||
m.MaxTTL = types.Int64Value(maxTTL)
|
||||
} else if m.MaxTTL.IsUnknown() {
|
||||
m.MaxTTL = types.Int64Null()
|
||||
}
|
||||
|
||||
meta := toStringMap(role["metadata"])
|
||||
if len(meta) == 0 {
|
||||
m.Metadata = types.MapNull(types.StringType)
|
||||
} else {
|
||||
mp, d := types.MapValueFrom(ctx, types.StringType, meta)
|
||||
diags.Append(d...)
|
||||
m.Metadata = mp
|
||||
}
|
||||
|
||||
return diags
|
||||
}
|
||||
|
||||
func toStringSlice(v interface{}) []string {
|
||||
raw, ok := v.([]interface{})
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
out := make([]string, 0, len(raw))
|
||||
for _, e := range raw {
|
||||
if s, ok := e.(string); ok {
|
||||
out = append(out, s)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func toStringMap(v interface{}) map[string]string {
|
||||
raw, ok := v.(map[string]interface{})
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
out := make(map[string]string, len(raw))
|
||||
for k, e := range raw {
|
||||
if s, ok := e.(string); ok {
|
||||
out[k] = s
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// toInt64 coerces the numeric shapes Vault returns (json.Number, float64, int)
|
||||
// into an int64.
|
||||
func toInt64(v interface{}) (int64, bool) {
|
||||
switch n := v.(type) {
|
||||
case json.Number:
|
||||
i, err := n.Int64()
|
||||
if err != nil {
|
||||
f, ferr := n.Float64()
|
||||
if ferr != nil {
|
||||
return 0, false
|
||||
}
|
||||
return int64(f), true
|
||||
}
|
||||
return i, true
|
||||
case float64:
|
||||
return int64(n), true
|
||||
case int64:
|
||||
return n, true
|
||||
case int:
|
||||
return int64(n), true
|
||||
default:
|
||||
return 0, false
|
||||
}
|
||||
}
|
||||
|
||||
func toFloat64(v interface{}) (float64, bool) {
|
||||
switch n := v.(type) {
|
||||
case json.Number:
|
||||
f, err := n.Float64()
|
||||
if err != nil {
|
||||
return 0, false
|
||||
}
|
||||
return f, true
|
||||
case float64:
|
||||
return n, true
|
||||
case int64:
|
||||
return float64(n), true
|
||||
case int:
|
||||
return float64(n), true
|
||||
default:
|
||||
return 0, false
|
||||
}
|
||||
}
|
||||
|
||||
// ensure attr is referenced (kept for future typed conversions).
|
||||
var _ = attr.Value(nil)
|
||||
@@ -0,0 +1,166 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
func TestRoleData_FullRoundTrip(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
models, _ := types.SetValueFrom(ctx, types.StringType, []string{"gpt-4", "gpt-3.5-turbo"})
|
||||
meta, _ := types.MapValueFrom(ctx, types.StringType, map[string]string{"team": "a"})
|
||||
|
||||
m := secretBackendRoleModel{
|
||||
Backend: types.StringValue("litellm"),
|
||||
Name: types.StringValue("team-a"),
|
||||
Models: models,
|
||||
MaxBudget: types.Float64Value(50),
|
||||
KeyAliasPrefix: types.StringValue("vault"),
|
||||
TTL: types.Int64Value(3600),
|
||||
MaxTTL: types.Int64Value(86400),
|
||||
Metadata: meta,
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, m)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("roleData diags: %v", diags)
|
||||
}
|
||||
if got := data["max_budget"].(float64); got != 50 {
|
||||
t.Fatalf("max_budget: %v", got)
|
||||
}
|
||||
if got := data["ttl"].(int64); got != 3600 {
|
||||
t.Fatalf("ttl: %v", got)
|
||||
}
|
||||
if got := data["models"].([]string); len(got) != 2 {
|
||||
t.Fatalf("models: %v", got)
|
||||
}
|
||||
if got := data["metadata"].(map[string]string); got["team"] != "a" {
|
||||
t.Fatalf("metadata: %v", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRoleData_OmitsUnsetOptionals(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := secretBackendRoleModel{
|
||||
Backend: types.StringValue("litellm"),
|
||||
Name: types.StringValue("minimal"),
|
||||
Models: types.SetNull(types.StringType),
|
||||
MaxBudget: types.Float64Null(),
|
||||
KeyAliasPrefix: types.StringValue("vault"),
|
||||
TTL: types.Int64Null(),
|
||||
MaxTTL: types.Int64Null(),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
data, diags := roleData(ctx, m)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("diags: %v", diags)
|
||||
}
|
||||
if _, ok := data["max_budget"]; ok {
|
||||
t.Fatal("max_budget should be omitted when null")
|
||||
}
|
||||
if _, ok := data["ttl"]; ok {
|
||||
t.Fatal("ttl should be omitted when null")
|
||||
}
|
||||
// models is always sent (empty list = unrestricted).
|
||||
if got, ok := data["models"].([]string); !ok || len(got) != 0 {
|
||||
t.Fatalf("expected empty models slice, got %v", data["models"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyRoleData(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := &secretBackendRoleModel{
|
||||
Models: types.SetNull(types.StringType),
|
||||
MaxBudget: types.Float64Null(),
|
||||
TTL: types.Int64Null(),
|
||||
MaxTTL: types.Int64Null(),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
|
||||
// Simulate what Vault returns (numbers arrive as json.Number).
|
||||
role := map[string]interface{}{
|
||||
"models": []interface{}{"gpt-4"},
|
||||
"max_budget": json.Number("50"),
|
||||
"key_alias_prefix": "vault",
|
||||
"ttl": json.Number("3600"),
|
||||
"max_ttl": json.Number("86400"),
|
||||
"metadata": map[string]interface{}{"team": "a"},
|
||||
}
|
||||
|
||||
diags := applyRoleData(ctx, m, role)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("applyRoleData diags: %v", diags)
|
||||
}
|
||||
if m.TTL.ValueInt64() != 3600 {
|
||||
t.Fatalf("ttl: %v", m.TTL)
|
||||
}
|
||||
if m.MaxTTL.ValueInt64() != 86400 {
|
||||
t.Fatalf("max_ttl: %v", m.MaxTTL)
|
||||
}
|
||||
if m.MaxBudget.ValueFloat64() != 50 {
|
||||
t.Fatalf("max_budget: %v", m.MaxBudget)
|
||||
}
|
||||
if m.KeyAliasPrefix.ValueString() != "vault" {
|
||||
t.Fatalf("prefix: %v", m.KeyAliasPrefix)
|
||||
}
|
||||
var models []string
|
||||
m.Models.ElementsAs(ctx, &models, false)
|
||||
if len(models) != 1 || models[0] != "gpt-4" {
|
||||
t.Fatalf("models: %v", models)
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyRoleData_EmptyModelsBecomesNull(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := &secretBackendRoleModel{
|
||||
Models: types.SetValueMust(types.StringType, nil),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
role := map[string]interface{}{"models": []interface{}{}}
|
||||
if diags := applyRoleData(ctx, m, role); diags.HasError() {
|
||||
t.Fatalf("diags: %v", diags)
|
||||
}
|
||||
if !m.Models.IsNull() {
|
||||
t.Fatalf("expected null models, got %v", m.Models)
|
||||
}
|
||||
}
|
||||
|
||||
func TestToInt64(t *testing.T) {
|
||||
cases := []struct {
|
||||
in interface{}
|
||||
want int64
|
||||
ok bool
|
||||
}{
|
||||
{json.Number("3600"), 3600, true},
|
||||
{float64(42), 42, true},
|
||||
{int64(7), 7, true},
|
||||
{int(9), 9, true},
|
||||
{"nope", 0, false},
|
||||
{nil, 0, false},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
got, ok := toInt64(tc.in)
|
||||
if ok != tc.ok || got != tc.want {
|
||||
t.Fatalf("toInt64(%v) = (%d,%v), want (%d,%v)", tc.in, got, ok, tc.want, tc.ok)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSplitRoleID(t *testing.T) {
|
||||
backend, name, ok := splitRoleID("litellm/roles/team-a")
|
||||
if !ok || backend != "litellm" || name != "team-a" {
|
||||
t.Fatalf("got backend=%q name=%q ok=%v", backend, name, ok)
|
||||
}
|
||||
if _, _, ok := splitRoleID("nonsense"); ok {
|
||||
t.Fatal("expected failure on malformed id")
|
||||
}
|
||||
// Nested mount paths must still split on the final /roles/.
|
||||
b, n, ok := splitRoleID("team/litellm/roles/x")
|
||||
if !ok || b != "team/litellm" || n != "x" {
|
||||
t.Fatalf("nested split: backend=%q name=%q ok=%v", b, n, ok)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,97 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"os"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/datasource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/provider"
|
||||
"github.com/hashicorp/terraform-plugin-framework/provider/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var _ provider.Provider = &litellmProvider{}
|
||||
|
||||
type litellmProvider struct {
|
||||
version string
|
||||
}
|
||||
|
||||
type litellmProviderModel struct {
|
||||
Address types.String `tfsdk:"address"`
|
||||
Token types.String `tfsdk:"token"`
|
||||
}
|
||||
|
||||
func New(version string) func() provider.Provider {
|
||||
return func() provider.Provider {
|
||||
return &litellmProvider{version: version}
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
|
||||
resp.TypeName = "litellmvaultsecret"
|
||||
resp.Version = p.version
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Manage the LiteLLM dynamic secrets engine (config and roles) on HashiCorp Vault or OpenBao.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"address": schema.StringAttribute{
|
||||
Description: "Address of the Vault/OpenBao server. Falls back to the VAULT_ADDR environment variable.",
|
||||
Optional: true,
|
||||
},
|
||||
"token": schema.StringAttribute{
|
||||
Description: "Token used to authenticate to Vault/OpenBao. Falls back to the VAULT_TOKEN environment variable.",
|
||||
Optional: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {
|
||||
var config litellmProviderModel
|
||||
resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
address := os.Getenv("VAULT_ADDR")
|
||||
if !config.Address.IsNull() && config.Address.ValueString() != "" {
|
||||
address = config.Address.ValueString()
|
||||
}
|
||||
|
||||
token := os.Getenv("VAULT_TOKEN")
|
||||
if !config.Token.IsNull() && config.Token.ValueString() != "" {
|
||||
token = config.Token.ValueString()
|
||||
}
|
||||
|
||||
if address == "" {
|
||||
resp.Diagnostics.AddError(
|
||||
"missing Vault address",
|
||||
"Set the provider \"address\" attribute or the VAULT_ADDR environment variable.",
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
client, err := newVaultClient(address, token)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to create Vault client", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
resp.DataSourceData = client
|
||||
resp.ResourceData = client
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Resources(_ context.Context) []func() resource.Resource {
|
||||
return []func() resource.Resource{
|
||||
NewSecretBackendResource,
|
||||
NewSecretBackendRoleResource,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) DataSources(_ context.Context) []func() datasource.DataSource {
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,225 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/path"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var (
|
||||
_ resource.Resource = &secretBackendResource{}
|
||||
_ resource.ResourceWithImportState = &secretBackendResource{}
|
||||
)
|
||||
|
||||
const defaultPluginType = "vault-plugin-secrets-litellm"
|
||||
|
||||
type secretBackendResource struct {
|
||||
client *vaultClient
|
||||
}
|
||||
|
||||
type secretBackendModel struct {
|
||||
Path types.String `tfsdk:"path"`
|
||||
Plugin types.String `tfsdk:"plugin"`
|
||||
Description types.String `tfsdk:"description"`
|
||||
BaseURL types.String `tfsdk:"base_url"`
|
||||
MasterKey types.String `tfsdk:"master_key"`
|
||||
RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"`
|
||||
}
|
||||
|
||||
func NewSecretBackendResource() resource.Resource {
|
||||
return &secretBackendResource{}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
||||
resp.TypeName = req.ProviderTypeName + "_secret_backend"
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Mounts the LiteLLM secrets engine and writes its connection config.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"path": schema.StringAttribute{
|
||||
Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"plugin": schema.StringAttribute{
|
||||
Description: "Registered plugin name/type to mount.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString(defaultPluginType),
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"description": schema.StringAttribute{
|
||||
Description: "Human-readable description of the mount.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString(""),
|
||||
},
|
||||
"base_url": schema.StringAttribute{
|
||||
Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).",
|
||||
Required: true,
|
||||
},
|
||||
"master_key": schema.StringAttribute{
|
||||
Description: "LiteLLM master key used to manage virtual keys.",
|
||||
Required: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
"request_timeout_seconds": schema.Int64Attribute{
|
||||
Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: int64default.StaticInt64(30),
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
if req.ProviderData == nil {
|
||||
return
|
||||
}
|
||||
client, ok := req.ProviderData.(*vaultClient)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
||||
return
|
||||
}
|
||||
r.client = client
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
||||
var plan secretBackendModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(plan.Path.ValueString(), "/")
|
||||
|
||||
err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{})
|
||||
if err != nil {
|
||||
if isMountAlreadyExists(err) {
|
||||
resp.Diagnostics.AddError(
|
||||
"mount path already in use",
|
||||
fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath),
|
||||
)
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
||||
// Roll back the mount so we don't leave a half-configured engine.
|
||||
_ = r.client.disableMount(ctx, mountPath)
|
||||
resp.Diagnostics.AddError("failed to write litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
plan.Path = types.StringValue(mountPath)
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
||||
var state secretBackendModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
||||
|
||||
mount, err := r.client.mountInfo(ctx, mountPath)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read mount", err.Error())
|
||||
return
|
||||
}
|
||||
if mount == nil {
|
||||
resp.State.RemoveResource(ctx)
|
||||
return
|
||||
}
|
||||
state.Description = types.StringValue(mount.Description)
|
||||
if mount.Type != "" {
|
||||
state.Plugin = types.StringValue(mount.Type)
|
||||
}
|
||||
|
||||
cfg, err := r.client.readConfig(ctx, mountPath)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
if cfg != nil {
|
||||
if v, ok := cfg["base_url"].(string); ok {
|
||||
state.BaseURL = types.StringValue(v)
|
||||
}
|
||||
if n, ok := toInt64(cfg["request_timeout_seconds"]); ok {
|
||||
state.RequestTimeoutSeconds = types.Int64Value(n)
|
||||
}
|
||||
}
|
||||
// master_key is never returned by the backend; preserve the state value.
|
||||
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
||||
var plan, state secretBackendModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
||||
|
||||
if !plan.Description.Equal(state.Description) {
|
||||
if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil {
|
||||
resp.Diagnostics.AddError("failed to tune mount description", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
||||
resp.Diagnostics.AddError("failed to update litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
plan.Path = types.StringValue(mountPath)
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
||||
var state secretBackendModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil {
|
||||
resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
||||
resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} {
|
||||
return map[string]interface{}{
|
||||
"base_url": m.BaseURL.ValueString(),
|
||||
"master_key": m.MasterKey.ValueString(),
|
||||
"request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(),
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,235 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/diag"
|
||||
"github.com/hashicorp/terraform-plugin-framework/path"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var (
|
||||
_ resource.Resource = &secretBackendRoleResource{}
|
||||
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
|
||||
)
|
||||
|
||||
type secretBackendRoleResource struct {
|
||||
client *vaultClient
|
||||
}
|
||||
|
||||
type secretBackendRoleModel struct {
|
||||
Backend types.String `tfsdk:"backend"`
|
||||
Name types.String `tfsdk:"name"`
|
||||
Models types.Set `tfsdk:"models"`
|
||||
MaxBudget types.Float64 `tfsdk:"max_budget"`
|
||||
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
|
||||
TTL types.Int64 `tfsdk:"ttl"`
|
||||
MaxTTL types.Int64 `tfsdk:"max_ttl"`
|
||||
Metadata types.Map `tfsdk:"metadata"`
|
||||
}
|
||||
|
||||
func NewSecretBackendRoleResource() resource.Resource {
|
||||
return &secretBackendRoleResource{}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
||||
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"backend": schema.StringAttribute{
|
||||
Description: "Mount path of the LiteLLM secrets engine.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"name": schema.StringAttribute{
|
||||
Description: "Name of the role.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"models": schema.SetAttribute{
|
||||
Description: "Models a generated key may access. Empty means unrestricted.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
"max_budget": schema.Float64Attribute{
|
||||
Description: "Spending limit applied to each generated key. 0 means unlimited.",
|
||||
Optional: true,
|
||||
},
|
||||
"key_alias_prefix": schema.StringAttribute{
|
||||
Description: "Prefix for the auto-generated key alias.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString("vault"),
|
||||
},
|
||||
"ttl": schema.Int64Attribute{
|
||||
Description: "Default lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"max_ttl": schema.Int64Attribute{
|
||||
Description: "Maximum lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"metadata": schema.MapAttribute{
|
||||
Description: "Metadata attached to each generated key.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
if req.ProviderData == nil {
|
||||
return
|
||||
}
|
||||
client, ok := req.ProviderData.(*vaultClient)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
||||
return
|
||||
}
|
||||
r.client = client
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
if role == nil {
|
||||
resp.State.RemoveResource(ctx)
|
||||
return
|
||||
}
|
||||
|
||||
diags := applyRoleData(ctx, &state, role)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
|
||||
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
||||
// Import ID format: "<backend>/roles/<name>".
|
||||
backend, name, ok := splitRoleID(req.ID)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError(
|
||||
"invalid import ID",
|
||||
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
|
||||
)
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
|
||||
}
|
||||
|
||||
// readInto refreshes the model in place from the backend after a write, so
|
||||
// computed fields (e.g. key_alias_prefix default) reflect stored values.
|
||||
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
|
||||
var diags diag.Diagnostics
|
||||
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
|
||||
if err != nil {
|
||||
diags.AddError("failed to read back litellm role", err.Error())
|
||||
return diags
|
||||
}
|
||||
if role == nil {
|
||||
diags.AddError("role missing after write", "the role was not found immediately after being written")
|
||||
return diags
|
||||
}
|
||||
return applyRoleData(ctx, m, role)
|
||||
}
|
||||
|
||||
func splitRoleID(id string) (backend, name string, ok bool) {
|
||||
marker := "/roles/"
|
||||
idx := strings.LastIndex(id, marker)
|
||||
if idx <= 0 {
|
||||
return "", "", false
|
||||
}
|
||||
backend = id[:idx]
|
||||
name = id[idx+len(marker):]
|
||||
if backend == "" || name == "" {
|
||||
return "", "", false
|
||||
}
|
||||
return backend, name, true
|
||||
}
|
||||
Reference in New Issue
Block a user