Add terraform-provider-litellmvaultsecret implementation

Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
This commit is contained in:
2026-07-02 23:23:13 +10:00
commit 8ca6c39c66
24 changed files with 2004 additions and 0 deletions
+144
View File
@@ -0,0 +1,144 @@
package provider
import (
"context"
"errors"
"fmt"
"strings"
vault "github.com/hashicorp/vault/api"
)
// vaultClient wraps the Vault/OpenBao API client with the operations this
// provider needs to manage the LiteLLM secrets engine.
type vaultClient struct {
api *vault.Client
}
func newVaultClient(address, token string) (*vaultClient, error) {
cfg := vault.DefaultConfig()
if cfg.Error != nil {
return nil, cfg.Error
}
if address != "" {
cfg.Address = address
}
c, err := vault.NewClient(cfg)
if err != nil {
return nil, err
}
if token != "" {
c.SetToken(token)
}
return &vaultClient{api: c}, nil
}
// mountConfig holds the tunable options applied when enabling the engine.
type mountConfig struct {
DefaultLeaseTTL string
MaxLeaseTTL string
}
// enableMount mounts the secrets engine of the given plugin type at path.
func (c *vaultClient) enableMount(ctx context.Context, path, pluginType, description string, cfg mountConfig) error {
input := &vault.MountInput{
Type: pluginType,
Description: description,
Config: vault.MountConfigInput{
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
MaxLeaseTTL: cfg.MaxLeaseTTL,
},
}
return c.api.Sys().MountWithContext(ctx, path, input)
}
// tuneMount updates tunable options of an existing mount (e.g. description).
func (c *vaultClient) tuneMount(ctx context.Context, path, description string, cfg mountConfig) error {
input := vault.MountConfigInput{
Description: &description,
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
MaxLeaseTTL: cfg.MaxLeaseTTL,
}
return c.api.Sys().TuneMountWithContext(ctx, path, input)
}
// mountInfo returns the mount at the given path, or nil if it does not exist.
func (c *vaultClient) mountInfo(ctx context.Context, path string) (*vault.MountOutput, error) {
mounts, err := c.api.Sys().ListMountsWithContext(ctx)
if err != nil {
return nil, err
}
key := strings.TrimRight(path, "/") + "/"
if m, ok := mounts[key]; ok {
return m, nil
}
return nil, nil
}
// disableMount unmounts the secrets engine at path.
func (c *vaultClient) disableMount(ctx context.Context, path string) error {
return c.api.Sys().UnmountWithContext(ctx, path)
}
// writeConfig writes the LiteLLM connection config for the given backend mount.
func (c *vaultClient) writeConfig(ctx context.Context, backend string, data map[string]interface{}) error {
_, err := c.api.Logical().WriteWithContext(ctx, backend+"/config", data)
return err
}
// readConfig reads the LiteLLM connection config, returning nil if absent.
func (c *vaultClient) readConfig(ctx context.Context, backend string) (map[string]interface{}, error) {
secret, err := c.api.Logical().ReadWithContext(ctx, backend+"/config")
if err != nil {
return nil, err
}
if secret == nil {
return nil, nil
}
return secret.Data, nil
}
// writeRole creates or updates a role on the given backend mount.
func (c *vaultClient) writeRole(ctx context.Context, backend, name string, data map[string]interface{}) error {
_, err := c.api.Logical().WriteWithContext(ctx, rolePath(backend, name), data)
return err
}
// readRole reads a role, returning nil if it does not exist.
func (c *vaultClient) readRole(ctx context.Context, backend, name string) (map[string]interface{}, error) {
secret, err := c.api.Logical().ReadWithContext(ctx, rolePath(backend, name))
if err != nil {
return nil, err
}
if secret == nil {
return nil, nil
}
return secret.Data, nil
}
// deleteRole removes a role from the backend mount.
func (c *vaultClient) deleteRole(ctx context.Context, backend, name string) error {
_, err := c.api.Logical().DeleteWithContext(ctx, rolePath(backend, name))
return err
}
func rolePath(backend, name string) string {
return fmt.Sprintf("%s/roles/%s", strings.TrimRight(backend, "/"), name)
}
// isMountAlreadyExists reports whether the error is Vault's "path is already in
// use" response, so callers can surface a friendlier message.
func isMountAlreadyExists(err error) bool {
if err == nil {
return false
}
var respErr *vault.ResponseError
if errors.As(err, &respErr) {
for _, e := range respErr.Errors {
if strings.Contains(e, "path is already in use") {
return true
}
}
}
return false
}
+238
View File
@@ -0,0 +1,238 @@
package provider
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"sync"
"testing"
)
// mockVault is a minimal in-memory fake of the Vault/OpenBao HTTP API covering
// the endpoints this provider uses.
type mockVault struct {
server *httptest.Server
mu sync.Mutex
mounts map[string]map[string]interface{} // "litellm/" -> mount output
configs map[string]map[string]interface{} // backend -> config data
roles map[string]map[string]interface{} // "backend/roles/name" -> role data
}
func newMockVault(t *testing.T) (*mockVault, *vaultClient) {
t.Helper()
m := &mockVault{
mounts: map[string]map[string]interface{}{},
configs: map[string]map[string]interface{}{},
roles: map[string]map[string]interface{}{},
}
m.server = httptest.NewServer(http.HandlerFunc(m.handle))
t.Cleanup(m.server.Close)
client, err := newVaultClient(m.server.URL, "test-token")
if err != nil {
t.Fatalf("newVaultClient: %v", err)
}
return m, client
}
func (m *mockVault) handle(w http.ResponseWriter, r *http.Request) {
m.mu.Lock()
defer m.mu.Unlock()
path := strings.TrimPrefix(r.URL.Path, "/v1/")
switch {
case path == "sys/mounts" && r.Method == http.MethodGet:
writeSecret(w, map[string]interface{}{"data": toIface(m.mounts)})
case strings.HasPrefix(path, "sys/mounts/"):
mp := strings.TrimPrefix(path, "sys/mounts/")
key := strings.TrimRight(mp, "/") + "/"
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
// Store the mount *output* shape (Vault returns int TTLs, not the
// string TTLs it accepts on input).
m.mounts[key] = map[string]interface{}{
"type": body["type"],
"description": body["description"],
"config": map[string]interface{}{},
}
w.WriteHeader(http.StatusNoContent)
case http.MethodDelete:
delete(m.mounts, key)
w.WriteHeader(http.StatusNoContent)
}
case strings.HasSuffix(path, "/config"):
backend := strings.TrimSuffix(path, "/config")
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
m.configs[backend] = body
w.WriteHeader(http.StatusNoContent)
case http.MethodGet:
cfg, ok := m.configs[backend]
if !ok {
w.WriteHeader(http.StatusNotFound)
return
}
// The real backend never returns master_key.
out := map[string]interface{}{}
for k, v := range cfg {
if k == "master_key" {
continue
}
out[k] = v
}
writeSecret(w, map[string]interface{}{"data": out})
}
case strings.Contains(path, "/roles/"):
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
m.roles[path] = body
w.WriteHeader(http.StatusNoContent)
case http.MethodGet:
role, ok := m.roles[path]
if !ok {
w.WriteHeader(http.StatusNotFound)
return
}
writeSecret(w, map[string]interface{}{"data": role})
case http.MethodDelete:
delete(m.roles, path)
w.WriteHeader(http.StatusNoContent)
}
default:
w.WriteHeader(http.StatusNotFound)
}
}
func toIface(m map[string]map[string]interface{}) map[string]interface{} {
out := map[string]interface{}{}
for k, v := range m {
out[k] = v
}
return out
}
func writeSecret(w http.ResponseWriter, body map[string]interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_ = json.NewEncoder(w).Encode(body)
}
func TestClient_MountLifecycle(t *testing.T) {
_, c := newMockVault(t)
ctx := context.Background()
if err := c.enableMount(ctx, "litellm", "vault-plugin-secrets-litellm", "desc", mountConfig{}); err != nil {
t.Fatalf("enableMount: %v", err)
}
info, err := c.mountInfo(ctx, "litellm")
if err != nil {
t.Fatalf("mountInfo: %v", err)
}
if info == nil {
t.Fatal("expected mount to exist")
}
if info.Type != "vault-plugin-secrets-litellm" {
t.Fatalf("unexpected mount type: %q", info.Type)
}
if err := c.disableMount(ctx, "litellm"); err != nil {
t.Fatalf("disableMount: %v", err)
}
info, err = c.mountInfo(ctx, "litellm")
if err != nil {
t.Fatalf("mountInfo after delete: %v", err)
}
if info != nil {
t.Fatal("expected mount to be gone")
}
}
func TestClient_ConfigRoundTrip(t *testing.T) {
m, c := newMockVault(t)
ctx := context.Background()
err := c.writeConfig(ctx, "litellm", map[string]interface{}{
"base_url": "http://litellm:4000",
"master_key": "sk-secret",
"request_timeout_seconds": 30,
})
if err != nil {
t.Fatalf("writeConfig: %v", err)
}
cfg, err := c.readConfig(ctx, "litellm")
if err != nil {
t.Fatalf("readConfig: %v", err)
}
if cfg["base_url"] != "http://litellm:4000" {
t.Fatalf("unexpected base_url: %v", cfg["base_url"])
}
if _, leaked := cfg["master_key"]; leaked {
t.Fatal("master_key must not be returned by read")
}
_ = m
}
func TestClient_ReadConfigMissing(t *testing.T) {
_, c := newMockVault(t)
cfg, err := c.readConfig(context.Background(), "litellm")
if err != nil {
t.Fatalf("readConfig: %v", err)
}
if cfg != nil {
t.Fatalf("expected nil config, got %v", cfg)
}
}
func TestClient_RoleLifecycle(t *testing.T) {
_, c := newMockVault(t)
ctx := context.Background()
err := c.writeRole(ctx, "litellm", "team-a", map[string]interface{}{
"models": []string{"gpt-4"},
"max_budget": 25.0,
"ttl": 3600,
})
if err != nil {
t.Fatalf("writeRole: %v", err)
}
role, err := c.readRole(ctx, "litellm", "team-a")
if err != nil {
t.Fatalf("readRole: %v", err)
}
if role == nil {
t.Fatal("expected role to exist")
}
if err := c.deleteRole(ctx, "litellm", "team-a"); err != nil {
t.Fatalf("deleteRole: %v", err)
}
role, err = c.readRole(ctx, "litellm", "team-a")
if err != nil {
t.Fatalf("readRole after delete: %v", err)
}
if role != nil {
t.Fatal("expected role to be gone")
}
}
func TestRolePath(t *testing.T) {
if got := rolePath("litellm/", "team-a"); got != "litellm/roles/team-a" {
t.Fatalf("unexpected role path: %q", got)
}
}
+171
View File
@@ -0,0 +1,171 @@
package provider
import (
"context"
"encoding/json"
"github.com/hashicorp/terraform-plugin-framework/attr"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/types"
)
// roleData builds the request payload for writing a role to the backend.
func roleData(ctx context.Context, m secretBackendRoleModel) (map[string]interface{}, diag.Diagnostics) {
var diags diag.Diagnostics
data := map[string]interface{}{}
if !m.Models.IsNull() && !m.Models.IsUnknown() {
var models []string
diags.Append(m.Models.ElementsAs(ctx, &models, false)...)
if diags.HasError() {
return nil, diags
}
data["models"] = models
} else {
data["models"] = []string{}
}
if !m.MaxBudget.IsNull() && !m.MaxBudget.IsUnknown() {
data["max_budget"] = m.MaxBudget.ValueFloat64()
}
if !m.KeyAliasPrefix.IsNull() && !m.KeyAliasPrefix.IsUnknown() {
data["key_alias_prefix"] = m.KeyAliasPrefix.ValueString()
}
if !m.TTL.IsNull() && !m.TTL.IsUnknown() {
data["ttl"] = m.TTL.ValueInt64()
}
if !m.MaxTTL.IsNull() && !m.MaxTTL.IsUnknown() {
data["max_ttl"] = m.MaxTTL.ValueInt64()
}
if !m.Metadata.IsNull() && !m.Metadata.IsUnknown() {
var meta map[string]string
diags.Append(m.Metadata.ElementsAs(ctx, &meta, false)...)
if diags.HasError() {
return nil, diags
}
data["metadata"] = meta
}
return data, diags
}
// applyRoleData refreshes a model from a role read out of the backend.
func applyRoleData(ctx context.Context, m *secretBackendRoleModel, role map[string]interface{}) diag.Diagnostics {
var diags diag.Diagnostics
models := toStringSlice(role["models"])
if len(models) == 0 {
m.Models = types.SetNull(types.StringType)
} else {
set, d := types.SetValueFrom(ctx, types.StringType, models)
diags.Append(d...)
m.Models = set
}
if budget, ok := toFloat64(role["max_budget"]); ok && budget != 0 {
m.MaxBudget = types.Float64Value(budget)
} else if m.MaxBudget.IsUnknown() {
m.MaxBudget = types.Float64Null()
}
if prefix, ok := role["key_alias_prefix"].(string); ok {
m.KeyAliasPrefix = types.StringValue(prefix)
}
if ttl, ok := toInt64(role["ttl"]); ok && ttl != 0 {
m.TTL = types.Int64Value(ttl)
} else if m.TTL.IsUnknown() {
m.TTL = types.Int64Null()
}
if maxTTL, ok := toInt64(role["max_ttl"]); ok && maxTTL != 0 {
m.MaxTTL = types.Int64Value(maxTTL)
} else if m.MaxTTL.IsUnknown() {
m.MaxTTL = types.Int64Null()
}
meta := toStringMap(role["metadata"])
if len(meta) == 0 {
m.Metadata = types.MapNull(types.StringType)
} else {
mp, d := types.MapValueFrom(ctx, types.StringType, meta)
diags.Append(d...)
m.Metadata = mp
}
return diags
}
func toStringSlice(v interface{}) []string {
raw, ok := v.([]interface{})
if !ok {
return nil
}
out := make([]string, 0, len(raw))
for _, e := range raw {
if s, ok := e.(string); ok {
out = append(out, s)
}
}
return out
}
func toStringMap(v interface{}) map[string]string {
raw, ok := v.(map[string]interface{})
if !ok {
return nil
}
out := make(map[string]string, len(raw))
for k, e := range raw {
if s, ok := e.(string); ok {
out[k] = s
}
}
return out
}
// toInt64 coerces the numeric shapes Vault returns (json.Number, float64, int)
// into an int64.
func toInt64(v interface{}) (int64, bool) {
switch n := v.(type) {
case json.Number:
i, err := n.Int64()
if err != nil {
f, ferr := n.Float64()
if ferr != nil {
return 0, false
}
return int64(f), true
}
return i, true
case float64:
return int64(n), true
case int64:
return n, true
case int:
return int64(n), true
default:
return 0, false
}
}
func toFloat64(v interface{}) (float64, bool) {
switch n := v.(type) {
case json.Number:
f, err := n.Float64()
if err != nil {
return 0, false
}
return f, true
case float64:
return n, true
case int64:
return float64(n), true
case int:
return float64(n), true
default:
return 0, false
}
}
// ensure attr is referenced (kept for future typed conversions).
var _ = attr.Value(nil)
+166
View File
@@ -0,0 +1,166 @@
package provider
import (
"context"
"encoding/json"
"testing"
"github.com/hashicorp/terraform-plugin-framework/types"
)
func TestRoleData_FullRoundTrip(t *testing.T) {
ctx := context.Background()
models, _ := types.SetValueFrom(ctx, types.StringType, []string{"gpt-4", "gpt-3.5-turbo"})
meta, _ := types.MapValueFrom(ctx, types.StringType, map[string]string{"team": "a"})
m := secretBackendRoleModel{
Backend: types.StringValue("litellm"),
Name: types.StringValue("team-a"),
Models: models,
MaxBudget: types.Float64Value(50),
KeyAliasPrefix: types.StringValue("vault"),
TTL: types.Int64Value(3600),
MaxTTL: types.Int64Value(86400),
Metadata: meta,
}
data, diags := roleData(ctx, m)
if diags.HasError() {
t.Fatalf("roleData diags: %v", diags)
}
if got := data["max_budget"].(float64); got != 50 {
t.Fatalf("max_budget: %v", got)
}
if got := data["ttl"].(int64); got != 3600 {
t.Fatalf("ttl: %v", got)
}
if got := data["models"].([]string); len(got) != 2 {
t.Fatalf("models: %v", got)
}
if got := data["metadata"].(map[string]string); got["team"] != "a" {
t.Fatalf("metadata: %v", got)
}
}
func TestRoleData_OmitsUnsetOptionals(t *testing.T) {
ctx := context.Background()
m := secretBackendRoleModel{
Backend: types.StringValue("litellm"),
Name: types.StringValue("minimal"),
Models: types.SetNull(types.StringType),
MaxBudget: types.Float64Null(),
KeyAliasPrefix: types.StringValue("vault"),
TTL: types.Int64Null(),
MaxTTL: types.Int64Null(),
Metadata: types.MapNull(types.StringType),
}
data, diags := roleData(ctx, m)
if diags.HasError() {
t.Fatalf("diags: %v", diags)
}
if _, ok := data["max_budget"]; ok {
t.Fatal("max_budget should be omitted when null")
}
if _, ok := data["ttl"]; ok {
t.Fatal("ttl should be omitted when null")
}
// models is always sent (empty list = unrestricted).
if got, ok := data["models"].([]string); !ok || len(got) != 0 {
t.Fatalf("expected empty models slice, got %v", data["models"])
}
}
func TestApplyRoleData(t *testing.T) {
ctx := context.Background()
m := &secretBackendRoleModel{
Models: types.SetNull(types.StringType),
MaxBudget: types.Float64Null(),
TTL: types.Int64Null(),
MaxTTL: types.Int64Null(),
Metadata: types.MapNull(types.StringType),
}
// Simulate what Vault returns (numbers arrive as json.Number).
role := map[string]interface{}{
"models": []interface{}{"gpt-4"},
"max_budget": json.Number("50"),
"key_alias_prefix": "vault",
"ttl": json.Number("3600"),
"max_ttl": json.Number("86400"),
"metadata": map[string]interface{}{"team": "a"},
}
diags := applyRoleData(ctx, m, role)
if diags.HasError() {
t.Fatalf("applyRoleData diags: %v", diags)
}
if m.TTL.ValueInt64() != 3600 {
t.Fatalf("ttl: %v", m.TTL)
}
if m.MaxTTL.ValueInt64() != 86400 {
t.Fatalf("max_ttl: %v", m.MaxTTL)
}
if m.MaxBudget.ValueFloat64() != 50 {
t.Fatalf("max_budget: %v", m.MaxBudget)
}
if m.KeyAliasPrefix.ValueString() != "vault" {
t.Fatalf("prefix: %v", m.KeyAliasPrefix)
}
var models []string
m.Models.ElementsAs(ctx, &models, false)
if len(models) != 1 || models[0] != "gpt-4" {
t.Fatalf("models: %v", models)
}
}
func TestApplyRoleData_EmptyModelsBecomesNull(t *testing.T) {
ctx := context.Background()
m := &secretBackendRoleModel{
Models: types.SetValueMust(types.StringType, nil),
Metadata: types.MapNull(types.StringType),
}
role := map[string]interface{}{"models": []interface{}{}}
if diags := applyRoleData(ctx, m, role); diags.HasError() {
t.Fatalf("diags: %v", diags)
}
if !m.Models.IsNull() {
t.Fatalf("expected null models, got %v", m.Models)
}
}
func TestToInt64(t *testing.T) {
cases := []struct {
in interface{}
want int64
ok bool
}{
{json.Number("3600"), 3600, true},
{float64(42), 42, true},
{int64(7), 7, true},
{int(9), 9, true},
{"nope", 0, false},
{nil, 0, false},
}
for _, tc := range cases {
got, ok := toInt64(tc.in)
if ok != tc.ok || got != tc.want {
t.Fatalf("toInt64(%v) = (%d,%v), want (%d,%v)", tc.in, got, ok, tc.want, tc.ok)
}
}
}
func TestSplitRoleID(t *testing.T) {
backend, name, ok := splitRoleID("litellm/roles/team-a")
if !ok || backend != "litellm" || name != "team-a" {
t.Fatalf("got backend=%q name=%q ok=%v", backend, name, ok)
}
if _, _, ok := splitRoleID("nonsense"); ok {
t.Fatal("expected failure on malformed id")
}
// Nested mount paths must still split on the final /roles/.
b, n, ok := splitRoleID("team/litellm/roles/x")
if !ok || b != "team/litellm" || n != "x" {
t.Fatalf("nested split: backend=%q name=%q ok=%v", b, n, ok)
}
}
+97
View File
@@ -0,0 +1,97 @@
package provider
import (
"context"
"os"
"github.com/hashicorp/terraform-plugin-framework/datasource"
"github.com/hashicorp/terraform-plugin-framework/provider"
"github.com/hashicorp/terraform-plugin-framework/provider/schema"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var _ provider.Provider = &litellmProvider{}
type litellmProvider struct {
version string
}
type litellmProviderModel struct {
Address types.String `tfsdk:"address"`
Token types.String `tfsdk:"token"`
}
func New(version string) func() provider.Provider {
return func() provider.Provider {
return &litellmProvider{version: version}
}
}
func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
resp.TypeName = "litellmvaultsecret"
resp.Version = p.version
}
func (p *litellmProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manage the LiteLLM dynamic secrets engine (config and roles) on HashiCorp Vault or OpenBao.",
Attributes: map[string]schema.Attribute{
"address": schema.StringAttribute{
Description: "Address of the Vault/OpenBao server. Falls back to the VAULT_ADDR environment variable.",
Optional: true,
},
"token": schema.StringAttribute{
Description: "Token used to authenticate to Vault/OpenBao. Falls back to the VAULT_TOKEN environment variable.",
Optional: true,
Sensitive: true,
},
},
}
}
func (p *litellmProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {
var config litellmProviderModel
resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
if resp.Diagnostics.HasError() {
return
}
address := os.Getenv("VAULT_ADDR")
if !config.Address.IsNull() && config.Address.ValueString() != "" {
address = config.Address.ValueString()
}
token := os.Getenv("VAULT_TOKEN")
if !config.Token.IsNull() && config.Token.ValueString() != "" {
token = config.Token.ValueString()
}
if address == "" {
resp.Diagnostics.AddError(
"missing Vault address",
"Set the provider \"address\" attribute or the VAULT_ADDR environment variable.",
)
return
}
client, err := newVaultClient(address, token)
if err != nil {
resp.Diagnostics.AddError("failed to create Vault client", err.Error())
return
}
resp.DataSourceData = client
resp.ResourceData = client
}
func (p *litellmProvider) Resources(_ context.Context) []func() resource.Resource {
return []func() resource.Resource{
NewSecretBackendResource,
NewSecretBackendRoleResource,
}
}
func (p *litellmProvider) DataSources(_ context.Context) []func() datasource.DataSource {
return nil
}
@@ -0,0 +1,225 @@
package provider
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var (
_ resource.Resource = &secretBackendResource{}
_ resource.ResourceWithImportState = &secretBackendResource{}
)
const defaultPluginType = "vault-plugin-secrets-litellm"
type secretBackendResource struct {
client *vaultClient
}
type secretBackendModel struct {
Path types.String `tfsdk:"path"`
Plugin types.String `tfsdk:"plugin"`
Description types.String `tfsdk:"description"`
BaseURL types.String `tfsdk:"base_url"`
MasterKey types.String `tfsdk:"master_key"`
RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"`
}
func NewSecretBackendResource() resource.Resource {
return &secretBackendResource{}
}
func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_secret_backend"
}
func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Mounts the LiteLLM secrets engine and writes its connection config.",
Attributes: map[string]schema.Attribute{
"path": schema.StringAttribute{
Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"plugin": schema.StringAttribute{
Description: "Registered plugin name/type to mount.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString(defaultPluginType),
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"description": schema.StringAttribute{
Description: "Human-readable description of the mount.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString(""),
},
"base_url": schema.StringAttribute{
Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).",
Required: true,
},
"master_key": schema.StringAttribute{
Description: "LiteLLM master key used to manage virtual keys.",
Required: true,
Sensitive: true,
},
"request_timeout_seconds": schema.Int64Attribute{
Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.",
Optional: true,
Computed: true,
Default: int64default.StaticInt64(30),
},
},
}
}
func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
client, ok := req.ProviderData.(*vaultClient)
if !ok {
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
return
}
r.client = client
}
func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan secretBackendModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(plan.Path.ValueString(), "/")
err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{})
if err != nil {
if isMountAlreadyExists(err) {
resp.Diagnostics.AddError(
"mount path already in use",
fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath),
)
return
}
resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error())
return
}
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
// Roll back the mount so we don't leave a half-configured engine.
_ = r.client.disableMount(ctx, mountPath)
resp.Diagnostics.AddError("failed to write litellm config", err.Error())
return
}
plan.Path = types.StringValue(mountPath)
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state secretBackendModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(state.Path.ValueString(), "/")
mount, err := r.client.mountInfo(ctx, mountPath)
if err != nil {
resp.Diagnostics.AddError("failed to read mount", err.Error())
return
}
if mount == nil {
resp.State.RemoveResource(ctx)
return
}
state.Description = types.StringValue(mount.Description)
if mount.Type != "" {
state.Plugin = types.StringValue(mount.Type)
}
cfg, err := r.client.readConfig(ctx, mountPath)
if err != nil {
resp.Diagnostics.AddError("failed to read litellm config", err.Error())
return
}
if cfg != nil {
if v, ok := cfg["base_url"].(string); ok {
state.BaseURL = types.StringValue(v)
}
if n, ok := toInt64(cfg["request_timeout_seconds"]); ok {
state.RequestTimeoutSeconds = types.Int64Value(n)
}
}
// master_key is never returned by the backend; preserve the state value.
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
}
func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var plan, state secretBackendModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(state.Path.ValueString(), "/")
if !plan.Description.Equal(state.Description) {
if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil {
resp.Diagnostics.AddError("failed to tune mount description", err.Error())
return
}
}
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
resp.Diagnostics.AddError("failed to update litellm config", err.Error())
return
}
plan.Path = types.StringValue(mountPath)
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state secretBackendModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil {
resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error())
return
}
}
func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp)
}
func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} {
return map[string]interface{}{
"base_url": m.BaseURL.ValueString(),
"master_key": m.MasterKey.ValueString(),
"request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(),
}
}
@@ -0,0 +1,235 @@
package provider
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var (
_ resource.Resource = &secretBackendRoleResource{}
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
)
type secretBackendRoleResource struct {
client *vaultClient
}
type secretBackendRoleModel struct {
Backend types.String `tfsdk:"backend"`
Name types.String `tfsdk:"name"`
Models types.Set `tfsdk:"models"`
MaxBudget types.Float64 `tfsdk:"max_budget"`
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
TTL types.Int64 `tfsdk:"ttl"`
MaxTTL types.Int64 `tfsdk:"max_ttl"`
Metadata types.Map `tfsdk:"metadata"`
}
func NewSecretBackendRoleResource() resource.Resource {
return &secretBackendRoleResource{}
}
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
}
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
Attributes: map[string]schema.Attribute{
"backend": schema.StringAttribute{
Description: "Mount path of the LiteLLM secrets engine.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"name": schema.StringAttribute{
Description: "Name of the role.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"models": schema.SetAttribute{
Description: "Models a generated key may access. Empty means unrestricted.",
ElementType: types.StringType,
Optional: true,
},
"max_budget": schema.Float64Attribute{
Description: "Spending limit applied to each generated key. 0 means unlimited.",
Optional: true,
},
"key_alias_prefix": schema.StringAttribute{
Description: "Prefix for the auto-generated key alias.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString("vault"),
},
"ttl": schema.Int64Attribute{
Description: "Default lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"max_ttl": schema.Int64Attribute{
Description: "Maximum lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"metadata": schema.MapAttribute{
Description: "Metadata attached to each generated key.",
ElementType: types.StringType,
Optional: true,
},
},
}
}
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
client, ok := req.ProviderData.(*vaultClient)
if !ok {
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
return
}
r.client = client
}
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
if err != nil {
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
return
}
if role == nil {
resp.State.RemoveResource(ctx)
return
}
diags := applyRoleData(ctx, &state, role)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
}
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
return
}
}
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
// Import ID format: "<backend>/roles/<name>".
backend, name, ok := splitRoleID(req.ID)
if !ok {
resp.Diagnostics.AddError(
"invalid import ID",
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
)
return
}
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
}
// readInto refreshes the model in place from the backend after a write, so
// computed fields (e.g. key_alias_prefix default) reflect stored values.
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
var diags diag.Diagnostics
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
if err != nil {
diags.AddError("failed to read back litellm role", err.Error())
return diags
}
if role == nil {
diags.AddError("role missing after write", "the role was not found immediately after being written")
return diags
}
return applyRoleData(ctx, m, role)
}
func splitRoleID(id string) (backend, name string, ok bool) {
marker := "/roles/"
idx := strings.LastIndex(id, marker)
if idx <= 0 {
return "", "", false
}
backend = id[:idx]
name = id[idx+len(marker):]
if backend == "" || name == "" {
return "", "", false
}
return backend, name, true
}