Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API. - Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata) - Unit tests against a mock Vault API - End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works - Makefile, woodpecker CI (build/test/pre-commit), examples, README
This commit is contained in:
@@ -0,0 +1,235 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/diag"
|
||||
"github.com/hashicorp/terraform-plugin-framework/path"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var (
|
||||
_ resource.Resource = &secretBackendRoleResource{}
|
||||
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
|
||||
)
|
||||
|
||||
type secretBackendRoleResource struct {
|
||||
client *vaultClient
|
||||
}
|
||||
|
||||
type secretBackendRoleModel struct {
|
||||
Backend types.String `tfsdk:"backend"`
|
||||
Name types.String `tfsdk:"name"`
|
||||
Models types.Set `tfsdk:"models"`
|
||||
MaxBudget types.Float64 `tfsdk:"max_budget"`
|
||||
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
|
||||
TTL types.Int64 `tfsdk:"ttl"`
|
||||
MaxTTL types.Int64 `tfsdk:"max_ttl"`
|
||||
Metadata types.Map `tfsdk:"metadata"`
|
||||
}
|
||||
|
||||
func NewSecretBackendRoleResource() resource.Resource {
|
||||
return &secretBackendRoleResource{}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
||||
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"backend": schema.StringAttribute{
|
||||
Description: "Mount path of the LiteLLM secrets engine.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"name": schema.StringAttribute{
|
||||
Description: "Name of the role.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"models": schema.SetAttribute{
|
||||
Description: "Models a generated key may access. Empty means unrestricted.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
"max_budget": schema.Float64Attribute{
|
||||
Description: "Spending limit applied to each generated key. 0 means unlimited.",
|
||||
Optional: true,
|
||||
},
|
||||
"key_alias_prefix": schema.StringAttribute{
|
||||
Description: "Prefix for the auto-generated key alias.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString("vault"),
|
||||
},
|
||||
"ttl": schema.Int64Attribute{
|
||||
Description: "Default lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"max_ttl": schema.Int64Attribute{
|
||||
Description: "Maximum lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"metadata": schema.MapAttribute{
|
||||
Description: "Metadata attached to each generated key.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
if req.ProviderData == nil {
|
||||
return
|
||||
}
|
||||
client, ok := req.ProviderData.(*vaultClient)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
||||
return
|
||||
}
|
||||
r.client = client
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
if role == nil {
|
||||
resp.State.RemoveResource(ctx)
|
||||
return
|
||||
}
|
||||
|
||||
diags := applyRoleData(ctx, &state, role)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
|
||||
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
||||
// Import ID format: "<backend>/roles/<name>".
|
||||
backend, name, ok := splitRoleID(req.ID)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError(
|
||||
"invalid import ID",
|
||||
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
|
||||
)
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
|
||||
}
|
||||
|
||||
// readInto refreshes the model in place from the backend after a write, so
|
||||
// computed fields (e.g. key_alias_prefix default) reflect stored values.
|
||||
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
|
||||
var diags diag.Diagnostics
|
||||
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
|
||||
if err != nil {
|
||||
diags.AddError("failed to read back litellm role", err.Error())
|
||||
return diags
|
||||
}
|
||||
if role == nil {
|
||||
diags.AddError("role missing after write", "the role was not found immediately after being written")
|
||||
return diags
|
||||
}
|
||||
return applyRoleData(ctx, m, role)
|
||||
}
|
||||
|
||||
func splitRoleID(id string) (backend, name string, ok bool) {
|
||||
marker := "/roles/"
|
||||
idx := strings.LastIndex(id, marker)
|
||||
if idx <= 0 {
|
||||
return "", "", false
|
||||
}
|
||||
backend = id[:idx]
|
||||
name = id[idx+len(marker):]
|
||||
if backend == "" || name == "" {
|
||||
return "", "", false
|
||||
}
|
||||
return backend, name, true
|
||||
}
|
||||
Reference in New Issue
Block a user