2 Commits

Author SHA1 Message Date
unkinben c43e1bf5d4 Base on repository initial commit 2026-07-02 23:23:13 +10:00
unkinben 8ca6c39c66 Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
2026-07-02 23:23:13 +10:00
24 changed files with 2002 additions and 1 deletions
+14
View File
@@ -0,0 +1,14 @@
/terraform-provider-litellmvaultsecret
*.zip
*.out
*.test
dist/
.terraform/
.terraform.lock.hcl
*.tfstate
*.tfstate.backup
.env
# e2e artifacts
test/plugins/
test/dev.tfrc
+15
View File
@@ -0,0 +1,15 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-added-large-files
- repo: https://github.com/dnephin/pre-commit-golang
rev: v0.5.1
hooks:
- id: go-fmt
- id: go-vet
- id: go-mod-tidy
+8
View File
@@ -0,0 +1,8 @@
when:
- event: pull_request
steps:
- name: build
image: golang:1.25
commands:
- make build
+18
View File
@@ -0,0 +1,18 @@
when:
- event: pull_request
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+13
View File
@@ -0,0 +1,13 @@
when:
- event: pull_request
steps:
- name: lint
image: golang:1.25
commands:
- make lint
- name: test
image: golang:1.25
commands:
- make test
+65
View File
@@ -0,0 +1,65 @@
.PHONY: build install test lint fmt clean tidy package e2e patch minor major check-go
BINARY := terraform-provider-litellmvaultsecret
VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "0.0.0-dev")
OS_ARCH := linux_amd64
INSTALL_VERSION := $(shell echo $(VERSION) | sed 's/^v//')
INSTALL_DIR := ~/.terraform.d/plugins/git.unkin.net/unkin/litellmvaultsecret/$(INSTALL_VERSION)/$(OS_ARCH)
ZIP := $(BINARY)_$(INSTALL_VERSION)_$(OS_ARCH).zip
GO_VERSION_REQUIRED := 1.25
GO_VERSION_ACTUAL := $(shell go version | sed 's/go version go\([0-9]*\.[0-9]*\).*/\1/')
check-go:
@if [ "$$(printf '%s\n%s' "$(GO_VERSION_REQUIRED)" "$(GO_VERSION_ACTUAL)" | sort -V | head -1)" != "$(GO_VERSION_REQUIRED)" ]; then \
echo "ERROR: Go >= $(GO_VERSION_REQUIRED) required, found $(GO_VERSION_ACTUAL)"; exit 1; \
fi
build: check-go tidy
go build -ldflags="-s -w -X main.version=$(VERSION)" -o $(BINARY)
install: build
mkdir -p $(INSTALL_DIR)
cp $(BINARY) $(INSTALL_DIR)/
test: check-go
go test -race -count=1 ./...
lint: check-go
go vet ./...
fmt: check-go
gofmt -w .
package: build
cp $(BINARY) $(BINARY)_v$(INSTALL_VERSION)
python3 -c "import zipfile,sys; z=zipfile.ZipFile(sys.argv[1],'w',zipfile.ZIP_DEFLATED); z.write(sys.argv[2]); z.close()" $(ZIP) $(BINARY)_v$(INSTALL_VERSION)
rm $(BINARY)_v$(INSTALL_VERSION)
# End-to-end: boots Vault + LiteLLM + the plugin and applies real terraform.
e2e:
./scripts/e2e.sh
clean:
rm -f $(BINARY) *.zip
tidy:
go mod tidy
_LATEST := $(shell git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$$' | head -1)
_BASE := $(if $(_LATEST),$(_LATEST),v0.0.0)
_MAJ := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f1)
_MIN := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f2)
_PAT := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f3)
patch:
@NEW=v$(_MAJ).$(_MIN).$(shell expr $(_PAT) + 1); \
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
minor:
@NEW=v$(_MAJ).$(shell expr $(_MIN) + 1).0; \
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
major:
@NEW=v$(shell expr $(_MAJ) + 1).0.0; \
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
+102 -1
View File
@@ -1,3 +1,104 @@
# terraform-provider-litellmvaultsecret
Terraform provider for the Vault/OpenBao LiteLLM dynamic secrets engine (litellmvaultsecret)
A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine**
(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm)
plugin) on HashiCorp Vault or OpenBao.
It lets you declare, as code, the LiteLLM secrets-engine mount, its connection
config, and the roles that scope generated virtual keys — for use from
`terraform-vault`.
## Provider
```hcl
terraform {
required_providers {
litellmvaultsecret = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
address = "https://vault.example.com" # or VAULT_ADDR
token = var.vault_token # or VAULT_TOKEN
}
```
## Resources
### `litellmvaultsecret_secret_backend`
Mounts the engine and writes its connection config.
| Attribute | Required | Description |
| ------------------------- | -------- | ---------------------------------------------------- |
| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. |
| `base_url` | yes | LiteLLM proxy URL the plugin calls. |
| `master_key` | yes | LiteLLM master key (sensitive, never read back). |
| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). |
| `description` | no | Mount description. |
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |
### `litellmvaultsecret_secret_backend_role`
Manages a role that constrains generated keys.
| Attribute | Required | Description |
| ------------------ | -------- | ---------------------------------------------- |
| `backend` | yes | Mount path of the engine. Forces replacement. |
| `name` | yes | Role name. Forces replacement. |
| `models` | no | Allowed models (set); empty = unrestricted. |
| `max_budget` | no | Spending limit per key; 0 = unlimited. |
| `ttl` | no | Default lease TTL, in **seconds**. |
| `max_ttl` | no | Maximum lease TTL, in **seconds**. |
| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). |
| `metadata` | no | Metadata attached to each key (map). |
## Example
```hcl
resource "litellmvaultsecret_secret_backend" "litellm" {
path = "litellm"
base_url = "http://litellm.litellm.svc:4000"
master_key = var.litellm_master_key
}
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
max_budget = 50
ttl = 3600
max_ttl = 86400
}
```
Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped,
budgeted, lease-bound virtual key.
## Import
```sh
terraform import litellmvaultsecret_secret_backend.litellm litellm
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
```
## Development
```sh
make build # build the provider binary
make install # install into ~/.terraform.d/plugins for local use
make test # unit tests (race-enabled)
make lint # go vet
make fmt # gofmt
make e2e # end-to-end: real Vault + LiteLLM + plugin, terraform apply
```
### End-to-end tests
`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault +
LiteLLM + Postgres in Docker, installs this provider locally, then runs a real
`terraform apply` that mounts the engine and creates a role, and asserts that a
working virtual key can be generated from it. Requires Docker; bind mounts use
`:z` for SELinux.
@@ -0,0 +1,24 @@
terraform {
required_providers {
litellmvaultsecret = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
# address and token fall back to VAULT_ADDR / VAULT_TOKEN
address = "https://vault.example.com"
}
resource "litellmvaultsecret_secret_backend" "litellm" {
path = "litellm"
description = "LiteLLM dynamic virtual keys"
base_url = "http://litellm.litellm.svc:4000"
master_key = var.litellm_master_key
}
variable "litellm_master_key" {
type = string
sensitive = true
}
@@ -0,0 +1,14 @@
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo", "gpt-4"]
max_budget = 50
ttl = 3600 # seconds (1h)
max_ttl = 86400 # seconds (24h)
metadata = {
team = "a"
env = "prod"
}
}
+49
View File
@@ -0,0 +1,49 @@
module git.unkin.net/unkin/terraform-provider-litellmvaultsecret
go 1.25
require (
github.com/hashicorp/terraform-plugin-framework v1.15.0
github.com/hashicorp/vault/api v1.15.0
)
require (
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v1.6.3 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-plugin v1.6.3 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/terraform-plugin-go v0.27.0 // indirect
github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
github.com/hashicorp/terraform-registry-address v0.2.5 // indirect
github.com/hashicorp/terraform-svchost v0.1.1 // indirect
github.com/hashicorp/yamux v0.1.1 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/oklog/run v1.0.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
golang.org/x/crypto v0.37.0 // indirect
golang.org/x/net v0.39.0 // indirect
golang.org/x/sys v0.32.0 // indirect
golang.org/x/text v0.24.0 // indirect
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
google.golang.org/grpc v1.72.1 // indirect
google.golang.org/protobuf v1.36.6 // indirect
)
+147
View File
@@ -0,0 +1,147 @@
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg=
github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0=
github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ=
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXFtr03FVsNktbbBci8cOKdb4=
github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI=
github.com/hashicorp/terraform-plugin-go v0.27.0 h1:ujykws/fWIdsi6oTUT5Or4ukvEan4aN9lY+LOxVP8EE=
github.com/hashicorp/terraform-plugin-go v0.27.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o=
github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=
github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M=
github.com/hashicorp/terraform-registry-address v0.2.5/go.mod h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg=
github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ=
github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc=
github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+144
View File
@@ -0,0 +1,144 @@
package provider
import (
"context"
"errors"
"fmt"
"strings"
vault "github.com/hashicorp/vault/api"
)
// vaultClient wraps the Vault/OpenBao API client with the operations this
// provider needs to manage the LiteLLM secrets engine.
type vaultClient struct {
api *vault.Client
}
func newVaultClient(address, token string) (*vaultClient, error) {
cfg := vault.DefaultConfig()
if cfg.Error != nil {
return nil, cfg.Error
}
if address != "" {
cfg.Address = address
}
c, err := vault.NewClient(cfg)
if err != nil {
return nil, err
}
if token != "" {
c.SetToken(token)
}
return &vaultClient{api: c}, nil
}
// mountConfig holds the tunable options applied when enabling the engine.
type mountConfig struct {
DefaultLeaseTTL string
MaxLeaseTTL string
}
// enableMount mounts the secrets engine of the given plugin type at path.
func (c *vaultClient) enableMount(ctx context.Context, path, pluginType, description string, cfg mountConfig) error {
input := &vault.MountInput{
Type: pluginType,
Description: description,
Config: vault.MountConfigInput{
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
MaxLeaseTTL: cfg.MaxLeaseTTL,
},
}
return c.api.Sys().MountWithContext(ctx, path, input)
}
// tuneMount updates tunable options of an existing mount (e.g. description).
func (c *vaultClient) tuneMount(ctx context.Context, path, description string, cfg mountConfig) error {
input := vault.MountConfigInput{
Description: &description,
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
MaxLeaseTTL: cfg.MaxLeaseTTL,
}
return c.api.Sys().TuneMountWithContext(ctx, path, input)
}
// mountInfo returns the mount at the given path, or nil if it does not exist.
func (c *vaultClient) mountInfo(ctx context.Context, path string) (*vault.MountOutput, error) {
mounts, err := c.api.Sys().ListMountsWithContext(ctx)
if err != nil {
return nil, err
}
key := strings.TrimRight(path, "/") + "/"
if m, ok := mounts[key]; ok {
return m, nil
}
return nil, nil
}
// disableMount unmounts the secrets engine at path.
func (c *vaultClient) disableMount(ctx context.Context, path string) error {
return c.api.Sys().UnmountWithContext(ctx, path)
}
// writeConfig writes the LiteLLM connection config for the given backend mount.
func (c *vaultClient) writeConfig(ctx context.Context, backend string, data map[string]interface{}) error {
_, err := c.api.Logical().WriteWithContext(ctx, backend+"/config", data)
return err
}
// readConfig reads the LiteLLM connection config, returning nil if absent.
func (c *vaultClient) readConfig(ctx context.Context, backend string) (map[string]interface{}, error) {
secret, err := c.api.Logical().ReadWithContext(ctx, backend+"/config")
if err != nil {
return nil, err
}
if secret == nil {
return nil, nil
}
return secret.Data, nil
}
// writeRole creates or updates a role on the given backend mount.
func (c *vaultClient) writeRole(ctx context.Context, backend, name string, data map[string]interface{}) error {
_, err := c.api.Logical().WriteWithContext(ctx, rolePath(backend, name), data)
return err
}
// readRole reads a role, returning nil if it does not exist.
func (c *vaultClient) readRole(ctx context.Context, backend, name string) (map[string]interface{}, error) {
secret, err := c.api.Logical().ReadWithContext(ctx, rolePath(backend, name))
if err != nil {
return nil, err
}
if secret == nil {
return nil, nil
}
return secret.Data, nil
}
// deleteRole removes a role from the backend mount.
func (c *vaultClient) deleteRole(ctx context.Context, backend, name string) error {
_, err := c.api.Logical().DeleteWithContext(ctx, rolePath(backend, name))
return err
}
func rolePath(backend, name string) string {
return fmt.Sprintf("%s/roles/%s", strings.TrimRight(backend, "/"), name)
}
// isMountAlreadyExists reports whether the error is Vault's "path is already in
// use" response, so callers can surface a friendlier message.
func isMountAlreadyExists(err error) bool {
if err == nil {
return false
}
var respErr *vault.ResponseError
if errors.As(err, &respErr) {
for _, e := range respErr.Errors {
if strings.Contains(e, "path is already in use") {
return true
}
}
}
return false
}
+238
View File
@@ -0,0 +1,238 @@
package provider
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"sync"
"testing"
)
// mockVault is a minimal in-memory fake of the Vault/OpenBao HTTP API covering
// the endpoints this provider uses.
type mockVault struct {
server *httptest.Server
mu sync.Mutex
mounts map[string]map[string]interface{} // "litellm/" -> mount output
configs map[string]map[string]interface{} // backend -> config data
roles map[string]map[string]interface{} // "backend/roles/name" -> role data
}
func newMockVault(t *testing.T) (*mockVault, *vaultClient) {
t.Helper()
m := &mockVault{
mounts: map[string]map[string]interface{}{},
configs: map[string]map[string]interface{}{},
roles: map[string]map[string]interface{}{},
}
m.server = httptest.NewServer(http.HandlerFunc(m.handle))
t.Cleanup(m.server.Close)
client, err := newVaultClient(m.server.URL, "test-token")
if err != nil {
t.Fatalf("newVaultClient: %v", err)
}
return m, client
}
func (m *mockVault) handle(w http.ResponseWriter, r *http.Request) {
m.mu.Lock()
defer m.mu.Unlock()
path := strings.TrimPrefix(r.URL.Path, "/v1/")
switch {
case path == "sys/mounts" && r.Method == http.MethodGet:
writeSecret(w, map[string]interface{}{"data": toIface(m.mounts)})
case strings.HasPrefix(path, "sys/mounts/"):
mp := strings.TrimPrefix(path, "sys/mounts/")
key := strings.TrimRight(mp, "/") + "/"
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
// Store the mount *output* shape (Vault returns int TTLs, not the
// string TTLs it accepts on input).
m.mounts[key] = map[string]interface{}{
"type": body["type"],
"description": body["description"],
"config": map[string]interface{}{},
}
w.WriteHeader(http.StatusNoContent)
case http.MethodDelete:
delete(m.mounts, key)
w.WriteHeader(http.StatusNoContent)
}
case strings.HasSuffix(path, "/config"):
backend := strings.TrimSuffix(path, "/config")
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
m.configs[backend] = body
w.WriteHeader(http.StatusNoContent)
case http.MethodGet:
cfg, ok := m.configs[backend]
if !ok {
w.WriteHeader(http.StatusNotFound)
return
}
// The real backend never returns master_key.
out := map[string]interface{}{}
for k, v := range cfg {
if k == "master_key" {
continue
}
out[k] = v
}
writeSecret(w, map[string]interface{}{"data": out})
}
case strings.Contains(path, "/roles/"):
switch r.Method {
case http.MethodPost, http.MethodPut:
var body map[string]interface{}
_ = json.NewDecoder(r.Body).Decode(&body)
m.roles[path] = body
w.WriteHeader(http.StatusNoContent)
case http.MethodGet:
role, ok := m.roles[path]
if !ok {
w.WriteHeader(http.StatusNotFound)
return
}
writeSecret(w, map[string]interface{}{"data": role})
case http.MethodDelete:
delete(m.roles, path)
w.WriteHeader(http.StatusNoContent)
}
default:
w.WriteHeader(http.StatusNotFound)
}
}
func toIface(m map[string]map[string]interface{}) map[string]interface{} {
out := map[string]interface{}{}
for k, v := range m {
out[k] = v
}
return out
}
func writeSecret(w http.ResponseWriter, body map[string]interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
_ = json.NewEncoder(w).Encode(body)
}
func TestClient_MountLifecycle(t *testing.T) {
_, c := newMockVault(t)
ctx := context.Background()
if err := c.enableMount(ctx, "litellm", "vault-plugin-secrets-litellm", "desc", mountConfig{}); err != nil {
t.Fatalf("enableMount: %v", err)
}
info, err := c.mountInfo(ctx, "litellm")
if err != nil {
t.Fatalf("mountInfo: %v", err)
}
if info == nil {
t.Fatal("expected mount to exist")
}
if info.Type != "vault-plugin-secrets-litellm" {
t.Fatalf("unexpected mount type: %q", info.Type)
}
if err := c.disableMount(ctx, "litellm"); err != nil {
t.Fatalf("disableMount: %v", err)
}
info, err = c.mountInfo(ctx, "litellm")
if err != nil {
t.Fatalf("mountInfo after delete: %v", err)
}
if info != nil {
t.Fatal("expected mount to be gone")
}
}
func TestClient_ConfigRoundTrip(t *testing.T) {
m, c := newMockVault(t)
ctx := context.Background()
err := c.writeConfig(ctx, "litellm", map[string]interface{}{
"base_url": "http://litellm:4000",
"master_key": "sk-secret",
"request_timeout_seconds": 30,
})
if err != nil {
t.Fatalf("writeConfig: %v", err)
}
cfg, err := c.readConfig(ctx, "litellm")
if err != nil {
t.Fatalf("readConfig: %v", err)
}
if cfg["base_url"] != "http://litellm:4000" {
t.Fatalf("unexpected base_url: %v", cfg["base_url"])
}
if _, leaked := cfg["master_key"]; leaked {
t.Fatal("master_key must not be returned by read")
}
_ = m
}
func TestClient_ReadConfigMissing(t *testing.T) {
_, c := newMockVault(t)
cfg, err := c.readConfig(context.Background(), "litellm")
if err != nil {
t.Fatalf("readConfig: %v", err)
}
if cfg != nil {
t.Fatalf("expected nil config, got %v", cfg)
}
}
func TestClient_RoleLifecycle(t *testing.T) {
_, c := newMockVault(t)
ctx := context.Background()
err := c.writeRole(ctx, "litellm", "team-a", map[string]interface{}{
"models": []string{"gpt-4"},
"max_budget": 25.0,
"ttl": 3600,
})
if err != nil {
t.Fatalf("writeRole: %v", err)
}
role, err := c.readRole(ctx, "litellm", "team-a")
if err != nil {
t.Fatalf("readRole: %v", err)
}
if role == nil {
t.Fatal("expected role to exist")
}
if err := c.deleteRole(ctx, "litellm", "team-a"); err != nil {
t.Fatalf("deleteRole: %v", err)
}
role, err = c.readRole(ctx, "litellm", "team-a")
if err != nil {
t.Fatalf("readRole after delete: %v", err)
}
if role != nil {
t.Fatal("expected role to be gone")
}
}
func TestRolePath(t *testing.T) {
if got := rolePath("litellm/", "team-a"); got != "litellm/roles/team-a" {
t.Fatalf("unexpected role path: %q", got)
}
}
+171
View File
@@ -0,0 +1,171 @@
package provider
import (
"context"
"encoding/json"
"github.com/hashicorp/terraform-plugin-framework/attr"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/types"
)
// roleData builds the request payload for writing a role to the backend.
func roleData(ctx context.Context, m secretBackendRoleModel) (map[string]interface{}, diag.Diagnostics) {
var diags diag.Diagnostics
data := map[string]interface{}{}
if !m.Models.IsNull() && !m.Models.IsUnknown() {
var models []string
diags.Append(m.Models.ElementsAs(ctx, &models, false)...)
if diags.HasError() {
return nil, diags
}
data["models"] = models
} else {
data["models"] = []string{}
}
if !m.MaxBudget.IsNull() && !m.MaxBudget.IsUnknown() {
data["max_budget"] = m.MaxBudget.ValueFloat64()
}
if !m.KeyAliasPrefix.IsNull() && !m.KeyAliasPrefix.IsUnknown() {
data["key_alias_prefix"] = m.KeyAliasPrefix.ValueString()
}
if !m.TTL.IsNull() && !m.TTL.IsUnknown() {
data["ttl"] = m.TTL.ValueInt64()
}
if !m.MaxTTL.IsNull() && !m.MaxTTL.IsUnknown() {
data["max_ttl"] = m.MaxTTL.ValueInt64()
}
if !m.Metadata.IsNull() && !m.Metadata.IsUnknown() {
var meta map[string]string
diags.Append(m.Metadata.ElementsAs(ctx, &meta, false)...)
if diags.HasError() {
return nil, diags
}
data["metadata"] = meta
}
return data, diags
}
// applyRoleData refreshes a model from a role read out of the backend.
func applyRoleData(ctx context.Context, m *secretBackendRoleModel, role map[string]interface{}) diag.Diagnostics {
var diags diag.Diagnostics
models := toStringSlice(role["models"])
if len(models) == 0 {
m.Models = types.SetNull(types.StringType)
} else {
set, d := types.SetValueFrom(ctx, types.StringType, models)
diags.Append(d...)
m.Models = set
}
if budget, ok := toFloat64(role["max_budget"]); ok && budget != 0 {
m.MaxBudget = types.Float64Value(budget)
} else if m.MaxBudget.IsUnknown() {
m.MaxBudget = types.Float64Null()
}
if prefix, ok := role["key_alias_prefix"].(string); ok {
m.KeyAliasPrefix = types.StringValue(prefix)
}
if ttl, ok := toInt64(role["ttl"]); ok && ttl != 0 {
m.TTL = types.Int64Value(ttl)
} else if m.TTL.IsUnknown() {
m.TTL = types.Int64Null()
}
if maxTTL, ok := toInt64(role["max_ttl"]); ok && maxTTL != 0 {
m.MaxTTL = types.Int64Value(maxTTL)
} else if m.MaxTTL.IsUnknown() {
m.MaxTTL = types.Int64Null()
}
meta := toStringMap(role["metadata"])
if len(meta) == 0 {
m.Metadata = types.MapNull(types.StringType)
} else {
mp, d := types.MapValueFrom(ctx, types.StringType, meta)
diags.Append(d...)
m.Metadata = mp
}
return diags
}
func toStringSlice(v interface{}) []string {
raw, ok := v.([]interface{})
if !ok {
return nil
}
out := make([]string, 0, len(raw))
for _, e := range raw {
if s, ok := e.(string); ok {
out = append(out, s)
}
}
return out
}
func toStringMap(v interface{}) map[string]string {
raw, ok := v.(map[string]interface{})
if !ok {
return nil
}
out := make(map[string]string, len(raw))
for k, e := range raw {
if s, ok := e.(string); ok {
out[k] = s
}
}
return out
}
// toInt64 coerces the numeric shapes Vault returns (json.Number, float64, int)
// into an int64.
func toInt64(v interface{}) (int64, bool) {
switch n := v.(type) {
case json.Number:
i, err := n.Int64()
if err != nil {
f, ferr := n.Float64()
if ferr != nil {
return 0, false
}
return int64(f), true
}
return i, true
case float64:
return int64(n), true
case int64:
return n, true
case int:
return int64(n), true
default:
return 0, false
}
}
func toFloat64(v interface{}) (float64, bool) {
switch n := v.(type) {
case json.Number:
f, err := n.Float64()
if err != nil {
return 0, false
}
return f, true
case float64:
return n, true
case int64:
return float64(n), true
case int:
return float64(n), true
default:
return 0, false
}
}
// ensure attr is referenced (kept for future typed conversions).
var _ = attr.Value(nil)
+166
View File
@@ -0,0 +1,166 @@
package provider
import (
"context"
"encoding/json"
"testing"
"github.com/hashicorp/terraform-plugin-framework/types"
)
func TestRoleData_FullRoundTrip(t *testing.T) {
ctx := context.Background()
models, _ := types.SetValueFrom(ctx, types.StringType, []string{"gpt-4", "gpt-3.5-turbo"})
meta, _ := types.MapValueFrom(ctx, types.StringType, map[string]string{"team": "a"})
m := secretBackendRoleModel{
Backend: types.StringValue("litellm"),
Name: types.StringValue("team-a"),
Models: models,
MaxBudget: types.Float64Value(50),
KeyAliasPrefix: types.StringValue("vault"),
TTL: types.Int64Value(3600),
MaxTTL: types.Int64Value(86400),
Metadata: meta,
}
data, diags := roleData(ctx, m)
if diags.HasError() {
t.Fatalf("roleData diags: %v", diags)
}
if got := data["max_budget"].(float64); got != 50 {
t.Fatalf("max_budget: %v", got)
}
if got := data["ttl"].(int64); got != 3600 {
t.Fatalf("ttl: %v", got)
}
if got := data["models"].([]string); len(got) != 2 {
t.Fatalf("models: %v", got)
}
if got := data["metadata"].(map[string]string); got["team"] != "a" {
t.Fatalf("metadata: %v", got)
}
}
func TestRoleData_OmitsUnsetOptionals(t *testing.T) {
ctx := context.Background()
m := secretBackendRoleModel{
Backend: types.StringValue("litellm"),
Name: types.StringValue("minimal"),
Models: types.SetNull(types.StringType),
MaxBudget: types.Float64Null(),
KeyAliasPrefix: types.StringValue("vault"),
TTL: types.Int64Null(),
MaxTTL: types.Int64Null(),
Metadata: types.MapNull(types.StringType),
}
data, diags := roleData(ctx, m)
if diags.HasError() {
t.Fatalf("diags: %v", diags)
}
if _, ok := data["max_budget"]; ok {
t.Fatal("max_budget should be omitted when null")
}
if _, ok := data["ttl"]; ok {
t.Fatal("ttl should be omitted when null")
}
// models is always sent (empty list = unrestricted).
if got, ok := data["models"].([]string); !ok || len(got) != 0 {
t.Fatalf("expected empty models slice, got %v", data["models"])
}
}
func TestApplyRoleData(t *testing.T) {
ctx := context.Background()
m := &secretBackendRoleModel{
Models: types.SetNull(types.StringType),
MaxBudget: types.Float64Null(),
TTL: types.Int64Null(),
MaxTTL: types.Int64Null(),
Metadata: types.MapNull(types.StringType),
}
// Simulate what Vault returns (numbers arrive as json.Number).
role := map[string]interface{}{
"models": []interface{}{"gpt-4"},
"max_budget": json.Number("50"),
"key_alias_prefix": "vault",
"ttl": json.Number("3600"),
"max_ttl": json.Number("86400"),
"metadata": map[string]interface{}{"team": "a"},
}
diags := applyRoleData(ctx, m, role)
if diags.HasError() {
t.Fatalf("applyRoleData diags: %v", diags)
}
if m.TTL.ValueInt64() != 3600 {
t.Fatalf("ttl: %v", m.TTL)
}
if m.MaxTTL.ValueInt64() != 86400 {
t.Fatalf("max_ttl: %v", m.MaxTTL)
}
if m.MaxBudget.ValueFloat64() != 50 {
t.Fatalf("max_budget: %v", m.MaxBudget)
}
if m.KeyAliasPrefix.ValueString() != "vault" {
t.Fatalf("prefix: %v", m.KeyAliasPrefix)
}
var models []string
m.Models.ElementsAs(ctx, &models, false)
if len(models) != 1 || models[0] != "gpt-4" {
t.Fatalf("models: %v", models)
}
}
func TestApplyRoleData_EmptyModelsBecomesNull(t *testing.T) {
ctx := context.Background()
m := &secretBackendRoleModel{
Models: types.SetValueMust(types.StringType, nil),
Metadata: types.MapNull(types.StringType),
}
role := map[string]interface{}{"models": []interface{}{}}
if diags := applyRoleData(ctx, m, role); diags.HasError() {
t.Fatalf("diags: %v", diags)
}
if !m.Models.IsNull() {
t.Fatalf("expected null models, got %v", m.Models)
}
}
func TestToInt64(t *testing.T) {
cases := []struct {
in interface{}
want int64
ok bool
}{
{json.Number("3600"), 3600, true},
{float64(42), 42, true},
{int64(7), 7, true},
{int(9), 9, true},
{"nope", 0, false},
{nil, 0, false},
}
for _, tc := range cases {
got, ok := toInt64(tc.in)
if ok != tc.ok || got != tc.want {
t.Fatalf("toInt64(%v) = (%d,%v), want (%d,%v)", tc.in, got, ok, tc.want, tc.ok)
}
}
}
func TestSplitRoleID(t *testing.T) {
backend, name, ok := splitRoleID("litellm/roles/team-a")
if !ok || backend != "litellm" || name != "team-a" {
t.Fatalf("got backend=%q name=%q ok=%v", backend, name, ok)
}
if _, _, ok := splitRoleID("nonsense"); ok {
t.Fatal("expected failure on malformed id")
}
// Nested mount paths must still split on the final /roles/.
b, n, ok := splitRoleID("team/litellm/roles/x")
if !ok || b != "team/litellm" || n != "x" {
t.Fatalf("nested split: backend=%q name=%q ok=%v", b, n, ok)
}
}
+97
View File
@@ -0,0 +1,97 @@
package provider
import (
"context"
"os"
"github.com/hashicorp/terraform-plugin-framework/datasource"
"github.com/hashicorp/terraform-plugin-framework/provider"
"github.com/hashicorp/terraform-plugin-framework/provider/schema"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var _ provider.Provider = &litellmProvider{}
type litellmProvider struct {
version string
}
type litellmProviderModel struct {
Address types.String `tfsdk:"address"`
Token types.String `tfsdk:"token"`
}
func New(version string) func() provider.Provider {
return func() provider.Provider {
return &litellmProvider{version: version}
}
}
func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
resp.TypeName = "litellmvaultsecret"
resp.Version = p.version
}
func (p *litellmProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manage the LiteLLM dynamic secrets engine (config and roles) on HashiCorp Vault or OpenBao.",
Attributes: map[string]schema.Attribute{
"address": schema.StringAttribute{
Description: "Address of the Vault/OpenBao server. Falls back to the VAULT_ADDR environment variable.",
Optional: true,
},
"token": schema.StringAttribute{
Description: "Token used to authenticate to Vault/OpenBao. Falls back to the VAULT_TOKEN environment variable.",
Optional: true,
Sensitive: true,
},
},
}
}
func (p *litellmProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {
var config litellmProviderModel
resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
if resp.Diagnostics.HasError() {
return
}
address := os.Getenv("VAULT_ADDR")
if !config.Address.IsNull() && config.Address.ValueString() != "" {
address = config.Address.ValueString()
}
token := os.Getenv("VAULT_TOKEN")
if !config.Token.IsNull() && config.Token.ValueString() != "" {
token = config.Token.ValueString()
}
if address == "" {
resp.Diagnostics.AddError(
"missing Vault address",
"Set the provider \"address\" attribute or the VAULT_ADDR environment variable.",
)
return
}
client, err := newVaultClient(address, token)
if err != nil {
resp.Diagnostics.AddError("failed to create Vault client", err.Error())
return
}
resp.DataSourceData = client
resp.ResourceData = client
}
func (p *litellmProvider) Resources(_ context.Context) []func() resource.Resource {
return []func() resource.Resource{
NewSecretBackendResource,
NewSecretBackendRoleResource,
}
}
func (p *litellmProvider) DataSources(_ context.Context) []func() datasource.DataSource {
return nil
}
@@ -0,0 +1,225 @@
package provider
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var (
_ resource.Resource = &secretBackendResource{}
_ resource.ResourceWithImportState = &secretBackendResource{}
)
const defaultPluginType = "vault-plugin-secrets-litellm"
type secretBackendResource struct {
client *vaultClient
}
type secretBackendModel struct {
Path types.String `tfsdk:"path"`
Plugin types.String `tfsdk:"plugin"`
Description types.String `tfsdk:"description"`
BaseURL types.String `tfsdk:"base_url"`
MasterKey types.String `tfsdk:"master_key"`
RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"`
}
func NewSecretBackendResource() resource.Resource {
return &secretBackendResource{}
}
func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_secret_backend"
}
func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Mounts the LiteLLM secrets engine and writes its connection config.",
Attributes: map[string]schema.Attribute{
"path": schema.StringAttribute{
Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"plugin": schema.StringAttribute{
Description: "Registered plugin name/type to mount.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString(defaultPluginType),
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"description": schema.StringAttribute{
Description: "Human-readable description of the mount.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString(""),
},
"base_url": schema.StringAttribute{
Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).",
Required: true,
},
"master_key": schema.StringAttribute{
Description: "LiteLLM master key used to manage virtual keys.",
Required: true,
Sensitive: true,
},
"request_timeout_seconds": schema.Int64Attribute{
Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.",
Optional: true,
Computed: true,
Default: int64default.StaticInt64(30),
},
},
}
}
func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
client, ok := req.ProviderData.(*vaultClient)
if !ok {
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
return
}
r.client = client
}
func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan secretBackendModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(plan.Path.ValueString(), "/")
err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{})
if err != nil {
if isMountAlreadyExists(err) {
resp.Diagnostics.AddError(
"mount path already in use",
fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath),
)
return
}
resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error())
return
}
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
// Roll back the mount so we don't leave a half-configured engine.
_ = r.client.disableMount(ctx, mountPath)
resp.Diagnostics.AddError("failed to write litellm config", err.Error())
return
}
plan.Path = types.StringValue(mountPath)
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state secretBackendModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(state.Path.ValueString(), "/")
mount, err := r.client.mountInfo(ctx, mountPath)
if err != nil {
resp.Diagnostics.AddError("failed to read mount", err.Error())
return
}
if mount == nil {
resp.State.RemoveResource(ctx)
return
}
state.Description = types.StringValue(mount.Description)
if mount.Type != "" {
state.Plugin = types.StringValue(mount.Type)
}
cfg, err := r.client.readConfig(ctx, mountPath)
if err != nil {
resp.Diagnostics.AddError("failed to read litellm config", err.Error())
return
}
if cfg != nil {
if v, ok := cfg["base_url"].(string); ok {
state.BaseURL = types.StringValue(v)
}
if n, ok := toInt64(cfg["request_timeout_seconds"]); ok {
state.RequestTimeoutSeconds = types.Int64Value(n)
}
}
// master_key is never returned by the backend; preserve the state value.
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
}
func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var plan, state secretBackendModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
mountPath := strings.Trim(state.Path.ValueString(), "/")
if !plan.Description.Equal(state.Description) {
if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil {
resp.Diagnostics.AddError("failed to tune mount description", err.Error())
return
}
}
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
resp.Diagnostics.AddError("failed to update litellm config", err.Error())
return
}
plan.Path = types.StringValue(mountPath)
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state secretBackendModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil {
resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error())
return
}
}
func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp)
}
func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} {
return map[string]interface{}{
"base_url": m.BaseURL.ValueString(),
"master_key": m.MasterKey.ValueString(),
"request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(),
}
}
@@ -0,0 +1,235 @@
package provider
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var (
_ resource.Resource = &secretBackendRoleResource{}
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
)
type secretBackendRoleResource struct {
client *vaultClient
}
type secretBackendRoleModel struct {
Backend types.String `tfsdk:"backend"`
Name types.String `tfsdk:"name"`
Models types.Set `tfsdk:"models"`
MaxBudget types.Float64 `tfsdk:"max_budget"`
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
TTL types.Int64 `tfsdk:"ttl"`
MaxTTL types.Int64 `tfsdk:"max_ttl"`
Metadata types.Map `tfsdk:"metadata"`
}
func NewSecretBackendRoleResource() resource.Resource {
return &secretBackendRoleResource{}
}
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
}
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
Attributes: map[string]schema.Attribute{
"backend": schema.StringAttribute{
Description: "Mount path of the LiteLLM secrets engine.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"name": schema.StringAttribute{
Description: "Name of the role.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"models": schema.SetAttribute{
Description: "Models a generated key may access. Empty means unrestricted.",
ElementType: types.StringType,
Optional: true,
},
"max_budget": schema.Float64Attribute{
Description: "Spending limit applied to each generated key. 0 means unlimited.",
Optional: true,
},
"key_alias_prefix": schema.StringAttribute{
Description: "Prefix for the auto-generated key alias.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString("vault"),
},
"ttl": schema.Int64Attribute{
Description: "Default lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"max_ttl": schema.Int64Attribute{
Description: "Maximum lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"metadata": schema.MapAttribute{
Description: "Metadata attached to each generated key.",
ElementType: types.StringType,
Optional: true,
},
},
}
}
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
client, ok := req.ProviderData.(*vaultClient)
if !ok {
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
return
}
r.client = client
}
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
if err != nil {
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
return
}
if role == nil {
resp.State.RemoveResource(ctx)
return
}
diags := applyRoleData(ctx, &state, role)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
}
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
return
}
}
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
// Import ID format: "<backend>/roles/<name>".
backend, name, ok := splitRoleID(req.ID)
if !ok {
resp.Diagnostics.AddError(
"invalid import ID",
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
)
return
}
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
}
// readInto refreshes the model in place from the backend after a write, so
// computed fields (e.g. key_alias_prefix default) reflect stored values.
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
var diags diag.Diagnostics
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
if err != nil {
diags.AddError("failed to read back litellm role", err.Error())
return diags
}
if role == nil {
diags.AddError("role missing after write", "the role was not found immediately after being written")
return diags
}
return applyRoleData(ctx, m, role)
}
func splitRoleID(id string) (backend, name string, ok bool) {
marker := "/roles/"
idx := strings.LastIndex(id, marker)
if idx <= 0 {
return "", "", false
}
backend = id[:idx]
name = id[idx+len(marker):]
if backend == "" || name == "" {
return "", "", false
}
return backend, name, true
}
+28
View File
@@ -0,0 +1,28 @@
package main
import (
"context"
"flag"
"log"
"github.com/hashicorp/terraform-plugin-framework/providerserver"
"git.unkin.net/unkin/terraform-provider-litellmvaultsecret/internal/provider"
)
var version = "0.0.1"
func main() {
var debug bool
flag.BoolVar(&debug, "debug", false, "enable debug mode")
flag.Parse()
opts := providerserver.ServeOpts{
Address: "git.unkin.net/unkin/litellmvaultsecret",
Debug: debug,
}
if err := providerserver.Serve(context.Background(), provider.New(version), opts); err != nil {
log.Fatal(err)
}
}
Executable
+122
View File
@@ -0,0 +1,122 @@
#!/usr/bin/env bash
#
# End-to-end test for terraform-provider-litellmvaultsecret.
#
# Builds the sibling litellm plugin and this provider, boots Vault + LiteLLM +
# Postgres in Docker, then runs a real `terraform apply` through the provider to
# mount the engine and create a role, and asserts a working virtual key can be
# generated from it. Finally `terraform destroy` and verify the mount is gone.
#
set -euo pipefail
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
PLUGIN_REPO="${PLUGIN_REPO:-${ROOT_DIR}/../vault-plugin-secrets-litellm}"
COMPOSE_FILE="${ROOT_DIR}/test/docker-compose.yml"
COMPOSE="docker compose -f ${COMPOSE_FILE}"
TF="${TF:-terraform}"
E2E_DIR="${ROOT_DIR}/test/e2e"
PLUGIN_BIN="vault-plugin-secrets-litellm"
PROVIDER_BIN="terraform-provider-litellmvaultsecret"
MASTER_KEY="sk-master-e2e-1234"
LITELLM_ADDR="http://127.0.0.1:4000"
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="root"
red() { printf '\033[31m%s\033[0m\n' "$*"; }
green() { printf '\033[32m%s\033[0m\n' "$*"; }
blue() { printf '\033[34m==> %s\033[0m\n' "$*"; }
fail() { red "FAIL: $*"; exit 1; }
cleanup() {
blue "Cleaning up"
if [ -d "${E2E_DIR}" ]; then
(cd "${E2E_DIR}" && TF_CLI_CONFIG_FILE="${ROOT_DIR}/test/dev.tfrc" "${TF}" destroy -auto-approve >/dev/null 2>&1 || true)
rm -f "${E2E_DIR}"/terraform.tfstate* "${E2E_DIR}"/.terraform.lock.hcl
rm -rf "${E2E_DIR}/.terraform"
fi
${COMPOSE} down -v >/dev/null 2>&1 || true
}
trap cleanup EXIT
wait_for() {
local desc="$1"; shift
local retries="${WAIT_RETRIES:-90}" i=0
until "$@" >/dev/null 2>&1; do
i=$((i + 1))
[ "$i" -ge "$retries" ] && fail "timed out waiting for ${desc}"
sleep 2
done
green "ready: ${desc}"
}
chat_code() {
curl -s -o /dev/null -w '%{http_code}' \
-H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
-d "{\"model\":\"$2\",\"messages\":[{\"role\":\"user\",\"content\":\"hi\"}]}" \
"${LITELLM_ADDR}/chat/completions"
}
# ---------------------------------------------------------------------------
blue "Building litellm plugin from ${PLUGIN_REPO}"
[ -d "${PLUGIN_REPO}" ] || fail "plugin repo not found at ${PLUGIN_REPO} (set PLUGIN_REPO)"
mkdir -p "${ROOT_DIR}/test/plugins"
( cd "${PLUGIN_REPO}" && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" \
-o "${ROOT_DIR}/test/plugins/${PLUGIN_BIN}" ./cmd/vault-plugin-secrets-litellm )
blue "Building the provider"
( cd "${ROOT_DIR}" && go build -o "${PROVIDER_BIN}" . )
blue "Writing terraform dev_overrides config"
cat > "${ROOT_DIR}/test/dev.tfrc" <<EOF
provider_installation {
dev_overrides {
"git.unkin.net/unkin/litellmvaultsecret" = "${ROOT_DIR}"
}
direct {}
}
EOF
export TF_CLI_CONFIG_FILE="${ROOT_DIR}/test/dev.tfrc"
blue "Starting Docker stack"
${COMPOSE} up -d --build
wait_for "litellm" curl -fsS "${LITELLM_ADDR}/health/liveliness"
wait_for "vault" ${COMPOSE} exec -T vault vault status -address=http://127.0.0.1:8200
blue "Registering the litellm plugin in Vault"
SHA="$(sha256sum "${ROOT_DIR}/test/plugins/${PLUGIN_BIN}" | awk '{print $1}')"
${COMPOSE} exec -T vault vault plugin register -sha256="${SHA}" secret "${PLUGIN_BIN}" >/dev/null
# ---------------------------------------------------------------------------
blue "terraform apply (mount engine + create role via the provider)"
( cd "${E2E_DIR}" && "${TF}" apply -auto-approve )
green "apply succeeded"
blue "Verifying the mount and role exist"
${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \
|| fail "litellm mount not found after apply"
${COMPOSE} exec -T vault vault read litellm/roles/team-a >/dev/null \
|| fail "role team-a not found after apply"
green "mount + role present"
blue "Generating a virtual key from the terraform-managed role"
KEY="$(${COMPOSE} exec -T vault vault read -field=key litellm/creds/team-a)"
[ -n "${KEY}" ] || fail "no key generated"
green "issued key ${KEY:0:12}..."
code="$(chat_code "${KEY}" gpt-3.5-turbo)"
[ "${code}" = "200" ] || fail "allowed model returned HTTP ${code}, expected 200"
green "allowed model (gpt-3.5-turbo) accepted"
code="$(chat_code "${KEY}" gpt-4)"
[ "${code}" != "200" ] || fail "disallowed model unexpectedly succeeded"
green "disallowed model (gpt-4) rejected (HTTP ${code})"
# ---------------------------------------------------------------------------
blue "terraform destroy (unmount engine)"
( cd "${E2E_DIR}" && "${TF}" destroy -auto-approve )
${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \
&& fail "litellm mount still present after destroy" || true
green "mount removed by destroy"
green "ALL PROVIDER END-TO-END CHECKS PASSED"
+57
View File
@@ -0,0 +1,57 @@
# E2E stack for the provider: Postgres + LiteLLM + a Vault dev server with the
# litellm plugin mounted. Bind mounts use ":z" for SELinux (Fedora/RHEL).
services:
postgres:
image: postgres:16-alpine
environment:
POSTGRES_USER: litellm
POSTGRES_PASSWORD: litellm
POSTGRES_DB: litellm
healthcheck:
test: ["CMD-SHELL", "pg_isready -U litellm"]
interval: 3s
timeout: 3s
retries: 20
litellm:
image: ghcr.io/berriai/litellm:main-stable
depends_on:
postgres:
condition: service_healthy
environment:
LITELLM_MASTER_KEY: sk-master-e2e-1234
DATABASE_URL: postgresql://litellm:litellm@postgres:5432/litellm
STORE_MODEL_IN_DB: "True"
command: ["--config", "/app/config.yaml", "--port", "4000"]
volumes:
- ./litellm/config.yaml:/app/config.yaml:ro,z
ports:
- "4000:4000"
healthcheck:
test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:4000/health/liveliness').status==200 else 1)"]
interval: 5s
timeout: 5s
retries: 40
vault:
image: hashicorp/vault:1.18
depends_on:
litellm:
condition: service_healthy
cap_add:
- IPC_LOCK
environment:
VAULT_DEV_ROOT_TOKEN_ID: root
VAULT_ADDR: http://127.0.0.1:8200
VAULT_TOKEN: root
command: ["server", "-dev", "-dev-listen-address=0.0.0.0:8200", "-config=/vault/vault.hcl"]
volumes:
- ./plugins:/vault/plugins:ro,z
- ./vault/vault.hcl:/vault/vault.hcl:ro,z
ports:
- "8200:8200"
healthcheck:
test: ["CMD", "vault", "status", "-address=http://127.0.0.1:8200"]
interval: 3s
timeout: 3s
retries: 20
+29
View File
@@ -0,0 +1,29 @@
terraform {
required_providers {
litellmvaultsecret = {
source = "git.unkin.net/unkin/litellmvaultsecret"
}
}
}
provider "litellmvaultsecret" {
address = "http://127.0.0.1:8200"
token = "root"
}
resource "litellmvaultsecret_secret_backend" "litellm" {
path = "litellm"
description = "LiteLLM dynamic virtual keys (e2e)"
# Reachable from inside the vault container, where the plugin runs.
base_url = "http://litellm:4000"
master_key = "sk-master-e2e-1234"
}
resource "litellmvaultsecret_secret_backend_role" "team_a" {
backend = litellmvaultsecret_secret_backend.litellm.path
name = "team-a"
models = ["gpt-3.5-turbo"]
max_budget = 10
ttl = 3600
max_ttl = 86400
}
+17
View File
@@ -0,0 +1,17 @@
model_list:
- model_name: gpt-3.5-turbo
litellm_params:
model: openai/gpt-3.5-turbo
api_key: sk-fake-openai-key
mock_response: "hello from the mock model"
- model_name: gpt-4
litellm_params:
model: openai/gpt-4
api_key: sk-fake-openai-key
mock_response: "hello from the mock model"
general_settings:
master_key: sk-master-e2e-1234
litellm_settings:
drop_params: true
+4
View File
@@ -0,0 +1,4 @@
# Combined with `-dev` so the dev server has a plugin_directory to register the
# litellm plugin binary mounted from ./plugins.
plugin_directory = "/vault/plugins"
api_addr = "http://127.0.0.1:8200"