Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c43e1bf5d4 | |||
| 8ca6c39c66 |
+14
@@ -0,0 +1,14 @@
|
||||
/terraform-provider-litellmvaultsecret
|
||||
*.zip
|
||||
*.out
|
||||
*.test
|
||||
dist/
|
||||
.terraform/
|
||||
.terraform.lock.hcl
|
||||
*.tfstate
|
||||
*.tfstate.backup
|
||||
.env
|
||||
|
||||
# e2e artifacts
|
||||
test/plugins/
|
||||
test/dev.tfrc
|
||||
@@ -0,0 +1,15 @@
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v5.0.0
|
||||
hooks:
|
||||
- id: trailing-whitespace
|
||||
- id: end-of-file-fixer
|
||||
- id: check-yaml
|
||||
- id: check-added-large-files
|
||||
|
||||
- repo: https://github.com/dnephin/pre-commit-golang
|
||||
rev: v0.5.1
|
||||
hooks:
|
||||
- id: go-fmt
|
||||
- id: go-vet
|
||||
- id: go-mod-tidy
|
||||
@@ -0,0 +1,8 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: build
|
||||
image: golang:1.25
|
||||
commands:
|
||||
- make build
|
||||
@@ -0,0 +1,18 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: pre-commit
|
||||
image: git.unkin.net/unkin/almalinux9-gobuilder:20260606
|
||||
commands:
|
||||
- uvx pre-commit run --all-files
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,13 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: lint
|
||||
image: golang:1.25
|
||||
commands:
|
||||
- make lint
|
||||
|
||||
- name: test
|
||||
image: golang:1.25
|
||||
commands:
|
||||
- make test
|
||||
@@ -0,0 +1,65 @@
|
||||
.PHONY: build install test lint fmt clean tidy package e2e patch minor major check-go
|
||||
|
||||
BINARY := terraform-provider-litellmvaultsecret
|
||||
VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "0.0.0-dev")
|
||||
OS_ARCH := linux_amd64
|
||||
INSTALL_VERSION := $(shell echo $(VERSION) | sed 's/^v//')
|
||||
INSTALL_DIR := ~/.terraform.d/plugins/git.unkin.net/unkin/litellmvaultsecret/$(INSTALL_VERSION)/$(OS_ARCH)
|
||||
ZIP := $(BINARY)_$(INSTALL_VERSION)_$(OS_ARCH).zip
|
||||
|
||||
GO_VERSION_REQUIRED := 1.25
|
||||
GO_VERSION_ACTUAL := $(shell go version | sed 's/go version go\([0-9]*\.[0-9]*\).*/\1/')
|
||||
|
||||
check-go:
|
||||
@if [ "$$(printf '%s\n%s' "$(GO_VERSION_REQUIRED)" "$(GO_VERSION_ACTUAL)" | sort -V | head -1)" != "$(GO_VERSION_REQUIRED)" ]; then \
|
||||
echo "ERROR: Go >= $(GO_VERSION_REQUIRED) required, found $(GO_VERSION_ACTUAL)"; exit 1; \
|
||||
fi
|
||||
|
||||
build: check-go tidy
|
||||
go build -ldflags="-s -w -X main.version=$(VERSION)" -o $(BINARY)
|
||||
|
||||
install: build
|
||||
mkdir -p $(INSTALL_DIR)
|
||||
cp $(BINARY) $(INSTALL_DIR)/
|
||||
|
||||
test: check-go
|
||||
go test -race -count=1 ./...
|
||||
|
||||
lint: check-go
|
||||
go vet ./...
|
||||
|
||||
fmt: check-go
|
||||
gofmt -w .
|
||||
|
||||
package: build
|
||||
cp $(BINARY) $(BINARY)_v$(INSTALL_VERSION)
|
||||
python3 -c "import zipfile,sys; z=zipfile.ZipFile(sys.argv[1],'w',zipfile.ZIP_DEFLATED); z.write(sys.argv[2]); z.close()" $(ZIP) $(BINARY)_v$(INSTALL_VERSION)
|
||||
rm $(BINARY)_v$(INSTALL_VERSION)
|
||||
|
||||
# End-to-end: boots Vault + LiteLLM + the plugin and applies real terraform.
|
||||
e2e:
|
||||
./scripts/e2e.sh
|
||||
|
||||
clean:
|
||||
rm -f $(BINARY) *.zip
|
||||
|
||||
tidy:
|
||||
go mod tidy
|
||||
|
||||
_LATEST := $(shell git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$$' | head -1)
|
||||
_BASE := $(if $(_LATEST),$(_LATEST),v0.0.0)
|
||||
_MAJ := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f1)
|
||||
_MIN := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f2)
|
||||
_PAT := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f3)
|
||||
|
||||
patch:
|
||||
@NEW=v$(_MAJ).$(_MIN).$(shell expr $(_PAT) + 1); \
|
||||
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
|
||||
|
||||
minor:
|
||||
@NEW=v$(_MAJ).$(shell expr $(_MIN) + 1).0; \
|
||||
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
|
||||
|
||||
major:
|
||||
@NEW=v$(shell expr $(_MAJ) + 1).0.0; \
|
||||
git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW
|
||||
@@ -1,3 +1,104 @@
|
||||
# terraform-provider-litellmvaultsecret
|
||||
|
||||
Terraform provider for the Vault/OpenBao LiteLLM dynamic secrets engine (litellmvaultsecret)
|
||||
A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine**
|
||||
(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm)
|
||||
plugin) on HashiCorp Vault or OpenBao.
|
||||
|
||||
It lets you declare, as code, the LiteLLM secrets-engine mount, its connection
|
||||
config, and the roles that scope generated virtual keys — for use from
|
||||
`terraform-vault`.
|
||||
|
||||
## Provider
|
||||
|
||||
```hcl
|
||||
terraform {
|
||||
required_providers {
|
||||
litellmvaultsecret = {
|
||||
source = "git.unkin.net/unkin/litellmvaultsecret"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "litellmvaultsecret" {
|
||||
address = "https://vault.example.com" # or VAULT_ADDR
|
||||
token = var.vault_token # or VAULT_TOKEN
|
||||
}
|
||||
```
|
||||
|
||||
## Resources
|
||||
|
||||
### `litellmvaultsecret_secret_backend`
|
||||
|
||||
Mounts the engine and writes its connection config.
|
||||
|
||||
| Attribute | Required | Description |
|
||||
| ------------------------- | -------- | ---------------------------------------------------- |
|
||||
| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. |
|
||||
| `base_url` | yes | LiteLLM proxy URL the plugin calls. |
|
||||
| `master_key` | yes | LiteLLM master key (sensitive, never read back). |
|
||||
| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). |
|
||||
| `description` | no | Mount description. |
|
||||
| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). |
|
||||
|
||||
### `litellmvaultsecret_secret_backend_role`
|
||||
|
||||
Manages a role that constrains generated keys.
|
||||
|
||||
| Attribute | Required | Description |
|
||||
| ------------------ | -------- | ---------------------------------------------- |
|
||||
| `backend` | yes | Mount path of the engine. Forces replacement. |
|
||||
| `name` | yes | Role name. Forces replacement. |
|
||||
| `models` | no | Allowed models (set); empty = unrestricted. |
|
||||
| `max_budget` | no | Spending limit per key; 0 = unlimited. |
|
||||
| `ttl` | no | Default lease TTL, in **seconds**. |
|
||||
| `max_ttl` | no | Maximum lease TTL, in **seconds**. |
|
||||
| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). |
|
||||
| `metadata` | no | Metadata attached to each key (map). |
|
||||
|
||||
## Example
|
||||
|
||||
```hcl
|
||||
resource "litellmvaultsecret_secret_backend" "litellm" {
|
||||
path = "litellm"
|
||||
base_url = "http://litellm.litellm.svc:4000"
|
||||
master_key = var.litellm_master_key
|
||||
}
|
||||
|
||||
resource "litellmvaultsecret_secret_backend_role" "team_a" {
|
||||
backend = litellmvaultsecret_secret_backend.litellm.path
|
||||
name = "team-a"
|
||||
models = ["gpt-3.5-turbo", "gpt-4"]
|
||||
max_budget = 50
|
||||
ttl = 3600
|
||||
max_ttl = 86400
|
||||
}
|
||||
```
|
||||
|
||||
Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped,
|
||||
budgeted, lease-bound virtual key.
|
||||
|
||||
## Import
|
||||
|
||||
```sh
|
||||
terraform import litellmvaultsecret_secret_backend.litellm litellm
|
||||
terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a
|
||||
```
|
||||
|
||||
## Development
|
||||
|
||||
```sh
|
||||
make build # build the provider binary
|
||||
make install # install into ~/.terraform.d/plugins for local use
|
||||
make test # unit tests (race-enabled)
|
||||
make lint # go vet
|
||||
make fmt # gofmt
|
||||
make e2e # end-to-end: real Vault + LiteLLM + plugin, terraform apply
|
||||
```
|
||||
|
||||
### End-to-end tests
|
||||
|
||||
`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault +
|
||||
LiteLLM + Postgres in Docker, installs this provider locally, then runs a real
|
||||
`terraform apply` that mounts the engine and creates a role, and asserts that a
|
||||
working virtual key can be generated from it. Requires Docker; bind mounts use
|
||||
`:z` for SELinux.
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
litellmvaultsecret = {
|
||||
source = "git.unkin.net/unkin/litellmvaultsecret"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "litellmvaultsecret" {
|
||||
# address and token fall back to VAULT_ADDR / VAULT_TOKEN
|
||||
address = "https://vault.example.com"
|
||||
}
|
||||
|
||||
resource "litellmvaultsecret_secret_backend" "litellm" {
|
||||
path = "litellm"
|
||||
description = "LiteLLM dynamic virtual keys"
|
||||
base_url = "http://litellm.litellm.svc:4000"
|
||||
master_key = var.litellm_master_key
|
||||
}
|
||||
|
||||
variable "litellm_master_key" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
resource "litellmvaultsecret_secret_backend_role" "team_a" {
|
||||
backend = litellmvaultsecret_secret_backend.litellm.path
|
||||
name = "team-a"
|
||||
|
||||
models = ["gpt-3.5-turbo", "gpt-4"]
|
||||
max_budget = 50
|
||||
ttl = 3600 # seconds (1h)
|
||||
max_ttl = 86400 # seconds (24h)
|
||||
|
||||
metadata = {
|
||||
team = "a"
|
||||
env = "prod"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,49 @@
|
||||
module git.unkin.net/unkin/terraform-provider-litellmvaultsecret
|
||||
|
||||
go 1.25
|
||||
|
||||
require (
|
||||
github.com/hashicorp/terraform-plugin-framework v1.15.0
|
||||
github.com/hashicorp/vault/api v1.15.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
|
||||
github.com/fatih/color v1.16.0 // indirect
|
||||
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
|
||||
github.com/golang/protobuf v1.5.4 // indirect
|
||||
github.com/hashicorp/errwrap v1.1.0 // indirect
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
||||
github.com/hashicorp/go-hclog v1.6.3 // indirect
|
||||
github.com/hashicorp/go-multierror v1.1.1 // indirect
|
||||
github.com/hashicorp/go-plugin v1.6.3 // indirect
|
||||
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
|
||||
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
|
||||
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
|
||||
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
|
||||
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
|
||||
github.com/hashicorp/go-uuid v1.0.3 // indirect
|
||||
github.com/hashicorp/hcl v1.0.0 // indirect
|
||||
github.com/hashicorp/terraform-plugin-go v0.27.0 // indirect
|
||||
github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
|
||||
github.com/hashicorp/terraform-registry-address v0.2.5 // indirect
|
||||
github.com/hashicorp/terraform-svchost v0.1.1 // indirect
|
||||
github.com/hashicorp/yamux v0.1.1 // indirect
|
||||
github.com/mattn/go-colorable v0.1.13 // indirect
|
||||
github.com/mattn/go-isatty v0.0.20 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
|
||||
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
||||
github.com/oklog/run v1.0.0 // indirect
|
||||
github.com/ryanuber/go-glob v1.0.0 // indirect
|
||||
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
|
||||
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
|
||||
golang.org/x/crypto v0.37.0 // indirect
|
||||
golang.org/x/net v0.39.0 // indirect
|
||||
golang.org/x/sys v0.32.0 // indirect
|
||||
golang.org/x/text v0.24.0 // indirect
|
||||
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
|
||||
google.golang.org/grpc v1.72.1 // indirect
|
||||
google.golang.org/protobuf v1.36.6 // indirect
|
||||
)
|
||||
@@ -0,0 +1,147 @@
|
||||
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
|
||||
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
|
||||
github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
|
||||
github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
|
||||
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
|
||||
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
|
||||
github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
|
||||
github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
|
||||
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
|
||||
github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
|
||||
github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
|
||||
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
|
||||
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
|
||||
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
|
||||
github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
|
||||
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
|
||||
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
|
||||
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
|
||||
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
|
||||
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
|
||||
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
|
||||
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
|
||||
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
|
||||
github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
|
||||
github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
|
||||
github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
|
||||
github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
|
||||
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
|
||||
github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg=
|
||||
github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0=
|
||||
github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
|
||||
github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
|
||||
github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
|
||||
github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
|
||||
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ=
|
||||
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
|
||||
github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
|
||||
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
|
||||
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
|
||||
github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
|
||||
github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
|
||||
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
|
||||
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
|
||||
github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
|
||||
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
|
||||
github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXFtr03FVsNktbbBci8cOKdb4=
|
||||
github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI=
|
||||
github.com/hashicorp/terraform-plugin-go v0.27.0 h1:ujykws/fWIdsi6oTUT5Or4ukvEan4aN9lY+LOxVP8EE=
|
||||
github.com/hashicorp/terraform-plugin-go v0.27.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o=
|
||||
github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0=
|
||||
github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
|
||||
github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M=
|
||||
github.com/hashicorp/terraform-registry-address v0.2.5/go.mod h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg=
|
||||
github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ=
|
||||
github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc=
|
||||
github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
|
||||
github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
|
||||
github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
|
||||
github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
|
||||
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
|
||||
github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
|
||||
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
|
||||
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
|
||||
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
|
||||
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
|
||||
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
|
||||
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
|
||||
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
|
||||
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
|
||||
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
|
||||
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
|
||||
github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
|
||||
github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
|
||||
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
|
||||
github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
|
||||
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
|
||||
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
|
||||
github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
|
||||
github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
|
||||
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
|
||||
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
|
||||
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
|
||||
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
|
||||
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
|
||||
github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
|
||||
github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
|
||||
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
|
||||
github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
|
||||
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
|
||||
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
|
||||
go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
|
||||
go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
|
||||
go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
|
||||
go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
|
||||
go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
|
||||
go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
|
||||
go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
|
||||
go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
|
||||
go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
|
||||
golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
|
||||
golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
|
||||
golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
|
||||
golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
|
||||
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
|
||||
golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
|
||||
golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
|
||||
golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
|
||||
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI=
|
||||
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
|
||||
google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
|
||||
google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
|
||||
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
|
||||
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
@@ -0,0 +1,144 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
vault "github.com/hashicorp/vault/api"
|
||||
)
|
||||
|
||||
// vaultClient wraps the Vault/OpenBao API client with the operations this
|
||||
// provider needs to manage the LiteLLM secrets engine.
|
||||
type vaultClient struct {
|
||||
api *vault.Client
|
||||
}
|
||||
|
||||
func newVaultClient(address, token string) (*vaultClient, error) {
|
||||
cfg := vault.DefaultConfig()
|
||||
if cfg.Error != nil {
|
||||
return nil, cfg.Error
|
||||
}
|
||||
if address != "" {
|
||||
cfg.Address = address
|
||||
}
|
||||
c, err := vault.NewClient(cfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if token != "" {
|
||||
c.SetToken(token)
|
||||
}
|
||||
return &vaultClient{api: c}, nil
|
||||
}
|
||||
|
||||
// mountConfig holds the tunable options applied when enabling the engine.
|
||||
type mountConfig struct {
|
||||
DefaultLeaseTTL string
|
||||
MaxLeaseTTL string
|
||||
}
|
||||
|
||||
// enableMount mounts the secrets engine of the given plugin type at path.
|
||||
func (c *vaultClient) enableMount(ctx context.Context, path, pluginType, description string, cfg mountConfig) error {
|
||||
input := &vault.MountInput{
|
||||
Type: pluginType,
|
||||
Description: description,
|
||||
Config: vault.MountConfigInput{
|
||||
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
|
||||
MaxLeaseTTL: cfg.MaxLeaseTTL,
|
||||
},
|
||||
}
|
||||
return c.api.Sys().MountWithContext(ctx, path, input)
|
||||
}
|
||||
|
||||
// tuneMount updates tunable options of an existing mount (e.g. description).
|
||||
func (c *vaultClient) tuneMount(ctx context.Context, path, description string, cfg mountConfig) error {
|
||||
input := vault.MountConfigInput{
|
||||
Description: &description,
|
||||
DefaultLeaseTTL: cfg.DefaultLeaseTTL,
|
||||
MaxLeaseTTL: cfg.MaxLeaseTTL,
|
||||
}
|
||||
return c.api.Sys().TuneMountWithContext(ctx, path, input)
|
||||
}
|
||||
|
||||
// mountInfo returns the mount at the given path, or nil if it does not exist.
|
||||
func (c *vaultClient) mountInfo(ctx context.Context, path string) (*vault.MountOutput, error) {
|
||||
mounts, err := c.api.Sys().ListMountsWithContext(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
key := strings.TrimRight(path, "/") + "/"
|
||||
if m, ok := mounts[key]; ok {
|
||||
return m, nil
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// disableMount unmounts the secrets engine at path.
|
||||
func (c *vaultClient) disableMount(ctx context.Context, path string) error {
|
||||
return c.api.Sys().UnmountWithContext(ctx, path)
|
||||
}
|
||||
|
||||
// writeConfig writes the LiteLLM connection config for the given backend mount.
|
||||
func (c *vaultClient) writeConfig(ctx context.Context, backend string, data map[string]interface{}) error {
|
||||
_, err := c.api.Logical().WriteWithContext(ctx, backend+"/config", data)
|
||||
return err
|
||||
}
|
||||
|
||||
// readConfig reads the LiteLLM connection config, returning nil if absent.
|
||||
func (c *vaultClient) readConfig(ctx context.Context, backend string) (map[string]interface{}, error) {
|
||||
secret, err := c.api.Logical().ReadWithContext(ctx, backend+"/config")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if secret == nil {
|
||||
return nil, nil
|
||||
}
|
||||
return secret.Data, nil
|
||||
}
|
||||
|
||||
// writeRole creates or updates a role on the given backend mount.
|
||||
func (c *vaultClient) writeRole(ctx context.Context, backend, name string, data map[string]interface{}) error {
|
||||
_, err := c.api.Logical().WriteWithContext(ctx, rolePath(backend, name), data)
|
||||
return err
|
||||
}
|
||||
|
||||
// readRole reads a role, returning nil if it does not exist.
|
||||
func (c *vaultClient) readRole(ctx context.Context, backend, name string) (map[string]interface{}, error) {
|
||||
secret, err := c.api.Logical().ReadWithContext(ctx, rolePath(backend, name))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if secret == nil {
|
||||
return nil, nil
|
||||
}
|
||||
return secret.Data, nil
|
||||
}
|
||||
|
||||
// deleteRole removes a role from the backend mount.
|
||||
func (c *vaultClient) deleteRole(ctx context.Context, backend, name string) error {
|
||||
_, err := c.api.Logical().DeleteWithContext(ctx, rolePath(backend, name))
|
||||
return err
|
||||
}
|
||||
|
||||
func rolePath(backend, name string) string {
|
||||
return fmt.Sprintf("%s/roles/%s", strings.TrimRight(backend, "/"), name)
|
||||
}
|
||||
|
||||
// isMountAlreadyExists reports whether the error is Vault's "path is already in
|
||||
// use" response, so callers can surface a friendlier message.
|
||||
func isMountAlreadyExists(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
var respErr *vault.ResponseError
|
||||
if errors.As(err, &respErr) {
|
||||
for _, e := range respErr.Errors {
|
||||
if strings.Contains(e, "path is already in use") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
@@ -0,0 +1,238 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// mockVault is a minimal in-memory fake of the Vault/OpenBao HTTP API covering
|
||||
// the endpoints this provider uses.
|
||||
type mockVault struct {
|
||||
server *httptest.Server
|
||||
|
||||
mu sync.Mutex
|
||||
mounts map[string]map[string]interface{} // "litellm/" -> mount output
|
||||
configs map[string]map[string]interface{} // backend -> config data
|
||||
roles map[string]map[string]interface{} // "backend/roles/name" -> role data
|
||||
}
|
||||
|
||||
func newMockVault(t *testing.T) (*mockVault, *vaultClient) {
|
||||
t.Helper()
|
||||
m := &mockVault{
|
||||
mounts: map[string]map[string]interface{}{},
|
||||
configs: map[string]map[string]interface{}{},
|
||||
roles: map[string]map[string]interface{}{},
|
||||
}
|
||||
m.server = httptest.NewServer(http.HandlerFunc(m.handle))
|
||||
t.Cleanup(m.server.Close)
|
||||
|
||||
client, err := newVaultClient(m.server.URL, "test-token")
|
||||
if err != nil {
|
||||
t.Fatalf("newVaultClient: %v", err)
|
||||
}
|
||||
return m, client
|
||||
}
|
||||
|
||||
func (m *mockVault) handle(w http.ResponseWriter, r *http.Request) {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
path := strings.TrimPrefix(r.URL.Path, "/v1/")
|
||||
|
||||
switch {
|
||||
case path == "sys/mounts" && r.Method == http.MethodGet:
|
||||
writeSecret(w, map[string]interface{}{"data": toIface(m.mounts)})
|
||||
|
||||
case strings.HasPrefix(path, "sys/mounts/"):
|
||||
mp := strings.TrimPrefix(path, "sys/mounts/")
|
||||
key := strings.TrimRight(mp, "/") + "/"
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
// Store the mount *output* shape (Vault returns int TTLs, not the
|
||||
// string TTLs it accepts on input).
|
||||
m.mounts[key] = map[string]interface{}{
|
||||
"type": body["type"],
|
||||
"description": body["description"],
|
||||
"config": map[string]interface{}{},
|
||||
}
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodDelete:
|
||||
delete(m.mounts, key)
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
case strings.HasSuffix(path, "/config"):
|
||||
backend := strings.TrimSuffix(path, "/config")
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
m.configs[backend] = body
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodGet:
|
||||
cfg, ok := m.configs[backend]
|
||||
if !ok {
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
// The real backend never returns master_key.
|
||||
out := map[string]interface{}{}
|
||||
for k, v := range cfg {
|
||||
if k == "master_key" {
|
||||
continue
|
||||
}
|
||||
out[k] = v
|
||||
}
|
||||
writeSecret(w, map[string]interface{}{"data": out})
|
||||
}
|
||||
|
||||
case strings.Contains(path, "/roles/"):
|
||||
switch r.Method {
|
||||
case http.MethodPost, http.MethodPut:
|
||||
var body map[string]interface{}
|
||||
_ = json.NewDecoder(r.Body).Decode(&body)
|
||||
m.roles[path] = body
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
case http.MethodGet:
|
||||
role, ok := m.roles[path]
|
||||
if !ok {
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
writeSecret(w, map[string]interface{}{"data": role})
|
||||
case http.MethodDelete:
|
||||
delete(m.roles, path)
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
default:
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}
|
||||
}
|
||||
|
||||
func toIface(m map[string]map[string]interface{}) map[string]interface{} {
|
||||
out := map[string]interface{}{}
|
||||
for k, v := range m {
|
||||
out[k] = v
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func writeSecret(w http.ResponseWriter, body map[string]interface{}) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
_ = json.NewEncoder(w).Encode(body)
|
||||
}
|
||||
|
||||
func TestClient_MountLifecycle(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
if err := c.enableMount(ctx, "litellm", "vault-plugin-secrets-litellm", "desc", mountConfig{}); err != nil {
|
||||
t.Fatalf("enableMount: %v", err)
|
||||
}
|
||||
info, err := c.mountInfo(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("mountInfo: %v", err)
|
||||
}
|
||||
if info == nil {
|
||||
t.Fatal("expected mount to exist")
|
||||
}
|
||||
if info.Type != "vault-plugin-secrets-litellm" {
|
||||
t.Fatalf("unexpected mount type: %q", info.Type)
|
||||
}
|
||||
|
||||
if err := c.disableMount(ctx, "litellm"); err != nil {
|
||||
t.Fatalf("disableMount: %v", err)
|
||||
}
|
||||
info, err = c.mountInfo(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("mountInfo after delete: %v", err)
|
||||
}
|
||||
if info != nil {
|
||||
t.Fatal("expected mount to be gone")
|
||||
}
|
||||
}
|
||||
|
||||
func TestClient_ConfigRoundTrip(t *testing.T) {
|
||||
m, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
err := c.writeConfig(ctx, "litellm", map[string]interface{}{
|
||||
"base_url": "http://litellm:4000",
|
||||
"master_key": "sk-secret",
|
||||
"request_timeout_seconds": 30,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("writeConfig: %v", err)
|
||||
}
|
||||
|
||||
cfg, err := c.readConfig(ctx, "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("readConfig: %v", err)
|
||||
}
|
||||
if cfg["base_url"] != "http://litellm:4000" {
|
||||
t.Fatalf("unexpected base_url: %v", cfg["base_url"])
|
||||
}
|
||||
if _, leaked := cfg["master_key"]; leaked {
|
||||
t.Fatal("master_key must not be returned by read")
|
||||
}
|
||||
_ = m
|
||||
}
|
||||
|
||||
func TestClient_ReadConfigMissing(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
cfg, err := c.readConfig(context.Background(), "litellm")
|
||||
if err != nil {
|
||||
t.Fatalf("readConfig: %v", err)
|
||||
}
|
||||
if cfg != nil {
|
||||
t.Fatalf("expected nil config, got %v", cfg)
|
||||
}
|
||||
}
|
||||
|
||||
func TestClient_RoleLifecycle(t *testing.T) {
|
||||
_, c := newMockVault(t)
|
||||
ctx := context.Background()
|
||||
|
||||
err := c.writeRole(ctx, "litellm", "team-a", map[string]interface{}{
|
||||
"models": []string{"gpt-4"},
|
||||
"max_budget": 25.0,
|
||||
"ttl": 3600,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("writeRole: %v", err)
|
||||
}
|
||||
|
||||
role, err := c.readRole(ctx, "litellm", "team-a")
|
||||
if err != nil {
|
||||
t.Fatalf("readRole: %v", err)
|
||||
}
|
||||
if role == nil {
|
||||
t.Fatal("expected role to exist")
|
||||
}
|
||||
|
||||
if err := c.deleteRole(ctx, "litellm", "team-a"); err != nil {
|
||||
t.Fatalf("deleteRole: %v", err)
|
||||
}
|
||||
role, err = c.readRole(ctx, "litellm", "team-a")
|
||||
if err != nil {
|
||||
t.Fatalf("readRole after delete: %v", err)
|
||||
}
|
||||
if role != nil {
|
||||
t.Fatal("expected role to be gone")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRolePath(t *testing.T) {
|
||||
if got := rolePath("litellm/", "team-a"); got != "litellm/roles/team-a" {
|
||||
t.Fatalf("unexpected role path: %q", got)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,171 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/attr"
|
||||
"github.com/hashicorp/terraform-plugin-framework/diag"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
// roleData builds the request payload for writing a role to the backend.
|
||||
func roleData(ctx context.Context, m secretBackendRoleModel) (map[string]interface{}, diag.Diagnostics) {
|
||||
var diags diag.Diagnostics
|
||||
data := map[string]interface{}{}
|
||||
|
||||
if !m.Models.IsNull() && !m.Models.IsUnknown() {
|
||||
var models []string
|
||||
diags.Append(m.Models.ElementsAs(ctx, &models, false)...)
|
||||
if diags.HasError() {
|
||||
return nil, diags
|
||||
}
|
||||
data["models"] = models
|
||||
} else {
|
||||
data["models"] = []string{}
|
||||
}
|
||||
|
||||
if !m.MaxBudget.IsNull() && !m.MaxBudget.IsUnknown() {
|
||||
data["max_budget"] = m.MaxBudget.ValueFloat64()
|
||||
}
|
||||
if !m.KeyAliasPrefix.IsNull() && !m.KeyAliasPrefix.IsUnknown() {
|
||||
data["key_alias_prefix"] = m.KeyAliasPrefix.ValueString()
|
||||
}
|
||||
if !m.TTL.IsNull() && !m.TTL.IsUnknown() {
|
||||
data["ttl"] = m.TTL.ValueInt64()
|
||||
}
|
||||
if !m.MaxTTL.IsNull() && !m.MaxTTL.IsUnknown() {
|
||||
data["max_ttl"] = m.MaxTTL.ValueInt64()
|
||||
}
|
||||
if !m.Metadata.IsNull() && !m.Metadata.IsUnknown() {
|
||||
var meta map[string]string
|
||||
diags.Append(m.Metadata.ElementsAs(ctx, &meta, false)...)
|
||||
if diags.HasError() {
|
||||
return nil, diags
|
||||
}
|
||||
data["metadata"] = meta
|
||||
}
|
||||
|
||||
return data, diags
|
||||
}
|
||||
|
||||
// applyRoleData refreshes a model from a role read out of the backend.
|
||||
func applyRoleData(ctx context.Context, m *secretBackendRoleModel, role map[string]interface{}) diag.Diagnostics {
|
||||
var diags diag.Diagnostics
|
||||
|
||||
models := toStringSlice(role["models"])
|
||||
if len(models) == 0 {
|
||||
m.Models = types.SetNull(types.StringType)
|
||||
} else {
|
||||
set, d := types.SetValueFrom(ctx, types.StringType, models)
|
||||
diags.Append(d...)
|
||||
m.Models = set
|
||||
}
|
||||
|
||||
if budget, ok := toFloat64(role["max_budget"]); ok && budget != 0 {
|
||||
m.MaxBudget = types.Float64Value(budget)
|
||||
} else if m.MaxBudget.IsUnknown() {
|
||||
m.MaxBudget = types.Float64Null()
|
||||
}
|
||||
|
||||
if prefix, ok := role["key_alias_prefix"].(string); ok {
|
||||
m.KeyAliasPrefix = types.StringValue(prefix)
|
||||
}
|
||||
|
||||
if ttl, ok := toInt64(role["ttl"]); ok && ttl != 0 {
|
||||
m.TTL = types.Int64Value(ttl)
|
||||
} else if m.TTL.IsUnknown() {
|
||||
m.TTL = types.Int64Null()
|
||||
}
|
||||
if maxTTL, ok := toInt64(role["max_ttl"]); ok && maxTTL != 0 {
|
||||
m.MaxTTL = types.Int64Value(maxTTL)
|
||||
} else if m.MaxTTL.IsUnknown() {
|
||||
m.MaxTTL = types.Int64Null()
|
||||
}
|
||||
|
||||
meta := toStringMap(role["metadata"])
|
||||
if len(meta) == 0 {
|
||||
m.Metadata = types.MapNull(types.StringType)
|
||||
} else {
|
||||
mp, d := types.MapValueFrom(ctx, types.StringType, meta)
|
||||
diags.Append(d...)
|
||||
m.Metadata = mp
|
||||
}
|
||||
|
||||
return diags
|
||||
}
|
||||
|
||||
func toStringSlice(v interface{}) []string {
|
||||
raw, ok := v.([]interface{})
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
out := make([]string, 0, len(raw))
|
||||
for _, e := range raw {
|
||||
if s, ok := e.(string); ok {
|
||||
out = append(out, s)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func toStringMap(v interface{}) map[string]string {
|
||||
raw, ok := v.(map[string]interface{})
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
out := make(map[string]string, len(raw))
|
||||
for k, e := range raw {
|
||||
if s, ok := e.(string); ok {
|
||||
out[k] = s
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
// toInt64 coerces the numeric shapes Vault returns (json.Number, float64, int)
|
||||
// into an int64.
|
||||
func toInt64(v interface{}) (int64, bool) {
|
||||
switch n := v.(type) {
|
||||
case json.Number:
|
||||
i, err := n.Int64()
|
||||
if err != nil {
|
||||
f, ferr := n.Float64()
|
||||
if ferr != nil {
|
||||
return 0, false
|
||||
}
|
||||
return int64(f), true
|
||||
}
|
||||
return i, true
|
||||
case float64:
|
||||
return int64(n), true
|
||||
case int64:
|
||||
return n, true
|
||||
case int:
|
||||
return int64(n), true
|
||||
default:
|
||||
return 0, false
|
||||
}
|
||||
}
|
||||
|
||||
func toFloat64(v interface{}) (float64, bool) {
|
||||
switch n := v.(type) {
|
||||
case json.Number:
|
||||
f, err := n.Float64()
|
||||
if err != nil {
|
||||
return 0, false
|
||||
}
|
||||
return f, true
|
||||
case float64:
|
||||
return n, true
|
||||
case int64:
|
||||
return float64(n), true
|
||||
case int:
|
||||
return float64(n), true
|
||||
default:
|
||||
return 0, false
|
||||
}
|
||||
}
|
||||
|
||||
// ensure attr is referenced (kept for future typed conversions).
|
||||
var _ = attr.Value(nil)
|
||||
@@ -0,0 +1,166 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
func TestRoleData_FullRoundTrip(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
|
||||
models, _ := types.SetValueFrom(ctx, types.StringType, []string{"gpt-4", "gpt-3.5-turbo"})
|
||||
meta, _ := types.MapValueFrom(ctx, types.StringType, map[string]string{"team": "a"})
|
||||
|
||||
m := secretBackendRoleModel{
|
||||
Backend: types.StringValue("litellm"),
|
||||
Name: types.StringValue("team-a"),
|
||||
Models: models,
|
||||
MaxBudget: types.Float64Value(50),
|
||||
KeyAliasPrefix: types.StringValue("vault"),
|
||||
TTL: types.Int64Value(3600),
|
||||
MaxTTL: types.Int64Value(86400),
|
||||
Metadata: meta,
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, m)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("roleData diags: %v", diags)
|
||||
}
|
||||
if got := data["max_budget"].(float64); got != 50 {
|
||||
t.Fatalf("max_budget: %v", got)
|
||||
}
|
||||
if got := data["ttl"].(int64); got != 3600 {
|
||||
t.Fatalf("ttl: %v", got)
|
||||
}
|
||||
if got := data["models"].([]string); len(got) != 2 {
|
||||
t.Fatalf("models: %v", got)
|
||||
}
|
||||
if got := data["metadata"].(map[string]string); got["team"] != "a" {
|
||||
t.Fatalf("metadata: %v", got)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRoleData_OmitsUnsetOptionals(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := secretBackendRoleModel{
|
||||
Backend: types.StringValue("litellm"),
|
||||
Name: types.StringValue("minimal"),
|
||||
Models: types.SetNull(types.StringType),
|
||||
MaxBudget: types.Float64Null(),
|
||||
KeyAliasPrefix: types.StringValue("vault"),
|
||||
TTL: types.Int64Null(),
|
||||
MaxTTL: types.Int64Null(),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
data, diags := roleData(ctx, m)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("diags: %v", diags)
|
||||
}
|
||||
if _, ok := data["max_budget"]; ok {
|
||||
t.Fatal("max_budget should be omitted when null")
|
||||
}
|
||||
if _, ok := data["ttl"]; ok {
|
||||
t.Fatal("ttl should be omitted when null")
|
||||
}
|
||||
// models is always sent (empty list = unrestricted).
|
||||
if got, ok := data["models"].([]string); !ok || len(got) != 0 {
|
||||
t.Fatalf("expected empty models slice, got %v", data["models"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyRoleData(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := &secretBackendRoleModel{
|
||||
Models: types.SetNull(types.StringType),
|
||||
MaxBudget: types.Float64Null(),
|
||||
TTL: types.Int64Null(),
|
||||
MaxTTL: types.Int64Null(),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
|
||||
// Simulate what Vault returns (numbers arrive as json.Number).
|
||||
role := map[string]interface{}{
|
||||
"models": []interface{}{"gpt-4"},
|
||||
"max_budget": json.Number("50"),
|
||||
"key_alias_prefix": "vault",
|
||||
"ttl": json.Number("3600"),
|
||||
"max_ttl": json.Number("86400"),
|
||||
"metadata": map[string]interface{}{"team": "a"},
|
||||
}
|
||||
|
||||
diags := applyRoleData(ctx, m, role)
|
||||
if diags.HasError() {
|
||||
t.Fatalf("applyRoleData diags: %v", diags)
|
||||
}
|
||||
if m.TTL.ValueInt64() != 3600 {
|
||||
t.Fatalf("ttl: %v", m.TTL)
|
||||
}
|
||||
if m.MaxTTL.ValueInt64() != 86400 {
|
||||
t.Fatalf("max_ttl: %v", m.MaxTTL)
|
||||
}
|
||||
if m.MaxBudget.ValueFloat64() != 50 {
|
||||
t.Fatalf("max_budget: %v", m.MaxBudget)
|
||||
}
|
||||
if m.KeyAliasPrefix.ValueString() != "vault" {
|
||||
t.Fatalf("prefix: %v", m.KeyAliasPrefix)
|
||||
}
|
||||
var models []string
|
||||
m.Models.ElementsAs(ctx, &models, false)
|
||||
if len(models) != 1 || models[0] != "gpt-4" {
|
||||
t.Fatalf("models: %v", models)
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyRoleData_EmptyModelsBecomesNull(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
m := &secretBackendRoleModel{
|
||||
Models: types.SetValueMust(types.StringType, nil),
|
||||
Metadata: types.MapNull(types.StringType),
|
||||
}
|
||||
role := map[string]interface{}{"models": []interface{}{}}
|
||||
if diags := applyRoleData(ctx, m, role); diags.HasError() {
|
||||
t.Fatalf("diags: %v", diags)
|
||||
}
|
||||
if !m.Models.IsNull() {
|
||||
t.Fatalf("expected null models, got %v", m.Models)
|
||||
}
|
||||
}
|
||||
|
||||
func TestToInt64(t *testing.T) {
|
||||
cases := []struct {
|
||||
in interface{}
|
||||
want int64
|
||||
ok bool
|
||||
}{
|
||||
{json.Number("3600"), 3600, true},
|
||||
{float64(42), 42, true},
|
||||
{int64(7), 7, true},
|
||||
{int(9), 9, true},
|
||||
{"nope", 0, false},
|
||||
{nil, 0, false},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
got, ok := toInt64(tc.in)
|
||||
if ok != tc.ok || got != tc.want {
|
||||
t.Fatalf("toInt64(%v) = (%d,%v), want (%d,%v)", tc.in, got, ok, tc.want, tc.ok)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSplitRoleID(t *testing.T) {
|
||||
backend, name, ok := splitRoleID("litellm/roles/team-a")
|
||||
if !ok || backend != "litellm" || name != "team-a" {
|
||||
t.Fatalf("got backend=%q name=%q ok=%v", backend, name, ok)
|
||||
}
|
||||
if _, _, ok := splitRoleID("nonsense"); ok {
|
||||
t.Fatal("expected failure on malformed id")
|
||||
}
|
||||
// Nested mount paths must still split on the final /roles/.
|
||||
b, n, ok := splitRoleID("team/litellm/roles/x")
|
||||
if !ok || b != "team/litellm" || n != "x" {
|
||||
t.Fatalf("nested split: backend=%q name=%q ok=%v", b, n, ok)
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,97 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"os"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/datasource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/provider"
|
||||
"github.com/hashicorp/terraform-plugin-framework/provider/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var _ provider.Provider = &litellmProvider{}
|
||||
|
||||
type litellmProvider struct {
|
||||
version string
|
||||
}
|
||||
|
||||
type litellmProviderModel struct {
|
||||
Address types.String `tfsdk:"address"`
|
||||
Token types.String `tfsdk:"token"`
|
||||
}
|
||||
|
||||
func New(version string) func() provider.Provider {
|
||||
return func() provider.Provider {
|
||||
return &litellmProvider{version: version}
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) {
|
||||
resp.TypeName = "litellmvaultsecret"
|
||||
resp.Version = p.version
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Manage the LiteLLM dynamic secrets engine (config and roles) on HashiCorp Vault or OpenBao.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"address": schema.StringAttribute{
|
||||
Description: "Address of the Vault/OpenBao server. Falls back to the VAULT_ADDR environment variable.",
|
||||
Optional: true,
|
||||
},
|
||||
"token": schema.StringAttribute{
|
||||
Description: "Token used to authenticate to Vault/OpenBao. Falls back to the VAULT_TOKEN environment variable.",
|
||||
Optional: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {
|
||||
var config litellmProviderModel
|
||||
resp.Diagnostics.Append(req.Config.Get(ctx, &config)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
address := os.Getenv("VAULT_ADDR")
|
||||
if !config.Address.IsNull() && config.Address.ValueString() != "" {
|
||||
address = config.Address.ValueString()
|
||||
}
|
||||
|
||||
token := os.Getenv("VAULT_TOKEN")
|
||||
if !config.Token.IsNull() && config.Token.ValueString() != "" {
|
||||
token = config.Token.ValueString()
|
||||
}
|
||||
|
||||
if address == "" {
|
||||
resp.Diagnostics.AddError(
|
||||
"missing Vault address",
|
||||
"Set the provider \"address\" attribute or the VAULT_ADDR environment variable.",
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
client, err := newVaultClient(address, token)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to create Vault client", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
resp.DataSourceData = client
|
||||
resp.ResourceData = client
|
||||
}
|
||||
|
||||
func (p *litellmProvider) Resources(_ context.Context) []func() resource.Resource {
|
||||
return []func() resource.Resource{
|
||||
NewSecretBackendResource,
|
||||
NewSecretBackendRoleResource,
|
||||
}
|
||||
}
|
||||
|
||||
func (p *litellmProvider) DataSources(_ context.Context) []func() datasource.DataSource {
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,225 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/path"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var (
|
||||
_ resource.Resource = &secretBackendResource{}
|
||||
_ resource.ResourceWithImportState = &secretBackendResource{}
|
||||
)
|
||||
|
||||
const defaultPluginType = "vault-plugin-secrets-litellm"
|
||||
|
||||
type secretBackendResource struct {
|
||||
client *vaultClient
|
||||
}
|
||||
|
||||
type secretBackendModel struct {
|
||||
Path types.String `tfsdk:"path"`
|
||||
Plugin types.String `tfsdk:"plugin"`
|
||||
Description types.String `tfsdk:"description"`
|
||||
BaseURL types.String `tfsdk:"base_url"`
|
||||
MasterKey types.String `tfsdk:"master_key"`
|
||||
RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"`
|
||||
}
|
||||
|
||||
func NewSecretBackendResource() resource.Resource {
|
||||
return &secretBackendResource{}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
||||
resp.TypeName = req.ProviderTypeName + "_secret_backend"
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Mounts the LiteLLM secrets engine and writes its connection config.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"path": schema.StringAttribute{
|
||||
Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"plugin": schema.StringAttribute{
|
||||
Description: "Registered plugin name/type to mount.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString(defaultPluginType),
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"description": schema.StringAttribute{
|
||||
Description: "Human-readable description of the mount.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString(""),
|
||||
},
|
||||
"base_url": schema.StringAttribute{
|
||||
Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).",
|
||||
Required: true,
|
||||
},
|
||||
"master_key": schema.StringAttribute{
|
||||
Description: "LiteLLM master key used to manage virtual keys.",
|
||||
Required: true,
|
||||
Sensitive: true,
|
||||
},
|
||||
"request_timeout_seconds": schema.Int64Attribute{
|
||||
Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: int64default.StaticInt64(30),
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
if req.ProviderData == nil {
|
||||
return
|
||||
}
|
||||
client, ok := req.ProviderData.(*vaultClient)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
||||
return
|
||||
}
|
||||
r.client = client
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
||||
var plan secretBackendModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(plan.Path.ValueString(), "/")
|
||||
|
||||
err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{})
|
||||
if err != nil {
|
||||
if isMountAlreadyExists(err) {
|
||||
resp.Diagnostics.AddError(
|
||||
"mount path already in use",
|
||||
fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath),
|
||||
)
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
||||
// Roll back the mount so we don't leave a half-configured engine.
|
||||
_ = r.client.disableMount(ctx, mountPath)
|
||||
resp.Diagnostics.AddError("failed to write litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
plan.Path = types.StringValue(mountPath)
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
||||
var state secretBackendModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
||||
|
||||
mount, err := r.client.mountInfo(ctx, mountPath)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read mount", err.Error())
|
||||
return
|
||||
}
|
||||
if mount == nil {
|
||||
resp.State.RemoveResource(ctx)
|
||||
return
|
||||
}
|
||||
state.Description = types.StringValue(mount.Description)
|
||||
if mount.Type != "" {
|
||||
state.Plugin = types.StringValue(mount.Type)
|
||||
}
|
||||
|
||||
cfg, err := r.client.readConfig(ctx, mountPath)
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
if cfg != nil {
|
||||
if v, ok := cfg["base_url"].(string); ok {
|
||||
state.BaseURL = types.StringValue(v)
|
||||
}
|
||||
if n, ok := toInt64(cfg["request_timeout_seconds"]); ok {
|
||||
state.RequestTimeoutSeconds = types.Int64Value(n)
|
||||
}
|
||||
}
|
||||
// master_key is never returned by the backend; preserve the state value.
|
||||
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
||||
var plan, state secretBackendModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
||||
|
||||
if !plan.Description.Equal(state.Description) {
|
||||
if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil {
|
||||
resp.Diagnostics.AddError("failed to tune mount description", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
||||
resp.Diagnostics.AddError("failed to update litellm config", err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
plan.Path = types.StringValue(mountPath)
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
||||
var state secretBackendModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil {
|
||||
resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
||||
resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp)
|
||||
}
|
||||
|
||||
func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} {
|
||||
return map[string]interface{}{
|
||||
"base_url": m.BaseURL.ValueString(),
|
||||
"master_key": m.MasterKey.ValueString(),
|
||||
"request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(),
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,235 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/diag"
|
||||
"github.com/hashicorp/terraform-plugin-framework/path"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
||||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
||||
"github.com/hashicorp/terraform-plugin-framework/types"
|
||||
)
|
||||
|
||||
var (
|
||||
_ resource.Resource = &secretBackendRoleResource{}
|
||||
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
|
||||
)
|
||||
|
||||
type secretBackendRoleResource struct {
|
||||
client *vaultClient
|
||||
}
|
||||
|
||||
type secretBackendRoleModel struct {
|
||||
Backend types.String `tfsdk:"backend"`
|
||||
Name types.String `tfsdk:"name"`
|
||||
Models types.Set `tfsdk:"models"`
|
||||
MaxBudget types.Float64 `tfsdk:"max_budget"`
|
||||
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
|
||||
TTL types.Int64 `tfsdk:"ttl"`
|
||||
MaxTTL types.Int64 `tfsdk:"max_ttl"`
|
||||
Metadata types.Map `tfsdk:"metadata"`
|
||||
}
|
||||
|
||||
func NewSecretBackendRoleResource() resource.Resource {
|
||||
return &secretBackendRoleResource{}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
||||
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
||||
resp.Schema = schema.Schema{
|
||||
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
|
||||
Attributes: map[string]schema.Attribute{
|
||||
"backend": schema.StringAttribute{
|
||||
Description: "Mount path of the LiteLLM secrets engine.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"name": schema.StringAttribute{
|
||||
Description: "Name of the role.",
|
||||
Required: true,
|
||||
PlanModifiers: []planmodifier.String{
|
||||
stringplanmodifier.RequiresReplace(),
|
||||
},
|
||||
},
|
||||
"models": schema.SetAttribute{
|
||||
Description: "Models a generated key may access. Empty means unrestricted.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
"max_budget": schema.Float64Attribute{
|
||||
Description: "Spending limit applied to each generated key. 0 means unlimited.",
|
||||
Optional: true,
|
||||
},
|
||||
"key_alias_prefix": schema.StringAttribute{
|
||||
Description: "Prefix for the auto-generated key alias.",
|
||||
Optional: true,
|
||||
Computed: true,
|
||||
Default: stringdefault.StaticString("vault"),
|
||||
},
|
||||
"ttl": schema.Int64Attribute{
|
||||
Description: "Default lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"max_ttl": schema.Int64Attribute{
|
||||
Description: "Maximum lease TTL in seconds for keys generated from this role.",
|
||||
Optional: true,
|
||||
},
|
||||
"metadata": schema.MapAttribute{
|
||||
Description: "Metadata attached to each generated key.",
|
||||
ElementType: types.StringType,
|
||||
Optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
||||
if req.ProviderData == nil {
|
||||
return
|
||||
}
|
||||
client, ok := req.ProviderData.(*vaultClient)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
||||
return
|
||||
}
|
||||
r.client = client
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
|
||||
if err != nil {
|
||||
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
if role == nil {
|
||||
resp.State.RemoveResource(ctx)
|
||||
return
|
||||
}
|
||||
|
||||
diags := applyRoleData(ctx, &state, role)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
||||
var plan secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
data, diags := roleData(ctx, plan)
|
||||
resp.Diagnostics.Append(diags...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
|
||||
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
|
||||
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
||||
var state secretBackendRoleModel
|
||||
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
||||
if resp.Diagnostics.HasError() {
|
||||
return
|
||||
}
|
||||
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
|
||||
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
||||
// Import ID format: "<backend>/roles/<name>".
|
||||
backend, name, ok := splitRoleID(req.ID)
|
||||
if !ok {
|
||||
resp.Diagnostics.AddError(
|
||||
"invalid import ID",
|
||||
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
|
||||
)
|
||||
return
|
||||
}
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
|
||||
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
|
||||
}
|
||||
|
||||
// readInto refreshes the model in place from the backend after a write, so
|
||||
// computed fields (e.g. key_alias_prefix default) reflect stored values.
|
||||
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
|
||||
var diags diag.Diagnostics
|
||||
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
|
||||
if err != nil {
|
||||
diags.AddError("failed to read back litellm role", err.Error())
|
||||
return diags
|
||||
}
|
||||
if role == nil {
|
||||
diags.AddError("role missing after write", "the role was not found immediately after being written")
|
||||
return diags
|
||||
}
|
||||
return applyRoleData(ctx, m, role)
|
||||
}
|
||||
|
||||
func splitRoleID(id string) (backend, name string, ok bool) {
|
||||
marker := "/roles/"
|
||||
idx := strings.LastIndex(id, marker)
|
||||
if idx <= 0 {
|
||||
return "", "", false
|
||||
}
|
||||
backend = id[:idx]
|
||||
name = id[idx+len(marker):]
|
||||
if backend == "" || name == "" {
|
||||
return "", "", false
|
||||
}
|
||||
return backend, name, true
|
||||
}
|
||||
@@ -0,0 +1,28 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"flag"
|
||||
"log"
|
||||
|
||||
"github.com/hashicorp/terraform-plugin-framework/providerserver"
|
||||
|
||||
"git.unkin.net/unkin/terraform-provider-litellmvaultsecret/internal/provider"
|
||||
)
|
||||
|
||||
var version = "0.0.1"
|
||||
|
||||
func main() {
|
||||
var debug bool
|
||||
flag.BoolVar(&debug, "debug", false, "enable debug mode")
|
||||
flag.Parse()
|
||||
|
||||
opts := providerserver.ServeOpts{
|
||||
Address: "git.unkin.net/unkin/litellmvaultsecret",
|
||||
Debug: debug,
|
||||
}
|
||||
|
||||
if err := providerserver.Serve(context.Background(), provider.New(version), opts); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
Executable
+122
@@ -0,0 +1,122 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# End-to-end test for terraform-provider-litellmvaultsecret.
|
||||
#
|
||||
# Builds the sibling litellm plugin and this provider, boots Vault + LiteLLM +
|
||||
# Postgres in Docker, then runs a real `terraform apply` through the provider to
|
||||
# mount the engine and create a role, and asserts a working virtual key can be
|
||||
# generated from it. Finally `terraform destroy` and verify the mount is gone.
|
||||
#
|
||||
set -euo pipefail
|
||||
|
||||
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
PLUGIN_REPO="${PLUGIN_REPO:-${ROOT_DIR}/../vault-plugin-secrets-litellm}"
|
||||
COMPOSE_FILE="${ROOT_DIR}/test/docker-compose.yml"
|
||||
COMPOSE="docker compose -f ${COMPOSE_FILE}"
|
||||
TF="${TF:-terraform}"
|
||||
E2E_DIR="${ROOT_DIR}/test/e2e"
|
||||
PLUGIN_BIN="vault-plugin-secrets-litellm"
|
||||
PROVIDER_BIN="terraform-provider-litellmvaultsecret"
|
||||
|
||||
MASTER_KEY="sk-master-e2e-1234"
|
||||
LITELLM_ADDR="http://127.0.0.1:4000"
|
||||
export VAULT_ADDR="http://127.0.0.1:8200"
|
||||
export VAULT_TOKEN="root"
|
||||
|
||||
red() { printf '\033[31m%s\033[0m\n' "$*"; }
|
||||
green() { printf '\033[32m%s\033[0m\n' "$*"; }
|
||||
blue() { printf '\033[34m==> %s\033[0m\n' "$*"; }
|
||||
fail() { red "FAIL: $*"; exit 1; }
|
||||
|
||||
cleanup() {
|
||||
blue "Cleaning up"
|
||||
if [ -d "${E2E_DIR}" ]; then
|
||||
(cd "${E2E_DIR}" && TF_CLI_CONFIG_FILE="${ROOT_DIR}/test/dev.tfrc" "${TF}" destroy -auto-approve >/dev/null 2>&1 || true)
|
||||
rm -f "${E2E_DIR}"/terraform.tfstate* "${E2E_DIR}"/.terraform.lock.hcl
|
||||
rm -rf "${E2E_DIR}/.terraform"
|
||||
fi
|
||||
${COMPOSE} down -v >/dev/null 2>&1 || true
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
wait_for() {
|
||||
local desc="$1"; shift
|
||||
local retries="${WAIT_RETRIES:-90}" i=0
|
||||
until "$@" >/dev/null 2>&1; do
|
||||
i=$((i + 1))
|
||||
[ "$i" -ge "$retries" ] && fail "timed out waiting for ${desc}"
|
||||
sleep 2
|
||||
done
|
||||
green "ready: ${desc}"
|
||||
}
|
||||
|
||||
chat_code() {
|
||||
curl -s -o /dev/null -w '%{http_code}' \
|
||||
-H "Authorization: Bearer $1" -H 'Content-Type: application/json' \
|
||||
-d "{\"model\":\"$2\",\"messages\":[{\"role\":\"user\",\"content\":\"hi\"}]}" \
|
||||
"${LITELLM_ADDR}/chat/completions"
|
||||
}
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
blue "Building litellm plugin from ${PLUGIN_REPO}"
|
||||
[ -d "${PLUGIN_REPO}" ] || fail "plugin repo not found at ${PLUGIN_REPO} (set PLUGIN_REPO)"
|
||||
mkdir -p "${ROOT_DIR}/test/plugins"
|
||||
( cd "${PLUGIN_REPO}" && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" \
|
||||
-o "${ROOT_DIR}/test/plugins/${PLUGIN_BIN}" ./cmd/vault-plugin-secrets-litellm )
|
||||
|
||||
blue "Building the provider"
|
||||
( cd "${ROOT_DIR}" && go build -o "${PROVIDER_BIN}" . )
|
||||
|
||||
blue "Writing terraform dev_overrides config"
|
||||
cat > "${ROOT_DIR}/test/dev.tfrc" <<EOF
|
||||
provider_installation {
|
||||
dev_overrides {
|
||||
"git.unkin.net/unkin/litellmvaultsecret" = "${ROOT_DIR}"
|
||||
}
|
||||
direct {}
|
||||
}
|
||||
EOF
|
||||
export TF_CLI_CONFIG_FILE="${ROOT_DIR}/test/dev.tfrc"
|
||||
|
||||
blue "Starting Docker stack"
|
||||
${COMPOSE} up -d --build
|
||||
wait_for "litellm" curl -fsS "${LITELLM_ADDR}/health/liveliness"
|
||||
wait_for "vault" ${COMPOSE} exec -T vault vault status -address=http://127.0.0.1:8200
|
||||
|
||||
blue "Registering the litellm plugin in Vault"
|
||||
SHA="$(sha256sum "${ROOT_DIR}/test/plugins/${PLUGIN_BIN}" | awk '{print $1}')"
|
||||
${COMPOSE} exec -T vault vault plugin register -sha256="${SHA}" secret "${PLUGIN_BIN}" >/dev/null
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
blue "terraform apply (mount engine + create role via the provider)"
|
||||
( cd "${E2E_DIR}" && "${TF}" apply -auto-approve )
|
||||
green "apply succeeded"
|
||||
|
||||
blue "Verifying the mount and role exist"
|
||||
${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \
|
||||
|| fail "litellm mount not found after apply"
|
||||
${COMPOSE} exec -T vault vault read litellm/roles/team-a >/dev/null \
|
||||
|| fail "role team-a not found after apply"
|
||||
green "mount + role present"
|
||||
|
||||
blue "Generating a virtual key from the terraform-managed role"
|
||||
KEY="$(${COMPOSE} exec -T vault vault read -field=key litellm/creds/team-a)"
|
||||
[ -n "${KEY}" ] || fail "no key generated"
|
||||
green "issued key ${KEY:0:12}..."
|
||||
|
||||
code="$(chat_code "${KEY}" gpt-3.5-turbo)"
|
||||
[ "${code}" = "200" ] || fail "allowed model returned HTTP ${code}, expected 200"
|
||||
green "allowed model (gpt-3.5-turbo) accepted"
|
||||
|
||||
code="$(chat_code "${KEY}" gpt-4)"
|
||||
[ "${code}" != "200" ] || fail "disallowed model unexpectedly succeeded"
|
||||
green "disallowed model (gpt-4) rejected (HTTP ${code})"
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
blue "terraform destroy (unmount engine)"
|
||||
( cd "${E2E_DIR}" && "${TF}" destroy -auto-approve )
|
||||
${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \
|
||||
&& fail "litellm mount still present after destroy" || true
|
||||
green "mount removed by destroy"
|
||||
|
||||
green "ALL PROVIDER END-TO-END CHECKS PASSED"
|
||||
@@ -0,0 +1,57 @@
|
||||
# E2E stack for the provider: Postgres + LiteLLM + a Vault dev server with the
|
||||
# litellm plugin mounted. Bind mounts use ":z" for SELinux (Fedora/RHEL).
|
||||
services:
|
||||
postgres:
|
||||
image: postgres:16-alpine
|
||||
environment:
|
||||
POSTGRES_USER: litellm
|
||||
POSTGRES_PASSWORD: litellm
|
||||
POSTGRES_DB: litellm
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U litellm"]
|
||||
interval: 3s
|
||||
timeout: 3s
|
||||
retries: 20
|
||||
|
||||
litellm:
|
||||
image: ghcr.io/berriai/litellm:main-stable
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: service_healthy
|
||||
environment:
|
||||
LITELLM_MASTER_KEY: sk-master-e2e-1234
|
||||
DATABASE_URL: postgresql://litellm:litellm@postgres:5432/litellm
|
||||
STORE_MODEL_IN_DB: "True"
|
||||
command: ["--config", "/app/config.yaml", "--port", "4000"]
|
||||
volumes:
|
||||
- ./litellm/config.yaml:/app/config.yaml:ro,z
|
||||
ports:
|
||||
- "4000:4000"
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:4000/health/liveliness').status==200 else 1)"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 40
|
||||
|
||||
vault:
|
||||
image: hashicorp/vault:1.18
|
||||
depends_on:
|
||||
litellm:
|
||||
condition: service_healthy
|
||||
cap_add:
|
||||
- IPC_LOCK
|
||||
environment:
|
||||
VAULT_DEV_ROOT_TOKEN_ID: root
|
||||
VAULT_ADDR: http://127.0.0.1:8200
|
||||
VAULT_TOKEN: root
|
||||
command: ["server", "-dev", "-dev-listen-address=0.0.0.0:8200", "-config=/vault/vault.hcl"]
|
||||
volumes:
|
||||
- ./plugins:/vault/plugins:ro,z
|
||||
- ./vault/vault.hcl:/vault/vault.hcl:ro,z
|
||||
ports:
|
||||
- "8200:8200"
|
||||
healthcheck:
|
||||
test: ["CMD", "vault", "status", "-address=http://127.0.0.1:8200"]
|
||||
interval: 3s
|
||||
timeout: 3s
|
||||
retries: 20
|
||||
@@ -0,0 +1,29 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
litellmvaultsecret = {
|
||||
source = "git.unkin.net/unkin/litellmvaultsecret"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "litellmvaultsecret" {
|
||||
address = "http://127.0.0.1:8200"
|
||||
token = "root"
|
||||
}
|
||||
|
||||
resource "litellmvaultsecret_secret_backend" "litellm" {
|
||||
path = "litellm"
|
||||
description = "LiteLLM dynamic virtual keys (e2e)"
|
||||
# Reachable from inside the vault container, where the plugin runs.
|
||||
base_url = "http://litellm:4000"
|
||||
master_key = "sk-master-e2e-1234"
|
||||
}
|
||||
|
||||
resource "litellmvaultsecret_secret_backend_role" "team_a" {
|
||||
backend = litellmvaultsecret_secret_backend.litellm.path
|
||||
name = "team-a"
|
||||
models = ["gpt-3.5-turbo"]
|
||||
max_budget = 10
|
||||
ttl = 3600
|
||||
max_ttl = 86400
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
model_list:
|
||||
- model_name: gpt-3.5-turbo
|
||||
litellm_params:
|
||||
model: openai/gpt-3.5-turbo
|
||||
api_key: sk-fake-openai-key
|
||||
mock_response: "hello from the mock model"
|
||||
- model_name: gpt-4
|
||||
litellm_params:
|
||||
model: openai/gpt-4
|
||||
api_key: sk-fake-openai-key
|
||||
mock_response: "hello from the mock model"
|
||||
|
||||
general_settings:
|
||||
master_key: sk-master-e2e-1234
|
||||
|
||||
litellm_settings:
|
||||
drop_params: true
|
||||
@@ -0,0 +1,4 @@
|
||||
# Combined with `-dev` so the dev server has a plugin_directory to register the
|
||||
# litellm plugin binary mounted from ./plugins.
|
||||
plugin_directory = "/vault/plugins"
|
||||
api_addr = "http://127.0.0.1:8200"
|
||||
Reference in New Issue
Block a user