diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dfe71c2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,14 @@ +/terraform-provider-litellmvaultsecret +*.zip +*.out +*.test +dist/ +.terraform/ +.terraform.lock.hcl +*.tfstate +*.tfstate.backup +.env + +# e2e artifacts +test/plugins/ +test/dev.tfrc diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..5b65ffe --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,15 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v5.0.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files + + - repo: https://github.com/dnephin/pre-commit-golang + rev: v0.5.1 + hooks: + - id: go-fmt + - id: go-vet + - id: go-mod-tidy diff --git a/.woodpecker/build.yml b/.woodpecker/build.yml new file mode 100644 index 0000000..9c181f7 --- /dev/null +++ b/.woodpecker/build.yml @@ -0,0 +1,8 @@ +when: + - event: pull_request + +steps: + - name: build + image: golang:1.25 + commands: + - make build diff --git a/.woodpecker/pre-commit.yaml b/.woodpecker/pre-commit.yaml new file mode 100644 index 0000000..d57b508 --- /dev/null +++ b/.woodpecker/pre-commit.yaml @@ -0,0 +1,18 @@ +when: + - event: pull_request + +steps: + - name: pre-commit + image: git.unkin.net/unkin/almalinux9-gobuilder:20260606 + commands: + - uvx pre-commit run --all-files + backend_options: + kubernetes: + serviceAccountName: default + resources: + requests: + memory: 512Mi + cpu: 1 + limits: + memory: 2Gi + cpu: 2 diff --git a/.woodpecker/test.yml b/.woodpecker/test.yml new file mode 100644 index 0000000..bb94e07 --- /dev/null +++ b/.woodpecker/test.yml @@ -0,0 +1,13 @@ +when: + - event: pull_request + +steps: + - name: lint + image: golang:1.25 + commands: + - make lint + + - name: test + image: golang:1.25 + commands: + - make test diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e28b8e4 --- /dev/null +++ b/Makefile @@ -0,0 +1,65 @@ +.PHONY: build install test lint fmt clean tidy package e2e patch minor major check-go + +BINARY := terraform-provider-litellmvaultsecret +VERSION ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo "0.0.0-dev") +OS_ARCH := linux_amd64 +INSTALL_VERSION := $(shell echo $(VERSION) | sed 's/^v//') +INSTALL_DIR := ~/.terraform.d/plugins/git.unkin.net/unkin/litellmvaultsecret/$(INSTALL_VERSION)/$(OS_ARCH) +ZIP := $(BINARY)_$(INSTALL_VERSION)_$(OS_ARCH).zip + +GO_VERSION_REQUIRED := 1.25 +GO_VERSION_ACTUAL := $(shell go version | sed 's/go version go\([0-9]*\.[0-9]*\).*/\1/') + +check-go: + @if [ "$$(printf '%s\n%s' "$(GO_VERSION_REQUIRED)" "$(GO_VERSION_ACTUAL)" | sort -V | head -1)" != "$(GO_VERSION_REQUIRED)" ]; then \ + echo "ERROR: Go >= $(GO_VERSION_REQUIRED) required, found $(GO_VERSION_ACTUAL)"; exit 1; \ + fi + +build: check-go tidy + go build -ldflags="-s -w -X main.version=$(VERSION)" -o $(BINARY) + +install: build + mkdir -p $(INSTALL_DIR) + cp $(BINARY) $(INSTALL_DIR)/ + +test: check-go + go test -race -count=1 ./... + +lint: check-go + go vet ./... + +fmt: check-go + gofmt -w . + +package: build + cp $(BINARY) $(BINARY)_v$(INSTALL_VERSION) + python3 -c "import zipfile,sys; z=zipfile.ZipFile(sys.argv[1],'w',zipfile.ZIP_DEFLATED); z.write(sys.argv[2]); z.close()" $(ZIP) $(BINARY)_v$(INSTALL_VERSION) + rm $(BINARY)_v$(INSTALL_VERSION) + +# End-to-end: boots Vault + LiteLLM + the plugin and applies real terraform. +e2e: + ./scripts/e2e.sh + +clean: + rm -f $(BINARY) *.zip + +tidy: + go mod tidy + +_LATEST := $(shell git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$$' | head -1) +_BASE := $(if $(_LATEST),$(_LATEST),v0.0.0) +_MAJ := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f1) +_MIN := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f2) +_PAT := $(shell echo $(_BASE) | sed 's/^v//' | cut -d. -f3) + +patch: + @NEW=v$(_MAJ).$(_MIN).$(shell expr $(_PAT) + 1); \ + git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW + +minor: + @NEW=v$(_MAJ).$(shell expr $(_MIN) + 1).0; \ + git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW + +major: + @NEW=v$(shell expr $(_MAJ) + 1).0.0; \ + git tag $$NEW && echo "Tagged $$NEW" && git push origin $$NEW diff --git a/README.md b/README.md index b6969d7..76ecafc 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,104 @@ # terraform-provider-litellmvaultsecret -Terraform provider for the Vault/OpenBao LiteLLM dynamic secrets engine (litellmvaultsecret) \ No newline at end of file +A Terraform/OpenTofu provider that manages the **LiteLLM dynamic secrets engine** +(the [`vault-plugin-secrets-litellm`](https://git.unkin.net/unkin/vault-plugin-secrets-litellm) +plugin) on HashiCorp Vault or OpenBao. + +It lets you declare, as code, the LiteLLM secrets-engine mount, its connection +config, and the roles that scope generated virtual keys — for use from +`terraform-vault`. + +## Provider + +```hcl +terraform { + required_providers { + litellmvaultsecret = { + source = "git.unkin.net/unkin/litellmvaultsecret" + } + } +} + +provider "litellmvaultsecret" { + address = "https://vault.example.com" # or VAULT_ADDR + token = var.vault_token # or VAULT_TOKEN +} +``` + +## Resources + +### `litellmvaultsecret_secret_backend` + +Mounts the engine and writes its connection config. + +| Attribute | Required | Description | +| ------------------------- | -------- | ---------------------------------------------------- | +| `path` | yes | Mount path (e.g. `litellm`). Forces replacement. | +| `base_url` | yes | LiteLLM proxy URL the plugin calls. | +| `master_key` | yes | LiteLLM master key (sensitive, never read back). | +| `plugin` | no | Registered plugin name (default `vault-plugin-secrets-litellm`). | +| `description` | no | Mount description. | +| `request_timeout_seconds` | no | Plugin→LiteLLM HTTP timeout (default 30). | + +### `litellmvaultsecret_secret_backend_role` + +Manages a role that constrains generated keys. + +| Attribute | Required | Description | +| ------------------ | -------- | ---------------------------------------------- | +| `backend` | yes | Mount path of the engine. Forces replacement. | +| `name` | yes | Role name. Forces replacement. | +| `models` | no | Allowed models (set); empty = unrestricted. | +| `max_budget` | no | Spending limit per key; 0 = unlimited. | +| `ttl` | no | Default lease TTL, in **seconds**. | +| `max_ttl` | no | Maximum lease TTL, in **seconds**. | +| `key_alias_prefix` | no | Prefix for the key alias (default `vault`). | +| `metadata` | no | Metadata attached to each key (map). | + +## Example + +```hcl +resource "litellmvaultsecret_secret_backend" "litellm" { + path = "litellm" + base_url = "http://litellm.litellm.svc:4000" + master_key = var.litellm_master_key +} + +resource "litellmvaultsecret_secret_backend_role" "team_a" { + backend = litellmvaultsecret_secret_backend.litellm.path + name = "team-a" + models = ["gpt-3.5-turbo", "gpt-4"] + max_budget = 50 + ttl = 3600 + max_ttl = 86400 +} +``` + +Consumers then read `litellm/creds/team-a` from Vault to obtain a scoped, +budgeted, lease-bound virtual key. + +## Import + +```sh +terraform import litellmvaultsecret_secret_backend.litellm litellm +terraform import litellmvaultsecret_secret_backend_role.team_a litellm/roles/team-a +``` + +## Development + +```sh +make build # build the provider binary +make install # install into ~/.terraform.d/plugins for local use +make test # unit tests (race-enabled) +make lint # go vet +make fmt # gofmt +make e2e # end-to-end: real Vault + LiteLLM + plugin, terraform apply +``` + +### End-to-end tests + +`make e2e` builds the sibling `vault-plugin-secrets-litellm` plugin, boots Vault + +LiteLLM + Postgres in Docker, installs this provider locally, then runs a real +`terraform apply` that mounts the engine and creates a role, and asserts that a +working virtual key can be generated from it. Requires Docker; bind mounts use +`:z` for SELinux. diff --git a/examples/resources/litellmvaultsecret_secret_backend/main.tf b/examples/resources/litellmvaultsecret_secret_backend/main.tf new file mode 100644 index 0000000..d0aeee1 --- /dev/null +++ b/examples/resources/litellmvaultsecret_secret_backend/main.tf @@ -0,0 +1,24 @@ +terraform { + required_providers { + litellmvaultsecret = { + source = "git.unkin.net/unkin/litellmvaultsecret" + } + } +} + +provider "litellmvaultsecret" { + # address and token fall back to VAULT_ADDR / VAULT_TOKEN + address = "https://vault.example.com" +} + +resource "litellmvaultsecret_secret_backend" "litellm" { + path = "litellm" + description = "LiteLLM dynamic virtual keys" + base_url = "http://litellm.litellm.svc:4000" + master_key = var.litellm_master_key +} + +variable "litellm_master_key" { + type = string + sensitive = true +} diff --git a/examples/resources/litellmvaultsecret_secret_backend_role/main.tf b/examples/resources/litellmvaultsecret_secret_backend_role/main.tf new file mode 100644 index 0000000..aa2163b --- /dev/null +++ b/examples/resources/litellmvaultsecret_secret_backend_role/main.tf @@ -0,0 +1,14 @@ +resource "litellmvaultsecret_secret_backend_role" "team_a" { + backend = litellmvaultsecret_secret_backend.litellm.path + name = "team-a" + + models = ["gpt-3.5-turbo", "gpt-4"] + max_budget = 50 + ttl = 3600 # seconds (1h) + max_ttl = 86400 # seconds (24h) + + metadata = { + team = "a" + env = "prod" + } +} diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..5ca61f4 --- /dev/null +++ b/go.mod @@ -0,0 +1,49 @@ +module git.unkin.net/unkin/terraform-provider-litellmvaultsecret + +go 1.25 + +require ( + github.com/hashicorp/terraform-plugin-framework v1.15.0 + github.com/hashicorp/vault/api v1.15.0 +) + +require ( + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/fatih/color v1.16.0 // indirect + github.com/go-jose/go-jose/v4 v4.0.4 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-hclog v1.6.3 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-plugin v1.6.3 // indirect + github.com/hashicorp/go-retryablehttp v0.7.7 // indirect + github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/hashicorp/terraform-plugin-go v0.27.0 // indirect + github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect + github.com/hashicorp/terraform-registry-address v0.2.5 // indirect + github.com/hashicorp/terraform-svchost v0.1.1 // indirect + github.com/hashicorp/yamux v0.1.1 // indirect + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-testing-interface v1.14.1 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/oklog/run v1.0.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect + github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect + golang.org/x/crypto v0.37.0 // indirect + golang.org/x/net v0.39.0 // indirect + golang.org/x/sys v0.32.0 // indirect + golang.org/x/text v0.24.0 // indirect + golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect + google.golang.org/grpc v1.72.1 // indirect + google.golang.org/protobuf v1.36.6 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..e5d4aed --- /dev/null +++ b/go.sum @@ -0,0 +1,147 @@ +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA= +github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E= +github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-plugin v1.6.3 h1:xgHB+ZUSYeuJi96WtxEjzi23uh7YQpznjGh0U0UUrwg= +github.com/hashicorp/go-plugin v1.6.3/go.mod h1:MRobyh+Wc/nYy1V4KAXUiYfzxoYhs7V1mlH1Z7iY2h0= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= +github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/terraform-plugin-framework v1.15.0 h1:LQ2rsOfmDLxcn5EeIwdXFtr03FVsNktbbBci8cOKdb4= +github.com/hashicorp/terraform-plugin-framework v1.15.0/go.mod h1:hxrNI/GY32KPISpWqlCoTLM9JZsGH3CyYlir09bD/fI= +github.com/hashicorp/terraform-plugin-go v0.27.0 h1:ujykws/fWIdsi6oTUT5Or4ukvEan4aN9lY+LOxVP8EE= +github.com/hashicorp/terraform-plugin-go v0.27.0/go.mod h1:FDa2Bb3uumkTGSkTFpWSOwWJDwA7bf3vdP3ltLDTH6o= +github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9TFvymaRGZED3FCV0= +github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow= +github.com/hashicorp/terraform-registry-address v0.2.5 h1:2GTftHqmUhVOeuu9CW3kwDkRe4pcBDq0uuK5VJngU1M= +github.com/hashicorp/terraform-registry-address v0.2.5/go.mod h1:PpzXWINwB5kuVS5CA7m1+eO2f1jKb5ZDIxrOPfpnGkg= +github.com/hashicorp/terraform-svchost v0.1.1 h1:EZZimZ1GxdqFRinZ1tpJwVxxt49xc/S52uzrw4x0jKQ= +github.com/hashicorp/terraform-svchost v0.1.1/go.mod h1:mNsjQfZyf/Jhz35v6/0LWcv26+X7JPS+buii2c9/ctc= +github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA= +github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8= +github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE= +github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= +github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= +github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8= +github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok= +github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= +github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= +go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= +go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= +go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= +go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= +go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= +go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= +go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= +go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= +golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= +golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= +golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= +golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20= +golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0= +golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ= +google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA= +google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= +google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/internal/provider/client.go b/internal/provider/client.go new file mode 100644 index 0000000..b82317f --- /dev/null +++ b/internal/provider/client.go @@ -0,0 +1,144 @@ +package provider + +import ( + "context" + "errors" + "fmt" + "strings" + + vault "github.com/hashicorp/vault/api" +) + +// vaultClient wraps the Vault/OpenBao API client with the operations this +// provider needs to manage the LiteLLM secrets engine. +type vaultClient struct { + api *vault.Client +} + +func newVaultClient(address, token string) (*vaultClient, error) { + cfg := vault.DefaultConfig() + if cfg.Error != nil { + return nil, cfg.Error + } + if address != "" { + cfg.Address = address + } + c, err := vault.NewClient(cfg) + if err != nil { + return nil, err + } + if token != "" { + c.SetToken(token) + } + return &vaultClient{api: c}, nil +} + +// mountConfig holds the tunable options applied when enabling the engine. +type mountConfig struct { + DefaultLeaseTTL string + MaxLeaseTTL string +} + +// enableMount mounts the secrets engine of the given plugin type at path. +func (c *vaultClient) enableMount(ctx context.Context, path, pluginType, description string, cfg mountConfig) error { + input := &vault.MountInput{ + Type: pluginType, + Description: description, + Config: vault.MountConfigInput{ + DefaultLeaseTTL: cfg.DefaultLeaseTTL, + MaxLeaseTTL: cfg.MaxLeaseTTL, + }, + } + return c.api.Sys().MountWithContext(ctx, path, input) +} + +// tuneMount updates tunable options of an existing mount (e.g. description). +func (c *vaultClient) tuneMount(ctx context.Context, path, description string, cfg mountConfig) error { + input := vault.MountConfigInput{ + Description: &description, + DefaultLeaseTTL: cfg.DefaultLeaseTTL, + MaxLeaseTTL: cfg.MaxLeaseTTL, + } + return c.api.Sys().TuneMountWithContext(ctx, path, input) +} + +// mountInfo returns the mount at the given path, or nil if it does not exist. +func (c *vaultClient) mountInfo(ctx context.Context, path string) (*vault.MountOutput, error) { + mounts, err := c.api.Sys().ListMountsWithContext(ctx) + if err != nil { + return nil, err + } + key := strings.TrimRight(path, "/") + "/" + if m, ok := mounts[key]; ok { + return m, nil + } + return nil, nil +} + +// disableMount unmounts the secrets engine at path. +func (c *vaultClient) disableMount(ctx context.Context, path string) error { + return c.api.Sys().UnmountWithContext(ctx, path) +} + +// writeConfig writes the LiteLLM connection config for the given backend mount. +func (c *vaultClient) writeConfig(ctx context.Context, backend string, data map[string]interface{}) error { + _, err := c.api.Logical().WriteWithContext(ctx, backend+"/config", data) + return err +} + +// readConfig reads the LiteLLM connection config, returning nil if absent. +func (c *vaultClient) readConfig(ctx context.Context, backend string) (map[string]interface{}, error) { + secret, err := c.api.Logical().ReadWithContext(ctx, backend+"/config") + if err != nil { + return nil, err + } + if secret == nil { + return nil, nil + } + return secret.Data, nil +} + +// writeRole creates or updates a role on the given backend mount. +func (c *vaultClient) writeRole(ctx context.Context, backend, name string, data map[string]interface{}) error { + _, err := c.api.Logical().WriteWithContext(ctx, rolePath(backend, name), data) + return err +} + +// readRole reads a role, returning nil if it does not exist. +func (c *vaultClient) readRole(ctx context.Context, backend, name string) (map[string]interface{}, error) { + secret, err := c.api.Logical().ReadWithContext(ctx, rolePath(backend, name)) + if err != nil { + return nil, err + } + if secret == nil { + return nil, nil + } + return secret.Data, nil +} + +// deleteRole removes a role from the backend mount. +func (c *vaultClient) deleteRole(ctx context.Context, backend, name string) error { + _, err := c.api.Logical().DeleteWithContext(ctx, rolePath(backend, name)) + return err +} + +func rolePath(backend, name string) string { + return fmt.Sprintf("%s/roles/%s", strings.TrimRight(backend, "/"), name) +} + +// isMountAlreadyExists reports whether the error is Vault's "path is already in +// use" response, so callers can surface a friendlier message. +func isMountAlreadyExists(err error) bool { + if err == nil { + return false + } + var respErr *vault.ResponseError + if errors.As(err, &respErr) { + for _, e := range respErr.Errors { + if strings.Contains(e, "path is already in use") { + return true + } + } + } + return false +} diff --git a/internal/provider/client_test.go b/internal/provider/client_test.go new file mode 100644 index 0000000..93ca2fb --- /dev/null +++ b/internal/provider/client_test.go @@ -0,0 +1,238 @@ +package provider + +import ( + "context" + "encoding/json" + "net/http" + "net/http/httptest" + "strings" + "sync" + "testing" +) + +// mockVault is a minimal in-memory fake of the Vault/OpenBao HTTP API covering +// the endpoints this provider uses. +type mockVault struct { + server *httptest.Server + + mu sync.Mutex + mounts map[string]map[string]interface{} // "litellm/" -> mount output + configs map[string]map[string]interface{} // backend -> config data + roles map[string]map[string]interface{} // "backend/roles/name" -> role data +} + +func newMockVault(t *testing.T) (*mockVault, *vaultClient) { + t.Helper() + m := &mockVault{ + mounts: map[string]map[string]interface{}{}, + configs: map[string]map[string]interface{}{}, + roles: map[string]map[string]interface{}{}, + } + m.server = httptest.NewServer(http.HandlerFunc(m.handle)) + t.Cleanup(m.server.Close) + + client, err := newVaultClient(m.server.URL, "test-token") + if err != nil { + t.Fatalf("newVaultClient: %v", err) + } + return m, client +} + +func (m *mockVault) handle(w http.ResponseWriter, r *http.Request) { + m.mu.Lock() + defer m.mu.Unlock() + + path := strings.TrimPrefix(r.URL.Path, "/v1/") + + switch { + case path == "sys/mounts" && r.Method == http.MethodGet: + writeSecret(w, map[string]interface{}{"data": toIface(m.mounts)}) + + case strings.HasPrefix(path, "sys/mounts/"): + mp := strings.TrimPrefix(path, "sys/mounts/") + key := strings.TrimRight(mp, "/") + "/" + switch r.Method { + case http.MethodPost, http.MethodPut: + var body map[string]interface{} + _ = json.NewDecoder(r.Body).Decode(&body) + // Store the mount *output* shape (Vault returns int TTLs, not the + // string TTLs it accepts on input). + m.mounts[key] = map[string]interface{}{ + "type": body["type"], + "description": body["description"], + "config": map[string]interface{}{}, + } + w.WriteHeader(http.StatusNoContent) + case http.MethodDelete: + delete(m.mounts, key) + w.WriteHeader(http.StatusNoContent) + } + + case strings.HasSuffix(path, "/config"): + backend := strings.TrimSuffix(path, "/config") + switch r.Method { + case http.MethodPost, http.MethodPut: + var body map[string]interface{} + _ = json.NewDecoder(r.Body).Decode(&body) + m.configs[backend] = body + w.WriteHeader(http.StatusNoContent) + case http.MethodGet: + cfg, ok := m.configs[backend] + if !ok { + w.WriteHeader(http.StatusNotFound) + return + } + // The real backend never returns master_key. + out := map[string]interface{}{} + for k, v := range cfg { + if k == "master_key" { + continue + } + out[k] = v + } + writeSecret(w, map[string]interface{}{"data": out}) + } + + case strings.Contains(path, "/roles/"): + switch r.Method { + case http.MethodPost, http.MethodPut: + var body map[string]interface{} + _ = json.NewDecoder(r.Body).Decode(&body) + m.roles[path] = body + w.WriteHeader(http.StatusNoContent) + case http.MethodGet: + role, ok := m.roles[path] + if !ok { + w.WriteHeader(http.StatusNotFound) + return + } + writeSecret(w, map[string]interface{}{"data": role}) + case http.MethodDelete: + delete(m.roles, path) + w.WriteHeader(http.StatusNoContent) + } + + default: + w.WriteHeader(http.StatusNotFound) + } +} + +func toIface(m map[string]map[string]interface{}) map[string]interface{} { + out := map[string]interface{}{} + for k, v := range m { + out[k] = v + } + return out +} + +func writeSecret(w http.ResponseWriter, body map[string]interface{}) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(body) +} + +func TestClient_MountLifecycle(t *testing.T) { + _, c := newMockVault(t) + ctx := context.Background() + + if err := c.enableMount(ctx, "litellm", "vault-plugin-secrets-litellm", "desc", mountConfig{}); err != nil { + t.Fatalf("enableMount: %v", err) + } + info, err := c.mountInfo(ctx, "litellm") + if err != nil { + t.Fatalf("mountInfo: %v", err) + } + if info == nil { + t.Fatal("expected mount to exist") + } + if info.Type != "vault-plugin-secrets-litellm" { + t.Fatalf("unexpected mount type: %q", info.Type) + } + + if err := c.disableMount(ctx, "litellm"); err != nil { + t.Fatalf("disableMount: %v", err) + } + info, err = c.mountInfo(ctx, "litellm") + if err != nil { + t.Fatalf("mountInfo after delete: %v", err) + } + if info != nil { + t.Fatal("expected mount to be gone") + } +} + +func TestClient_ConfigRoundTrip(t *testing.T) { + m, c := newMockVault(t) + ctx := context.Background() + + err := c.writeConfig(ctx, "litellm", map[string]interface{}{ + "base_url": "http://litellm:4000", + "master_key": "sk-secret", + "request_timeout_seconds": 30, + }) + if err != nil { + t.Fatalf("writeConfig: %v", err) + } + + cfg, err := c.readConfig(ctx, "litellm") + if err != nil { + t.Fatalf("readConfig: %v", err) + } + if cfg["base_url"] != "http://litellm:4000" { + t.Fatalf("unexpected base_url: %v", cfg["base_url"]) + } + if _, leaked := cfg["master_key"]; leaked { + t.Fatal("master_key must not be returned by read") + } + _ = m +} + +func TestClient_ReadConfigMissing(t *testing.T) { + _, c := newMockVault(t) + cfg, err := c.readConfig(context.Background(), "litellm") + if err != nil { + t.Fatalf("readConfig: %v", err) + } + if cfg != nil { + t.Fatalf("expected nil config, got %v", cfg) + } +} + +func TestClient_RoleLifecycle(t *testing.T) { + _, c := newMockVault(t) + ctx := context.Background() + + err := c.writeRole(ctx, "litellm", "team-a", map[string]interface{}{ + "models": []string{"gpt-4"}, + "max_budget": 25.0, + "ttl": 3600, + }) + if err != nil { + t.Fatalf("writeRole: %v", err) + } + + role, err := c.readRole(ctx, "litellm", "team-a") + if err != nil { + t.Fatalf("readRole: %v", err) + } + if role == nil { + t.Fatal("expected role to exist") + } + + if err := c.deleteRole(ctx, "litellm", "team-a"); err != nil { + t.Fatalf("deleteRole: %v", err) + } + role, err = c.readRole(ctx, "litellm", "team-a") + if err != nil { + t.Fatalf("readRole after delete: %v", err) + } + if role != nil { + t.Fatal("expected role to be gone") + } +} + +func TestRolePath(t *testing.T) { + if got := rolePath("litellm/", "team-a"); got != "litellm/roles/team-a" { + t.Fatalf("unexpected role path: %q", got) + } +} diff --git a/internal/provider/conversions.go b/internal/provider/conversions.go new file mode 100644 index 0000000..5b83cd9 --- /dev/null +++ b/internal/provider/conversions.go @@ -0,0 +1,171 @@ +package provider + +import ( + "context" + "encoding/json" + + "github.com/hashicorp/terraform-plugin-framework/attr" + "github.com/hashicorp/terraform-plugin-framework/diag" + "github.com/hashicorp/terraform-plugin-framework/types" +) + +// roleData builds the request payload for writing a role to the backend. +func roleData(ctx context.Context, m secretBackendRoleModel) (map[string]interface{}, diag.Diagnostics) { + var diags diag.Diagnostics + data := map[string]interface{}{} + + if !m.Models.IsNull() && !m.Models.IsUnknown() { + var models []string + diags.Append(m.Models.ElementsAs(ctx, &models, false)...) + if diags.HasError() { + return nil, diags + } + data["models"] = models + } else { + data["models"] = []string{} + } + + if !m.MaxBudget.IsNull() && !m.MaxBudget.IsUnknown() { + data["max_budget"] = m.MaxBudget.ValueFloat64() + } + if !m.KeyAliasPrefix.IsNull() && !m.KeyAliasPrefix.IsUnknown() { + data["key_alias_prefix"] = m.KeyAliasPrefix.ValueString() + } + if !m.TTL.IsNull() && !m.TTL.IsUnknown() { + data["ttl"] = m.TTL.ValueInt64() + } + if !m.MaxTTL.IsNull() && !m.MaxTTL.IsUnknown() { + data["max_ttl"] = m.MaxTTL.ValueInt64() + } + if !m.Metadata.IsNull() && !m.Metadata.IsUnknown() { + var meta map[string]string + diags.Append(m.Metadata.ElementsAs(ctx, &meta, false)...) + if diags.HasError() { + return nil, diags + } + data["metadata"] = meta + } + + return data, diags +} + +// applyRoleData refreshes a model from a role read out of the backend. +func applyRoleData(ctx context.Context, m *secretBackendRoleModel, role map[string]interface{}) diag.Diagnostics { + var diags diag.Diagnostics + + models := toStringSlice(role["models"]) + if len(models) == 0 { + m.Models = types.SetNull(types.StringType) + } else { + set, d := types.SetValueFrom(ctx, types.StringType, models) + diags.Append(d...) + m.Models = set + } + + if budget, ok := toFloat64(role["max_budget"]); ok && budget != 0 { + m.MaxBudget = types.Float64Value(budget) + } else if m.MaxBudget.IsUnknown() { + m.MaxBudget = types.Float64Null() + } + + if prefix, ok := role["key_alias_prefix"].(string); ok { + m.KeyAliasPrefix = types.StringValue(prefix) + } + + if ttl, ok := toInt64(role["ttl"]); ok && ttl != 0 { + m.TTL = types.Int64Value(ttl) + } else if m.TTL.IsUnknown() { + m.TTL = types.Int64Null() + } + if maxTTL, ok := toInt64(role["max_ttl"]); ok && maxTTL != 0 { + m.MaxTTL = types.Int64Value(maxTTL) + } else if m.MaxTTL.IsUnknown() { + m.MaxTTL = types.Int64Null() + } + + meta := toStringMap(role["metadata"]) + if len(meta) == 0 { + m.Metadata = types.MapNull(types.StringType) + } else { + mp, d := types.MapValueFrom(ctx, types.StringType, meta) + diags.Append(d...) + m.Metadata = mp + } + + return diags +} + +func toStringSlice(v interface{}) []string { + raw, ok := v.([]interface{}) + if !ok { + return nil + } + out := make([]string, 0, len(raw)) + for _, e := range raw { + if s, ok := e.(string); ok { + out = append(out, s) + } + } + return out +} + +func toStringMap(v interface{}) map[string]string { + raw, ok := v.(map[string]interface{}) + if !ok { + return nil + } + out := make(map[string]string, len(raw)) + for k, e := range raw { + if s, ok := e.(string); ok { + out[k] = s + } + } + return out +} + +// toInt64 coerces the numeric shapes Vault returns (json.Number, float64, int) +// into an int64. +func toInt64(v interface{}) (int64, bool) { + switch n := v.(type) { + case json.Number: + i, err := n.Int64() + if err != nil { + f, ferr := n.Float64() + if ferr != nil { + return 0, false + } + return int64(f), true + } + return i, true + case float64: + return int64(n), true + case int64: + return n, true + case int: + return int64(n), true + default: + return 0, false + } +} + +func toFloat64(v interface{}) (float64, bool) { + switch n := v.(type) { + case json.Number: + f, err := n.Float64() + if err != nil { + return 0, false + } + return f, true + case float64: + return n, true + case int64: + return float64(n), true + case int: + return float64(n), true + default: + return 0, false + } +} + +// ensure attr is referenced (kept for future typed conversions). +var _ = attr.Value(nil) diff --git a/internal/provider/conversions_test.go b/internal/provider/conversions_test.go new file mode 100644 index 0000000..b6bd094 --- /dev/null +++ b/internal/provider/conversions_test.go @@ -0,0 +1,166 @@ +package provider + +import ( + "context" + "encoding/json" + "testing" + + "github.com/hashicorp/terraform-plugin-framework/types" +) + +func TestRoleData_FullRoundTrip(t *testing.T) { + ctx := context.Background() + + models, _ := types.SetValueFrom(ctx, types.StringType, []string{"gpt-4", "gpt-3.5-turbo"}) + meta, _ := types.MapValueFrom(ctx, types.StringType, map[string]string{"team": "a"}) + + m := secretBackendRoleModel{ + Backend: types.StringValue("litellm"), + Name: types.StringValue("team-a"), + Models: models, + MaxBudget: types.Float64Value(50), + KeyAliasPrefix: types.StringValue("vault"), + TTL: types.Int64Value(3600), + MaxTTL: types.Int64Value(86400), + Metadata: meta, + } + + data, diags := roleData(ctx, m) + if diags.HasError() { + t.Fatalf("roleData diags: %v", diags) + } + if got := data["max_budget"].(float64); got != 50 { + t.Fatalf("max_budget: %v", got) + } + if got := data["ttl"].(int64); got != 3600 { + t.Fatalf("ttl: %v", got) + } + if got := data["models"].([]string); len(got) != 2 { + t.Fatalf("models: %v", got) + } + if got := data["metadata"].(map[string]string); got["team"] != "a" { + t.Fatalf("metadata: %v", got) + } +} + +func TestRoleData_OmitsUnsetOptionals(t *testing.T) { + ctx := context.Background() + m := secretBackendRoleModel{ + Backend: types.StringValue("litellm"), + Name: types.StringValue("minimal"), + Models: types.SetNull(types.StringType), + MaxBudget: types.Float64Null(), + KeyAliasPrefix: types.StringValue("vault"), + TTL: types.Int64Null(), + MaxTTL: types.Int64Null(), + Metadata: types.MapNull(types.StringType), + } + data, diags := roleData(ctx, m) + if diags.HasError() { + t.Fatalf("diags: %v", diags) + } + if _, ok := data["max_budget"]; ok { + t.Fatal("max_budget should be omitted when null") + } + if _, ok := data["ttl"]; ok { + t.Fatal("ttl should be omitted when null") + } + // models is always sent (empty list = unrestricted). + if got, ok := data["models"].([]string); !ok || len(got) != 0 { + t.Fatalf("expected empty models slice, got %v", data["models"]) + } +} + +func TestApplyRoleData(t *testing.T) { + ctx := context.Background() + m := &secretBackendRoleModel{ + Models: types.SetNull(types.StringType), + MaxBudget: types.Float64Null(), + TTL: types.Int64Null(), + MaxTTL: types.Int64Null(), + Metadata: types.MapNull(types.StringType), + } + + // Simulate what Vault returns (numbers arrive as json.Number). + role := map[string]interface{}{ + "models": []interface{}{"gpt-4"}, + "max_budget": json.Number("50"), + "key_alias_prefix": "vault", + "ttl": json.Number("3600"), + "max_ttl": json.Number("86400"), + "metadata": map[string]interface{}{"team": "a"}, + } + + diags := applyRoleData(ctx, m, role) + if diags.HasError() { + t.Fatalf("applyRoleData diags: %v", diags) + } + if m.TTL.ValueInt64() != 3600 { + t.Fatalf("ttl: %v", m.TTL) + } + if m.MaxTTL.ValueInt64() != 86400 { + t.Fatalf("max_ttl: %v", m.MaxTTL) + } + if m.MaxBudget.ValueFloat64() != 50 { + t.Fatalf("max_budget: %v", m.MaxBudget) + } + if m.KeyAliasPrefix.ValueString() != "vault" { + t.Fatalf("prefix: %v", m.KeyAliasPrefix) + } + var models []string + m.Models.ElementsAs(ctx, &models, false) + if len(models) != 1 || models[0] != "gpt-4" { + t.Fatalf("models: %v", models) + } +} + +func TestApplyRoleData_EmptyModelsBecomesNull(t *testing.T) { + ctx := context.Background() + m := &secretBackendRoleModel{ + Models: types.SetValueMust(types.StringType, nil), + Metadata: types.MapNull(types.StringType), + } + role := map[string]interface{}{"models": []interface{}{}} + if diags := applyRoleData(ctx, m, role); diags.HasError() { + t.Fatalf("diags: %v", diags) + } + if !m.Models.IsNull() { + t.Fatalf("expected null models, got %v", m.Models) + } +} + +func TestToInt64(t *testing.T) { + cases := []struct { + in interface{} + want int64 + ok bool + }{ + {json.Number("3600"), 3600, true}, + {float64(42), 42, true}, + {int64(7), 7, true}, + {int(9), 9, true}, + {"nope", 0, false}, + {nil, 0, false}, + } + for _, tc := range cases { + got, ok := toInt64(tc.in) + if ok != tc.ok || got != tc.want { + t.Fatalf("toInt64(%v) = (%d,%v), want (%d,%v)", tc.in, got, ok, tc.want, tc.ok) + } + } +} + +func TestSplitRoleID(t *testing.T) { + backend, name, ok := splitRoleID("litellm/roles/team-a") + if !ok || backend != "litellm" || name != "team-a" { + t.Fatalf("got backend=%q name=%q ok=%v", backend, name, ok) + } + if _, _, ok := splitRoleID("nonsense"); ok { + t.Fatal("expected failure on malformed id") + } + // Nested mount paths must still split on the final /roles/. + b, n, ok := splitRoleID("team/litellm/roles/x") + if !ok || b != "team/litellm" || n != "x" { + t.Fatalf("nested split: backend=%q name=%q ok=%v", b, n, ok) + } +} diff --git a/internal/provider/provider.go b/internal/provider/provider.go new file mode 100644 index 0000000..f6b1d5b --- /dev/null +++ b/internal/provider/provider.go @@ -0,0 +1,97 @@ +package provider + +import ( + "context" + "os" + + "github.com/hashicorp/terraform-plugin-framework/datasource" + "github.com/hashicorp/terraform-plugin-framework/provider" + "github.com/hashicorp/terraform-plugin-framework/provider/schema" + "github.com/hashicorp/terraform-plugin-framework/resource" + "github.com/hashicorp/terraform-plugin-framework/types" +) + +var _ provider.Provider = &litellmProvider{} + +type litellmProvider struct { + version string +} + +type litellmProviderModel struct { + Address types.String `tfsdk:"address"` + Token types.String `tfsdk:"token"` +} + +func New(version string) func() provider.Provider { + return func() provider.Provider { + return &litellmProvider{version: version} + } +} + +func (p *litellmProvider) Metadata(_ context.Context, _ provider.MetadataRequest, resp *provider.MetadataResponse) { + resp.TypeName = "litellmvaultsecret" + resp.Version = p.version +} + +func (p *litellmProvider) Schema(_ context.Context, _ provider.SchemaRequest, resp *provider.SchemaResponse) { + resp.Schema = schema.Schema{ + Description: "Manage the LiteLLM dynamic secrets engine (config and roles) on HashiCorp Vault or OpenBao.", + Attributes: map[string]schema.Attribute{ + "address": schema.StringAttribute{ + Description: "Address of the Vault/OpenBao server. Falls back to the VAULT_ADDR environment variable.", + Optional: true, + }, + "token": schema.StringAttribute{ + Description: "Token used to authenticate to Vault/OpenBao. Falls back to the VAULT_TOKEN environment variable.", + Optional: true, + Sensitive: true, + }, + }, + } +} + +func (p *litellmProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) { + var config litellmProviderModel + resp.Diagnostics.Append(req.Config.Get(ctx, &config)...) + if resp.Diagnostics.HasError() { + return + } + + address := os.Getenv("VAULT_ADDR") + if !config.Address.IsNull() && config.Address.ValueString() != "" { + address = config.Address.ValueString() + } + + token := os.Getenv("VAULT_TOKEN") + if !config.Token.IsNull() && config.Token.ValueString() != "" { + token = config.Token.ValueString() + } + + if address == "" { + resp.Diagnostics.AddError( + "missing Vault address", + "Set the provider \"address\" attribute or the VAULT_ADDR environment variable.", + ) + return + } + + client, err := newVaultClient(address, token) + if err != nil { + resp.Diagnostics.AddError("failed to create Vault client", err.Error()) + return + } + + resp.DataSourceData = client + resp.ResourceData = client +} + +func (p *litellmProvider) Resources(_ context.Context) []func() resource.Resource { + return []func() resource.Resource{ + NewSecretBackendResource, + NewSecretBackendRoleResource, + } +} + +func (p *litellmProvider) DataSources(_ context.Context) []func() datasource.DataSource { + return nil +} diff --git a/internal/provider/resource_secret_backend.go b/internal/provider/resource_secret_backend.go new file mode 100644 index 0000000..95dbd6d --- /dev/null +++ b/internal/provider/resource_secret_backend.go @@ -0,0 +1,225 @@ +package provider + +import ( + "context" + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-framework/path" + "github.com/hashicorp/terraform-plugin-framework/resource" + "github.com/hashicorp/terraform-plugin-framework/resource/schema" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier" + "github.com/hashicorp/terraform-plugin-framework/types" +) + +var ( + _ resource.Resource = &secretBackendResource{} + _ resource.ResourceWithImportState = &secretBackendResource{} +) + +const defaultPluginType = "vault-plugin-secrets-litellm" + +type secretBackendResource struct { + client *vaultClient +} + +type secretBackendModel struct { + Path types.String `tfsdk:"path"` + Plugin types.String `tfsdk:"plugin"` + Description types.String `tfsdk:"description"` + BaseURL types.String `tfsdk:"base_url"` + MasterKey types.String `tfsdk:"master_key"` + RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"` +} + +func NewSecretBackendResource() resource.Resource { + return &secretBackendResource{} +} + +func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) { + resp.TypeName = req.ProviderTypeName + "_secret_backend" +} + +func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) { + resp.Schema = schema.Schema{ + Description: "Mounts the LiteLLM secrets engine and writes its connection config.", + Attributes: map[string]schema.Attribute{ + "path": schema.StringAttribute{ + Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").", + Required: true, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplace(), + }, + }, + "plugin": schema.StringAttribute{ + Description: "Registered plugin name/type to mount.", + Optional: true, + Computed: true, + Default: stringdefault.StaticString(defaultPluginType), + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplace(), + }, + }, + "description": schema.StringAttribute{ + Description: "Human-readable description of the mount.", + Optional: true, + Computed: true, + Default: stringdefault.StaticString(""), + }, + "base_url": schema.StringAttribute{ + Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).", + Required: true, + }, + "master_key": schema.StringAttribute{ + Description: "LiteLLM master key used to manage virtual keys.", + Required: true, + Sensitive: true, + }, + "request_timeout_seconds": schema.Int64Attribute{ + Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.", + Optional: true, + Computed: true, + Default: int64default.StaticInt64(30), + }, + }, + } +} + +func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) { + if req.ProviderData == nil { + return + } + client, ok := req.ProviderData.(*vaultClient) + if !ok { + resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData)) + return + } + r.client = client +} + +func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { + var plan secretBackendModel + resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...) + if resp.Diagnostics.HasError() { + return + } + + mountPath := strings.Trim(plan.Path.ValueString(), "/") + + err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{}) + if err != nil { + if isMountAlreadyExists(err) { + resp.Diagnostics.AddError( + "mount path already in use", + fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath), + ) + return + } + resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error()) + return + } + + if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil { + // Roll back the mount so we don't leave a half-configured engine. + _ = r.client.disableMount(ctx, mountPath) + resp.Diagnostics.AddError("failed to write litellm config", err.Error()) + return + } + + plan.Path = types.StringValue(mountPath) + resp.Diagnostics.Append(resp.State.Set(ctx, plan)...) +} + +func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) { + var state secretBackendModel + resp.Diagnostics.Append(req.State.Get(ctx, &state)...) + if resp.Diagnostics.HasError() { + return + } + + mountPath := strings.Trim(state.Path.ValueString(), "/") + + mount, err := r.client.mountInfo(ctx, mountPath) + if err != nil { + resp.Diagnostics.AddError("failed to read mount", err.Error()) + return + } + if mount == nil { + resp.State.RemoveResource(ctx) + return + } + state.Description = types.StringValue(mount.Description) + if mount.Type != "" { + state.Plugin = types.StringValue(mount.Type) + } + + cfg, err := r.client.readConfig(ctx, mountPath) + if err != nil { + resp.Diagnostics.AddError("failed to read litellm config", err.Error()) + return + } + if cfg != nil { + if v, ok := cfg["base_url"].(string); ok { + state.BaseURL = types.StringValue(v) + } + if n, ok := toInt64(cfg["request_timeout_seconds"]); ok { + state.RequestTimeoutSeconds = types.Int64Value(n) + } + } + // master_key is never returned by the backend; preserve the state value. + + resp.Diagnostics.Append(resp.State.Set(ctx, state)...) +} + +func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) { + var plan, state secretBackendModel + resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...) + resp.Diagnostics.Append(req.State.Get(ctx, &state)...) + if resp.Diagnostics.HasError() { + return + } + + mountPath := strings.Trim(state.Path.ValueString(), "/") + + if !plan.Description.Equal(state.Description) { + if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil { + resp.Diagnostics.AddError("failed to tune mount description", err.Error()) + return + } + } + + if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil { + resp.Diagnostics.AddError("failed to update litellm config", err.Error()) + return + } + + plan.Path = types.StringValue(mountPath) + resp.Diagnostics.Append(resp.State.Set(ctx, plan)...) +} + +func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { + var state secretBackendModel + resp.Diagnostics.Append(req.State.Get(ctx, &state)...) + if resp.Diagnostics.HasError() { + return + } + if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil { + resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error()) + return + } +} + +func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) { + resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp) +} + +func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} { + return map[string]interface{}{ + "base_url": m.BaseURL.ValueString(), + "master_key": m.MasterKey.ValueString(), + "request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(), + } +} diff --git a/internal/provider/resource_secret_backend_role.go b/internal/provider/resource_secret_backend_role.go new file mode 100644 index 0000000..7f2cde8 --- /dev/null +++ b/internal/provider/resource_secret_backend_role.go @@ -0,0 +1,235 @@ +package provider + +import ( + "context" + "fmt" + "strings" + + "github.com/hashicorp/terraform-plugin-framework/diag" + "github.com/hashicorp/terraform-plugin-framework/path" + "github.com/hashicorp/terraform-plugin-framework/resource" + "github.com/hashicorp/terraform-plugin-framework/resource/schema" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault" + "github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier" + "github.com/hashicorp/terraform-plugin-framework/types" +) + +var ( + _ resource.Resource = &secretBackendRoleResource{} + _ resource.ResourceWithImportState = &secretBackendRoleResource{} +) + +type secretBackendRoleResource struct { + client *vaultClient +} + +type secretBackendRoleModel struct { + Backend types.String `tfsdk:"backend"` + Name types.String `tfsdk:"name"` + Models types.Set `tfsdk:"models"` + MaxBudget types.Float64 `tfsdk:"max_budget"` + KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"` + TTL types.Int64 `tfsdk:"ttl"` + MaxTTL types.Int64 `tfsdk:"max_ttl"` + Metadata types.Map `tfsdk:"metadata"` +} + +func NewSecretBackendRoleResource() resource.Resource { + return &secretBackendRoleResource{} +} + +func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) { + resp.TypeName = req.ProviderTypeName + "_secret_backend_role" +} + +func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) { + resp.Schema = schema.Schema{ + Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.", + Attributes: map[string]schema.Attribute{ + "backend": schema.StringAttribute{ + Description: "Mount path of the LiteLLM secrets engine.", + Required: true, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplace(), + }, + }, + "name": schema.StringAttribute{ + Description: "Name of the role.", + Required: true, + PlanModifiers: []planmodifier.String{ + stringplanmodifier.RequiresReplace(), + }, + }, + "models": schema.SetAttribute{ + Description: "Models a generated key may access. Empty means unrestricted.", + ElementType: types.StringType, + Optional: true, + }, + "max_budget": schema.Float64Attribute{ + Description: "Spending limit applied to each generated key. 0 means unlimited.", + Optional: true, + }, + "key_alias_prefix": schema.StringAttribute{ + Description: "Prefix for the auto-generated key alias.", + Optional: true, + Computed: true, + Default: stringdefault.StaticString("vault"), + }, + "ttl": schema.Int64Attribute{ + Description: "Default lease TTL in seconds for keys generated from this role.", + Optional: true, + }, + "max_ttl": schema.Int64Attribute{ + Description: "Maximum lease TTL in seconds for keys generated from this role.", + Optional: true, + }, + "metadata": schema.MapAttribute{ + Description: "Metadata attached to each generated key.", + ElementType: types.StringType, + Optional: true, + }, + }, + } +} + +func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) { + if req.ProviderData == nil { + return + } + client, ok := req.ProviderData.(*vaultClient) + if !ok { + resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData)) + return + } + r.client = client +} + +func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) { + var plan secretBackendRoleModel + resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...) + if resp.Diagnostics.HasError() { + return + } + + data, diags := roleData(ctx, plan) + resp.Diagnostics.Append(diags...) + if resp.Diagnostics.HasError() { + return + } + + if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil { + resp.Diagnostics.AddError("failed to create litellm role", err.Error()) + return + } + resp.Diagnostics.Append(r.readInto(ctx, &plan)...) + if resp.Diagnostics.HasError() { + return + } + resp.Diagnostics.Append(resp.State.Set(ctx, plan)...) +} + +func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) { + var state secretBackendRoleModel + resp.Diagnostics.Append(req.State.Get(ctx, &state)...) + if resp.Diagnostics.HasError() { + return + } + + role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString()) + if err != nil { + resp.Diagnostics.AddError("failed to read litellm role", err.Error()) + return + } + if role == nil { + resp.State.RemoveResource(ctx) + return + } + + diags := applyRoleData(ctx, &state, role) + resp.Diagnostics.Append(diags...) + if resp.Diagnostics.HasError() { + return + } + resp.Diagnostics.Append(resp.State.Set(ctx, state)...) +} + +func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) { + var plan secretBackendRoleModel + resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...) + if resp.Diagnostics.HasError() { + return + } + + data, diags := roleData(ctx, plan) + resp.Diagnostics.Append(diags...) + if resp.Diagnostics.HasError() { + return + } + + if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil { + resp.Diagnostics.AddError("failed to update litellm role", err.Error()) + return + } + resp.Diagnostics.Append(r.readInto(ctx, &plan)...) + if resp.Diagnostics.HasError() { + return + } + resp.Diagnostics.Append(resp.State.Set(ctx, plan)...) +} + +func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) { + var state secretBackendRoleModel + resp.Diagnostics.Append(req.State.Get(ctx, &state)...) + if resp.Diagnostics.HasError() { + return + } + if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil { + resp.Diagnostics.AddError("failed to delete litellm role", err.Error()) + return + } +} + +func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) { + // Import ID format: "/roles/". + backend, name, ok := splitRoleID(req.ID) + if !ok { + resp.Diagnostics.AddError( + "invalid import ID", + fmt.Sprintf("expected \"/roles/\", got %q", req.ID), + ) + return + } + resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...) + resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...) +} + +// readInto refreshes the model in place from the backend after a write, so +// computed fields (e.g. key_alias_prefix default) reflect stored values. +func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics { + var diags diag.Diagnostics + role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString()) + if err != nil { + diags.AddError("failed to read back litellm role", err.Error()) + return diags + } + if role == nil { + diags.AddError("role missing after write", "the role was not found immediately after being written") + return diags + } + return applyRoleData(ctx, m, role) +} + +func splitRoleID(id string) (backend, name string, ok bool) { + marker := "/roles/" + idx := strings.LastIndex(id, marker) + if idx <= 0 { + return "", "", false + } + backend = id[:idx] + name = id[idx+len(marker):] + if backend == "" || name == "" { + return "", "", false + } + return backend, name, true +} diff --git a/main.go b/main.go new file mode 100644 index 0000000..523a05f --- /dev/null +++ b/main.go @@ -0,0 +1,28 @@ +package main + +import ( + "context" + "flag" + "log" + + "github.com/hashicorp/terraform-plugin-framework/providerserver" + + "git.unkin.net/unkin/terraform-provider-litellmvaultsecret/internal/provider" +) + +var version = "0.0.1" + +func main() { + var debug bool + flag.BoolVar(&debug, "debug", false, "enable debug mode") + flag.Parse() + + opts := providerserver.ServeOpts{ + Address: "git.unkin.net/unkin/litellmvaultsecret", + Debug: debug, + } + + if err := providerserver.Serve(context.Background(), provider.New(version), opts); err != nil { + log.Fatal(err) + } +} diff --git a/scripts/e2e.sh b/scripts/e2e.sh new file mode 100755 index 0000000..c4fbf0a --- /dev/null +++ b/scripts/e2e.sh @@ -0,0 +1,122 @@ +#!/usr/bin/env bash +# +# End-to-end test for terraform-provider-litellmvaultsecret. +# +# Builds the sibling litellm plugin and this provider, boots Vault + LiteLLM + +# Postgres in Docker, then runs a real `terraform apply` through the provider to +# mount the engine and create a role, and asserts a working virtual key can be +# generated from it. Finally `terraform destroy` and verify the mount is gone. +# +set -euo pipefail + +ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +PLUGIN_REPO="${PLUGIN_REPO:-${ROOT_DIR}/../vault-plugin-secrets-litellm}" +COMPOSE_FILE="${ROOT_DIR}/test/docker-compose.yml" +COMPOSE="docker compose -f ${COMPOSE_FILE}" +TF="${TF:-terraform}" +E2E_DIR="${ROOT_DIR}/test/e2e" +PLUGIN_BIN="vault-plugin-secrets-litellm" +PROVIDER_BIN="terraform-provider-litellmvaultsecret" + +MASTER_KEY="sk-master-e2e-1234" +LITELLM_ADDR="http://127.0.0.1:4000" +export VAULT_ADDR="http://127.0.0.1:8200" +export VAULT_TOKEN="root" + +red() { printf '\033[31m%s\033[0m\n' "$*"; } +green() { printf '\033[32m%s\033[0m\n' "$*"; } +blue() { printf '\033[34m==> %s\033[0m\n' "$*"; } +fail() { red "FAIL: $*"; exit 1; } + +cleanup() { + blue "Cleaning up" + if [ -d "${E2E_DIR}" ]; then + (cd "${E2E_DIR}" && TF_CLI_CONFIG_FILE="${ROOT_DIR}/test/dev.tfrc" "${TF}" destroy -auto-approve >/dev/null 2>&1 || true) + rm -f "${E2E_DIR}"/terraform.tfstate* "${E2E_DIR}"/.terraform.lock.hcl + rm -rf "${E2E_DIR}/.terraform" + fi + ${COMPOSE} down -v >/dev/null 2>&1 || true +} +trap cleanup EXIT + +wait_for() { + local desc="$1"; shift + local retries="${WAIT_RETRIES:-90}" i=0 + until "$@" >/dev/null 2>&1; do + i=$((i + 1)) + [ "$i" -ge "$retries" ] && fail "timed out waiting for ${desc}" + sleep 2 + done + green "ready: ${desc}" +} + +chat_code() { + curl -s -o /dev/null -w '%{http_code}' \ + -H "Authorization: Bearer $1" -H 'Content-Type: application/json' \ + -d "{\"model\":\"$2\",\"messages\":[{\"role\":\"user\",\"content\":\"hi\"}]}" \ + "${LITELLM_ADDR}/chat/completions" +} + +# --------------------------------------------------------------------------- +blue "Building litellm plugin from ${PLUGIN_REPO}" +[ -d "${PLUGIN_REPO}" ] || fail "plugin repo not found at ${PLUGIN_REPO} (set PLUGIN_REPO)" +mkdir -p "${ROOT_DIR}/test/plugins" +( cd "${PLUGIN_REPO}" && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" \ + -o "${ROOT_DIR}/test/plugins/${PLUGIN_BIN}" ./cmd/vault-plugin-secrets-litellm ) + +blue "Building the provider" +( cd "${ROOT_DIR}" && go build -o "${PROVIDER_BIN}" . ) + +blue "Writing terraform dev_overrides config" +cat > "${ROOT_DIR}/test/dev.tfrc" </dev/null + +# --------------------------------------------------------------------------- +blue "terraform apply (mount engine + create role via the provider)" +( cd "${E2E_DIR}" && "${TF}" apply -auto-approve ) +green "apply succeeded" + +blue "Verifying the mount and role exist" +${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \ + || fail "litellm mount not found after apply" +${COMPOSE} exec -T vault vault read litellm/roles/team-a >/dev/null \ + || fail "role team-a not found after apply" +green "mount + role present" + +blue "Generating a virtual key from the terraform-managed role" +KEY="$(${COMPOSE} exec -T vault vault read -field=key litellm/creds/team-a)" +[ -n "${KEY}" ] || fail "no key generated" +green "issued key ${KEY:0:12}..." + +code="$(chat_code "${KEY}" gpt-3.5-turbo)" +[ "${code}" = "200" ] || fail "allowed model returned HTTP ${code}, expected 200" +green "allowed model (gpt-3.5-turbo) accepted" + +code="$(chat_code "${KEY}" gpt-4)" +[ "${code}" != "200" ] || fail "disallowed model unexpectedly succeeded" +green "disallowed model (gpt-4) rejected (HTTP ${code})" + +# --------------------------------------------------------------------------- +blue "terraform destroy (unmount engine)" +( cd "${E2E_DIR}" && "${TF}" destroy -auto-approve ) +${COMPOSE} exec -T vault vault secrets list 2>/dev/null | grep -q '^litellm/' \ + && fail "litellm mount still present after destroy" || true +green "mount removed by destroy" + +green "ALL PROVIDER END-TO-END CHECKS PASSED" diff --git a/test/docker-compose.yml b/test/docker-compose.yml new file mode 100644 index 0000000..8e22b88 --- /dev/null +++ b/test/docker-compose.yml @@ -0,0 +1,57 @@ +# E2E stack for the provider: Postgres + LiteLLM + a Vault dev server with the +# litellm plugin mounted. Bind mounts use ":z" for SELinux (Fedora/RHEL). +services: + postgres: + image: postgres:16-alpine + environment: + POSTGRES_USER: litellm + POSTGRES_PASSWORD: litellm + POSTGRES_DB: litellm + healthcheck: + test: ["CMD-SHELL", "pg_isready -U litellm"] + interval: 3s + timeout: 3s + retries: 20 + + litellm: + image: ghcr.io/berriai/litellm:main-stable + depends_on: + postgres: + condition: service_healthy + environment: + LITELLM_MASTER_KEY: sk-master-e2e-1234 + DATABASE_URL: postgresql://litellm:litellm@postgres:5432/litellm + STORE_MODEL_IN_DB: "True" + command: ["--config", "/app/config.yaml", "--port", "4000"] + volumes: + - ./litellm/config.yaml:/app/config.yaml:ro,z + ports: + - "4000:4000" + healthcheck: + test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:4000/health/liveliness').status==200 else 1)"] + interval: 5s + timeout: 5s + retries: 40 + + vault: + image: hashicorp/vault:1.18 + depends_on: + litellm: + condition: service_healthy + cap_add: + - IPC_LOCK + environment: + VAULT_DEV_ROOT_TOKEN_ID: root + VAULT_ADDR: http://127.0.0.1:8200 + VAULT_TOKEN: root + command: ["server", "-dev", "-dev-listen-address=0.0.0.0:8200", "-config=/vault/vault.hcl"] + volumes: + - ./plugins:/vault/plugins:ro,z + - ./vault/vault.hcl:/vault/vault.hcl:ro,z + ports: + - "8200:8200" + healthcheck: + test: ["CMD", "vault", "status", "-address=http://127.0.0.1:8200"] + interval: 3s + timeout: 3s + retries: 20 diff --git a/test/e2e/main.tf b/test/e2e/main.tf new file mode 100644 index 0000000..53188bb --- /dev/null +++ b/test/e2e/main.tf @@ -0,0 +1,29 @@ +terraform { + required_providers { + litellmvaultsecret = { + source = "git.unkin.net/unkin/litellmvaultsecret" + } + } +} + +provider "litellmvaultsecret" { + address = "http://127.0.0.1:8200" + token = "root" +} + +resource "litellmvaultsecret_secret_backend" "litellm" { + path = "litellm" + description = "LiteLLM dynamic virtual keys (e2e)" + # Reachable from inside the vault container, where the plugin runs. + base_url = "http://litellm:4000" + master_key = "sk-master-e2e-1234" +} + +resource "litellmvaultsecret_secret_backend_role" "team_a" { + backend = litellmvaultsecret_secret_backend.litellm.path + name = "team-a" + models = ["gpt-3.5-turbo"] + max_budget = 10 + ttl = 3600 + max_ttl = 86400 +} diff --git a/test/litellm/config.yaml b/test/litellm/config.yaml new file mode 100644 index 0000000..839ab63 --- /dev/null +++ b/test/litellm/config.yaml @@ -0,0 +1,17 @@ +model_list: + - model_name: gpt-3.5-turbo + litellm_params: + model: openai/gpt-3.5-turbo + api_key: sk-fake-openai-key + mock_response: "hello from the mock model" + - model_name: gpt-4 + litellm_params: + model: openai/gpt-4 + api_key: sk-fake-openai-key + mock_response: "hello from the mock model" + +general_settings: + master_key: sk-master-e2e-1234 + +litellm_settings: + drop_params: true diff --git a/test/vault/vault.hcl b/test/vault/vault.hcl new file mode 100644 index 0000000..1295640 --- /dev/null +++ b/test/vault/vault.hcl @@ -0,0 +1,4 @@ +# Combined with `-dev` so the dev server has a plugin_directory to register the +# litellm plugin binary mounted from ./plugins. +plugin_directory = "/vault/plugins" +api_addr = "http://127.0.0.1:8200"