Files
terraform-provider-litellmv…/internal/provider/resource_secret_backend_role.go
T
unkinben 8ca6c39c66 Add terraform-provider-litellmvaultsecret implementation
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM
dynamic secrets engine on Vault/OpenBao via the Vault API.

- Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend
  (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget,
  ttl/max_ttl in seconds, metadata)
- Unit tests against a mock Vault API
- End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres,
  and runs a real terraform apply/destroy asserting key generation works
- Makefile, woodpecker CI (build/test/pre-commit), examples, README
2026-07-02 23:23:13 +10:00

236 lines
7.6 KiB
Go

package provider
import (
"context"
"fmt"
"strings"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
var (
_ resource.Resource = &secretBackendRoleResource{}
_ resource.ResourceWithImportState = &secretBackendRoleResource{}
)
type secretBackendRoleResource struct {
client *vaultClient
}
type secretBackendRoleModel struct {
Backend types.String `tfsdk:"backend"`
Name types.String `tfsdk:"name"`
Models types.Set `tfsdk:"models"`
MaxBudget types.Float64 `tfsdk:"max_budget"`
KeyAliasPrefix types.String `tfsdk:"key_alias_prefix"`
TTL types.Int64 `tfsdk:"ttl"`
MaxTTL types.Int64 `tfsdk:"max_ttl"`
Metadata types.Map `tfsdk:"metadata"`
}
func NewSecretBackendRoleResource() resource.Resource {
return &secretBackendRoleResource{}
}
func (r *secretBackendRoleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_secret_backend_role"
}
func (r *secretBackendRoleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
Description: "Manages a role on the LiteLLM secrets engine that constrains generated virtual keys.",
Attributes: map[string]schema.Attribute{
"backend": schema.StringAttribute{
Description: "Mount path of the LiteLLM secrets engine.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"name": schema.StringAttribute{
Description: "Name of the role.",
Required: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.RequiresReplace(),
},
},
"models": schema.SetAttribute{
Description: "Models a generated key may access. Empty means unrestricted.",
ElementType: types.StringType,
Optional: true,
},
"max_budget": schema.Float64Attribute{
Description: "Spending limit applied to each generated key. 0 means unlimited.",
Optional: true,
},
"key_alias_prefix": schema.StringAttribute{
Description: "Prefix for the auto-generated key alias.",
Optional: true,
Computed: true,
Default: stringdefault.StaticString("vault"),
},
"ttl": schema.Int64Attribute{
Description: "Default lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"max_ttl": schema.Int64Attribute{
Description: "Maximum lease TTL in seconds for keys generated from this role.",
Optional: true,
},
"metadata": schema.MapAttribute{
Description: "Metadata attached to each generated key.",
ElementType: types.StringType,
Optional: true,
},
},
}
}
func (r *secretBackendRoleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
client, ok := req.ProviderData.(*vaultClient)
if !ok {
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
return
}
r.client = client
}
func (r *secretBackendRoleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to create litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
role, err := r.client.readRole(ctx, state.Backend.ValueString(), state.Name.ValueString())
if err != nil {
resp.Diagnostics.AddError("failed to read litellm role", err.Error())
return
}
if role == nil {
resp.State.RemoveResource(ctx)
return
}
diags := applyRoleData(ctx, &state, role)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
}
func (r *secretBackendRoleResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var plan secretBackendRoleModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
data, diags := roleData(ctx, plan)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.writeRole(ctx, plan.Backend.ValueString(), plan.Name.ValueString(), data); err != nil {
resp.Diagnostics.AddError("failed to update litellm role", err.Error())
return
}
resp.Diagnostics.Append(r.readInto(ctx, &plan)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
}
func (r *secretBackendRoleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
var state secretBackendRoleModel
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
if resp.Diagnostics.HasError() {
return
}
if err := r.client.deleteRole(ctx, state.Backend.ValueString(), state.Name.ValueString()); err != nil {
resp.Diagnostics.AddError("failed to delete litellm role", err.Error())
return
}
}
func (r *secretBackendRoleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
// Import ID format: "<backend>/roles/<name>".
backend, name, ok := splitRoleID(req.ID)
if !ok {
resp.Diagnostics.AddError(
"invalid import ID",
fmt.Sprintf("expected \"<backend>/roles/<name>\", got %q", req.ID),
)
return
}
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("backend"), backend)...)
resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("name"), name)...)
}
// readInto refreshes the model in place from the backend after a write, so
// computed fields (e.g. key_alias_prefix default) reflect stored values.
func (r *secretBackendRoleResource) readInto(ctx context.Context, m *secretBackendRoleModel) diag.Diagnostics {
var diags diag.Diagnostics
role, err := r.client.readRole(ctx, m.Backend.ValueString(), m.Name.ValueString())
if err != nil {
diags.AddError("failed to read back litellm role", err.Error())
return diags
}
if role == nil {
diags.AddError("role missing after write", "the role was not found immediately after being written")
return diags
}
return applyRoleData(ctx, m, role)
}
func splitRoleID(id string) (backend, name string, ok bool) {
marker := "/roles/"
idx := strings.LastIndex(id, marker)
if idx <= 0 {
return "", "", false
}
backend = id[:idx]
name = id[idx+len(marker):]
if backend == "" || name == "" {
return "", "", false
}
return backend, name, true
}