8ca6c39c66
Populate the repo with the Terraform/OpenTofu provider that manages the LiteLLM dynamic secrets engine on Vault/OpenBao via the Vault API. - Provider (VAULT_ADDR/VAULT_TOKEN) with resources litellmvaultsecret_secret_backend (mount + config) and litellmvaultsecret_secret_backend_role (models, max_budget, ttl/max_ttl in seconds, metadata) - Unit tests against a mock Vault API - End-to-end test: builds the sibling plugin, boots Vault + LiteLLM + Postgres, and runs a real terraform apply/destroy asserting key generation works - Makefile, woodpecker CI (build/test/pre-commit), examples, README
226 lines
7.5 KiB
Go
226 lines
7.5 KiB
Go
package provider
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/terraform-plugin-framework/path"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
|
|
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
|
|
"github.com/hashicorp/terraform-plugin-framework/types"
|
|
)
|
|
|
|
var (
|
|
_ resource.Resource = &secretBackendResource{}
|
|
_ resource.ResourceWithImportState = &secretBackendResource{}
|
|
)
|
|
|
|
const defaultPluginType = "vault-plugin-secrets-litellm"
|
|
|
|
type secretBackendResource struct {
|
|
client *vaultClient
|
|
}
|
|
|
|
type secretBackendModel struct {
|
|
Path types.String `tfsdk:"path"`
|
|
Plugin types.String `tfsdk:"plugin"`
|
|
Description types.String `tfsdk:"description"`
|
|
BaseURL types.String `tfsdk:"base_url"`
|
|
MasterKey types.String `tfsdk:"master_key"`
|
|
RequestTimeoutSeconds types.Int64 `tfsdk:"request_timeout_seconds"`
|
|
}
|
|
|
|
func NewSecretBackendResource() resource.Resource {
|
|
return &secretBackendResource{}
|
|
}
|
|
|
|
func (r *secretBackendResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
|
|
resp.TypeName = req.ProviderTypeName + "_secret_backend"
|
|
}
|
|
|
|
func (r *secretBackendResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
|
|
resp.Schema = schema.Schema{
|
|
Description: "Mounts the LiteLLM secrets engine and writes its connection config.",
|
|
Attributes: map[string]schema.Attribute{
|
|
"path": schema.StringAttribute{
|
|
Description: "Mount path for the LiteLLM secrets engine (e.g. \"litellm\").",
|
|
Required: true,
|
|
PlanModifiers: []planmodifier.String{
|
|
stringplanmodifier.RequiresReplace(),
|
|
},
|
|
},
|
|
"plugin": schema.StringAttribute{
|
|
Description: "Registered plugin name/type to mount.",
|
|
Optional: true,
|
|
Computed: true,
|
|
Default: stringdefault.StaticString(defaultPluginType),
|
|
PlanModifiers: []planmodifier.String{
|
|
stringplanmodifier.RequiresReplace(),
|
|
},
|
|
},
|
|
"description": schema.StringAttribute{
|
|
Description: "Human-readable description of the mount.",
|
|
Optional: true,
|
|
Computed: true,
|
|
Default: stringdefault.StaticString(""),
|
|
},
|
|
"base_url": schema.StringAttribute{
|
|
Description: "Base URL of the LiteLLM proxy (e.g. http://litellm:4000).",
|
|
Required: true,
|
|
},
|
|
"master_key": schema.StringAttribute{
|
|
Description: "LiteLLM master key used to manage virtual keys.",
|
|
Required: true,
|
|
Sensitive: true,
|
|
},
|
|
"request_timeout_seconds": schema.Int64Attribute{
|
|
Description: "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy.",
|
|
Optional: true,
|
|
Computed: true,
|
|
Default: int64default.StaticInt64(30),
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func (r *secretBackendResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
|
|
if req.ProviderData == nil {
|
|
return
|
|
}
|
|
client, ok := req.ProviderData.(*vaultClient)
|
|
if !ok {
|
|
resp.Diagnostics.AddError("unexpected provider data type", fmt.Sprintf("got %T", req.ProviderData))
|
|
return
|
|
}
|
|
r.client = client
|
|
}
|
|
|
|
func (r *secretBackendResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
|
|
var plan secretBackendModel
|
|
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
mountPath := strings.Trim(plan.Path.ValueString(), "/")
|
|
|
|
err := r.client.enableMount(ctx, mountPath, plan.Plugin.ValueString(), plan.Description.ValueString(), mountConfig{})
|
|
if err != nil {
|
|
if isMountAlreadyExists(err) {
|
|
resp.Diagnostics.AddError(
|
|
"mount path already in use",
|
|
fmt.Sprintf("A secrets engine is already mounted at %q. Import it or choose another path.", mountPath),
|
|
)
|
|
return
|
|
}
|
|
resp.Diagnostics.AddError("failed to enable litellm secrets engine", err.Error())
|
|
return
|
|
}
|
|
|
|
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
|
// Roll back the mount so we don't leave a half-configured engine.
|
|
_ = r.client.disableMount(ctx, mountPath)
|
|
resp.Diagnostics.AddError("failed to write litellm config", err.Error())
|
|
return
|
|
}
|
|
|
|
plan.Path = types.StringValue(mountPath)
|
|
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
|
}
|
|
|
|
func (r *secretBackendResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
|
|
var state secretBackendModel
|
|
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
|
|
|
mount, err := r.client.mountInfo(ctx, mountPath)
|
|
if err != nil {
|
|
resp.Diagnostics.AddError("failed to read mount", err.Error())
|
|
return
|
|
}
|
|
if mount == nil {
|
|
resp.State.RemoveResource(ctx)
|
|
return
|
|
}
|
|
state.Description = types.StringValue(mount.Description)
|
|
if mount.Type != "" {
|
|
state.Plugin = types.StringValue(mount.Type)
|
|
}
|
|
|
|
cfg, err := r.client.readConfig(ctx, mountPath)
|
|
if err != nil {
|
|
resp.Diagnostics.AddError("failed to read litellm config", err.Error())
|
|
return
|
|
}
|
|
if cfg != nil {
|
|
if v, ok := cfg["base_url"].(string); ok {
|
|
state.BaseURL = types.StringValue(v)
|
|
}
|
|
if n, ok := toInt64(cfg["request_timeout_seconds"]); ok {
|
|
state.RequestTimeoutSeconds = types.Int64Value(n)
|
|
}
|
|
}
|
|
// master_key is never returned by the backend; preserve the state value.
|
|
|
|
resp.Diagnostics.Append(resp.State.Set(ctx, state)...)
|
|
}
|
|
|
|
func (r *secretBackendResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
|
|
var plan, state secretBackendModel
|
|
resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
|
|
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
|
|
mountPath := strings.Trim(state.Path.ValueString(), "/")
|
|
|
|
if !plan.Description.Equal(state.Description) {
|
|
if err := r.client.tuneMount(ctx, mountPath, plan.Description.ValueString(), mountConfig{}); err != nil {
|
|
resp.Diagnostics.AddError("failed to tune mount description", err.Error())
|
|
return
|
|
}
|
|
}
|
|
|
|
if err := r.client.writeConfig(ctx, mountPath, r.configData(plan)); err != nil {
|
|
resp.Diagnostics.AddError("failed to update litellm config", err.Error())
|
|
return
|
|
}
|
|
|
|
plan.Path = types.StringValue(mountPath)
|
|
resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
|
|
}
|
|
|
|
func (r *secretBackendResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
|
|
var state secretBackendModel
|
|
resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
|
|
if resp.Diagnostics.HasError() {
|
|
return
|
|
}
|
|
if err := r.client.disableMount(ctx, strings.Trim(state.Path.ValueString(), "/")); err != nil {
|
|
resp.Diagnostics.AddError("failed to disable litellm secrets engine", err.Error())
|
|
return
|
|
}
|
|
}
|
|
|
|
func (r *secretBackendResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
|
|
resource.ImportStatePassthroughID(ctx, path.Root("path"), req, resp)
|
|
}
|
|
|
|
func (r *secretBackendResource) configData(m secretBackendModel) map[string]interface{} {
|
|
return map[string]interface{}{
|
|
"base_url": m.BaseURL.ValueString(),
|
|
"master_key": m.MasterKey.ValueString(),
|
|
"request_timeout_seconds": m.RequestTimeoutSeconds.ValueInt64(),
|
|
}
|
|
}
|