RADAR-6348: Add hcp_vault_radar_secret_manager_vault_dedicated resource. (#1392)

Author: trentdibacco

.changelog/1392.txt

@@ -0,0 +1,4 @@
+```release-note:feature
+Add preview of hcp_vault_radar_secret_manager_vault_dedicated, a new Radar resource to manage integrations with
+HCP Vault Dedicated as a secret manager.
+```

.github/workflows/_testacc_vaultradar.yml

@@ -78,8 +78,11 @@ jobs:
           # RADAR_GITHUB_ENTERPRISE_DOMAIN: ${{ secrets.RADAR_GITHUB_ENTERPRISE_DOMAIN }}
           # RADAR_GITHUB_ENTERPRISE_TOKEN: ${{ secrets.RADAR_GITHUB_ENTERPRISE_TOKEN }}
           # RADAR_GITHUB_ENTERPRISE_TOKEN_2: ${{ secrets.RADAR_GITHUB_ENTERPRISE_TOKEN_2 }}
-          RADAR_HCP_RESOURCE_NAME: "vault-radar/project/4213bd26-e28e-4e89-b298-6a2abcaf26ca/scan-target/GJLCPNqkmmdbTCMCbdcz"
+          RADAR_HCP_RESOURCE_NAME: "vault-radar/project/4213bd26-e28e-4e89-b298-6a2abcaf26ca/scan-target/CnDtkwdQKBzLbjLrWTbf"
           RADAR_RESOURCES_URI_LIKE_FILTER: "git://github.com/vaultradarcv/hcp-terraform-provider-test-resource.git"
+          # RADAR_SM_VAULT_DEDICATED_VAULT_URL: ${{ secrets.RADAR_SM_VAULT_DEDICATED_VAULT_URL }}
+          # RADAR_SM_VAULT_DEDICATED_MOUNT_PATH: ${{ secrets.RADAR_SM_VAULT_DEDICATED_MOUNT_PATH }}
+          # RADAR_SM_VAULT_DEDICATED_ROLE_NAME: ${{ secrets.RADAR_SM_VAULT_DEDICATED_ROLE_NAME}}
         run: |
           go test \
             ./internal/provider/vaultradar \

docs/resources/vault_radar_secret_manager_vault_dedicated.md

@@ -0,0 +1,100 @@
+---
+page_title: "hcp_vault_radar_secret_manager_vault_dedicated Resource - terraform-provider-hcp"
+subcategory: "HCP Vault Radar"
+description: |-
+  This terraform resource manages a HCP Vault Dedicated secret manager in Vault Radar. See Create a Vault policy https://developer.hashicorp.com/hcp/docs/vault-radar/agent/correlate-vault#create-a-vault-policy for details on creating the auth policy required.
+---
+
+# hcp_vault_radar_secret_manager_vault_dedicated (Resource)
+
+-> **Note:** This feature is currently in private beta.
+
+This terraform resource manages a HCP Vault Dedicated secret manager in Vault Radar. See [Create a Vault policy](https://developer.hashicorp.com/hcp/docs/vault-radar/agent/correlate-vault#create-a-vault-policy) for details on creating the auth policy required.
+
+~> **Note:** A Radar agent is required before adding a Radar secret manager resource.
+
+~> **Note:** One of the following authentication methods is required to create a Radar secret manager resource:
+- Kubernetes
+- AppRole
+- Token
+
+~> **Note:** Auth methods need to be configured in the `admin` namespace of the HCP Vault Dedicated cluster.
+
+~> **Note:** Environment variables that correspond to the authentication method being used must be available to the agent.
+
+## Example Usage
+
+```terraform
+# Usage with Kubernetes auth method
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_1" {
+  vault_url = "example-1.hashicorp.cloud:8200"
+  kubernetes = {
+    mount_path = "kubernetes"
+    role_name  = "vault-radar-role"
+  }
+}
+
+# Usage with AppRole (Push) auth method.
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_2" {
+  vault_url = "example-2.hashicorp.cloud:8200"
+  approle_push = {
+    mount_path        = "approle"
+    role_id_env_var   = "VAULT_APPROLE_ROLE_ID"
+    secret_id_env_var = "VAULT_APPROLE_SECRET_ID"
+  }
+}
+
+# Usage with Token auth method
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_3" {
+  vault_url = "example-3.hashicorp.cloud:8200"
+  token = {
+    token_env_var = "VAULT_TOKEN"
+  }
+}
+```
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `vault_url` (String) Specify the URL of the Vault instance without protocol. Example: 'acme-public-vault-abc.def.z1.hashicorp.cloud:8200'.
+
+### Optional
+
+- `access_read_write` (Boolean) Indicates if the auth method has read and write access to the secrets engine. Defaults to false. Set this to true if you want to copy secrets to this secret manager as part of remediation process. (see https://developer.hashicorp.com/hcp/docs/vault-radar/remediate-secrets/copy-secrets)
+- `approle_push` (Attributes) Configuration for AppRole Push-based authentication. Only one authentication method may be configured. (see [below for nested schema](#nestedatt--approle_push))
+- `kubernetes` (Attributes) Configuration for Kubernetes-based authentication. Only one authentication method may be configured. (see [below for nested schema](#nestedatt--kubernetes))
+- `project_id` (String) The ID of the HCP project where Vault Radar is located. If not specified, the project specified in the HCP Provider config block will be used, if configured.
+- `token` (Attributes) Configuration for token-based authentication. Only one authentication method may be configured. (see [below for nested schema](#nestedatt--token))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedatt--approle_push"></a>
+### Nested Schema for `approle_push`
+
+Required:
+
+- `mount_path` (String) Mount path of the AppRole auth method in Vault. Example 'approle'.
+- `role_id_env_var` (String) Environment variable containing the AppRole role ID. Example: 'VAULT_APPROLE_ROLE_ID'.
+- `secret_id_env_var` (String) Environment variable containing the AppRole secret ID. Example: 'VAULT_APPROLE_SECRET_ID'.
+
+
+<a id="nestedatt--kubernetes"></a>
+### Nested Schema for `kubernetes`
+
+Required:
+
+- `mount_path` (String) Mount path where the Kubernetes auth method is enabled in Vault. Example 'kubernetes'.
+- `role_name` (String) Kubernetes authentication role configured in Vault.  Example 'vault-radar-role'.
+
+
+<a id="nestedatt--token"></a>
+### Nested Schema for `token`
+
+Required:
+
+- `token_env_var` (String) Environment variable name containing the Vault token. Example: 'VAULT_TOKEN'.

examples/resources/hcp_vault_radar_secret_manager_vault_dedicated/resource.tf

@@ -0,0 +1,26 @@
+# Usage with Kubernetes auth method
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_1" {
+  vault_url = "example-1.hashicorp.cloud:8200"
+  kubernetes = {
+    mount_path = "kubernetes"
+    role_name  = "vault-radar-role"
+  }
+}
+
+# Usage with AppRole (Push) auth method.
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_2" {
+  vault_url = "example-2.hashicorp.cloud:8200"
+  approle_push = {
+    mount_path        = "approle"
+    role_id_env_var   = "VAULT_APPROLE_ROLE_ID"
+    secret_id_env_var = "VAULT_APPROLE_SECRET_ID"
+  }
+}
+
+# Usage with Token auth method
+resource "hcp_vault_radar_secret_manager_vault_dedicated" "secret_manager_example_3" {
+  vault_url = "example-3.hashicorp.cloud:8200"
+  token = {
+    token_env_var = "VAULT_TOKEN"
+  }
+}

go.mod

@@ -13,14 +13,14 @@ require (
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/go-version v1.7.0
-	github.com/hashicorp/hcp-sdk-go v0.159.0
+	github.com/hashicorp/hcp-sdk-go v0.161.0
 	github.com/hashicorp/terraform-plugin-docs v0.20.1
 	github.com/hashicorp/terraform-plugin-framework v1.15.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.18.0
 	github.com/hashicorp/terraform-plugin-go v0.28.0
 	github.com/hashicorp/terraform-plugin-mux v0.20.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	google.golang.org/grpc v1.72.1
 )
@@ -29,6 +29,17 @@ require (
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.7.1 // indirect
+	github.com/go-openapi/swag/cmdutils v0.24.0 // indirect
+	github.com/go-openapi/swag/conv v0.24.0 // indirect
+	github.com/go-openapi/swag/fileutils v0.24.0 // indirect
+	github.com/go-openapi/swag/jsonname v0.24.0 // indirect
+	github.com/go-openapi/swag/jsonutils v0.24.0 // indirect
+	github.com/go-openapi/swag/loading v0.24.0 // indirect
+	github.com/go-openapi/swag/mangling v0.24.0 // indirect
+	github.com/go-openapi/swag/netutils v0.24.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.24.0 // indirect
+	github.com/go-openapi/swag/typeutils v0.24.0 // indirect
+	github.com/go-openapi/swag/yamlutils v0.24.0 // indirect
 	github.com/hashicorp/cli v1.1.7 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
@@ -63,7 +74,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
-	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/swag v0.24.1 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect

go.sum

@@ -76,8 +76,30 @@ github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9Z
 github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
 github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
 github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
-github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
-github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
+github.com/go-openapi/swag v0.24.1 h1:DPdYTZKo6AQCRqzwr/kGkxJzHhpKxZ9i/oX0zag+MF8=
+github.com/go-openapi/swag v0.24.1/go.mod h1:sm8I3lCPlspsBBwUm1t5oZeWZS0s7m/A+Psg0ooRU0A=
+github.com/go-openapi/swag/cmdutils v0.24.0 h1:KlRCffHwXFI6E5MV9n8o8zBRElpY4uK4yWyAMWETo9I=
+github.com/go-openapi/swag/cmdutils v0.24.0/go.mod h1:uxib2FAeQMByyHomTlsP8h1TtPd54Msu2ZDU/H5Vuf8=
+github.com/go-openapi/swag/conv v0.24.0 h1:ejB9+7yogkWly6pnruRX45D1/6J+ZxRu92YFivx54ik=
+github.com/go-openapi/swag/conv v0.24.0/go.mod h1:jbn140mZd7EW2g8a8Y5bwm8/Wy1slLySQQ0ND6DPc2c=
+github.com/go-openapi/swag/fileutils v0.24.0 h1:U9pCpqp4RUytnD689Ek/N1d2N/a//XCeqoH508H5oak=
+github.com/go-openapi/swag/fileutils v0.24.0/go.mod h1:3SCrCSBHyP1/N+3oErQ1gP+OX1GV2QYFSnrTbzwli90=
+github.com/go-openapi/swag/jsonname v0.24.0 h1:2wKS9bgRV/xB8c62Qg16w4AUiIrqqiniJFtZGi3dg5k=
+github.com/go-openapi/swag/jsonname v0.24.0/go.mod h1:GXqrPzGJe611P7LG4QB9JKPtUZ7flE4DOVechNaDd7Q=
+github.com/go-openapi/swag/jsonutils v0.24.0 h1:F1vE1q4pg1xtO3HTyJYRmEuJ4jmIp2iZ30bzW5XgZts=
+github.com/go-openapi/swag/jsonutils v0.24.0/go.mod h1:vBowZtF5Z4DDApIoxcIVfR8v0l9oq5PpYRUuteVu6f0=
+github.com/go-openapi/swag/loading v0.24.0 h1:ln/fWTwJp2Zkj5DdaX4JPiddFC5CHQpvaBKycOlceYc=
+github.com/go-openapi/swag/loading v0.24.0/go.mod h1:gShCN4woKZYIxPxbfbyHgjXAhO61m88tmjy0lp/LkJk=
+github.com/go-openapi/swag/mangling v0.24.0 h1:PGOQpViCOUroIeak/Uj/sjGAq9LADS3mOyjznmHy2pk=
+github.com/go-openapi/swag/mangling v0.24.0/go.mod h1:Jm5Go9LHkycsz0wfoaBDkdc4CkpuSnIEf62brzyCbhc=
+github.com/go-openapi/swag/netutils v0.24.0 h1:Bz02HRjYv8046Ycg/w80q3g9QCWeIqTvlyOjQPDjD8w=
+github.com/go-openapi/swag/netutils v0.24.0/go.mod h1:WRgiHcYTnx+IqfMCtu0hy9oOaPR0HnPbmArSRN1SkZM=
+github.com/go-openapi/swag/stringutils v0.24.0 h1:i4Z/Jawf9EvXOLUbT97O0HbPUja18VdBxeadyAqS1FM=
+github.com/go-openapi/swag/stringutils v0.24.0/go.mod h1:5nUXB4xA0kw2df5PRipZDslPJgJut+NjL7D25zPZ/4w=
+github.com/go-openapi/swag/typeutils v0.24.0 h1:d3szEGzGDf4L2y1gYOSSLeK6h46F+zibnEas2Jm/wIw=
+github.com/go-openapi/swag/typeutils v0.24.0/go.mod h1:q8C3Kmk/vh2VhpCLaoR2MVWOGP8y7Jc8l82qCTd1DYI=
+github.com/go-openapi/swag/yamlutils v0.24.0 h1:bhw4894A7Iw6ne+639hsBNRHg9iZg/ISrOVr+sJGp4c=
+github.com/go-openapi/swag/yamlutils v0.24.0/go.mod h1:DpKv5aYuaGm/sULePoeiG8uwMpZSfReo1HR3Ik0yaG8=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
@@ -126,8 +148,8 @@ github.com/hashicorp/hc-install v0.9.2 h1:v80EtNX4fCVHqzL9Lg/2xkp62bbvQMnvPQ0G+O
 github.com/hashicorp/hc-install v0.9.2/go.mod h1:XUqBQNnuT4RsxoxiM9ZaUk0NX8hi2h+Lb6/c0OZnC/I=
 github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
 github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
-github.com/hashicorp/hcp-sdk-go v0.159.0 h1:HjftKECqpDbC/IHAUILBBzxpY/0HcBmcXK4Y7jUvcc4=
-github.com/hashicorp/hcp-sdk-go v0.159.0/go.mod h1:K8clI5eI+fPCauEEdcXgnbpkIwtk5BayzYcTyJz/sss=
+github.com/hashicorp/hcp-sdk-go v0.161.0 h1:7DOMGou/w9bd9TgsgiCKZPQwY57Dq+hG+tKEGqbIQ4M=
+github.com/hashicorp/hcp-sdk-go v0.161.0/go.mod h1:v2vbpNIrmgUTelW4Z+ur+aQuSPxeaVK3xytFdpEXvSg=
 github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/terraform-exec v0.23.0 h1:MUiBM1s0CNlRFsCLJuM5wXZrzA3MnPYEsiXmzATMW/I=
@@ -239,8 +261,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=

internal/clients/client.go

@@ -66,6 +66,7 @@ import (
 	radar_connection_service "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-radar/preview/2023-05-01/client/integration_connection_service"
 	radar_subscription_service "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-radar/preview/2023-05-01/client/integration_subscription_service"
 	radar_resource_service "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-radar/preview/2023-05-01/client/resource_service"
+	radar_secret_manager_service "github.com/hashicorp/hcp-sdk-go/clients/cloud-vault-radar/preview/2023-05-01/client/secret_manager_service"
 
 	hcpConfig "github.com/hashicorp/hcp-sdk-go/config"
 	sdk "github.com/hashicorp/hcp-sdk-go/httpclient"
@@ -98,6 +99,7 @@ type Client struct {
 	RadarConnectionService         radar_connection_service.ClientService
 	RadarSubscriptionService       radar_subscription_service.ClientService
 	RadarResourceService           radar_resource_service.ClientService
+	RadarSecretManagerService      radar_secret_manager_service.ClientService
 }
 
 // ClientConfig specifies configuration for the client that interacts with HCP
@@ -202,6 +204,7 @@ func NewClient(config ClientConfig) (*Client, error) {
 		RadarConnectionService:         cloud_vault_radar.New(httpClient, nil).IntegrationConnectionService,
 		RadarSubscriptionService:       cloud_vault_radar.New(httpClient, nil).IntegrationSubscriptionService,
 		RadarResourceService:           cloud_vault_radar.New(httpClient, nil).ResourceService,
+		RadarSecretManagerService:      cloud_vault_radar.New(httpClient, nil).SecretManagerService,
 	}
 
 	return client, nil