diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2180a2c..cbb6b64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,12 @@
+## v0.15.1
+
+FEATURES:
+
+- Restructured `meshstack_platform` authentication configuration for all platforms.
+- Renamed fields: `user_look_up_strategy` → `user_lookup_strategy`, `service_account_config` → `service_account`.
+- Secrets now use nested `plaintext` field within credential objects.
## v0.15.0
+
FEATURES:
- Support multi select building block inputs.
diff --git a/client/client.go b/client/client.go
index fb657ca..cbad2d5 100644
--- a/client/client.go
+++ b/client/client.go
@@ -111,7 +111,7 @@ func (c *MeshStackProviderClient) login() error {
if err != nil {
return err
} else if res.StatusCode != 200 {
- return errors.New(fmt.Sprintf("Status %d: %s", res.StatusCode, ERROR_AUTHENTICATION_FAILURE))
+ return fmt.Errorf("Status %d: %s", res.StatusCode, ERROR_AUTHENTICATION_FAILURE)
}
defer res.Body.Close()
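Review bot: On the non-200 path the new `fmt.Errorf` return at L26 runs before `defer res.Body.Close()` is registered, so the response body is never closed and the connection cannot be returned to the transport for reuse. Register the close right after the `err != nil` check and then test the status: `defer res.Body.Close()` followed by `if res.StatusCode != 200 { return fmt.Errorf("Status %d: %s", res.StatusCode, ERROR_AUTHENTICATION_FAILURE) }`. Go convention also prefers a lowercase error string (`"status %d: %s"`), though changing the text is only safe if no caller matches on it. login begins and continues outside this hunk.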
diff --git a/client/platform.go b/client/platform.go
index 01500b0..a993c26 100644
--- a/client/platform.go
+++ b/client/platform.go
@@ -39,6 +39,11 @@ type MeshPlatformSpec struct {
QuotaDefinitions []QuotaDefinition `json:"quotaDefinitions" tfsdk:"quota_definitions"`
}
+type SecretEmbedded struct {
+ Plaintext *string `json:"plaintext,omitempty" tfsdk:"plaintext"`
+ // TODO: add Hash field
+}
+
type QuotaDefinition struct {
QuotaKey string `json:"quotaKey" tfsdk:"quota_key"`
MinValue int `json:"minValue" tfsdk:"min_value"`
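Review bot: `SecretEmbedded` is now the type of every access token and client secret in the platform configs, yet it has no doc comment and no redaction, so any `%v`/`%+v` of a containing config struct (a debug log, a wrapped error) prints the plaintext, since fmt honours Stringer on nested exported fields only if one exists. Add a comment and a redacting Stringer: `// SecretEmbedded carries a secret value in plaintext; nil Plaintext means "not set" and is omitted from JSON.` and `func (s SecretEmbedded) String() string { return "SecretEmbedded{<redacted>}" }`; encoding/json ignores Stringer, so the wire format is unchanged. The `// TODO: add Hash field` would be more useful if it said what the hash is for, or pointed at where it is tracked.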
diff --git a/client/platform_config_aks.go b/client/platform_config_aks.go
index 927d119..369650d 100644
--- a/client/platform_config_aks.go
+++ b/client/platform_config_aks.go
@@ -8,7 +8,7 @@ type AksPlatformConfig struct {
}
type AksReplicationConfig struct {
- AccessToken string `json:"accessToken" tfsdk:"access_token"`
+ AccessToken SecretEmbedded `json:"accessToken" tfsdk:"access_token"`
NamespaceNamePattern string `json:"namespaceNamePattern" tfsdk:"namespace_name_pattern"`
GroupNamePattern string `json:"groupNamePattern" tfsdk:"group_name_pattern"`
ServicePrincipal AksServicePrincipalConfig `json:"servicePrincipal" tfsdk:"service_principal"`
@@ -17,16 +17,15 @@ type AksReplicationConfig struct {
AksResourceGroup string `json:"aksResourceGroup" tfsdk:"aks_resource_group"`
RedirectUrl *string `json:"redirectUrl,omitempty" tfsdk:"redirect_url"`
SendAzureInvitationMail bool `json:"sendAzureInvitationMail" tfsdk:"send_azure_invitation_mail"`
- UserLookUpStrategy string `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+ UserLookupStrategy string `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
AdministrativeUnitId *string `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
}
type AksServicePrincipalConfig struct {
- ClientId string `json:"clientId" tfsdk:"client_id"`
- AuthType string `json:"authType" tfsdk:"auth_type"`
- CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
- EntraTenant string `json:"entraTenant" tfsdk:"entra_tenant"`
- ObjectId string `json:"objectId" tfsdk:"object_id"`
+ EntraTenant string `json:"entraTenant" tfsdk:"entra_tenant"`
+ ObjectId string `json:"objectId" tfsdk:"object_id"`
+ ClientId string `json:"clientId" tfsdk:"client_id"`
+ Auth AzureAuthConfig `json:"auth" tfsdk:"auth"`
}
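Review bot: The Go field is renamed to `UserLookupStrategy` here, while the same change in client/platform_config_azure.go (L126) and client/platform_config_azurerg.go (L162) renames only the tfsdk tag and keeps `UserLookUpStrategy`; all three now carry the identical `tfsdk:"user_lookup_strategy"` tag and the unchanged `json:"userLookUpStrategy"`, so behaviour is unaffected but the struct field names diverge. Pick one spelling across the three files. The regenerated docs in this commit also list different accepted values for the attribute, `userPrincipalName` or `email` for Azure (L418) versus `UserByMailLookupStrategy` or `UserByUsernameLookupStrategy` for Azure RG (L473); the diff does not show which matches the API, so this is worth confirming before release. AksReplicationConfig starts before this hunk.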
type AksMeteringConfig struct {
diff --git a/client/platform_config_aws.go b/client/platform_config_aws.go
index a193b09..01805e6 100644
--- a/client/platform_config_aws.go
+++ b/client/platform_config_aws.go
@@ -24,18 +24,23 @@ type AwsReplicationConfig struct {
}
type AwsAccessConfig struct {
- OrganizationRootAccountRole string `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
- OrganizationRootAccountExternalId *string `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
- ServiceUserConfig *AwsServiceUserConfig `json:"serviceUserConfig,omitempty" tfsdk:"service_user_config"`
- WorkloadIdentityConfig *AwsWorkloadIdentityConfig `json:"workloadIdentityConfig,omitempty" tfsdk:"workload_identity_config"`
+ OrganizationRootAccountRole string `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
+ OrganizationRootAccountExternalId *string `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
+ Auth AwsAuth `json:"auth" tfsdk:"auth"`
}
-type AwsServiceUserConfig struct {
- AccessKey string `json:"accessKey" tfsdk:"access_key"`
- SecretKey string `json:"secretKey" tfsdk:"secret_key"`
+type AwsAuth struct {
+ Type string `json:"type" tfsdk:"type"`
+ Credential *AwsServiceUserCredential `json:"credential,omitempty" tfsdk:"credential"`
+ WorkloadIdentity *AwsWorkloadIdentityCredential `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
}
-type AwsWorkloadIdentityConfig struct {
+type AwsServiceUserCredential struct {
+ AccessKey string `json:"accessKey" tfsdk:"access_key"`
+ SecretKey SecretEmbedded `json:"secretKey" tfsdk:"secret_key"`
+}
+
+type AwsWorkloadIdentityCredential struct {
RoleArn string `json:"roleArn" tfsdk:"role_arn"`
}
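Review bot: `AwsAuth.Type` is a free-form string and `Credential` and `WorkloadIdentity` are both optional pointers, so nothing in the type expresses that exactly one of them belongs to a given `Type`, and the accepted discriminator values are not named anywhere in the Go code. If they are `credential` and `workloadIdentity` as the regenerated docs state, declare them once as constants (e.g. `const AuthTypeCredential = "credential"`) so provider code and tests do not repeat string literals; `AzureAuthConfig` (client/platform_config_azure.go L141) and `GcpServiceAccountConfig` (client/platform_config_gcp.go L187) have the same shape and would share them. Note also that `AwsServiceUserCredential.SecretKey` is a value-typed `SecretEmbedded` without omitempty, so an unset secret marshals as `"secretKey":{}` rather than being omitted, unlike the `Credential *SecretEmbedded` pointer used for Azure and GCP; confirm the API accepts an empty object there. The new exported types `AwsAuth`, `AwsServiceUserCredential` and `AwsWorkloadIdentityCredential` also lack doc comments.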
@@ -43,7 +48,7 @@ type AwsSsoConfig struct {
ScimEndpoint string `json:"scimEndpoint" tfsdk:"scim_endpoint"`
Arn string `json:"arn" tfsdk:"arn"`
GroupNamePattern string `json:"groupNamePattern" tfsdk:"group_name_pattern"`
- SsoAccessToken string `json:"ssoAccessToken" tfsdk:"sso_access_token"`
+ SsoAccessToken SecretEmbedded `json:"ssoAccessToken" tfsdk:"sso_access_token"`
AwsRoleMappings []AwsSsoRoleMapping `json:"awsRoleMappings" tfsdk:"aws_role_mappings"`
SignInUrl string `json:"signInUrl" tfsdk:"sign_in_url"`
}
diff --git a/client/platform_config_azure.go b/client/platform_config_azure.go
index 6541a42..2d0375d 100644
--- a/client/platform_config_azure.go
+++ b/client/platform_config_azure.go
@@ -16,23 +16,26 @@ type AzureReplicationConfig struct {
BlueprintLocation string `json:"blueprintLocation" tfsdk:"blueprint_location"`
AzureRoleMappings []AzureRoleMapping `json:"azureRoleMappings" tfsdk:"azure_role_mappings"`
TenantTags *MeshTenantTags `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
- UserLookUpStrategy string `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+ UserLookUpStrategy string `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
SkipUserGroupPermissionCleanup bool `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
AdministrativeUnitId *string `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
AllowHierarchicalManagementGroupAssignment bool `json:"allowHierarchicalManagementGroupAssignment" tfsdk:"allow_hierarchical_management_group_assignment"`
}
type AzureServicePrincipalConfig struct {
- ClientId string `json:"clientId" tfsdk:"client_id"`
- AuthType string `json:"authType" tfsdk:"auth_type"`
- CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
- ObjectId string `json:"objectId" tfsdk:"object_id"`
+ ClientId string `json:"clientId" tfsdk:"client_id"`
+ ObjectId string `json:"objectId" tfsdk:"object_id"`
+ Auth AzureAuthConfig `json:"auth" tfsdk:"auth"`
+}
+
+type AzureAuthConfig struct {
+ Type string `json:"type" tfsdk:"type"`
+ Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
}
type AzureGraphApiCredentials struct {
- ClientId string `json:"clientId" tfsdk:"client_id"`
- AuthType string `json:"authType" tfsdk:"auth_type"`
- CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
+ ClientId string `json:"clientId" tfsdk:"client_id"`
+ Auth AzureAuthConfig `json:"auth" tfsdk:"auth"`
}
type AzureSubscriptionProvisioningConfig struct {
diff --git a/client/platform_config_azurerg.go b/client/platform_config_azurerg.go
index d553f56..e984d30 100644
--- a/client/platform_config_azurerg.go
+++ b/client/platform_config_azurerg.go
@@ -11,7 +11,7 @@ type AzureRgReplicationConfig struct {
ResourceGroupNamePattern string `json:"resourceGroupNamePattern" tfsdk:"resource_group_name_pattern"`
UserGroupNamePattern string `json:"userGroupNamePattern" tfsdk:"user_group_name_pattern"`
B2bUserInvitation *AzureInviteB2BUserConfig `json:"b2bUserInvitation,omitempty" tfsdk:"b2b_user_invitation"`
- UserLookUpStrategy string `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+ UserLookUpStrategy string `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
TenantTags *MeshTenantTags `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
SkipUserGroupPermissionCleanup bool `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
AdministrativeUnitId *string `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
diff --git a/client/platform_config_gcp.go b/client/platform_config_gcp.go
index 4812173..83cc037 100644
--- a/client/platform_config_gcp.go
+++ b/client/platform_config_gcp.go
@@ -6,7 +6,7 @@ type GcpPlatformConfig struct {
}
type GcpReplicationConfig struct {
- ServiceAccountConfig GcpServiceAccountConfig `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+ ServiceAccount GcpServiceAccountConfig `json:"serviceAccount" tfsdk:"service_account"`
Domain string `json:"domain" tfsdk:"domain"`
CustomerId string `json:"customerId" tfsdk:"customer_id"`
GroupNamePattern string `json:"groupNamePattern" tfsdk:"group_name_pattern"`
@@ -22,12 +22,9 @@ type GcpReplicationConfig struct {
}
type GcpServiceAccountConfig struct {
- ServiceAccountCredentialsConfig *GcpServiceAccountCredentialsConfig `json:"serviceAccountCredentialsConfig,omitempty" tfsdk:"service_account_credentials_config"`
- ServiceAccountWorkloadIdentityConfig *GcpServiceAccountWorkloadIdentityConfig `json:"serviceAccountWorkloadIdentityConfig,omitempty" tfsdk:"service_account_workload_identity_config"`
-}
-
-type GcpServiceAccountCredentialsConfig struct {
- ServiceAccountCredentialsB64 string `json:"serviceAccountCredentialsB64" tfsdk:"service_account_credentials_b64"`
+ Type string `json:"type" tfsdk:"type"`
+ Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
+ WorkloadIdentity *GcpServiceAccountWorkloadIdentityConfig `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
}
type GcpServiceAccountWorkloadIdentityConfig struct {
@@ -41,7 +38,7 @@ type GcpPlatformRoleMapping struct {
}
type GcpMeteringConfig struct {
- ServiceAccountConfig GcpServiceAccountConfig `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+ ServiceAccount GcpServiceAccountConfig `json:"serviceAccount" tfsdk:"service_account"`
BigqueryTable string `json:"bigqueryTable" tfsdk:"bigquery_table"`
BigqueryTableForCarbonFootprint *string `json:"bigqueryTableForCarbonFootprint,omitempty" tfsdk:"bigquery_table_for_carbon_footprint"`
CarbonFootprintDataCollectionStartMonth *string `json:"carbonFootprintDataCollectionStartMonth,omitempty" tfsdk:"carbon_footprint_data_collection_start_month"`
diff --git a/client/platform_config_kubernetes.go b/client/platform_config_kubernetes.go
index 72b0d96..893ba2d 100644
--- a/client/platform_config_kubernetes.go
+++ b/client/platform_config_kubernetes.go
@@ -13,7 +13,7 @@ type KubernetesReplicationConfig struct {
}
type KubernetesClientConfig struct {
- AccessToken string `json:"accessToken" tfsdk:"access_token"`
+ AccessToken SecretEmbedded `json:"accessToken" tfsdk:"access_token"`
}
type KubernetesMeteringConfig struct {
diff --git a/client/platform_config_openshift.go b/client/platform_config_openshift.go
index 2dc05c7..1dcf722 100644
--- a/client/platform_config_openshift.go
+++ b/client/platform_config_openshift.go
@@ -12,7 +12,7 @@ type OpenShiftReplicationConfig struct {
WebConsoleUrl *string `json:"webConsoleUrl,omitempty" tfsdk:"web_console_url"`
ProjectNamePattern string `json:"projectNamePattern" tfsdk:"project_name_pattern"`
EnableTemplateInstantiation bool `json:"enableTemplateInstantiation" tfsdk:"enable_template_instantiation"`
- OpenShiftRoleMappings []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
+ OpenshiftRoleMappings []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
IdentityProviderName string `json:"identityProviderName" tfsdk:"identity_provider_name"`
TenantTags *MeshTenantTags `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
}
@@ -24,5 +24,5 @@ type OpenShiftMeteringConfig struct {
type OpenShiftPlatformRoleMapping struct {
MeshProjectRoleRef MeshProjectRoleRefV2 `json:"projectRoleRef" tfsdk:"project_role_ref"`
- OpenShiftRole string `json:"openshiftRole" tfsdk:"openshift_role"`
+ OpenshiftRole string `json:"openshiftRole" tfsdk:"openshift_role"`
}
diff --git a/docs/data-sources/platform.md b/docs/data-sources/platform.md
index a245079..510e1c5 100644
--- a/docs/data-sources/platform.md
+++ b/docs/data-sources/platform.md
@@ -111,7 +111,15 @@ Read-Only:
Read-Only:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--aks--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.aks.metering.client_config.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -129,7 +137,7 @@ Read-Only:
Read-Only:
-- `access_token` (String) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--aks--replication--access_token))
- `administrative_unit_id` (String) If you enter an administrative unit ID the replicated (and potentially existing) groups will be put into this AU. This can be used to limit the permission scopes which are required for the replicator principal. If you remove the AU ID again or change it, the groups will not be removed from the old AU.
- `aks_cluster_name` (String) Name of the AKS cluster
- `aks_resource_group` (String) Resource group for the AKS cluster
@@ -139,19 +147,43 @@ Read-Only:
- `redirect_url` (String) This is the URL that Azure’s consent experience redirects users to after they accept their invitation.
- `send_azure_invitation_mail` (Boolean) Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.
- `service_principal` (Attributes) Service principal configuration for AKS (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal))
-- `user_look_up_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
+
+
+### Nested Schema for `spec.config.aks.replication.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
### Nested Schema for `spec.config.aks.replication.service_principal`
Read-Only:
-- `auth_type` (String) Authentication type for the service principal (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID'.
-- `credentials_auth_client_secret` (String) Client secret for the service principal (if `authType` is `CREDENTIALS`)
- `entra_tenant` (String) Domain name or ID of the Entra Tenant that holds the Service Principal.
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.aks.replication.service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.aks.replication.service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
+
@@ -180,22 +212,38 @@ Read-Only:
Read-Only:
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth))
- `organization_root_account_external_id` (String) ExternalId for the organization root account role
- `organization_root_account_role` (String) ARN of the Management Account Role
-- `service_user_config` (Attributes) Service user configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--service_user_config))
-- `workload_identity_config` (Attributes) Workload identity configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--workload_identity_config))
-
-### Nested Schema for `spec.config.aws.metering.access_config.service_user_config`
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth`
+
+Read-Only:
+
+- `credential` (Attributes) Service user credential configuration (if type is credential) (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+- `workload_identity` (Attributes) Workload identity configuration (if type is workloadIdentity) (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--workload_identity))
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.credential`
Read-Only:
- `access_key` (String) AWS access key
-- `secret_key` (String, Sensitive) AWS secret key
+- `secret_key` (Attributes, Sensitive) AWS secret key (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--credential--secret_key))
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.credential.secret_key`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.aws.metering.access_config.workload_identity_config`
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.workload_identity`
Read-Only:
@@ -203,6 +251,7 @@ Read-Only:
+
### Nested Schema for `spec.config.aws.metering.processing`
@@ -238,22 +287,38 @@ Read-Only:
Read-Only:
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth))
- `organization_root_account_external_id` (String) ExternalId to enhance security in a multi account setup when assuming the organization root account role.
- `organization_root_account_role` (String) ARN of the Management Account Role. The Management Account contains your AWS organization. E.g. arn:aws:iam::123456789:role/MeshfedServiceRole.
-- `service_user_config` (Attributes) Service user configuration (alternative to `workload_identity_config`) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--service_user_config))
-- `workload_identity_config` (Attributes) Workload identity configuration (alternative to `service_user_config`) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--workload_identity_config))
-
-### Nested Schema for `spec.config.aws.replication.access_config.service_user_config`
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth`
+
+Read-Only:
+
+- `credential` (Attributes) Service user credential configuration (if type is credential) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+- `workload_identity` (Attributes) Workload identity configuration (if type is workloadIdentity) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--workload_identity))
+
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.credential`
Read-Only:
- `access_key` (String) AWS access key for service user
-- `secret_key` (String) AWS secret key for service user
+- `secret_key` (Attributes, Sensitive) AWS secret key (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--credential--secret_key))
+
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.credential.secret_key`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
-
-### Nested Schema for `spec.config.aws.replication.access_config.workload_identity_config`
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.workload_identity`
Read-Only:
@@ -261,6 +326,7 @@ Read-Only:
+
### Nested Schema for `spec.config.aws.replication.aws_sso`
@@ -271,7 +337,7 @@ Read-Only:
- `group_name_pattern` (String) Configures the pattern that defines the desired name of AWS IAM Identity Center groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix, which is configurable via Role Mappings in this platform config or via a meshLandingZone. Operators must ensure the group names will be unique within the same AWS IAM Identity Center Instance with that configuration. meshStack will additionally prefix the group name with 'mst-' to be able to identify the groups that are managed by meshStack.
- `scim_endpoint` (String) The SCIM endpoint you can find in your AWS IAM Identity Center Automatic provisioning config.
- `sign_in_url` (String) The AWS IAM Identity Center sign in Url, that must be used by end-users to log in via AWS IAM Identity Center to AWS Management Console.
-- `sso_access_token` (String) The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center.
+- `sso_access_token` (Attributes, Sensitive) The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center. (see [below for nested schema](#nestedatt--spec--config--aws--replication--aws_sso--sso_access_token))
### Nested Schema for `spec.config.aws.replication.aws_sso.aws_role_mappings`
@@ -295,6 +361,14 @@ Read-Only:
+
+### Nested Schema for `spec.config.aws.replication.aws_sso.sso_access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
### Nested Schema for `spec.config.aws.replication.enrollment_configuration`
@@ -356,11 +430,27 @@ Read-Only:
Read-Only:
-- `auth_type` (String) Authentication type (CREDENTIALS or WORKLOAD_IDENTITY)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--metering--service_principal--auth))
- `client_id` (String) The Application (Client) ID
-- `credentials_auth_client_secret` (String, Sensitive) Client secret (if authType is CREDENTIALS)
- `object_id` (String) The Object ID of the Enterprise Application
+
+### Nested Schema for `spec.config.azure.metering.service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--metering--service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.metering.service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
+
@@ -380,7 +470,7 @@ Read-Only:
- `skip_user_group_permission_cleanup` (Boolean) Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
- `subscription_name_pattern` (String) Configures the pattern that defines the desired name of Azure Subscriptions managed by meshStack.
- `tenant_tags` (Attributes) Tenant tagging configuration. (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
### Nested Schema for `spec.config.azure.replication.azure_role_mappings`
@@ -447,9 +537,25 @@ Read-Only:
Read-Only:
-- `auth_type` (String) Must be one of `CREDENTIALS` or `WORKLOAD_IDENTITY`. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning--customer_agreement--source_service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the "Enterprise Application" but can also be retrieved via the "App Registration" object as "Application (Client) ID".
-- `credentials_auth_client_secret` (String) Must be set if and only if authType is CREDENTIALS. A valid secret for accessing the application. In Azure Portal, this can be configured on the "App Registration" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)
+
+
+### Nested Schema for `spec.config.azure.replication.provisioning.customer_agreement.source_service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning--customer_agreement--source_service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.replication.provisioning.customer_agreement.source_service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
@@ -478,11 +584,27 @@ Read-Only:
Read-Only:
-- `auth_type` (String) Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID
-- `credentials_auth_client_secret` (String) Client secret (if authType is `CREDENTIALS`)
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.azure.replication.service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.replication.service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
+
### Nested Schema for `spec.config.azure.replication.tenant_tags`
@@ -526,7 +648,7 @@ Read-Only:
- `subscription` (String) The Subscription that will contain all the created Resource Groups. Once you set the Subscription, you must not change it.
- `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--tenant_tags))
- `user_group_name_pattern` (String) Configures the pattern that defines the desired name of AAD groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix. This suffix is configurable via Role Mappings in this platform config.
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) User lookup strategy (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
### Nested Schema for `spec.config.azurerg.replication.b2b_user_invitation`
@@ -542,11 +664,27 @@ Read-Only:
Read-Only:
-- `auth_type` (String) Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID
-- `credentials_auth_client_secret` (String) Client secret (if authType is `CREDENTIALS`)
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.azurerg.replication.service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azurerg.replication.service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
+
### Nested Schema for `spec.config.azurerg.replication.tenant_tags`
@@ -587,7 +725,7 @@ Read-Only:
- `carbon_footprint_data_collection_start_month` (String) Start month for carbon footprint data collection
- `partition_time_column` (String) Partition time column name
- `processing` (Attributes) Processing configuration for metering (see [below for nested schema](#nestedatt--spec--config--gcp--metering--processing))
-- `service_account_config` (Attributes) Service account configuration for GCP metering (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config))
+- `service_account` (Attributes) Service account configuration for GCP metering (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account))
### Nested Schema for `spec.config.gcp.metering.processing`
@@ -598,24 +736,25 @@ Read-Only:
- `delete_raw_data_after_days` (Number) Number of days after which raw data should be deleted.
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account`
Read-Only:
-- `service_account_credentials_config` (Attributes) Service account credentials configuration (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config--service_account_credentials_config))
-- `service_account_workload_identity_config` (Attributes) Service account workload identity configuration (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config--service_account_workload_identity_config))
+- `credential` (Attributes, Sensitive) Base64 encoded service account credentials (if type supports it) (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account--credential))
+- `type` (String) Service account type
+- `workload_identity` (Attributes) Workload identity configuration (if type supports it) (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account--workload_identity))
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config.service_account_credentials_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account.credential`
Read-Only:
-- `service_account_credentials_b64` (String, Sensitive) Base64 encoded service account credentials
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config.service_account_workload_identity_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account.workload_identity`
Read-Only:
@@ -638,7 +777,7 @@ Read-Only:
- `group_name_pattern` (String) All the commonly available replicator string template properties are available. Additionally you can also use 'platformGroupAlias' as a placeholder to access the specific project role from the role mappings done in this platform configuration or in the meshLandingZone configuration.
- `project_id_pattern` (String) All the commonly available replicator string template properties are available. The resulting string must not exceed a total length of 30 characters. Only alphanumeric + hyphen are allowed. We recommend that configuration include at least 3 characters of the random parameter to reduce the chance of naming collisions as the project Ids must be globally unique within GCP.
- `project_name_pattern` (String) All the commonly available replicator string template properties are available. The result must be 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point. When length restrictions are applied, the abbreviation will be in the middle and marked by a single-quote.
-- `service_account_config` (Attributes) Service account configuration. Either `serviceAccountCredentialsConfig` or `serviceAccountWorkloadIdentityConfig` must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config))
+- `service_account` (Attributes) Service account configuration. Either credential or workload_identity must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account))
- `skip_user_group_permission_cleanup` (Boolean) For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the GCP platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
- `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--gcp--replication--tenant_tags))
- `used_external_id_type` (String) The type of external ID used for user lookup.
@@ -665,24 +804,25 @@ Read-Only:
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config`
+
+### Nested Schema for `spec.config.gcp.replication.service_account`
Read-Only:
-- `service_account_credentials_config` (Attributes) Service account credentials configuration (alternative to serviceAccountWorkloadIdentityConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config--service_account_credentials_config))
-- `service_account_workload_identity_config` (Attributes) Service account workload identity configuration (alternative to serviceAccountCredentialsConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config--service_account_workload_identity_config))
+- `credential` (Attributes, Sensitive) Base64 encoded credentials.json file for a GCP ServiceAccount (if type supports it). The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.). (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account--credential))
+- `type` (String) Service account type
+- `workload_identity` (Attributes) Workload identity configuration (if type supports it) (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account--workload_identity))
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config.service_account_credentials_config`
+
+### Nested Schema for `spec.config.gcp.replication.service_account.credential`
Read-Only:
-- `service_account_credentials_b64` (String, Sensitive) Base64 encoded credentials.json file for a GCP ServiceAccount. The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.).
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config.service_account_workload_identity_config`
+
+### Nested Schema for `spec.config.gcp.replication.service_account.workload_identity`
Read-Only:
@@ -727,13 +867,31 @@ Read-Only:
Read-Only:
- `client_config` (Attributes) Client configuration for Kubernetes metering (see [below for nested schema](#nestedatt--spec--config--kubernetes--metering--client_config))
+- `processing` (Attributes) Processing configuration for metering (see [below for nested schema](#nestedatt--spec--config--kubernetes--metering--processing))
### Nested Schema for `spec.config.kubernetes.metering.client_config`
Read-Only:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--kubernetes--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.kubernetes.metering.client_config.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
+
+
+### Nested Schema for `spec.config.kubernetes.metering.processing`
+
+Read-Only:
+
+- `compact_timelines_after_days` (Number) Number of days after which timelines should be compacted.
+- `delete_raw_data_after_days` (Number) Number of days after which raw data should be deleted.
@@ -750,7 +908,15 @@ Read-Only:
Read-Only:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--kubernetes--replication--client_config--access_token))
+
+
+### Nested Schema for `spec.config.kubernetes.replication.client_config.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -778,7 +944,15 @@ Read-Only:
Read-Only:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--openshift--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.openshift.metering.client_config.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -809,7 +983,15 @@ Read-Only:
Read-Only:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes, Sensitive) The access token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--openshift--replication--client_config--access_token))
+
+
+### Nested Schema for `spec.config.openshift.replication.client_config.access_token`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
diff --git a/docs/resources/platform.md b/docs/resources/platform.md
index f6f0be9..c2191bc 100644
--- a/docs/resources/platform.md
+++ b/docs/resources/platform.md
@@ -49,10 +49,13 @@ resource "meshstack_platform" "example" {
replication = {
service_principal = {
- client_id = "58d6f907-7b0e-4fd8-b328-3e8342dddc8d"
- auth_type = "CREDENTIALS"
- credentials_auth_client_secret = "mesh/hidden-secret"
- object_id = "3c305efe-625d-4eaf-9bfa-b981ddbcc99f"
+ client_id = "58d6f907-7b0e-4fd8-b328-3e8342dddc8d"
+ object_id = "3c305efe-625d-4eaf-9bfa-b981ddbcc99f"
+ auth = {
+ credential = {
+ plaintext = "your-client-secret-here"
+ }
+ }
}
provisioning = {
@@ -140,7 +143,7 @@ resource "meshstack_platform" "example" {
]
}
- user_look_up_strategy = "UserByMailLookupStrategy"
+ user_lookup_strategy = "UserByMailLookupStrategy"
skip_user_group_permission_cleanup = false
allow_hierarchical_management_group_assignment = false
}
@@ -194,9 +197,9 @@ Required:
Optional:
-- `contributing_workspaces` (List of String) A list of workspace identifiers that may contribute to this meshPlatform.
+- `contributing_workspaces` (Set of String) A list of workspace identifiers that may contribute to this meshPlatform.
- `documentation_url` (String) URL for platform documentation.
-- `quota_definitions` (List of Object) List of quota definitions for the platform. (see [below for nested schema](#nestedatt--spec--quota_definitions))
+- `quota_definitions` (Set of Object) List of quota definitions for the platform. (see [below for nested schema](#nestedatt--spec--quota_definitions))
- `support_url` (String) URL for platform support documentation.
@@ -209,7 +212,7 @@ Required:
Optional:
-- `restricted_to_workspaces` (List of String) If the restriction is set to `RESTRICTED`, you can specify the workspace identifiers this meshPlatform is restricted to.
+- `restricted_to_workspaces` (Set of String) If the restriction is set to `RESTRICTED`, you can specify the workspace identifiers this meshPlatform is restricted to.
@@ -234,11 +237,11 @@ Read-Only:
Required:
-- `base_url` (String) Base URL of the AKS cluster
+- `base_url` (String) This is the base URL to your AKS cluster, which is used to call the APIs to create new AKS tenants, get raw data for metering the AKS tenants, etc. An example base URL is: https://myaks-dns.westeurope.azmk8s.io:443
Optional:
-- `disable_ssl_validation` (Boolean) Flag to disable SSL validation for the AKS cluster. (SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.)
+- `disable_ssl_validation` (Boolean) Flag to disable SSL validation for the AKS cluster. SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.
- `metering` (Attributes) Metering configuration for AKS (optional, but required for metering) (see [below for nested schema](#nestedatt--spec--config--aks--metering))
- `replication` (Attributes) Replication configuration for AKS (optional, but required for replication) (see [below for nested schema](#nestedatt--spec--config--aks--replication))
@@ -255,7 +258,15 @@ Required:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--aks--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.aks.metering.client_config.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -273,7 +284,7 @@ Optional:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--aks--replication--access_token))
- `aks_cluster_name` (String) Name of the AKS cluster.
- `aks_resource_group` (String) Resource group for the AKS cluster
- `aks_subscription_id` (String) Subscription ID for the AKS cluster
@@ -281,26 +292,50 @@ Required:
- `namespace_name_pattern` (String) Pattern for naming namespaces in AKS
- `send_azure_invitation_mail` (Boolean) Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.
- `service_principal` (Attributes) Service principal configuration for AKS (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal))
-- `user_look_up_strategy` (String) Strategy for user lookup in Azure (`userPrincipalName` or `email`)
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`)
Optional:
- `administrative_unit_id` (String) If you enter an administrative unit ID the replicated (and potentially existing) groups will be put into this AU. This can be used to limit the permission scopes which are required for the replicator principal. If you remove the AU ID again or change it, the groups will not be removed from the old AU.
- `redirect_url` (String) This is the URL that Azure's consent experience redirects users to after they accept their invitation.
+
+### Nested Schema for `spec.config.aks.replication.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
### Nested Schema for `spec.config.aks.replication.service_principal`
Required:
-- `auth_type` (String) Authentication type for the service principal (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID'.
- `entra_tenant` (String) Domain name or ID of the Entra Tenant that holds the Service Principal.
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.aks.replication.service_principal.auth`
+
Optional:
-- `credentials_auth_client_secret` (String, Sensitive) Client secret for the service principal (if `authType` is `CREDENTIALS`)
+- `credential` (Attributes) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--aks--replication--service_principal--auth--credential))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.aks.replication.service_principal.auth.credential`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
@@ -330,25 +365,44 @@ Required:
Required:
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth))
- `organization_root_account_role` (String) ARN of the Management Account Role. The Management Account contains your AWS organization. E.g. `arn:aws:iam::123456789:role/MeshfedServiceRole`.
Optional:
- `organization_root_account_external_id` (String) ExternalId to enhance security in a multi account setup when assuming the organization root account role.
-- `service_user_config` (Attributes) Service user configuration (alternative to `workload_identity_config`) (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--service_user_config))
-- `workload_identity_config` (Attributes) Workload identity configuration (alternative to `service_user_config`) (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--workload_identity_config))
-
-### Nested Schema for `spec.config.aws.metering.access_config.service_user_config`
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth`
+
+Optional:
+
+- `credential` (Attributes) Service user credential configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--credential))
+- `workload_identity` (Attributes) Workload identity configuration (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--workload_identity))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.credential`
Required:
- `access_key` (String) AWS access key for service user
-- `secret_key` (String, Sensitive) AWS secret key for service user
+- `secret_key` (Attributes) AWS secret key for service user (see [below for nested schema](#nestedatt--spec--config--aws--metering--access_config--auth--credential--secret_key))
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.credential.secret_key`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.aws.metering.access_config.workload_identity_config`
+
+
+### Nested Schema for `spec.config.aws.metering.access_config.auth.workload_identity`
Required:
@@ -356,6 +410,7 @@ Required:
+
### Nested Schema for `spec.config.aws.metering.processing`
@@ -394,25 +449,44 @@ Optional:
Required:
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth))
- `organization_root_account_role` (String) ARN of the Management Account Role. The Management Account contains your AWS organization. E.g. `arn:aws:iam::123456789:role/MeshfedServiceRole`.
Optional:
- `organization_root_account_external_id` (String) ExternalId to enhance security in a multi account setup when assuming the organization root account role.
-- `service_user_config` (Attributes) Service user configuration (alternative to `workload_identity_config`) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--service_user_config))
-- `workload_identity_config` (Attributes) Workload identity configuration (alternative to `service_user_config`) (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--workload_identity_config))
-
-### Nested Schema for `spec.config.aws.replication.access_config.service_user_config`
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth`
+
+Optional:
+
+- `credential` (Attributes) Service user credential configuration (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--credential))
+- `workload_identity` (Attributes) Workload identity configuration (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--workload_identity))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.credential`
Required:
- `access_key` (String) AWS access key for service user
-- `secret_key` (String, Sensitive) AWS secret key for service user
+- `secret_key` (Attributes) AWS secret key for service user (see [below for nested schema](#nestedatt--spec--config--aws--replication--access_config--auth--credential--secret_key))
+
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.credential.secret_key`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
-
-### Nested Schema for `spec.config.aws.replication.access_config.workload_identity_config`
+
+### Nested Schema for `spec.config.aws.replication.access_config.auth.workload_identity`
Required:
@@ -420,6 +494,7 @@ Required:
+
### Nested Schema for `spec.config.aws.replication.aws_sso`
@@ -433,7 +508,7 @@ Optional:
- `aws_role_mappings` (Attributes List) AWS role mappings for AWS SSO (see [below for nested schema](#nestedatt--spec--config--aws--replication--aws_sso--aws_role_mappings))
- `sign_in_url` (String) The AWS IAM Identity Center sign in Url, that must be used by end-users to log in via AWS IAM Identity Center to AWS Management Console.
-- `sso_access_token` (String, Sensitive) The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center.
+- `sso_access_token` (Attributes) The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center. (see [below for nested schema](#nestedatt--spec--config--aws--replication--aws_sso--sso_access_token))
### Nested Schema for `spec.config.aws.replication.aws_sso.aws_role_mappings`
@@ -460,6 +535,14 @@ Read-Only:
+
+### Nested Schema for `spec.config.aws.replication.aws_sso.sso_access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
### Nested Schema for `spec.config.aws.replication.enrollment_configuration`
@@ -475,7 +558,7 @@ Required:
Required:
-- `namespace_prefix` (String) Namespace prefix for tenant tags
+- `namespace_prefix` (String) This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.
Optional:
@@ -527,13 +610,29 @@ Optional:
Required:
-- `auth_type` (String) Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--metering--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.azure.metering.service_principal.auth`
+
Optional:
-- `credentials_auth_client_secret` (String, Sensitive) Client secret (if authType is `CREDENTIALS`)
+- `credential` (Attributes) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--metering--service_principal--auth--credential))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.metering.service_principal.auth.credential`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
@@ -549,7 +648,7 @@ Required:
- `service_principal` (Attributes) Service principal configuration for Azure (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal))
- `skip_user_group_permission_cleanup` (Boolean) Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
- `subscription_name_pattern` (String) Configures the pattern that defines the desired name of Azure Subscriptions managed by meshStack.
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`)
Optional:
@@ -557,7 +656,7 @@ Optional:
- `b2b_user_invitation` (Attributes) Optional B2B user invitation configuration. When configured, instructs the replicator to create AAD B2B guest invitations for users missing in the AAD tenant managed by this meshPlatform. (see [below for nested schema](#nestedatt--spec--config--azure--replication--b2b_user_invitation))
- `blueprint_location` (String) The Azure location where replication creates and updates Blueprint Assignments. Note that it's still possible that the Blueprint creates resources in other locations, this is merely the location where the Blueprint Assignment is managed.
- `provisioning` (Attributes) To provide Azure Subscription for your organization's meshProjects, meshcloud supports using Enterprise Enrollment or allocating from a pool of pre-provisioned subscriptions. One of the subFields enterpriseEnrollment, customerAgreement or preProvisioned must be provided! (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning))
-- `tenant_tags` (Attributes) Tenant tagging configuration. (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
+- `tenant_tags` (Attributes) Tenant tags configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--tenant_tags))
### Nested Schema for `spec.config.azure.replication.azure_role_mappings`
@@ -594,13 +693,29 @@ Read-Only:
Required:
-- `auth_type` (String) Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
-Optional:
+Read-Only:
+
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal--auth))
+
+
+### Nested Schema for `spec.config.azure.replication.service_principal.auth`
+
+Read-Only:
+
+- `credential` (Attributes, Sensitive) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--replication--service_principal--auth--credential))
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.replication.service_principal.auth.credential`
+
+Read-Only:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
-- `credentials_auth_client_secret` (String, Sensitive) Client secret (if authType is `CREDENTIALS`)
@@ -641,12 +756,28 @@ Optional:
Required:
-- `auth_type` (String) Must be one of `CREDENTIALS` or `WORKLOAD_IDENTITY`. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning--customer_agreement--source_service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the "Enterprise Application" but can also be retrieved via the "App Registration" object as "Application (Client) ID".
+
+### Nested Schema for `spec.config.azure.replication.provisioning.customer_agreement.source_service_principal.auth`
+
Optional:
-- `credentials_auth_client_secret` (String, Sensitive) Must be set if and only if authType is CREDENTIALS. A valid secret for accessing the application. In Azure Portal, this can be configured on the "App Registration" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)
+- `credential` (Attributes) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azure--replication--provisioning--customer_agreement--source_service_principal--auth--credential))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azure.replication.provisioning.customer_agreement.source_service_principal.auth.credential`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
@@ -718,7 +849,7 @@ Required:
- `skip_user_group_permission_cleanup` (Boolean) For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
- `subscription` (String) The Subscription that will contain all the created Resource Groups. Once you set the Subscription, you must not change it.
- `user_group_name_pattern` (String) Configures the pattern that defines the desired name of AAD groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix. This suffix is configurable via Role Mappings in this platform config.
-- `user_look_up_strategy` (String) User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.
+- `user_lookup_strategy` (String) Strategy for user lookup in Azure (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`)
Optional:
@@ -731,13 +862,29 @@ Optional:
Required:
-- `auth_type` (String) Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)
+- `auth` (Attributes) Authentication configuration (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--service_principal--auth))
- `client_id` (String) The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID
- `object_id` (String) The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.
+
+### Nested Schema for `spec.config.azurerg.replication.service_principal.auth`
+
Optional:
-- `credentials_auth_client_secret` (String, Sensitive) Client secret (if authType is `CREDENTIALS`)
+- `credential` (Attributes) Client secret (if type is credential) (see [below for nested schema](#nestedatt--spec--config--azurerg--replication--service_principal--auth--credential))
+
+Read-Only:
+
+- `type` (String) Authentication type (credential or workloadIdentity)
+
+
+### Nested Schema for `spec.config.azurerg.replication.service_principal.auth.credential`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
+
@@ -788,7 +935,7 @@ Required:
- `bigquery_table` (String) BigQuery table for metering data.
- `partition_time_column` (String) Partition time column for BigQuery table.
- `processing` (Attributes) Processing configuration for metering (see [below for nested schema](#nestedatt--spec--config--gcp--metering--processing))
-- `service_account_config` (Attributes) Service account configuration. Either `serviceAccountCredentialsConfig` or `serviceAccountWorkloadIdentityConfig` must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config))
+- `service_account` (Attributes) Service account configuration. Either credential or workload_identity must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account))
Optional:
@@ -805,24 +952,28 @@ Optional:
- `delete_raw_data_after_days` (Number) Number of days after which raw data should be deleted.
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account`
Optional:
-- `service_account_credentials_config` (Attributes) Service account credentials configuration (alternative to serviceAccountWorkloadIdentityConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config--service_account_credentials_config))
-- `service_account_workload_identity_config` (Attributes) Service account workload identity configuration (alternative to serviceAccountCredentialsConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account_config--service_account_workload_identity_config))
+- `credential` (Attributes) Base64 encoded credentials.json file for a GCP ServiceAccount. (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account--credential))
+- `workload_identity` (Attributes) Workload identity configuration. (see [below for nested schema](#nestedatt--spec--config--gcp--metering--service_account--workload_identity))
+
+Read-Only:
+
+- `type` (String) Service account type
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config.service_account_credentials_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account.credential`
Required:
-- `service_account_credentials_b64` (String, Sensitive) Base64 encoded credentials.json file for a GCP ServiceAccount. The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.).
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.gcp.metering.service_account_config.service_account_workload_identity_config`
+
+### Nested Schema for `spec.config.gcp.metering.service_account.workload_identity`
Required:
@@ -845,7 +996,7 @@ Required:
- `group_name_pattern` (String) All the commonly available replicator string template properties are available. Additionally you can also use 'platformGroupAlias' as a placeholder to access the specific project role from the role mappings done in this platform configuration or in the meshLandingZone configuration.
- `project_id_pattern` (String) All the commonly available replicator string template properties are available. The resulting string must not exceed a total length of 30 characters. Only alphanumeric + hyphen are allowed. We recommend that configuration include at least 3 characters of the random parameter to reduce the chance of naming collisions as the project Ids must be globally unique within GCP.
- `project_name_pattern` (String) All the commonly available replicator string template properties are available. The result must be 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point. When length restrictions are applied, the abbreviation will be in the middle and marked by a single-quote.
-- `service_account_config` (Attributes) Service account configuration. Either `serviceAccountCredentialsConfig` or `serviceAccountWorkloadIdentityConfig` must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config))
+- `service_account` (Attributes) Service account configuration. Either credential or workload_identity must be provided. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account))
- `skip_user_group_permission_cleanup` (Boolean) For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the GCP platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.
- `user_lookup_strategy` (String) Users can either be looked up by E-Mail or externalAccountId. This must also be the property that is placed in the external user id (EUID) of your meshUser entity to match. E-Mail is usually a good choice as this is often set up as the EUID throughout all cloud platforms and meshStack. ('email' or 'externalId')
@@ -875,24 +1026,28 @@ Read-Only:
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config`
+
+### Nested Schema for `spec.config.gcp.replication.service_account`
Optional:
-- `service_account_credentials_config` (Attributes) Service account credentials configuration (alternative to serviceAccountWorkloadIdentityConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config--service_account_credentials_config))
-- `service_account_workload_identity_config` (Attributes) Service account workload identity configuration (alternative to serviceAccountCredentialsConfig) (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account_config--service_account_workload_identity_config))
+- `credential` (Attributes) Base64 encoded credentials.json file for a GCP ServiceAccount. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account--credential))
+- `workload_identity` (Attributes) Workload identity configuration. (see [below for nested schema](#nestedatt--spec--config--gcp--replication--service_account--workload_identity))
+
+Read-Only:
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config.service_account_credentials_config`
+- `type` (String) Service account type
+
+
+### Nested Schema for `spec.config.gcp.replication.service_account.credential`
Required:
-- `service_account_credentials_b64` (String, Sensitive) Base64 encoded credentials.json file for a GCP ServiceAccount. The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.).
+- `plaintext` (String, Sensitive) Plaintext secret value
-
-### Nested Schema for `spec.config.gcp.replication.service_account_config.service_account_workload_identity_config`
+
+### Nested Schema for `spec.config.gcp.replication.service_account.workload_identity`
Required:
@@ -906,7 +1061,7 @@ Required:
Required:
-- `namespace_prefix` (String) Namespace prefix for tenant tags
+- `namespace_prefix` (String) This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.
Optional:
@@ -929,7 +1084,7 @@ Required:
Required:
-- `base_url` (String) This URL is the base URL to your Kubernetes Cluster, which is used to call the APIs to create new Kubernetes projects, get raw data for metering the Kubernetes projects, etc. An example base URL is: https://k8s.dev.eu-de-central.msh.host:6443
+- `base_url` (String) This is the base URL to your Kubernetes cluster, which is used to call the APIs to create new Kubernetes tenants, get raw data for metering the Kubernetes tenants, etc. An example base URL is: https://k8s.dev.eu-de-central.msh.host:6443
Optional:
@@ -950,7 +1105,15 @@ Required:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--kubernetes--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.kubernetes.metering.client_config.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -976,7 +1139,15 @@ Required:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--kubernetes--replication--client_config--access_token))
+
+
+### Nested Schema for `spec.config.kubernetes.replication.client_config.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -986,7 +1157,7 @@ Required:
Required:
-- `base_url` (String) This URL is the base URL to your OpenShift Cluster, which is used to call the APIs to create new OpenShift projects, get raw data for metering the OpenShift projects, etc. An example base URL is: https://api.okd4.dev.eu-de-central.msh.host:6443
+- `base_url` (String) This is the base URL to your OpenShift cluster, which is used to call the APIs to create new OpenShift tenants, get raw data for metering the OpenShift tenants, etc. An example base URL is: https://api.okd4.dev.eu-de-central.msh.host:6443
Optional:
@@ -1007,7 +1178,15 @@ Required:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--openshift--metering--client_config--access_token))
+
+
+### Nested Schema for `spec.config.openshift.metering.client_config.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
@@ -1041,7 +1220,15 @@ Optional:
Required:
-- `access_token` (String, Sensitive) The Access Token of the service account for replicator access.
+- `access_token` (Attributes) The Access Token of the service account for replicator access. (see [below for nested schema](#nestedatt--spec--config--openshift--replication--client_config--access_token))
+
+
+### Nested Schema for `spec.config.openshift.replication.client_config.access_token`
+
+Required:
+
+- `plaintext` (String, Sensitive) Plaintext secret value
+
diff --git a/examples/resources/meshstack_platform/resource.tf b/examples/resources/meshstack_platform/resource.tf
index 88ac15c..845633c 100644
--- a/examples/resources/meshstack_platform/resource.tf
+++ b/examples/resources/meshstack_platform/resource.tf
@@ -28,10 +28,13 @@ resource "meshstack_platform" "example" {
replication = {
service_principal = {
- client_id = "58d6f907-7b0e-4fd8-b328-3e8342dddc8d"
- auth_type = "CREDENTIALS"
- credentials_auth_client_secret = "mesh/hidden-secret"
- object_id = "3c305efe-625d-4eaf-9bfa-b981ddbcc99f"
+ client_id = "58d6f907-7b0e-4fd8-b328-3e8342dddc8d"
+ object_id = "3c305efe-625d-4eaf-9bfa-b981ddbcc99f"
+ auth = {
+ credential = {
+ plaintext = "your-client-secret-here"
+ }
+ }
}
provisioning = {
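Review bot: The rewritten `service_principal.auth.credential.plaintext` line puts a literal secret value straight into the example configuration, which readers tend to copy into versioned `.tf` files where it then also lands in plan output and state. Since the attribute is the one marked Sensitive in the schema, the example should show the value coming from a sensitive input rather than a string literal, e.g. `plaintext = var.azure_client_secret` with the variable declared `sensitive = true`. The enclosing resource block starts and ends outside the hunk.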
@@ -119,7 +122,7 @@ resource "meshstack_platform" "example" {
]
}
- user_look_up_strategy = "UserByMailLookupStrategy"
+ user_lookup_strategy = "UserByMailLookupStrategy"
skip_user_group_permission_cleanup = false
allow_hierarchical_management_group_assignment = false
}
diff --git a/internal/provider/auth_type_plan_modifier.go b/internal/provider/auth_type_plan_modifier.go
new file mode 100644
index 0000000..1970e63
--- /dev/null
+++ b/internal/provider/auth_type_plan_modifier.go
@@ -0,0 +1,58 @@
+package provider
+
+import (
+ "context"
+
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+// authTypeModifier sets the auth type based on which credential field is populated
+type authTypeModifier struct{}
+
+func (m authTypeModifier) Description(ctx context.Context) string {
+ return "Sets auth type to 'credential' if credential is set, 'workloadIdentity' otherwise"
+}
+
+func (m authTypeModifier) MarkdownDescription(ctx context.Context) string {
+ return "Sets auth type to 'credential' if credential is set, 'workloadIdentity' otherwise"
+}
+
+func (m authTypeModifier) PlanModifyString(ctx context.Context, req planmodifier.StringRequest, resp *planmodifier.StringResponse) {
+ // Get the parent object (auth config)
+ var authConfig types.Object
+ resp.Diagnostics.Append(req.Plan.GetAttribute(ctx, req.Path.ParentPath(), &authConfig)...)
+ if resp.Diagnostics.HasError() {
+ return
+ }
+
+ if authConfig.IsNull() || authConfig.IsUnknown() {
+ return
+ }
+
+ // Extract the credential field from the auth config
+ attrs := authConfig.Attributes()
+ credentialAttr, exists := attrs["credential"]
+ if !exists {
+ return
+ }
+
+ // Check if credential is set (not null)
+ credentialObj, ok := credentialAttr.(types.Object)
+ if !ok {
+ return
+ }
+
+ // Set type based on whether credential is populated
+ if credentialObj.IsNull() || credentialObj.IsUnknown() {
+ resp.PlanValue = types.StringValue("workloadIdentity")
+ } else {
+ resp.PlanValue = types.StringValue("credential")
+ }
+}
+
+func authTypeDefault() planmodifier.String {
+ return authTypeModifier{}
+}
+
+var _ planmodifier.String = authTypeModifier{}
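Review bot: PlanModifyString treats an unknown `credential` object the same as a null one and plans the type as `workloadIdentity`, which can be wrong when the credential object only becomes known at apply time (for example when it is derived from another resource) and may then surface as an inconsistent plan. An unknown input should propagate rather than be decided early, e.g. `if credentialObj.IsUnknown() { resp.PlanValue = types.StringUnknown(); return }` placed before the null check. Separately, `Description` and `MarkdownDescription` repeat the same literal and could share one constant, and `authTypeDefault` has no doc comment; a one-liner such as `// authTypeDefault returns the plan modifier that derives auth.type from the presence of credential.` would do.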
diff --git a/internal/provider/platform_data_source.go b/internal/provider/platform_data_source.go
index c28f865..50a2bab 100644
--- a/internal/provider/platform_data_source.go
+++ b/internal/provider/platform_data_source.go
@@ -204,6 +204,21 @@ func (d *platformDataSource) Schema(_ context.Context, _ datasource.SchemaReques
}
}
+func secretEmbeddedDataSourceSchema(description string) schema.Attribute {
+ return schema.SingleNestedAttribute{
+ MarkdownDescription: description,
+ Computed: true,
+ Sensitive: true,
+ Attributes: map[string]schema.Attribute{
+ "plaintext": schema.StringAttribute{
+ MarkdownDescription: "Plaintext secret value",
+ Computed: true,
+ Sensitive: true,
+ },
+ },
+ }
+}
+
func awsPlatformDataSourceSchema() schema.Attribute {
return schema.SingleNestedAttribute{
MarkdownDescription: "Configuration for AWS",
@@ -344,28 +359,33 @@ func awsMeteringConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "ExternalId for the organization root account role",
Computed: true,
},
- "service_user_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service user configuration",
+ "auth": schema.SingleNestedAttribute{
+ MarkdownDescription: "Authentication configuration",
Computed: true,
Attributes: map[string]schema.Attribute{
- "access_key": schema.StringAttribute{
- MarkdownDescription: "AWS access key",
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Authentication type (credential or workloadIdentity)",
Computed: true,
},
- "secret_key": schema.StringAttribute{
- MarkdownDescription: "AWS secret key",
+ "credential": schema.SingleNestedAttribute{
+ MarkdownDescription: "Service user credential configuration (if type is credential)",
Computed: true,
- Sensitive: true,
+ Attributes: map[string]schema.Attribute{
+ "access_key": schema.StringAttribute{
+ MarkdownDescription: "AWS access key",
+ Computed: true,
+ },
+ "secret_key": secretEmbeddedDataSourceSchema("AWS secret key")},
},
- },
- },
- "workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Workload identity configuration",
- Computed: true,
- Attributes: map[string]schema.Attribute{
- "role_arn": schema.StringAttribute{
- MarkdownDescription: "ARN of the role for workload identity",
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration (if type is workloadIdentity)",
Computed: true,
+ Attributes: map[string]schema.Attribute{
+ "role_arn": schema.StringAttribute{
+ MarkdownDescription: "ARN of the role for workload identity",
+ Computed: true,
+ },
+ },
},
},
},
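Review bot: The `credential` attribute map in awsMeteringConfigDataSourceSchema is closed on the same line as its last entry, `"secret_key": secretEmbeddedDataSourceSchema("AWS secret key")},`, which differs from the otherwise identical construct in awsReplicationConfigDataSourceSchema where `},` sits on its own line. Keeping the two copies formatted alike makes the duplicated auth block easier to diff and later extract into a shared helper, as was already done for Azure with azureAuthConfigDataSourceSchema. The enclosing function starts and ends outside the hunk.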
@@ -401,19 +421,11 @@ func azureMeteringConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID",
Computed: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (CREDENTIALS or WORKLOAD_IDENTITY)",
- Computed: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is CREDENTIALS)",
- Computed: true,
- Sensitive: true,
- },
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application",
Computed: true,
},
+ "auth": azureAuthConfigDataSourceSchema(),
},
},
"processing": meteringProcessingConfigDataSourceSchema(),
@@ -426,23 +438,17 @@ func gcpMeteringConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "Metering configuration for GCP (optional, but required for metering)",
Computed: true,
Attributes: map[string]schema.Attribute{
- "service_account_config": schema.SingleNestedAttribute{
+ "service_account": schema.SingleNestedAttribute{
MarkdownDescription: "Service account configuration for GCP metering",
Computed: true,
Attributes: map[string]schema.Attribute{
- "service_account_credentials_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account credentials configuration",
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Service account type",
Computed: true,
- Attributes: map[string]schema.Attribute{
- "service_account_credentials_b64": schema.StringAttribute{
- MarkdownDescription: "Base64 encoded service account credentials",
- Computed: true,
- Sensitive: true,
- },
- },
},
- "service_account_workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account workload identity configuration",
+ "credential": secretEmbeddedDataSourceSchema("Base64 encoded service account credentials (if type supports it)"),
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration (if type supports it)",
Computed: true,
Attributes: map[string]schema.Attribute{
"audience": schema.StringAttribute{
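Review bot: The new GCP `service_account.type` description is just "Service account type" and the `credential` / `workload_identity` descriptions say "(if type supports it)", so a reader cannot tell which `type` values exist or which nested object each value corresponds to; the Azure and AWS `auth.type` descriptions in this same commit do name their values. Please list the possible values in the `type` description (e.g. `"Service account type (<value-for-credential> or <value-for-workload-identity>)"`, filled in from the API enum) and replace "if type supports it" with the concrete value each block applies to. The same wording is used in gcpReplicationConfigDataSourceSchema further down. The enclosing function starts and ends outside the hunk.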
@@ -487,10 +493,7 @@ func aksReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "Replication configuration for AKS (optional, but required for replication)",
Computed: true,
Attributes: map[string]schema.Attribute{
- "access_token": schema.StringAttribute{
- MarkdownDescription: "The Access Token of the service account for replicator access.",
- Computed: true,
- },
+ "access_token": secretEmbeddedDataSourceSchema("The access token of the service account for replicator access."),
"namespace_name_pattern": schema.StringAttribute{
MarkdownDescription: "Pattern for naming namespaces in AKS",
Computed: true,
@@ -507,14 +510,7 @@ func aksReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID'.",
Computed: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type for the service principal (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Computed: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret for the service principal (if `authType` is `CREDENTIALS`)",
- Computed: true,
- },
+ "auth": azureAuthConfigDataSourceSchema(),
"entra_tenant": schema.StringAttribute{
MarkdownDescription: "Domain name or ID of the Entra Tenant that holds the Service Principal.",
Computed: true,
@@ -545,7 +541,7 @@ func aksReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.",
Computed: true,
},
- "user_look_up_strategy": schema.StringAttribute{
+ "user_lookup_strategy": schema.StringAttribute{
MarkdownDescription: "Strategy for user lookup in Azure (`userPrincipalName` or `email`)",
Computed: true,
},
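Review bot: The renamed `user_lookup_strategy` in aksReplicationConfigDataSourceSchema still documents the values as `userPrincipalName` or `email`, while azureRgReplicationConfigDataSourceSchema in this same commit changes the documented values to `UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`, and the updated example sets `user_lookup_strategy = "UserByMailLookupStrategy"`. azureReplicationConfigDataSourceSchema keeps the old wording as well. Unless AKS really accepts a different value set, align both descriptions with the Azure RG one, e.g. `MarkdownDescription: "Strategy for user lookup in Azure (\`UserByMailLookupStrategy\` or \`UserByUsernameLookupStrategy\`)",`. The enclosing function starts and ends outside the hunk.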
@@ -574,27 +570,34 @@ func awsReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "ExternalId to enhance security in a multi account setup when assuming the organization root account role.",
Computed: true,
},
- "service_user_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service user configuration (alternative to `workload_identity_config`)",
+ "auth": schema.SingleNestedAttribute{
+ MarkdownDescription: "Authentication configuration",
Computed: true,
Attributes: map[string]schema.Attribute{
- "access_key": schema.StringAttribute{
- MarkdownDescription: "AWS access key for service user",
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Authentication type (credential or workloadIdentity)",
Computed: true,
},
- "secret_key": schema.StringAttribute{
- MarkdownDescription: "AWS secret key for service user",
+ "credential": schema.SingleNestedAttribute{
+ MarkdownDescription: "Service user credential configuration (if type is credential)",
Computed: true,
+ Attributes: map[string]schema.Attribute{
+ "access_key": schema.StringAttribute{
+ MarkdownDescription: "AWS access key for service user",
+ Computed: true,
+ },
+ "secret_key": secretEmbeddedDataSourceSchema("AWS secret key"),
+ },
},
- },
- },
- "workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Workload identity configuration (alternative to `service_user_config`)",
- Computed: true,
- Attributes: map[string]schema.Attribute{
- "role_arn": schema.StringAttribute{
- MarkdownDescription: "ARN of the role that should be used as the entry point for meshStack by assuming it via web identity.",
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration (if type is workloadIdentity)",
Computed: true,
+ Attributes: map[string]schema.Attribute{
+ "role_arn": schema.StringAttribute{
+ MarkdownDescription: "ARN of the role that should be used as the entry point for meshStack by assuming it via web identity.",
+ Computed: true,
+ },
+ },
},
},
},
@@ -670,10 +673,7 @@ func awsReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "Configures the pattern that defines the desired name of AWS IAM Identity Center groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix, which is configurable via Role Mappings in this platform config or via a meshLandingZone. Operators must ensure the group names will be unique within the same AWS IAM Identity Center Instance with that configuration. meshStack will additionally prefix the group name with 'mst-' to be able to identify the groups that are managed by meshStack.",
Computed: true,
},
- "sso_access_token": schema.StringAttribute{
- MarkdownDescription: "The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center.",
- Computed: true,
- },
+ "sso_access_token": secretEmbeddedDataSourceSchema("The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center."),
"aws_role_mappings": schema.ListNestedAttribute{
MarkdownDescription: "AWS role mappings for AWS SSO",
Computed: true,
@@ -741,14 +741,7 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID",
Computed: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Computed: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is `CREDENTIALS`)",
- Computed: true,
- },
+ "auth": azureAuthConfigDataSourceSchema(),
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Computed: true,
@@ -798,14 +791,7 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the \"Enterprise Application\" but can also be retrieved via the \"App Registration\" object as \"Application (Client) ID\".",
Computed: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Must be one of `CREDENTIALS` or `WORKLOAD_IDENTITY`. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.",
- Computed: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Must be set if and only if authType is CREDENTIALS. A valid secret for accessing the application. In Azure Portal, this can be configured on the \"App Registration\" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)",
- Computed: true,
- },
+ "auth": azureAuthConfigDataSourceSchema(),
},
},
"destination_entra_id": schema.StringAttribute{
@@ -916,7 +902,7 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
},
},
},
- "user_look_up_strategy": schema.StringAttribute{
+ "user_lookup_strategy": schema.StringAttribute{
MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
Computed: true,
},
@@ -936,6 +922,20 @@ func azureReplicationConfigDataSourceSchema() schema.Attribute {
}
}
+func azureAuthConfigDataSourceSchema() schema.Attribute {
+ return schema.SingleNestedAttribute{
+ MarkdownDescription: "Authentication configuration",
+ Computed: true,
+ Attributes: map[string]schema.Attribute{
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Authentication type (credential or workloadIdentity)",
+ Computed: true,
+ },
+ "credential": secretEmbeddedDataSourceSchema("Client secret (if type is credential)"),
+ },
+ }
+}
+
func azureRgReplicationConfigDataSourceSchema() schema.Attribute {
return schema.SingleNestedAttribute{
MarkdownDescription: "Azure Resource Group-specific replication configuration for the platform.",
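Review bot: azureAuthConfigDataSourceSchema now carries the only description of the Azure auth type, and it drops the guidance the removed `auth_type` text gave in azureReplicationConfigDataSourceSchema, namely that workload identity federation is the recommended option because it avoids long-lived credentials and that a client secret is stored encrypted by meshStack, together with the security-faq link that sat on the removed `credentials_auth_client_secret` attribute. Since this helper is reused by four schemas, that is the place to restore it: extend the `type` description to say that workloadIdentity is recommended as it needs no long-lived secret, and move the "How is this information secured?" link into the string passed to secretEmbeddedDataSourceSchema for `credential`.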
@@ -949,14 +949,7 @@ func azureRgReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID",
Computed: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Computed: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is `CREDENTIALS`)",
- Computed: true,
- },
+ "auth": azureAuthConfigDataSourceSchema(),
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Computed: true,
@@ -989,8 +982,8 @@ func azureRgReplicationConfigDataSourceSchema() schema.Attribute {
},
},
},
- "user_look_up_strategy": schema.StringAttribute{
- MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
+ "user_lookup_strategy": schema.StringAttribute{
+ MarkdownDescription: "User lookup strategy (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
Computed: true,
},
"tenant_tags": schema.SingleNestedAttribute{
@@ -1040,23 +1033,17 @@ func gcpReplicationConfigDataSourceSchema() schema.Attribute {
MarkdownDescription: "GCP-specific replication configuration for the platform.",
Computed: true,
Attributes: map[string]schema.Attribute{
- "service_account_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account configuration. Either `serviceAccountCredentialsConfig` or `serviceAccountWorkloadIdentityConfig` must be provided.",
+ "service_account": schema.SingleNestedAttribute{
+ MarkdownDescription: "Service account configuration. Either credential or workload_identity must be provided.",
Computed: true,
Attributes: map[string]schema.Attribute{
- "service_account_credentials_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account credentials configuration (alternative to serviceAccountWorkloadIdentityConfig)",
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Service account type",
Computed: true,
- Attributes: map[string]schema.Attribute{
- "service_account_credentials_b64": schema.StringAttribute{
- MarkdownDescription: "Base64 encoded credentials.json file for a GCP ServiceAccount. The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.).",
- Computed: true,
- Sensitive: true,
- },
- },
},
- "service_account_workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account workload identity configuration (alternative to serviceAccountCredentialsConfig)",
+ "credential": secretEmbeddedDataSourceSchema("Base64 encoded credentials.json file for a GCP ServiceAccount (if type supports it). The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.)."),
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration (if type supports it)",
Computed: true,
Attributes: map[string]schema.Attribute{
"audience": schema.StringAttribute{
@@ -1159,11 +1146,7 @@ func kubernetesClientConfigDataSourceSchema(description string) schema.Attribute
MarkdownDescription: description,
Computed: true,
Attributes: map[string]schema.Attribute{
- "access_token": schema.StringAttribute{
- MarkdownDescription: "The Access Token of the service account for replicator access.",
- Computed: true,
- Sensitive: true,
- },
+ "access_token": secretEmbeddedDataSourceSchema("The access token of the service account for replicator access."),
},
}
}
@@ -1205,6 +1188,7 @@ func kubernetesMeteringConfigDataSourceSchema() schema.Attribute {
Computed: true,
Attributes: map[string]schema.Attribute{
"client_config": kubernetesClientConfigDataSourceSchema("Client configuration for Kubernetes metering"),
+ "processing": meteringProcessingConfigDataSourceSchema(),
},
}
}
diff --git a/internal/provider/platform_resource.go b/internal/provider/platform_resource.go
index 872e00d..2a62636 100644
--- a/internal/provider/platform_resource.go
+++ b/internal/provider/platform_resource.go
@@ -14,8 +14,8 @@ import (
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
- "github.com/hashicorp/terraform-plugin-framework/resource/schema/listdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/setdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/schema/validator"
@@ -188,12 +188,12 @@ func (r *platformResource) Schema(_ context.Context, _ resource.SchemaRequest, r
},
},
},
- "contributing_workspaces": schema.ListAttribute{
+ "contributing_workspaces": schema.SetAttribute{
MarkdownDescription: "A list of workspace identifiers that may contribute to this meshPlatform.",
ElementType: types.StringType,
Optional: true,
Computed: true,
- Default: listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+ Default: setdefault.StaticValue(types.SetValueMust(types.StringType, []attr.Value{})),
},
"availability": schema.SingleNestedAttribute{
MarkdownDescription: "Availability configuration for the meshPlatform.",
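Review bot: `contributing_workspaces` changes from a list to a set, which is a breaking type change for configurations that index into it or feed it to list-typed expressions, and the description still reads "A list of workspace identifiers"; the same change is made to `restricted_to_workspaces` and `quota_definitions` in the next two hunks. The wording should follow the type, e.g. `MarkdownDescription: "The set of workspace identifiers that may contribute to this meshPlatform.",`, and the change deserves a user-facing note since `terraform plan` will surface it. I would expect the framework to decode state that was written as a list array into the new set type, but that is worth one apply against pre-existing state rather than an assumption. The Schema method continues outside the hunk.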
@@ -213,16 +213,17 @@ func (r *platformResource) Schema(_ context.Context, _ resource.SchemaRequest, r
stringvalidator.OneOf("PUBLISHED", "UNPUBLISHED"),
},
},
- "restricted_to_workspaces": schema.ListAttribute{
+ // TODO: check this is not empty if set to restricted and that it's set to the owner if private
+ "restricted_to_workspaces": schema.SetAttribute{
MarkdownDescription: "If the restriction is set to `RESTRICTED`, you can specify the workspace identifiers this meshPlatform is restricted to.",
ElementType: types.StringType,
Optional: true,
Computed: true,
- Default: listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+ Default: setdefault.StaticValue(types.SetValueMust(types.StringType, []attr.Value{})),
},
},
},
- "quota_definitions": schema.ListAttribute{
+ "quota_definitions": schema.SetAttribute{
MarkdownDescription: "List of quota definitions for the platform.",
Optional: true,
Computed: true,
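Review bot: The TODO added above `restricted_to_workspaces` leaves the restriction mode and the workspace set unvalidated: a configuration with the restriction set to `RESTRICTED` and an empty set, or one that omits the owner in the private case, passes the provider and is only rejected (if at all) by the API after the plan was accepted. Because the rule spans two attributes, it belongs in a resource-level `ConfigValidators` implementation (`resource.ResourceWithConfigValidators`) rather than an attribute validator; until that exists the TODO should at least record what the API does with such input so the gap is a known one. The Schema method continues outside the hunk.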
@@ -230,7 +231,7 @@ func (r *platformResource) Schema(_ context.Context, _ resource.SchemaRequest, r
ElementType: types.ObjectType{
AttrTypes: quotaDefinitionAttrTypes,
},
- Default: listdefault.StaticValue(types.ListValueMust(types.ObjectType{
+ Default: setdefault.StaticValue(types.SetValueMust(types.ObjectType{
AttrTypes: quotaDefinitionAttrTypes,
}, []attr.Value{})),
},
@@ -286,6 +287,21 @@ func meteringProcessingConfigSchema() schema.Attribute {
}
}
+func secretEmbeddedSchema(description string, optional bool) schema.Attribute {
+ return schema.SingleNestedAttribute{
+ MarkdownDescription: description,
+ Required: !optional,
+ Optional: optional,
+ Attributes: map[string]schema.Attribute{
+ "plaintext": schema.StringAttribute{
+ MarkdownDescription: "Plaintext secret value",
+ Required: true,
+ Sensitive: true,
+ },
+ },
+ }
+}
+
func (r *platformResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
platform := client.MeshPlatformCreate{
Metadata: client.MeshPlatformCreateMetadata{},
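Review bot: `secretEmbeddedSchema` has no doc comment, and the contract it encodes is not obvious from the code: the nested `plaintext` is `Required` and `Sensitive`, yet the API will not echo it back, so the value that lands in state is always the one carried over from the prior plan or state by `handleObfuscatedSecrets`. A header such as `// secretEmbeddedSchema builds a nested secret attribute; plaintext is sent to the API but never read back, so state keeps the last configured value (see handleObfuscatedSecrets).` would save the next reader a trip to the obfuscation handling file. One consequence worth checking: a `terraform import` has no prior plaintext, so Read would presumably leave a Required attribute null and the first plan after import would show a change or a framework consistency error.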
@@ -294,7 +310,6 @@ func (r *platformResource) Create(ctx context.Context, req resource.CreateReques
// Retrieve values from plan
resp.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("api_version"), &platform.ApiVersion)...)
resp.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("spec"), &platform.Spec)...)
-
resp.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("metadata").AtName("name"), &platform.Metadata.Name)...)
resp.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("metadata").AtName("owned_by_workspace"), &platform.Metadata.OwnedByWorkspace)...)
@@ -316,7 +331,7 @@ func (r *platformResource) Create(ctx context.Context, req resource.CreateReques
return
}
- resp.Diagnostics.Append(resp.State.Set(ctx, createdPlatform)...)
+ resp.Diagnostics.Append(resp.State.Set(ctx, &createdPlatform)...)
}
func (r *platformResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
diff --git a/internal/provider/platform_resource_obfuscationhandling.go b/internal/provider/platform_resource_obfuscationhandling.go
index 4d26ab4..1cc8a61 100644
--- a/internal/provider/platform_resource_obfuscationhandling.go
+++ b/internal/provider/platform_resource_obfuscationhandling.go
@@ -5,18 +5,14 @@ import (
"github.com/meshcloud/terraform-provider-meshstack/client"
)
-const (
- obfuscatedValue = "mesh/hidden-secret"
-)
-
// This function is necessary to handle obfuscated secrets for meshPlatforms.
// The meshPlatform API won't return secrets in plain text, but obfuscated values.
// As a result we keep those from the plan/state and re-apply them to the object read from the API.
//
// MUST NOT PASS ANY NIL VALUES
// MUST PASS compatible types
-func handleObfuscatedSecrets(obfuscated *client.PlatformConfig, plain *client.PlatformConfig, d diag.Diagnostics) {
- if obfuscated == nil || plain == nil || obfuscated.Type != plain.Type {
+func handleObfuscatedSecrets(target *client.PlatformConfig, input *client.PlatformConfig, d diag.Diagnostics) {
+ if target == nil || input == nil || target.Type != input.Type {
d.AddError(
"Internal Error",
"Could not handle obfuscated secrets due to invalid input parameters.",
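Review bot: `d diag.Diagnostics` is passed by value, so `d.AddError` on the guard path appends to a local copy of the slice and the caller never sees the "Internal Error" diagnostic; the function simply returns and the secrets are silently left unrestored. Taking `d *diag.Diagnostics` and calling `d.AddError(...)` through the pointer (with callers passing `&resp.Diagnostics`) fixes this; the callers are outside this diff. The defect predates the commit, but since the signature is being touched here this is the natural place to correct it.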
@@ -24,138 +20,150 @@ func handleObfuscatedSecrets(obfuscated *client.PlatformConfig, plain *client.Pl
return
}
- switch obfuscated.Type {
+ switch target.Type {
case "aks":
- if obfuscated.Aks != nil && plain.Aks != nil {
- if obfuscated.Aks.Replication != nil && plain.Aks.Replication != nil {
- // access token
- if obfuscated.Aks.Replication.AccessToken == obfuscatedValue {
- obfuscated.Aks.Replication.AccessToken = plain.Aks.Replication.AccessToken
+ if target.Aks != nil && input.Aks != nil {
+ if target.Aks.Replication != nil && input.Aks.Replication != nil {
+ // replication access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aks.Replication.AccessToken.Plaintext == nil && input.Aks.Replication.AccessToken.Plaintext != nil {
+ target.Aks.Replication.AccessToken.Plaintext = input.Aks.Replication.AccessToken.Plaintext
}
- // SP client secret
- if obfuscated.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- plain.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- *obfuscated.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
- obfuscated.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.Aks.Replication.ServicePrincipal.CredentialsAuthClientSecret
+ // SP client secret - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aks.Replication.ServicePrincipal.Auth.Credential != nil &&
+ input.Aks.Replication.ServicePrincipal.Auth.Credential != nil &&
+ target.Aks.Replication.ServicePrincipal.Auth.Credential.Plaintext == nil &&
+ input.Aks.Replication.ServicePrincipal.Auth.Credential.Plaintext != nil {
+ target.Aks.Replication.ServicePrincipal.Auth.Credential.Plaintext = input.Aks.Replication.ServicePrincipal.Auth.Credential.Plaintext
}
}
- // metering access token
- if obfuscated.Aks.Metering != nil && plain.Aks.Metering != nil &&
- obfuscated.Aks.Metering.ClientConfig.AccessToken == obfuscatedValue {
- obfuscated.Aks.Metering.ClientConfig.AccessToken = plain.Aks.Metering.ClientConfig.AccessToken
+ // metering access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aks.Metering != nil && input.Aks.Metering != nil &&
+ target.Aks.Metering.ClientConfig.AccessToken.Plaintext == nil && input.Aks.Metering.ClientConfig.AccessToken.Plaintext != nil {
+ target.Aks.Metering.ClientConfig.AccessToken.Plaintext = input.Aks.Metering.ClientConfig.AccessToken.Plaintext
}
}
case "aws":
- if obfuscated.Aws != nil && plain.Aws != nil {
- if obfuscated.Aws.Replication != nil && plain.Aws.Replication != nil {
- // replication access-config service-user secret key
- if obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig != nil &&
- plain.Aws.Replication.AccessConfig.ServiceUserConfig != nil &&
- obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey == obfuscatedValue {
- obfuscated.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey = plain.Aws.Replication.AccessConfig.ServiceUserConfig.SecretKey
+ if target.Aws != nil && input.Aws != nil {
+ if target.Aws.Replication != nil && input.Aws.Replication != nil {
+ // replication access-config service-user secret key - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aws.Replication.AccessConfig.Auth.Credential != nil &&
+ input.Aws.Replication.AccessConfig.Auth.Credential != nil &&
+ target.Aws.Replication.AccessConfig.Auth.Credential.SecretKey.Plaintext == nil &&
+ input.Aws.Replication.AccessConfig.Auth.Credential.SecretKey.Plaintext != nil {
+ target.Aws.Replication.AccessConfig.Auth.Credential.SecretKey.Plaintext = input.Aws.Replication.AccessConfig.Auth.Credential.SecretKey.Plaintext
}
- // replication AWS SSO token
- if obfuscated.Aws.Replication.AwsSso != nil &&
- plain.Aws.Replication.AwsSso != nil &&
- obfuscated.Aws.Replication.AwsSso.SsoAccessToken == obfuscatedValue {
- obfuscated.Aws.Replication.AwsSso.SsoAccessToken = plain.Aws.Replication.AwsSso.SsoAccessToken
+ // replication AWS SSO token - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aws.Replication.AwsSso != nil &&
+ input.Aws.Replication.AwsSso != nil &&
+ target.Aws.Replication.AwsSso.SsoAccessToken.Plaintext == nil &&
+ input.Aws.Replication.AwsSso.SsoAccessToken.Plaintext != nil {
+ target.Aws.Replication.AwsSso.SsoAccessToken.Plaintext = input.Aws.Replication.AwsSso.SsoAccessToken.Plaintext
}
}
- // metering access-config service-user secret key
- if obfuscated.Aws.Metering != nil && plain.Aws.Metering != nil &&
- obfuscated.Aws.Metering.AccessConfig.ServiceUserConfig != nil &&
- plain.Aws.Metering.AccessConfig.ServiceUserConfig != nil &&
- obfuscated.Aws.Metering.AccessConfig.ServiceUserConfig.SecretKey == obfuscatedValue {
- obfuscated.Aws.Metering.AccessConfig.ServiceUserConfig.SecretKey = plain.Aws.Metering.AccessConfig.ServiceUserConfig.SecretKey
+ // metering access-config service-user secret key - only restore plaintext if it was obfuscated (nil) from API
+ if target.Aws.Metering != nil && input.Aws.Metering != nil &&
+ target.Aws.Metering.AccessConfig.Auth.Credential != nil &&
+ input.Aws.Metering.AccessConfig.Auth.Credential != nil &&
+ target.Aws.Metering.AccessConfig.Auth.Credential.SecretKey.Plaintext == nil &&
+ input.Aws.Metering.AccessConfig.Auth.Credential.SecretKey.Plaintext != nil {
+ target.Aws.Metering.AccessConfig.Auth.Credential.SecretKey.Plaintext = input.Aws.Metering.AccessConfig.Auth.Credential.SecretKey.Plaintext
}
}
case "azure":
- if obfuscated.Azure != nil && plain.Azure != nil {
- if obfuscated.Azure.Replication != nil && plain.Azure.Replication != nil {
- // replication SP client secret
- if obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- plain.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- *obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
- obfuscated.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.ServicePrincipal.CredentialsAuthClientSecret
+ if target.Azure != nil && input.Azure != nil {
+ if target.Azure.Replication != nil && input.Azure.Replication != nil {
+ // replication SP client secret - only restore plaintext if it was obfuscated (nil) from API
+ if target.Azure.Replication.ServicePrincipal.Auth.Credential != nil &&
+ input.Azure.Replication.ServicePrincipal.Auth.Credential != nil &&
+ target.Azure.Replication.ServicePrincipal.Auth.Credential.Plaintext == nil &&
+ input.Azure.Replication.ServicePrincipal.Auth.Credential.Plaintext != nil {
+ target.Azure.Replication.ServicePrincipal.Auth.Credential.Plaintext = input.Azure.Replication.ServicePrincipal.Auth.Credential.Plaintext
}
- // replication provisioning customer agreement SP client secret
- if obfuscated.Azure.Replication.Provisioning != nil &&
- plain.Azure.Replication.Provisioning != nil &&
- obfuscated.Azure.Replication.Provisioning.CustomerAgreement != nil &&
- plain.Azure.Replication.Provisioning.CustomerAgreement != nil &&
- obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret != nil &&
- plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret != nil &&
- *obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
- obfuscated.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.CredentialsAuthClientSecret
+ // replication provisioning customer agreement SP client secret - only restore plaintext if it was obfuscated (nil) from API
+ if target.Azure.Replication.Provisioning != nil &&
+ input.Azure.Replication.Provisioning != nil &&
+ target.Azure.Replication.Provisioning.CustomerAgreement != nil &&
+ input.Azure.Replication.Provisioning.CustomerAgreement != nil &&
+ target.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential != nil &&
+ input.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential != nil &&
+ target.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential.Plaintext == nil &&
+ input.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential.Plaintext != nil {
+ target.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential.Plaintext = input.Azure.Replication.Provisioning.CustomerAgreement.SourceServicePrincipal.Auth.Credential.Plaintext
}
}
- // metering SP client secret
- if obfuscated.Azure.Metering != nil && plain.Azure.Metering != nil {
- if obfuscated.Azure.Metering.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- plain.Azure.Metering.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- *obfuscated.Azure.Metering.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
- obfuscated.Azure.Metering.ServicePrincipal.CredentialsAuthClientSecret = plain.Azure.Metering.ServicePrincipal.CredentialsAuthClientSecret
+ // metering SP client secret - only restore plaintext if it was obfuscated (nil) from API
+ if target.Azure.Metering != nil && input.Azure.Metering != nil {
+ if target.Azure.Metering.ServicePrincipal.Auth.Credential != nil &&
+ input.Azure.Metering.ServicePrincipal.Auth.Credential != nil &&
+ target.Azure.Metering.ServicePrincipal.Auth.Credential.Plaintext == nil &&
+ input.Azure.Metering.ServicePrincipal.Auth.Credential.Plaintext != nil {
+ target.Azure.Metering.ServicePrincipal.Auth.Credential.Plaintext = input.Azure.Metering.ServicePrincipal.Auth.Credential.Plaintext
}
}
}
case "azurerg":
- if obfuscated.AzureRg != nil && plain.AzureRg != nil {
- // replication SP client secret
- if obfuscated.AzureRg.Replication != nil && plain.AzureRg.Replication != nil &&
- obfuscated.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- plain.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret != nil &&
- *obfuscated.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret == obfuscatedValue {
- obfuscated.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret = plain.AzureRg.Replication.ServicePrincipal.CredentialsAuthClientSecret
+ if target.AzureRg != nil && input.AzureRg != nil {
+ // replication SP client secret - only restore plaintext if it was obfuscated (nil) from API
+ if target.AzureRg.Replication != nil && input.AzureRg.Replication != nil &&
+ target.AzureRg.Replication.ServicePrincipal.Auth.Credential != nil &&
+ input.AzureRg.Replication.ServicePrincipal.Auth.Credential != nil &&
+ target.AzureRg.Replication.ServicePrincipal.Auth.Credential.Plaintext == nil &&
+ input.AzureRg.Replication.ServicePrincipal.Auth.Credential.Plaintext != nil {
+ target.AzureRg.Replication.ServicePrincipal.Auth.Credential.Plaintext = input.AzureRg.Replication.ServicePrincipal.Auth.Credential.Plaintext
}
}
case "kubernetes":
- if obfuscated.Kubernetes != nil && plain.Kubernetes != nil {
- // replication access token
- if obfuscated.Kubernetes.Replication != nil && plain.Kubernetes.Replication != nil &&
- obfuscated.Kubernetes.Replication.ClientConfig.AccessToken == obfuscatedValue {
- obfuscated.Kubernetes.Replication.ClientConfig.AccessToken = plain.Kubernetes.Replication.ClientConfig.AccessToken
+ if target.Kubernetes != nil && input.Kubernetes != nil {
+ // replication access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.Kubernetes.Replication != nil && input.Kubernetes.Replication != nil &&
+ target.Kubernetes.Replication.ClientConfig.AccessToken.Plaintext == nil && input.Kubernetes.Replication.ClientConfig.AccessToken.Plaintext != nil {
+ target.Kubernetes.Replication.ClientConfig.AccessToken.Plaintext = input.Kubernetes.Replication.ClientConfig.AccessToken.Plaintext
}
- // metering access token
- if obfuscated.Kubernetes.Metering != nil && plain.Kubernetes.Metering != nil &&
- obfuscated.Kubernetes.Metering.ClientConfig.AccessToken == obfuscatedValue {
- obfuscated.Kubernetes.Metering.ClientConfig.AccessToken = plain.Kubernetes.Metering.ClientConfig.AccessToken
+ // metering access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.Kubernetes.Metering != nil && input.Kubernetes.Metering != nil &&
+ target.Kubernetes.Metering.ClientConfig.AccessToken.Plaintext == nil && input.Kubernetes.Metering.ClientConfig.AccessToken.Plaintext != nil {
+ target.Kubernetes.Metering.ClientConfig.AccessToken.Plaintext = input.Kubernetes.Metering.ClientConfig.AccessToken.Plaintext
}
}
case "gcp":
- if obfuscated.Gcp != nil && plain.Gcp != nil {
- // replication service account credentials
- if obfuscated.Gcp.Replication != nil && plain.Gcp.Replication != nil &&
- obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
- plain.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
- obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig.ServiceAccountCredentialsB64 == obfuscatedValue {
- obfuscated.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig = plain.Gcp.Replication.ServiceAccountConfig.ServiceAccountCredentialsConfig
+ if target.Gcp != nil && input.Gcp != nil {
+ // replication service account credentials - only restore plaintext if it was obfuscated (nil) from API
+ if target.Gcp.Replication != nil && input.Gcp.Replication != nil &&
+ target.Gcp.Replication.ServiceAccount.Credential != nil &&
+ input.Gcp.Replication.ServiceAccount.Credential != nil &&
+ target.Gcp.Replication.ServiceAccount.Credential.Plaintext == nil &&
+ input.Gcp.Replication.ServiceAccount.Credential.Plaintext != nil {
+ target.Gcp.Replication.ServiceAccount.Credential.Plaintext = input.Gcp.Replication.ServiceAccount.Credential.Plaintext
}
- // metering service account credentials
- if obfuscated.Gcp.Metering != nil && plain.Gcp.Metering != nil &&
- obfuscated.Gcp.Metering.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
- plain.Gcp.Metering.ServiceAccountConfig.ServiceAccountCredentialsConfig != nil &&
- obfuscated.Gcp.Metering.ServiceAccountConfig.ServiceAccountCredentialsConfig.ServiceAccountCredentialsB64 == obfuscatedValue {
- obfuscated.Gcp.Metering.ServiceAccountConfig.ServiceAccountCredentialsConfig = plain.Gcp.Metering.ServiceAccountConfig.ServiceAccountCredentialsConfig
+ // metering service account credentials - only restore plaintext if it was obfuscated (nil) from API
+ if target.Gcp.Metering != nil && input.Gcp.Metering != nil &&
+ target.Gcp.Metering.ServiceAccount.Credential != nil &&
+ input.Gcp.Metering.ServiceAccount.Credential != nil &&
+ target.Gcp.Metering.ServiceAccount.Credential.Plaintext == nil &&
+ input.Gcp.Metering.ServiceAccount.Credential.Plaintext != nil {
+ target.Gcp.Metering.ServiceAccount.Credential.Plaintext = input.Gcp.Metering.ServiceAccount.Credential.Plaintext
}
}
case "openshift":
- if obfuscated.OpenShift != nil && plain.OpenShift != nil {
- // replication access token
- if obfuscated.OpenShift.Replication != nil && plain.OpenShift.Replication != nil &&
- obfuscated.OpenShift.Replication.ClientConfig.AccessToken == obfuscatedValue {
- obfuscated.OpenShift.Replication.ClientConfig.AccessToken = plain.OpenShift.Replication.ClientConfig.AccessToken
+ if target.OpenShift != nil && input.OpenShift != nil {
+ // replication access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.OpenShift.Replication != nil && input.OpenShift.Replication != nil &&
+ target.OpenShift.Replication.ClientConfig.AccessToken.Plaintext == nil &&
+ input.OpenShift.Replication.ClientConfig.AccessToken.Plaintext != nil {
+ target.OpenShift.Replication.ClientConfig.AccessToken.Plaintext = input.OpenShift.Replication.ClientConfig.AccessToken.Plaintext
}
- // metering access token
- if obfuscated.OpenShift.Metering != nil && plain.OpenShift.Metering != nil &&
- obfuscated.OpenShift.Metering.ClientConfig.AccessToken == obfuscatedValue {
- obfuscated.OpenShift.Metering.ClientConfig.AccessToken = plain.OpenShift.Metering.ClientConfig.AccessToken
+ // metering access token - only restore plaintext if it was obfuscated (nil) from API
+ if target.OpenShift.Metering != nil && input.OpenShift.Metering != nil &&
+ target.OpenShift.Metering.ClientConfig.AccessToken.Plaintext == nil &&
+ input.OpenShift.Metering.ClientConfig.AccessToken.Plaintext != nil {
+ target.OpenShift.Metering.ClientConfig.AccessToken.Plaintext = input.OpenShift.Metering.ClientConfig.AccessToken.Plaintext
}
}
}
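Review bot: The new restore condition treats `Plaintext == nil` as "obfuscated by the API" and otherwise accepts whatever the API returned as the real secret, whereas the previous code matched the `mesh/hidden-secret` sentinel that this commit deletes. If any meshStack version still returns that sentinel inside the new `plaintext` field, it is now non-nil, survives into state, and would be sent back on the next update as the credential value; keeping the sentinel comparison alongside the nil check costs nothing and guards against that. The twelve near-identical blocks in this hunk would also collapse into one helper that holds the condition in a single reviewable place, sketched below with the AKS replication token as the example call site. handleObfuscatedSecrets begins before this hunk.
```go
// restoreSecret copies the plaintext from input into target when the API
// returned the secret obfuscated (nil or the legacy sentinel) and the
// plan/state still holds the real value.
func restoreSecret(target, input *client.SecretEmbedded) {
	if target == nil || input == nil || input.Plaintext == nil {
		return
	}
	if target.Plaintext == nil || *target.Plaintext == obfuscatedValue {
		target.Plaintext = input.Plaintext
	}
}

// … unchanged: nil/type guard and switch target.Type …
	case "aks":
		if target.Aks != nil && input.Aks != nil {
			if target.Aks.Replication != nil && input.Aks.Replication != nil {
				restoreSecret(&target.Aks.Replication.AccessToken, &input.Aks.Replication.AccessToken)
				restoreSecret(target.Aks.Replication.ServicePrincipal.Auth.Credential, input.Aks.Replication.ServicePrincipal.Auth.Credential)
			}
			// … unchanged: remaining cases follow the same pattern …
```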
diff --git a/internal/provider/platform_resource_schema_aws.go b/internal/provider/platform_resource_schema_aws.go
index 1267e95..ed4a8cb 100644
--- a/internal/provider/platform_resource_schema_aws.go
+++ b/internal/provider/platform_resource_schema_aws.go
@@ -2,6 +2,7 @@ package provider
import (
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
@@ -33,28 +34,35 @@ func awsAccessConfigSchema() schema.Attribute {
MarkdownDescription: "ExternalId to enhance security in a multi account setup when assuming the organization root account role.",
Optional: true,
},
- "service_user_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service user configuration (alternative to `workload_identity_config`)",
- Optional: true,
+ "auth": schema.SingleNestedAttribute{
+ MarkdownDescription: "Authentication configuration",
+ Required: true,
Attributes: map[string]schema.Attribute{
- "access_key": schema.StringAttribute{
- MarkdownDescription: "AWS access key for service user",
- Required: true,
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Authentication type (credential or workloadIdentity)",
+ Computed: true,
+ PlanModifiers: []planmodifier.String{authTypeDefault()},
},
- "secret_key": schema.StringAttribute{
- MarkdownDescription: "AWS secret key for service user",
- Required: true,
- Sensitive: true,
+ "credential": schema.SingleNestedAttribute{
+ MarkdownDescription: "Service user credential configuration",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "access_key": schema.StringAttribute{
+ MarkdownDescription: "AWS access key for service user",
+ Required: true,
+ },
+ "secret_key": secretEmbeddedSchema("AWS secret key for service user", false),
+ },
},
- },
- },
- "workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Workload identity configuration (alternative to `service_user_config`)",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "role_arn": schema.StringAttribute{
- MarkdownDescription: "ARN of the role that should be used as the entry point for meshStack by assuming it via web identity.",
- Required: true,
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "role_arn": schema.StringAttribute{
+ MarkdownDescription: "ARN of the role that should be used as the entry point for meshStack by assuming it via web identity.",
+ Required: true,
+ },
+ },
},
},
},
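Review bot: Nothing in the new `auth` block enforces that exactly one of `credential` and `workload_identity` is set; the removed descriptions at least said "alternative to", the new ones do not, and `type` is computed by `authTypeDefault()` (not visible here), so a configuration with both or neither is only caught by whatever that modifier or the API does. `objectvalidator.ExactlyOneOf(path.MatchRelative().AtParent().AtName("workload_identity"))` on `credential` (from terraform-plugin-framework-validators, which needs an import in this file) makes the rule explicit at plan time and gives the user a clear error instead of an API rejection after the plan was accepted. awsAccessConfigSchema continues outside the hunk.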
@@ -119,32 +127,7 @@ func awsReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "With a String Pattern you can define how the account email address of the created AWS account will be set. E.g. `aws+#{workspaceIdentifier}.#{projectIdentifier}@yourcompany.com`. Please consider that this email address is limited to 64 characters! Also have a look at our docs for more information.",
Required: true,
},
- "tenant_tags": schema.SingleNestedAttribute{
- MarkdownDescription: "Tenant tags configuration",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "namespace_prefix": schema.StringAttribute{
- MarkdownDescription: "Namespace prefix for tenant tags",
- Required: true,
- },
- "tag_mappers": schema.ListNestedAttribute{
- MarkdownDescription: "List of tag mappers for tenant tags",
- Optional: true,
- NestedObject: schema.NestedAttributeObject{
- Attributes: map[string]schema.Attribute{
- "key": schema.StringAttribute{
- MarkdownDescription: "Key for the tag mapper",
- Required: true,
- },
- "value_pattern": schema.StringAttribute{
- MarkdownDescription: "Value pattern for the tag mapper",
- Required: true,
- },
- },
- },
- },
- },
- },
+ "tenant_tags": tenantTagsAttribute(),
"aws_sso": schema.SingleNestedAttribute{
MarkdownDescription: "AWS SSO configuration",
Optional: true,
@@ -161,11 +144,7 @@ func awsReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Configures the pattern that defines the desired name of AWS IAM Identity Center groups managed by meshStack. It follows the usual replicator string pattern features and provides the additional replacement 'platformGroupAlias', which contains the role name suffix, which is configurable via Role Mappings in this platform config or via a meshLandingZone. Operators must ensure the group names will be unique within the same AWS IAM Identity Center Instance with that configuration. meshStack will additionally prefix the group name with 'mst-' to be able to identify the groups that are managed by meshStack.",
Required: true,
},
- "sso_access_token": schema.StringAttribute{
- MarkdownDescription: "The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center.",
- Optional: true,
- Sensitive: true,
- },
+ "sso_access_token": secretEmbeddedSchema("The AWS IAM Identity Center SCIM Access Token that was generated via the Automatic provisioning config in AWS IAM Identity Center.", true),
"aws_role_mappings": schema.ListNestedAttribute{
MarkdownDescription: "AWS role mappings for AWS SSO",
Optional: true,
diff --git a/internal/provider/platform_resource_schema_azure.go b/internal/provider/platform_resource_schema_azure.go
index 1acc76a..53b49e9 100644
--- a/internal/provider/platform_resource_schema_azure.go
+++ b/internal/provider/platform_resource_schema_azure.go
@@ -1,7 +1,10 @@
package provider
import (
+ "github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+ "github.com/hashicorp/terraform-plugin-framework/schema/validator"
"github.com/hashicorp/terraform-plugin-framework/types"
)
@@ -35,19 +38,11 @@ func azureReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID",
Required: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Required: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is `CREDENTIALS`)",
- Optional: true,
- Sensitive: true,
- },
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Required: true,
},
+ "auth": azureAuthConfigDataSourceSchema(),
},
},
"provisioning": schema.SingleNestedAttribute{
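Review bot: The replication service principal's `auth` attribute is built with `azureAuthConfigDataSourceSchema()` while the provisioning block in the next hunk uses `azureAuthSchema()`; in a resource schema file the data-source helper looks like the wrong one. If it follows the naming used elsewhere in this diff and marks its attributes `Computed`, the replication credential could not be configured at all, and if it returns data-source schema types the file would not compile, so one of the two call sites is probably unintended. `"auth": azureAuthSchema(),` would match the sibling. azureReplicationConfigSchema continues outside the hunk.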
@@ -93,15 +88,7 @@ func azureReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the \"Enterprise Application\" but can also be retrieved via the \"App Registration\" object as \"Application (Client) ID\".",
Required: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Must be one of `CREDENTIALS` or `WORKLOAD_IDENTITY`. Workload Identity Federation is the one that we recommend as it enables the most secure approach to provide access to your Azure tenant without using long lived credentials. Credential Authentication is an alternative approach where you have to provide a clientSecret manually to meshStack and meshStack stores it encrypted.",
- Required: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Must be set if and only if authType is CREDENTIALS. A valid secret for accessing the application. In Azure Portal, this can be configured on the \"App Registration\" under Certificates & secrets. [How is this information secured?](https://docs.meshcloud.io/operations/security-faq/#how-does-meshstack-securely-handle-my-cloud-platform-credentials)",
- Optional: true,
- Sensitive: true,
- },
+ "auth": azureAuthSchema(),
},
},
"destination_entra_id": schema.StringAttribute{
@@ -187,36 +174,8 @@ func azureReplicationConfigSchema() schema.Attribute {
},
},
},
- "tenant_tags": schema.SingleNestedAttribute{
- MarkdownDescription: "Tenant tagging configuration.",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "namespace_prefix": schema.StringAttribute{
- MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
- Required: true,
- },
- "tag_mappers": schema.ListNestedAttribute{
- MarkdownDescription: "List of tag mappers for tenant tags",
- Optional: true,
- NestedObject: schema.NestedAttributeObject{
- Attributes: map[string]schema.Attribute{
- "key": schema.StringAttribute{
- MarkdownDescription: "Key for the tag mapper",
- Required: true,
- },
- "value_pattern": schema.StringAttribute{
- MarkdownDescription: "Value pattern for the tag mapper",
- Required: true,
- },
- },
- },
- },
- },
- },
- "user_look_up_strategy": schema.StringAttribute{
- MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
- Required: true,
- },
+ "tenant_tags": tenantTagsAttribute(),
+ "user_lookup_strategy": azureUserLookupStrategySchema(),
"skip_user_group_permission_cleanup": schema.BoolAttribute{
MarkdownDescription: "Flag to skip user group permission cleanup. For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.",
Required: true,
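Review bot: `user_lookup_strategy` at L2103 replaces `user_look_up_strategy` with a different value set — the removed attribute documented `userPrincipalName`/`email`, while azureUserLookupStrategySchema (L2197) rejects anything but `UserByMailLookupStrategy`/`UserByUsernameLookupStrategy` — so configurations and state written against the old attribute fail validation on upgrade instead of being migrated. Consider a schema `Version` bump with a `resource.ResourceWithUpgradeState` implementation, or at minimum a migration sentence in the attribute's MarkdownDescription that maps the old values to the new ones. The same rename is made at L2183 and L2537. azureReplicationConfigSchema extends beyond this hunk.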
@@ -246,19 +205,11 @@ func azureMeteringConfigSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID",
Required: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Required: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is `CREDENTIALS`)",
- Optional: true,
- Sensitive: true,
- },
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Required: true,
},
+ "auth": azureAuthSchema(),
},
},
"processing": meteringProcessingConfigSchema(),
@@ -295,19 +246,11 @@ func azureRgReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID",
Required: true,
},
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Required: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret (if authType is `CREDENTIALS`)",
- Optional: true,
- Sensitive: true,
- },
"object_id": schema.StringAttribute{
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Required: true,
},
+ "auth": azureAuthSchema(),
},
},
"subscription": schema.StringAttribute{
@@ -336,36 +279,8 @@ func azureRgReplicationConfigSchema() schema.Attribute {
},
},
},
- "user_look_up_strategy": schema.StringAttribute{
- MarkdownDescription: "User lookup strategy (`userPrincipalName` or `email`). Users can either be looked up in cloud platforms by email or UPN (User Principal Name). In most cases email is the matching way as it is the only identifier that is consistently used throughout all cloud platforms and meshStack.",
- Required: true,
- },
- "tenant_tags": schema.SingleNestedAttribute{
- MarkdownDescription: "Tenant tags configuration",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "namespace_prefix": schema.StringAttribute{
- MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
- Required: true,
- },
- "tag_mappers": schema.ListNestedAttribute{
- MarkdownDescription: "List of tag mappers for tenant tags",
- Optional: true,
- NestedObject: schema.NestedAttributeObject{
- Attributes: map[string]schema.Attribute{
- "key": schema.StringAttribute{
- MarkdownDescription: "Key for the tag mapper",
- Required: true,
- },
- "value_pattern": schema.StringAttribute{
- MarkdownDescription: "Value pattern for the tag mapper",
- Required: true,
- },
- },
- },
- },
- },
- },
+ "user_lookup_strategy": azureUserLookupStrategySchema(),
+ "tenant_tags": tenantTagsAttribute(),
"skip_user_group_permission_cleanup": schema.BoolAttribute{
MarkdownDescription: "For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the Azure platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.",
Required: true,
@@ -381,3 +296,27 @@ func azureRgReplicationConfigSchema() schema.Attribute {
},
}
}
+func azureUserLookupStrategySchema() schema.Attribute {
+ return schema.StringAttribute{
+ MarkdownDescription: "Strategy for user lookup in Azure (`UserByMailLookupStrategy` or `UserByUsernameLookupStrategy`)",
+ Required: true,
+ Validators: []validator.String{
+ stringvalidator.OneOf([]string{"UserByMailLookupStrategy", "UserByUsernameLookupStrategy"}...),
+ },
+ }
+}
+
+func azureAuthSchema() schema.Attribute {
+ return schema.SingleNestedAttribute{
+ MarkdownDescription: "Authentication configuration",
+ Required: true,
+ Attributes: map[string]schema.Attribute{
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Authentication type (credential or workloadIdentity)",
+ Computed: true,
+ PlanModifiers: []planmodifier.String{authTypeDefault()},
+ },
+ "credential": secretEmbeddedSchema("Client secret (if type is credential)", true),
+ },
+ }
+}
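Review bot: `type` in azureAuthSchema (L2207–L2211) is `Computed: true` without `Optional: true`, so practitioners cannot set it to `workloadIdentity` themselves; the description "(credential or workloadIdentity)" implies a choice, but the only source of the value is `authTypeDefault()`, which is not in the diff — if it infers the type from whether `credential` is present, say so in the description, otherwise add `Optional: true`. The removed descriptions also recommended Workload Identity Federation over long-lived client secrets and linked the security FAQ on how credentials are stored; that guidance is dropped at L2204 and L2208, and "Authentication configuration" alone does not tell an operator which option to prefer. Unlike the old schema, nothing enforces that `credential` is set exactly when `type` is `credential`; if `secretEmbeddedSchema` returns an object attribute, an `objectvalidator` on it could restore that rule. Two smaller points: `stringvalidator.OneOf` is variadic, so L2197 can be `stringvalidator.OneOf("UserByMailLookupStrategy", "UserByUsernameLookupStrategy")`, and both new functions lack a doc comment, e.g. `// azureAuthSchema returns the nested "auth" attribute shared by the Azure, Azure RG and AKS service-principal configurations.`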
diff --git a/internal/provider/platform_resource_schema_gcp.go b/internal/provider/platform_resource_schema_gcp.go
index bca9856..e70054b 100644
--- a/internal/provider/platform_resource_schema_gcp.go
+++ b/internal/provider/platform_resource_schema_gcp.go
@@ -2,6 +2,7 @@ package provider
import (
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+ "github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
)
func gcpPlatformSchema() schema.Attribute {
@@ -20,7 +21,7 @@ func gcpReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "GCP-specific replication configuration for the platform.",
Optional: true,
Attributes: map[string]schema.Attribute{
- "service_account_config": gcpServiceAccountConfigSchema(),
+ "service_account": gcpServiceAccountConfigSchema(),
"domain": schema.StringAttribute{
MarkdownDescription: "The domain used for cloud identity directory-groups created and managed by meshStack. meshStack maintains separate groups for each meshProject role on each managed GCP project.",
Required: true,
@@ -70,32 +71,7 @@ func gcpReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Configuration flag to enable or disable hierarchical folder assignment in GCP. If set to true: Projects can be moved to sub folders of the folder defined in the Landing Zone. This is useful if you want to manage the project location with a deeper and more granular hierarchy. If set to false: Projects will always be moved directly to the folder defined in the Landing Zone.",
Required: true,
},
- "tenant_tags": schema.SingleNestedAttribute{
- MarkdownDescription: "Tenant tags configuration",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "namespace_prefix": schema.StringAttribute{
- MarkdownDescription: "Namespace prefix for tenant tags",
- Required: true,
- },
- "tag_mappers": schema.ListNestedAttribute{
- MarkdownDescription: "List of tag mappers for tenant tags",
- Optional: true,
- NestedObject: schema.NestedAttributeObject{
- Attributes: map[string]schema.Attribute{
- "key": schema.StringAttribute{
- MarkdownDescription: "Key for the tag mapper",
- Required: true,
- },
- "value_pattern": schema.StringAttribute{
- MarkdownDescription: "Value pattern for the tag mapper",
- Required: true,
- },
- },
- },
- },
- },
- },
+ "tenant_tags": tenantTagsAttribute(),
"skip_user_group_permission_cleanup": schema.BoolAttribute{
MarkdownDescription: "For certain use cases you might want to preserve user groups and replicated permission after a tenant was deleted on the GCP platform. Checking this option preserves those permissions. Please keep in mind that the platform operator is then responsible for cleaning them up later.",
Required: true,
@@ -106,22 +82,17 @@ func gcpReplicationConfigSchema() schema.Attribute {
func gcpServiceAccountConfigSchema() schema.Attribute {
return schema.SingleNestedAttribute{
- MarkdownDescription: "Service account configuration. Either `serviceAccountCredentialsConfig` or `serviceAccountWorkloadIdentityConfig` must be provided.",
+ MarkdownDescription: "Service account configuration. Either credential or workload_identity must be provided.",
Required: true,
Attributes: map[string]schema.Attribute{
- "service_account_credentials_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account credentials configuration (alternative to serviceAccountWorkloadIdentityConfig)",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "service_account_credentials_b64": schema.StringAttribute{
- MarkdownDescription: "Base64 encoded credentials.json file for a GCP ServiceAccount. The replicator uses this Service Account to automate GCP API operations (IAM, ResourceManager etc.).",
- Required: true,
- Sensitive: true,
- },
- },
- },
- "service_account_workload_identity_config": schema.SingleNestedAttribute{
- MarkdownDescription: "Service account workload identity configuration (alternative to serviceAccountCredentialsConfig)",
+ "type": schema.StringAttribute{
+ MarkdownDescription: "Service account type",
+ Computed: true,
+ PlanModifiers: []planmodifier.String{authTypeDefault()},
+ },
+ "credential": secretEmbeddedSchema("Base64 encoded credentials.json file for a GCP ServiceAccount.", true),
+ "workload_identity": schema.SingleNestedAttribute{
+ MarkdownDescription: "Workload identity configuration.",
Optional: true,
Attributes: map[string]schema.Attribute{
"audience": schema.StringAttribute{
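Review bot: The description at L2273 says either `credential` or `workload_identity` must be provided, but nothing in the schema enforces it — `workload_identity` is optional, `credential` presumably is too (the `true` argument at L2294 mirrors the formerly optional Azure client secret), and there is no validator — so a service-account block with neither or both passes plan and only fails, if at all, at the API. If `secretEmbeddedSchema` returns a `schema.SingleNestedAttribute`, an `objectvalidator.ExactlyOneOf(path.MatchRelative().AtParent().AtName("workload_identity"))` on `credential` would make the rule explicit at plan time. The `type` description at L2290 no longer names the allowed values, and the removed sentence explaining that the replicator uses this service account for IAM and ResourceManager operations is gone at L2294; it told operators what permissions the credential carries and is worth keeping. gcpServiceAccountConfigSchema's body continues past this hunk.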
@@ -143,7 +114,7 @@ func gcpMeteringConfigSchema() schema.Attribute {
MarkdownDescription: "Metering configuration for GCP (optional, but required for metering)",
Optional: true,
Attributes: map[string]schema.Attribute{
- "service_account_config": gcpServiceAccountConfigSchema(),
+ "service_account": gcpServiceAccountConfigSchema(),
"bigquery_table": schema.StringAttribute{
MarkdownDescription: "BigQuery table for metering data.",
Required: true,
diff --git a/internal/provider/platform_resource_schema_kubernetes.go b/internal/provider/platform_resource_schema_kubernetes.go
index 5943cf0..100e946 100644
--- a/internal/provider/platform_resource_schema_kubernetes.go
+++ b/internal/provider/platform_resource_schema_kubernetes.go
@@ -7,24 +7,30 @@ import (
// Vanilla Kubernetes
+func kubernetesBasedPlatformAttributes(platformName string, exampleBaseUrl string) map[string]schema.Attribute {
+ return map[string]schema.Attribute{
+ "base_url": schema.StringAttribute{
+ MarkdownDescription: "This is the base URL to your " + platformName + " cluster, which is used to call the APIs to create new " + platformName + " tenants, get raw data for metering the " + platformName + " tenants, etc. An example base URL is: " + exampleBaseUrl,
+ Required: true,
+ },
+ "disable_ssl_validation": schema.BoolAttribute{
+ MarkdownDescription: "Flag to disable SSL validation for the " + platformName + " cluster. SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.",
+ Optional: true,
+ Computed: true,
+ Default: booldefault.StaticBool(false),
+ },
+ }
+}
+
func kubernetesPlatformSchema() schema.Attribute {
+ attributes := kubernetesBasedPlatformAttributes("Kubernetes", "https://k8s.dev.eu-de-central.msh.host:6443")
+ attributes["replication"] = kubernetesReplicationConfigSchema()
+ attributes["metering"] = kubernetesMeteringConfigSchema()
+
return schema.SingleNestedAttribute{
MarkdownDescription: "Kubernetes platform configuration.",
Optional: true,
- Attributes: map[string]schema.Attribute{
- "base_url": schema.StringAttribute{
- MarkdownDescription: "This URL is the base URL to your Kubernetes Cluster, which is used to call the APIs to create new Kubernetes projects, get raw data for metering the Kubernetes projects, etc. An example base URL is: https://k8s.dev.eu-de-central.msh.host:6443",
- Required: true,
- },
- "disable_ssl_validation": schema.BoolAttribute{
- MarkdownDescription: "Flag to disable SSL validation for the Kubernetes cluster. SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.",
- Optional: true,
- Computed: true,
- Default: booldefault.StaticBool(false),
- },
- "replication": kubernetesReplicationConfigSchema(),
- "metering": kubernetesMeteringConfigSchema(),
- },
+ Attributes: attributes,
}
}
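Review bot: Go's initialism convention would name the parameter at L2315 `exampleBaseURL` rather than `exampleBaseUrl` (linters such as revive flag this), and the new helper has no doc comment; `// kubernetesBasedPlatformAttributes returns the base_url and disable_ssl_validation attributes shared by the Kubernetes, OpenShift and AKS platform schemas; callers add their own replication and metering attributes to the returned map.` would cover it. Because each caller mutates the result (L2332–L2333), the comment should state that a fresh map is returned per call, which the literal at L2316 guarantees.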
@@ -33,11 +39,7 @@ func kubernetesClientConfigSchema(description string) schema.Attribute {
MarkdownDescription: description,
Required: true,
Attributes: map[string]schema.Attribute{
- "access_token": schema.StringAttribute{
- MarkdownDescription: "The Access Token of the service account for replicator access.",
- Required: true,
- Sensitive: true,
- },
+ "access_token": secretEmbeddedSchema("The Access Token of the service account for replicator access.", false),
},
}
}
@@ -56,37 +58,31 @@ func kubernetesReplicationConfigSchema() schema.Attribute {
}
}
-func kubernetesMeteringConfigSchema() schema.Attribute {
+func kubernetesBasedMeteringConfigSchema(platformName string) schema.Attribute {
return schema.SingleNestedAttribute{
- MarkdownDescription: "Metering configuration for Kubernetes (optional, but required for metering)",
+ MarkdownDescription: "Metering configuration for " + platformName + " (optional, but required for metering)",
Optional: true,
Attributes: map[string]schema.Attribute{
- "client_config": kubernetesClientConfigSchema("Client configuration for Kubernetes metering"),
+ "client_config": kubernetesClientConfigSchema("Client configuration for " + platformName + " metering"),
"processing": meteringProcessingConfigSchema(),
},
}
}
+func kubernetesMeteringConfigSchema() schema.Attribute {
+ return kubernetesBasedMeteringConfigSchema("Kubernetes")
+}
+
// OpenShift (OKD)
func openShiftPlatformSchema() schema.Attribute {
+ attributes := kubernetesBasedPlatformAttributes("OpenShift", "https://api.okd4.dev.eu-de-central.msh.host:6443")
+ attributes["replication"] = openShiftReplicationConfigSchema()
+ attributes["metering"] = openShiftMeteringConfigSchema()
return schema.SingleNestedAttribute{
MarkdownDescription: "OpenShift platform configuration.",
Optional: true,
- Attributes: map[string]schema.Attribute{
- "base_url": schema.StringAttribute{
- MarkdownDescription: "This URL is the base URL to your OpenShift Cluster, which is used to call the APIs to create new OpenShift projects, get raw data for metering the OpenShift projects, etc. An example base URL is: https://api.okd4.dev.eu-de-central.msh.host:6443",
- Required: true,
- },
- "disable_ssl_validation": schema.BoolAttribute{
- MarkdownDescription: "Flag to disable SSL validation for the OpenShift cluster. SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.",
- Optional: true,
- Computed: true,
- Default: booldefault.StaticBool(false),
- },
- "replication": openShiftReplicationConfigSchema(),
- "metering": openShiftMeteringConfigSchema(),
- },
+ Attributes: attributes,
}
}
func openShiftReplicationConfigSchema() schema.Attribute {
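Review bot: openShiftPlatformSchema (L2390–L2393) omits the blank line between the attribute set-up and the `return` that kubernetesPlatformSchema has at L2334, and aksPlatformSchema at L2461–L2464 does the same; pick one layout for the three siblings. kubernetesBasedMeteringConfigSchema at L2372 would also benefit from a doc comment such as `// kubernetesBasedMeteringConfigSchema builds the optional metering block shared by Kubernetes, OpenShift and AKS; platformName only feeds the descriptions.`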
@@ -124,67 +120,25 @@ func openShiftReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Identity provider name",
Required: true,
},
- "tenant_tags": schema.SingleNestedAttribute{
- MarkdownDescription: "Tenant tags configuration",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "namespace_prefix": schema.StringAttribute{
- MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
- Required: true,
- },
- "tag_mappers": schema.ListNestedAttribute{
- MarkdownDescription: "List of tag mappers for tenant tags",
- Optional: true,
- NestedObject: schema.NestedAttributeObject{
- Attributes: map[string]schema.Attribute{
- "key": schema.StringAttribute{
- MarkdownDescription: "Key for the tag mapper",
- Required: true,
- },
- "value_pattern": schema.StringAttribute{
- MarkdownDescription: "Value pattern for the tag mapper",
- Required: true,
- },
- },
- },
- },
- },
- },
+ "tenant_tags": tenantTagsAttribute(),
},
}
}
func openShiftMeteringConfigSchema() schema.Attribute {
- return schema.SingleNestedAttribute{
- MarkdownDescription: "Metering configuration for OpenShift (optional, but required for metering)",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "client_config": kubernetesClientConfigSchema("Client configuration for OpenShift metering"),
- "processing": meteringProcessingConfigSchema(),
- },
- }
+ return kubernetesBasedMeteringConfigSchema("OpenShift")
}
// AKS
func aksPlatformSchema() schema.Attribute {
+ attributes := kubernetesBasedPlatformAttributes("AKS", "https://myaks-dns.westeurope.azmk8s.io:443")
+ attributes["replication"] = aksReplicationConfigSchema()
+ attributes["metering"] = aksMeteringConfigSchema()
return schema.SingleNestedAttribute{
MarkdownDescription: "Azure Kubernetes Service configuration",
Optional: true,
- Attributes: map[string]schema.Attribute{
- "base_url": schema.StringAttribute{
- MarkdownDescription: "Base URL of the AKS cluster",
- Required: true,
- },
- "disable_ssl_validation": schema.BoolAttribute{
- MarkdownDescription: "Flag to disable SSL validation for the AKS cluster. (SSL Validation should at best never be disabled, but for integration of some private cloud platforms in an early state, they might not yet be using valid SSL certificates. In that case it can make sense to disable SSL validation here to already test integration of these platforms.)",
- Optional: true,
- Computed: true,
- Default: booldefault.StaticBool(false),
- },
- "replication": aksReplicationConfigSchema(),
- "metering": aksMeteringConfigSchema(),
- },
+ Attributes: attributes,
}
}
@@ -193,11 +147,7 @@ func aksReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Replication configuration for AKS (optional, but required for replication)",
Optional: true,
Attributes: map[string]schema.Attribute{
- "access_token": schema.StringAttribute{
- MarkdownDescription: "The Access Token of the service account for replicator access.",
- Required: true,
- Sensitive: true,
- },
+ "access_token": secretEmbeddedSchema("The Access Token of the service account for replicator access.", false),
"namespace_name_pattern": schema.StringAttribute{
MarkdownDescription: "Pattern for naming namespaces in AKS",
Required: true,
@@ -210,19 +160,6 @@ func aksReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Service principal configuration for AKS",
Required: true,
Attributes: map[string]schema.Attribute{
- "client_id": schema.StringAttribute{
- MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID'.",
- Required: true,
- },
- "auth_type": schema.StringAttribute{
- MarkdownDescription: "Authentication type for the service principal (`CREDENTIALS` or `WORKLOAD_IDENTITY`)",
- Required: true,
- },
- "credentials_auth_client_secret": schema.StringAttribute{
- MarkdownDescription: "Client secret for the service principal (if `authType` is `CREDENTIALS`)",
- Optional: true,
- Sensitive: true,
- },
"entra_tenant": schema.StringAttribute{
MarkdownDescription: "Domain name or ID of the Entra Tenant that holds the Service Principal.",
Required: true,
@@ -231,6 +168,11 @@ func aksReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "The Object ID of the Enterprise Application. You can get this Object ID via the API (e.g. when using our Terraform provider) or from Enterprise applications pane in Microsoft Entra admin center.",
Required: true,
},
+ "client_id": schema.StringAttribute{
+ MarkdownDescription: "The Application (Client) ID. In Azure Portal, this is the Application ID of the 'Enterprise Application' but can also be retrieved via the 'App Registration' object as 'Application (Client) ID'.",
+ Required: true,
+ },
+ "auth": azureAuthSchema(),
},
},
"aks_subscription_id": schema.StringAttribute{
@@ -253,10 +195,7 @@ func aksReplicationConfigSchema() schema.Attribute {
MarkdownDescription: "Flag to send Azure invitation emails. When true, meshStack instructs Azure to send out Invitation mails to invited users.",
Required: true,
},
- "user_look_up_strategy": schema.StringAttribute{
- MarkdownDescription: "Strategy for user lookup in Azure (`userPrincipalName` or `email`)",
- Required: true,
- },
+ "user_lookup_strategy": azureUserLookupStrategySchema(),
"administrative_unit_id": schema.StringAttribute{
MarkdownDescription: "If you enter an administrative unit ID the replicated (and potentially existing) groups will be put into this AU. This can be used to limit the permission scopes which are required for the replicator principal. If you remove the AU ID again or change it, the groups will not be removed from the old AU.",
Optional: true,
@@ -266,12 +205,5 @@ func aksReplicationConfigSchema() schema.Attribute {
}
func aksMeteringConfigSchema() schema.Attribute {
- return schema.SingleNestedAttribute{
- MarkdownDescription: "Metering configuration for AKS (optional, but required for metering)",
- Optional: true,
- Attributes: map[string]schema.Attribute{
- "client_config": kubernetesClientConfigSchema("Client configuration for AKS metering"),
- "processing": meteringProcessingConfigSchema(),
- },
- }
+ return kubernetesBasedMeteringConfigSchema("AKS")
}
diff --git a/internal/provider/schema_utils.go b/internal/provider/schema_utils.go
index b3c4e3f..feed84b 100644
--- a/internal/provider/schema_utils.go
+++ b/internal/provider/schema_utils.go
@@ -33,3 +33,32 @@ func meshProjectRoleAttribute(computed bool) schema.SingleNestedAttribute {
},
}
}
+
+func tenantTagsAttribute() schema.SingleNestedAttribute {
+ return schema.SingleNestedAttribute{
+ MarkdownDescription: "Tenant tags configuration",
+ Optional: true,
+ Attributes: map[string]schema.Attribute{
+ "namespace_prefix": schema.StringAttribute{
+ MarkdownDescription: "This is the prefix for all labels created by meshStack. It helps to keep track of which labels are managed by meshStack. It is recommended to let this prefix end with a delimiter like an underscore.",
+ Required: true,
+ },
+ "tag_mappers": schema.ListNestedAttribute{
+ MarkdownDescription: "List of tag mappers for tenant tags",
+ Optional: true,
+ NestedObject: schema.NestedAttributeObject{
+ Attributes: map[string]schema.Attribute{
+ "key": schema.StringAttribute{
+ MarkdownDescription: "Key for the tag mapper",
+ Required: true,
+ },
+ "value_pattern": schema.StringAttribute{
+ MarkdownDescription: "Value pattern for the tag mapper",
+ Required: true,
+ },
+ },
+ },
+ },
+ },
+ }
+}
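Review bot: tenantTagsAttribute has no doc comment; since it now backs four platform schemas a short one helps, e.g. `// tenantTagsAttribute returns the optional "tenant_tags" block (namespace_prefix plus tag_mappers) shared by the Azure, Azure RG, GCP and OpenShift replication configurations.` `key` and `value_pattern` (L2577–L2584) carry no validators, so an empty string is accepted at plan time; if the API rejects empty keys, `stringvalidator.LengthAtLeast(1)` on `key` would surface that earlier, assuming the validators package is already imported in this file.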