Feature/platform secret changes

CHANGELOG.md

@@ -1,4 +1,12 @@
+## v0.15.1
+
+FEATURES:
+
+- Restructured `meshstack_platform` authentication configuration for all platforms.
+- Renamed fields: `user_look_up_strategy` → `user_lookup_strategy`, `service_account_config` → `service_account`.
+- Secrets now use nested `plaintext` field within credential objects.
 ## v0.15.0
+
 FEATURES:
 
 - Support multi select building block inputs.

client/client.go

@@ -111,7 +111,7 @@ func (c *MeshStackProviderClient) login() error {
 	if err != nil {
 		return err
 	} else if res.StatusCode != 200 {
-		return errors.New(fmt.Sprintf("Status %d: %s", res.StatusCode, ERROR_AUTHENTICATION_FAILURE))
+		return fmt.Errorf("Status %d: %s", res.StatusCode, ERROR_AUTHENTICATION_FAILURE)
 	}
 
 	defer res.Body.Close()

client/platform.go

@@ -39,6 +39,11 @@ type MeshPlatformSpec struct {
 	QuotaDefinitions       []QuotaDefinition    `json:"quotaDefinitions" tfsdk:"quota_definitions"`
 }
 
+type SecretEmbedded struct {
+	Plaintext *string `json:"plaintext,omitempty" tfsdk:"plaintext"`
+	// TODO: add Hash field
+}
+
 type QuotaDefinition struct {
 	QuotaKey              string `json:"quotaKey" tfsdk:"quota_key"`
 	MinValue              int    `json:"minValue" tfsdk:"min_value"`

client/platform_config_aks.go

@@ -8,7 +8,7 @@ type AksPlatformConfig struct {
 }
 
 type AksReplicationConfig struct {
-	AccessToken             string                    `json:"accessToken" tfsdk:"access_token"`
+	AccessToken             SecretEmbedded            `json:"accessToken" tfsdk:"access_token"`
 	NamespaceNamePattern    string                    `json:"namespaceNamePattern" tfsdk:"namespace_name_pattern"`
 	GroupNamePattern        string                    `json:"groupNamePattern" tfsdk:"group_name_pattern"`
 	ServicePrincipal        AksServicePrincipalConfig `json:"servicePrincipal" tfsdk:"service_principal"`
@@ -17,16 +17,15 @@ type AksReplicationConfig struct {
 	AksResourceGroup        string                    `json:"aksResourceGroup" tfsdk:"aks_resource_group"`
 	RedirectUrl             *string                   `json:"redirectUrl,omitempty" tfsdk:"redirect_url"`
 	SendAzureInvitationMail bool                      `json:"sendAzureInvitationMail" tfsdk:"send_azure_invitation_mail"`
-	UserLookUpStrategy      string                    `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookupStrategy      string                    `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	AdministrativeUnitId    *string                   `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
 }
 
 type AksServicePrincipalConfig struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
-	EntraTenant                 string  `json:"entraTenant" tfsdk:"entra_tenant"`
-	ObjectId                    string  `json:"objectId" tfsdk:"object_id"`
+	EntraTenant string          `json:"entraTenant" tfsdk:"entra_tenant"`
+	ObjectId    string          `json:"objectId" tfsdk:"object_id"`
+	ClientId    string          `json:"clientId" tfsdk:"client_id"`
+	Auth        AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
 type AksMeteringConfig struct {

client/platform_config_aws.go

@@ -24,26 +24,31 @@ type AwsReplicationConfig struct {
 }
 
 type AwsAccessConfig struct {
-	OrganizationRootAccountRole       string                     `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
-	OrganizationRootAccountExternalId *string                    `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
-	ServiceUserConfig                 *AwsServiceUserConfig      `json:"serviceUserConfig,omitempty" tfsdk:"service_user_config"`
-	WorkloadIdentityConfig            *AwsWorkloadIdentityConfig `json:"workloadIdentityConfig,omitempty" tfsdk:"workload_identity_config"`
+	OrganizationRootAccountRole       string  `json:"organizationRootAccountRole" tfsdk:"organization_root_account_role"`
+	OrganizationRootAccountExternalId *string `json:"organizationRootAccountExternalId,omitempty" tfsdk:"organization_root_account_external_id"`
+	Auth                              AwsAuth `json:"auth" tfsdk:"auth"`
 }
 
-type AwsServiceUserConfig struct {
-	AccessKey string `json:"accessKey" tfsdk:"access_key"`
-	SecretKey string `json:"secretKey" tfsdk:"secret_key"`
+type AwsAuth struct {
+	Type             string                         `json:"type" tfsdk:"type"`
+	Credential       *AwsServiceUserCredential      `json:"credential,omitempty" tfsdk:"credential"`
+	WorkloadIdentity *AwsWorkloadIdentityCredential `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
 }
 
-type AwsWorkloadIdentityConfig struct {
+type AwsServiceUserCredential struct {
+	AccessKey string         `json:"accessKey" tfsdk:"access_key"`
+	SecretKey SecretEmbedded `json:"secretKey" tfsdk:"secret_key"`
+}
+
+type AwsWorkloadIdentityCredential struct {
 	RoleArn string `json:"roleArn" tfsdk:"role_arn"`
 }
 
 type AwsSsoConfig struct {
 	ScimEndpoint     string              `json:"scimEndpoint" tfsdk:"scim_endpoint"`
 	Arn              string              `json:"arn" tfsdk:"arn"`
 	GroupNamePattern string              `json:"groupNamePattern" tfsdk:"group_name_pattern"`
-	SsoAccessToken   string              `json:"ssoAccessToken" tfsdk:"sso_access_token"`
+	SsoAccessToken   SecretEmbedded      `json:"ssoAccessToken" tfsdk:"sso_access_token"`
 	AwsRoleMappings  []AwsSsoRoleMapping `json:"awsRoleMappings" tfsdk:"aws_role_mappings"`
 	SignInUrl        string              `json:"signInUrl" tfsdk:"sign_in_url"`
 }

client/platform_config_azure.go

@@ -16,23 +16,26 @@ type AzureReplicationConfig struct {
 	BlueprintLocation                          string                               `json:"blueprintLocation" tfsdk:"blueprint_location"`
 	AzureRoleMappings                          []AzureRoleMapping                   `json:"azureRoleMappings" tfsdk:"azure_role_mappings"`
 	TenantTags                                 *MeshTenantTags                      `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
-	UserLookUpStrategy                         string                               `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookUpStrategy                         string                               `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	SkipUserGroupPermissionCleanup             bool                                 `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
 	AdministrativeUnitId                       *string                              `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`
 	AllowHierarchicalManagementGroupAssignment bool                                 `json:"allowHierarchicalManagementGroupAssignment" tfsdk:"allow_hierarchical_management_group_assignment"`
 }
 
 type AzureServicePrincipalConfig struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
-	ObjectId                    string  `json:"objectId" tfsdk:"object_id"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	ObjectId string          `json:"objectId" tfsdk:"object_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
+}
+
+type AzureAuthConfig struct {
+	Type       string          `json:"type" tfsdk:"type"`
+	Credential *SecretEmbedded `json:"credential,omitempty" tfsdk:"credential"`
 }
 
 type AzureGraphApiCredentials struct {
-	ClientId                    string  `json:"clientId" tfsdk:"client_id"`
-	AuthType                    string  `json:"authType" tfsdk:"auth_type"`
-	CredentialsAuthClientSecret *string `json:"credentialsAuthClientSecret,omitempty" tfsdk:"credentials_auth_client_secret"`
+	ClientId string          `json:"clientId" tfsdk:"client_id"`
+	Auth     AzureAuthConfig `json:"auth" tfsdk:"auth"`
 }
 
 type AzureSubscriptionProvisioningConfig struct {

client/platform_config_azurerg.go

@@ -11,7 +11,7 @@ type AzureRgReplicationConfig struct {
 	ResourceGroupNamePattern                   string                      `json:"resourceGroupNamePattern" tfsdk:"resource_group_name_pattern"`
 	UserGroupNamePattern                       string                      `json:"userGroupNamePattern" tfsdk:"user_group_name_pattern"`
 	B2bUserInvitation                          *AzureInviteB2BUserConfig   `json:"b2bUserInvitation,omitempty" tfsdk:"b2b_user_invitation"`
-	UserLookUpStrategy                         string                      `json:"userLookUpStrategy" tfsdk:"user_look_up_strategy"`
+	UserLookUpStrategy                         string                      `json:"userLookUpStrategy" tfsdk:"user_lookup_strategy"`
 	TenantTags                                 *MeshTenantTags             `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
 	SkipUserGroupPermissionCleanup             bool                        `json:"skipUserGroupPermissionCleanup" tfsdk:"skip_user_group_permission_cleanup"`
 	AdministrativeUnitId                       *string                     `json:"administrativeUnitId,omitempty" tfsdk:"administrative_unit_id"`

client/platform_config_gcp.go

@@ -6,7 +6,7 @@ type GcpPlatformConfig struct {
 }
 
 type GcpReplicationConfig struct {
-	ServiceAccountConfig              GcpServiceAccountConfig  `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+	ServiceAccount                    GcpServiceAccountConfig  `json:"serviceAccount" tfsdk:"service_account"`
 	Domain                            string                   `json:"domain" tfsdk:"domain"`
 	CustomerId                        string                   `json:"customerId" tfsdk:"customer_id"`
 	GroupNamePattern                  string                   `json:"groupNamePattern" tfsdk:"group_name_pattern"`
@@ -22,12 +22,9 @@ type GcpReplicationConfig struct {
 }
 
 type GcpServiceAccountConfig struct {
-	ServiceAccountCredentialsConfig      *GcpServiceAccountCredentialsConfig      `json:"serviceAccountCredentialsConfig,omitempty" tfsdk:"service_account_credentials_config"`
-	ServiceAccountWorkloadIdentityConfig *GcpServiceAccountWorkloadIdentityConfig `json:"serviceAccountWorkloadIdentityConfig,omitempty" tfsdk:"service_account_workload_identity_config"`
-}
-
-type GcpServiceAccountCredentialsConfig struct {
-	ServiceAccountCredentialsB64 string `json:"serviceAccountCredentialsB64" tfsdk:"service_account_credentials_b64"`
+	Type             string                                   `json:"type" tfsdk:"type"`
+	Credential       *SecretEmbedded                          `json:"credential,omitempty" tfsdk:"credential"`
+	WorkloadIdentity *GcpServiceAccountWorkloadIdentityConfig `json:"workloadIdentity,omitempty" tfsdk:"workload_identity"`
 }
 
 type GcpServiceAccountWorkloadIdentityConfig struct {
@@ -41,7 +38,7 @@ type GcpPlatformRoleMapping struct {
 }
 
 type GcpMeteringConfig struct {
-	ServiceAccountConfig                    GcpServiceAccountConfig              `json:"serviceAccountConfig" tfsdk:"service_account_config"`
+	ServiceAccount                          GcpServiceAccountConfig              `json:"serviceAccount" tfsdk:"service_account"`
 	BigqueryTable                           string                               `json:"bigqueryTable" tfsdk:"bigquery_table"`
 	BigqueryTableForCarbonFootprint         *string                              `json:"bigqueryTableForCarbonFootprint,omitempty" tfsdk:"bigquery_table_for_carbon_footprint"`
 	CarbonFootprintDataCollectionStartMonth *string                              `json:"carbonFootprintDataCollectionStartMonth,omitempty" tfsdk:"carbon_footprint_data_collection_start_month"`

client/platform_config_kubernetes.go

@@ -13,7 +13,7 @@ type KubernetesReplicationConfig struct {
 }
 
 type KubernetesClientConfig struct {
-	AccessToken string `json:"accessToken" tfsdk:"access_token"`
+	AccessToken SecretEmbedded `json:"accessToken" tfsdk:"access_token"`
 }
 
 type KubernetesMeteringConfig struct {

client/platform_config_openshift.go

@@ -12,7 +12,7 @@ type OpenShiftReplicationConfig struct {
 	WebConsoleUrl               *string                        `json:"webConsoleUrl,omitempty" tfsdk:"web_console_url"`
 	ProjectNamePattern          string                         `json:"projectNamePattern" tfsdk:"project_name_pattern"`
 	EnableTemplateInstantiation bool                           `json:"enableTemplateInstantiation" tfsdk:"enable_template_instantiation"`
-	OpenShiftRoleMappings       []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
+	OpenshiftRoleMappings       []OpenShiftPlatformRoleMapping `json:"openshiftRoleMappings" tfsdk:"openshift_role_mappings"`
 	IdentityProviderName        string                         `json:"identityProviderName" tfsdk:"identity_provider_name"`
 	TenantTags                  *MeshTenantTags                `json:"tenantTags,omitempty" tfsdk:"tenant_tags"`
 }
@@ -24,5 +24,5 @@ type OpenShiftMeteringConfig struct {
 
 type OpenShiftPlatformRoleMapping struct {
 	MeshProjectRoleRef MeshProjectRoleRefV2 `json:"projectRoleRef" tfsdk:"project_role_ref"`
-	OpenShiftRole      string               `json:"openshiftRole" tfsdk:"openshift_role"`
+	OpenshiftRole      string               `json:"openshiftRole" tfsdk:"openshift_role"`
 }