Username Password Credential Provider

internal/provider/provider.go

@@ -62,29 +62,30 @@ func New() *schema.Provider {
 			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
-			"boundary_account":                  resourceAccount(),
-			"boundary_account_password":         resourceAccountPassword(),
-			"boundary_account_oidc":             resourceAccountOidc(),
-			"boundary_auth_method":              resourceAuthMethod(),
-			"boundary_auth_method_password":     resourceAuthMethodPassword(),
-			"boundary_auth_method_oidc":         resourceAuthMethodOidc(),
-			"boundary_credential_library_vault": resourceCredentialLibraryVault(),
-			"boundary_credential_store_vault":   resourceCredentialStoreVault(),
-			"boundary_credential_store_static":  resourceCredentialStoreStatic(),
-			"boundary_managed_group":            resourceManagedGroup(),
-			"boundary_group":                    resourceGroup(),
-			"boundary_host":                     resourceHost(),
-			"boundary_host_static":              resourceHostStatic(),
-			"boundary_host_catalog":             resourceHostCatalog(),
-			"boundary_host_catalog_static":      resourceHostCatalogStatic(),
-			"boundary_host_catalog_plugin":      resourceHostCatalogPlugin(),
-			"boundary_host_set":                 resourceHostSet(),
-			"boundary_host_set_static":          resourceHostSetStatic(),
-			"boundary_host_set_plugin":          resourceHostSetPlugin(),
-			"boundary_role":                     resourceRole(),
-			"boundary_scope":                    resourceScope(),
-			"boundary_target":                   resourceTarget(),
-			"boundary_user":                     resourceUser(),
+			"boundary_account":                      resourceAccount(),
+			"boundary_account_password":             resourceAccountPassword(),
+			"boundary_account_oidc":                 resourceAccountOidc(),
+			"boundary_auth_method":                  resourceAuthMethod(),
+			"boundary_auth_method_password":         resourceAuthMethodPassword(),
+			"boundary_auth_method_oidc":             resourceAuthMethodOidc(),
+			"boundary_credential_library_vault":     resourceCredentialLibraryVault(),
+			"boundary_credential_store_vault":       resourceCredentialStoreVault(),
+			"boundary_credential_store_static":      resourceCredentialStoreStatic(),
+			"boundary_credential_username_password": resourceCredentialUsernamePassword(),
+			"boundary_managed_group":                resourceManagedGroup(),
+			"boundary_group":                        resourceGroup(),
+			"boundary_host":                         resourceHost(),
+			"boundary_host_static":                  resourceHostStatic(),
+			"boundary_host_catalog":                 resourceHostCatalog(),
+			"boundary_host_catalog_static":          resourceHostCatalogStatic(),
+			"boundary_host_catalog_plugin":          resourceHostCatalogPlugin(),
+			"boundary_host_set":                     resourceHostSet(),
+			"boundary_host_set_static":              resourceHostSetStatic(),
+			"boundary_host_set_plugin":              resourceHostSetPlugin(),
+			"boundary_role":                         resourceRole(),
+			"boundary_scope":                        resourceScope(),
+			"boundary_target":                       resourceTarget(),
+			"boundary_user":                         resourceUser(),
 		},
 	}
 

internal/provider/resource_credential_username_password.go

@@ -0,0 +1,238 @@
+package provider
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/hashicorp/boundary/api"
+	"github.com/hashicorp/boundary/api/credentials"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+const (
+	credentialUsernamePasswordUsernameKey     = "username"
+	credentialUsernamePasswordPasswordKey     = "password"
+	credentialUsernamePasswordPasswordHmacKey = "password_hmac"
+	credentialUsernamePasswordCredentialType  = "username_password"
+)
+
+func resourceCredentialUsernamePassword() *schema.Resource {
+	return &schema.Resource{
+		Description: "The username/password credential resource allows you to configure a credential using a username and password pair.",
+
+		CreateContext: resourceCredentialUsernamePasswordCreate,
+		ReadContext:   resourceCredentialUsernamePasswordRead,
+		UpdateContext: resourceCredentialUsernamePasswordUpdate,
+		DeleteContext: resourceCredentialUsernamePasswordDelete,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+
+		Schema: map[string]*schema.Schema{
+			IDKey: {
+				Description: "The ID of this username and password pair.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+			NameKey: {
+				Description: "The name of this username and password pair. Defaults to the resource name.",
+				Type:        schema.TypeString,
+				Optional:    true,
+			},
+			DescriptionKey: {
+				Description: "The description of this username and password pair.",
+				Type:        schema.TypeString,
+				Optional:    true,
+			},
+			credentialStoreIdKey: {
+				Description: "The credential store in which to save this username and password pair.",
+				Type:        schema.TypeString,
+				ForceNew:    true,
+				Required:    true,
+			},
+			credentialUsernamePasswordUsernameKey: {
+				Description: "The username of this username/password pairing.",
+				Type:        schema.TypeString,
+				Required:    true,
+			},
+			credentialUsernamePasswordPasswordKey: {
+				Description: "The password of this username/password pairing.",
+				Type:        schema.TypeString,
+				Required:    true,
+			},
+			credentialUsernamePasswordPasswordHmacKey: {
+				Description: "The password hmac.",
+				Type:        schema.TypeString,
+				Computed:    true,
+			},
+		},
+	}
+}
+
+func setFromCredentialUsernamePasswordResponseMap(d *schema.ResourceData, raw map[string]interface{}, fromRead bool) error {
+	// TODO: this needs to be updated for username/password fields
+	if err := d.Set(NameKey, raw[NameKey]); err != nil {
+		return err
+	}
+	if err := d.Set(DescriptionKey, raw[DescriptionKey]); err != nil {
+		return err
+	}
+	if err := d.Set(credentialStoreIdKey, raw[credentialStoreIdKey]); err != nil {
+		return err
+	}
+
+	if attrsVal, ok := raw["attributes"]; ok {
+		// is username in attributes or in raw?
+		attrs := attrsVal.(map[string]interface{})
+		if err := d.Set(credentialUsernamePasswordUsernameKey, attrs[credentialUsernamePasswordUsernameKey]); err != nil {
+			return err
+		}
+
+		statePasswordHmac := d.Get(credentialUsernamePasswordPasswordHmacKey)
+		boundaryPasswordHmac := attrs[credentialUsernamePasswordPasswordHmacKey].(string)
+		if statePasswordHmac.(string) != boundaryPasswordHmac && fromRead {
+			// PasswordHmac has changed in Boundary, therefore the token has changed.
+			// Update password value to force tf to attempt update.
+			if err := d.Set(credentialUsernamePasswordPasswordKey, "(changed in Boundary)"); err != nil {
+				return err
+			}
+		}
+		if err := d.Set(credentialUsernamePasswordPasswordHmacKey, boundaryPasswordHmac); err != nil {
+			return err
+		}
+	}
+
+	d.SetId(raw["id"].(string))
+
+	return nil
+}
+
+func resourceCredentialUsernamePasswordCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	md := meta.(*metaData)
+
+	var opts []credentials.Option
+	if v, ok := d.GetOk(NameKey); ok {
+		opts = append(opts, credentials.WithName(v.(string)))
+	}
+	if v, ok := d.GetOk(DescriptionKey); ok {
+		opts = append(opts, credentials.WithDescription(v.(string)))
+	}
+	if v, ok := d.GetOk(credentialUsernamePasswordUsernameKey); ok {
+		opts = append(opts, credentials.WithUsernamePasswordCredentialUsername(v.(string)))
+	}
+	if v, ok := d.GetOk(credentialUsernamePasswordPasswordKey); ok {
+		opts = append(opts, credentials.WithUsernamePasswordCredentialPassword(v.(string)))
+	}
+
+	var credential_store_id string
+	retrievedStoreId, ok := d.GetOk(credentialStoreIdKey)
+	if ok {
+		credential_store_id = retrievedStoreId.(string)
+	} else {
+		return diag.Errorf("credential store id is unset")
+	}
+
+	client := credentials.NewClient(md.client)
+	cr, err := client.Create(ctx, credentialUsernamePasswordCredentialType, credential_store_id, opts...)
+	if err != nil {
+		return diag.Errorf("error creating credential: %v", err)
+	}
+	if cr == nil {
+		return diag.Errorf("nil credential after create")
+	}
+
+	if err := setFromCredentialUsernamePasswordResponseMap(d, cr.GetResponse().Map, false); err != nil {
+		return diag.Errorf("error generating credential from response map: %v", err)
+	}
+
+	return nil
+}
+
+func resourceCredentialUsernamePasswordRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	md := meta.(*metaData)
+	client := credentials.NewClient(md.client)
+
+	cr, err := client.Read(ctx, d.Id())
+	if err != nil {
+		if apiErr := api.AsServerError(err); apiErr != nil && apiErr.Response().StatusCode() == http.StatusNotFound {
+			d.SetId("")
+			return nil
+		}
+		return diag.Errorf("error reading credential: %v", err)
+	}
+	if cr == nil {
+		return diag.Errorf("credential nil after read")
+	}
+
+	if err := setFromCredentialUsernamePasswordResponseMap(d, cr.GetResponse().Map, true); err != nil {
+		return diag.Errorf("error generating credential from response map: %v", err)
+	}
+
+	return nil
+}
+
+func resourceCredentialUsernamePasswordUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	md := meta.(*metaData)
+	client := credentials.NewClient(md.client)
+
+	var opts []credentials.Option
+	if d.HasChange(NameKey) {
+		opts = append(opts, credentials.DefaultName())
+		nameVal, ok := d.GetOk(NameKey)
+		if ok {
+			opts = append(opts, credentials.WithName(nameVal.(string)))
+		}
+	}
+
+	if d.HasChange(DescriptionKey) {
+		opts = append(opts, credentials.DefaultDescription())
+		descVal, ok := d.GetOk(DescriptionKey)
+		if ok {
+			opts = append(opts, credentials.WithDescription(descVal.(string)))
+		}
+	}
+
+	if d.HasChange(credentialUsernamePasswordUsernameKey) {
+		usernameVal, ok := d.GetOk(credentialUsernamePasswordUsernameKey)
+		if ok {
+			opts = append(opts, credentials.WithUsernamePasswordCredentialUsername(usernameVal.(string)))
+		}
+	}
+
+	if d.HasChange(credentialUsernamePasswordPasswordKey) {
+		passwordVal, ok := d.GetOk(credentialUsernamePasswordPasswordKey)
+		if ok {
+			opts = append(opts, credentials.WithUsernamePasswordCredentialPassword(passwordVal.(string)))
+		}
+	}
+
+	if len(opts) > 0 {
+		opts = append(opts, credentials.WithAutomaticVersioning(true))
+		crUpdate, err := client.Update(ctx, d.Id(), 0, opts...)
+		if err != nil {
+			return diag.Errorf("error updating credential: %v", err)
+		}
+		if crUpdate == nil {
+			return diag.Errorf("credential nil after update")
+		}
+
+		if err = setFromCredentialUsernamePasswordResponseMap(d, crUpdate.GetResponse().Map, false); err != nil {
+			return diag.Errorf("error generating credential from response map: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func resourceCredentialUsernamePasswordDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	md := meta.(*metaData)
+	client := credentials.NewClient(md.client)
+
+	_, err := client.Delete(ctx, d.Id())
+	if err != nil {
+		return diag.Errorf("error deleting credential: %v", err)
+	}
+
+	return nil
+}