Secret data source support for versions in path

secrethub · Feb 21, 2019 · b7c0b32 · b7c0b32
1 parent 26f4a5a
commit b7c0b32
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 24 deletions.
diff --git a/secrethub/data_source_secret.go b/secrethub/data_source_secret.go
@@ -11,7 +11,7 @@ func dataSourceSecret() *schema.Resource {
 			"path": {
 				Type:        schema.TypeString,
 				Required:    true,
-				Description: "The path where the secret is stored.",
+				Description: "The path where the secret is stored. To use a specific version, append the version number to the path, separated by a colon (path:version). Defaults to the latest version.",
 			},
 			"path_prefix": {
 				Type:        schema.TypeString,
@@ -20,9 +20,8 @@ func dataSourceSecret() *schema.Resource {
 			},
 			"version": {
 				Type:        schema.TypeInt,
-				Optional:    true,
 				Computed:    true,
-				Description: "The version of the secret. Defaults to the latest.",
+				Description: "The version of the secret.",
 			},
 			"data": {
 				Type:        schema.TypeString,
@@ -43,25 +42,13 @@ func dataSourceSecretRead(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 
-	remote, err := client.Secrets().Get(path)
+	secret, err := client.Secrets().Versions().GetWithData(path)
 	if err != nil {
 		return err
 	}
 
-	version := d.Get("version").(int)
-	if version == 0 {
-		d.Set("version", remote.LatestVersion)
-	}
-
-	if d.Get("data") == "" || d.Get("version") != remote.LatestVersion {
-		// Only fetch the secret contents if it hasn't been fetched before or if the version is out of sync
-		updated, err := client.Secrets().Versions().GetWithData(path)
-		if err != nil {
-			return err
-		}
-		d.Set("data", string(updated.Data))
-		d.Set("version", updated.Version)
-	}
+	d.Set("data", string(secret.Data))
+	d.Set("version", secret.Version)
 
 	d.SetId(string(path))
 

diff --git a/secrethub/data_source_secret_test.go b/secrethub/data_source_secret_test.go
@@ -46,6 +46,65 @@ func TestAccDataSourceSecret_absPath(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceSecret_absPathVersioned(t *testing.T) {
+	configInit := fmt.Sprintf(`
+		provider "secrethub" {
+			credential = "${file("~/.secrethub/credential")}"
+		}
+
+		resource "secrethub_secret" "%v" {
+			path = "%v"
+			data = "secretpasswordv1"
+		}
+
+		data "secrethub_secret" "%v" {
+			path = "${secrethub_secret.%v.path}:1"
+		}
+	`, testAcc.secretName, testAcc.path, testAcc.secretName, testAcc.secretName)
+
+	configVersioned := fmt.Sprintf(`
+		provider "secrethub" {
+			credential = "${file("~/.secrethub/credential")}"
+		}
+
+		resource "secrethub_secret" "%v" {
+			path = "%v"
+			data = "secretpasswordv2"
+		}
+
+		data "secrethub_secret" "%v" {
+			path = "${secrethub_secret.%v.path}:1"
+		}
+	`, testAcc.secretName, testAcc.path, testAcc.secretName, testAcc.secretName)
+
+	resource.Test(t, resource.TestCase{
+		Providers: testAccProviders,
+		PreCheck:  testAccPreCheck(t),
+		Steps: []resource.TestStep{
+			{
+				Config: configInit,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						fmt.Sprintf("data.secrethub_secret.%v", testAcc.secretName),
+						"data",
+						"secretpasswordv1",
+					),
+				),
+			},
+			{
+				Config: configVersioned,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						fmt.Sprintf("data.secrethub_secret.%v", testAcc.secretName),
+						"data",
+						"secretpasswordv1",
+					),
+				),
+			},
+		},
+	})
+}
+
 func TestAccDataSourceSecret_prefPath(t *testing.T) {
 	config := fmt.Sprintf(`
 		provider "secrethub" {

diff --git a/secrethub/resource_secret.go b/secrethub/resource_secret.go
@@ -95,6 +95,10 @@ func resourceSecretCreate(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 
+	if path.HasVersion() {
+		return fmt.Errorf("path '%v' should not have a version number", path)
+	}
+
 	res, err := client.Secrets().Write(path, data)
 	if err != nil {
 		return err
@@ -168,10 +172,6 @@ func getSecretPath(d *schema.ResourceData, provider *providerMeta) (api.SecretPa
 		return path, err
 	}
 
-	if path.HasVersion() {
-		return path, fmt.Errorf("path '%v' should not have a version number", path)
-	}
-
 	return path, nil
 }
 

diff --git a/website/docs/d/secrethub_secret.html.markdown b/website/docs/d/secrethub_secret.html.markdown
@@ -20,12 +20,12 @@ data "secrethub_secret" "db_password" {
 
 ## Argument Reference
 
-* `path` - (Required) The path where the secret is stored.
+* `path` - (Required) "The path where the secret is stored. To use a specific version, append the version number to the path, separated by a colon (path:version). Defaults to the latest version.
 * `path_prefix` - (Optional) Overrides the `path_prefix` defined in the provider.
-* `version` - (Optional) The version of the secret read. Defaults to the latest.
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
 * `data` - The secret contents.
+* `version` - The version of the secret.