ENG-14083: Add Azure Key Vault user account auth scheme (#542)

* Add Azure Key Vault user account auth scheme * Update model.go * Update model.go * Update docs * Add tests
cyralinc · Jun 5, 2024 · e8d106c · e8d106c
1 parent ab97804
commit e8d106c
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 1 deletion.
diff --git a/cyral/internal/repository/useraccount/model.go b/cyral/internal/repository/useraccount/model.go
@@ -16,6 +16,7 @@ type AuthScheme struct {
 	EnvironmentVariable *AuthSchemeEnvironmentVariable `json:"environmentVariable"`
 	KubernetesSecret    *AuthSchemeKubernetesSecret    `json:"kubernetesSecret"`
 	GCPSecretManager    *AuthSchemeGCPSecretManager    `json:"gcpSecretManager"`
+	AzureKeyVault       *AuthSchemeAzureKeyVault       `json:"azureKeyVault"`
 }
 
 type AuthSchemeAWSIAM struct {
@@ -48,6 +49,10 @@ type AuthSchemeGCPSecretManager struct {
 	SecretName string `json:"secretName,omitempty"`
 }
 
+type AuthSchemeAzureKeyVault struct {
+	SecretURL string `json:"secretUrl,omitempty"`
+}
+
 type ApprovalConfig struct {
 	AutomaticGrant            bool   `json:"automaticGrant,omitempty"`
 	MaxAutomaticGrantDuration string `json:"maxAutomaticGrantDuration,omitempty"`
@@ -158,6 +163,16 @@ func (resource *UserAccountResource) WriteToSchema(d *schema.ResourceData) error
 				},
 			},
 		}
+	case resource.AuthScheme.AzureKeyVault != nil:
+		authScheme = []interface{}{
+			map[string]interface{}{
+				"azure_key_vault": []interface{}{
+					map[string]interface{}{
+						"secret_url": resource.AuthScheme.AzureKeyVault.SecretURL,
+					},
+				},
+			},
+		}
 	case resource.AuthScheme.HashicorpVault != nil:
 		authScheme = []interface{}{
 			map[string]interface{}{
@@ -279,6 +294,12 @@ func (userAccount *UserAccountResource) ReadFromSchema(d *schema.ResourceData) e
 					SecretName: m["secret_name"].(string),
 				},
 			}
+		case "azure_key_vault":
+			userAccount.AuthScheme = &AuthScheme{
+				AzureKeyVault: &AuthSchemeAzureKeyVault{
+					SecretURL: m["secret_url"].(string),
+				},
+			}
 		default:
 			return fmt.Errorf("unexpected auth_scheme [%s]", k)
 		}

diff --git a/cyral/internal/repository/useraccount/resource.go b/cyral/internal/repository/useraccount/resource.go
@@ -21,6 +21,7 @@ var allAuthSchemes = []string{
 	"environment_variable",
 	"kubernetes_secret",
 	"gcp_secrets_manager",
+	"azure_key_vault",
 }
 
 var urlFactory = func(d *schema.ResourceData, c *client.Client) string {
@@ -317,6 +318,24 @@ func resourceSchema() *schema.Resource {
 								},
 							},
 						},
+
+						"azure_key_vault": {
+							Description: "Credential option to set the repository user account from " +
+								"Azure Key Vault.",
+							Optional:     true,
+							Type:         schema.TypeSet,
+							ExactlyOneOf: authSchemeTypesFullScopes,
+							MaxItems:     1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"secret_url": {
+										Description: "The URL of the secret in the Azure Key Vault.",
+										Type:        schema.TypeString,
+										Required:    true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},

diff --git a/cyral/internal/repository/useraccount/resource_test.go b/cyral/internal/repository/useraccount/resource_test.go
@@ -151,6 +151,14 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 			},
 		},
 	}
+	azureKeyVault := useraccount.UserAccountResource{
+		Name: "azure-useracc",
+		AuthScheme: &useraccount.AuthScheme{
+			AzureKeyVault: &useraccount.AuthSchemeAzureKeyVault{
+				SecretURL: "https://vaultName.vault.azure.net/secrets/secretName",
+			},
+		},
+	}
 	awsIAMTest := setupRepositoryUserAccountTest(
 		"aws_iam_test", awsIAM)
 	awsSecretsManagerTest := setupRepositoryUserAccountTest(
@@ -165,6 +173,8 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 		"kubernetes_secret_test", kubernetesSecret)
 	gcpSecretManagerTest := setupRepositoryUserAccountTest(
 		"gcp_secret_manager_test", gcpSecretManager)
+	azureKeyVaultTest := setupRepositoryUserAccountTest(
+		"azure_key_vault_test", azureKeyVault)
 
 	// Test with multiple user accounts
 	userAccount1ResName := "multiple_accounts_test_1"
@@ -216,6 +226,7 @@ func TestAccRepositoryUserAccountResource(t *testing.T) {
 			environmentVariableTest,
 			kubernetesSecretTest,
 			gcpSecretManagerTest,
+			azureKeyVaultTest,
 
 			// Test with multiple user accounts
 			multipleAccountsTest,
@@ -307,6 +318,11 @@ func setupRepositoryUserAccountCheck(resName string, userAccount useraccount.Use
 			resource.TestCheckResourceAttr(resFullName,
 				authSchemeScope+"gcp_secrets_manager.0.secret_name",
 				authScheme.GCPSecretManager.SecretName))
+	case authScheme.AzureKeyVault != nil:
+		checkFuncs = append(checkFuncs,
+			resource.TestCheckResourceAttr(resFullName,
+				authSchemeScope+"azure_key_vault.0.secret_url",
+				authScheme.AzureKeyVault.SecretURL))
 	case authScheme.HashicorpVault != nil:
 		checkFuncs = append(checkFuncs, []resource.TestCheckFunc{
 			resource.TestCheckResourceAttr(resFullName,
@@ -360,6 +376,11 @@ func setupRepositoryUserAccountConfig(resName string, userAccount useraccount.Us
 			gcp_secrets_manager {
 				secret_name = "%s"
 			}`, authScheme.GCPSecretManager.SecretName)
+	case authScheme.AzureKeyVault != nil:
+		authSchemeStr = fmt.Sprintf(`
+			azure_key_vault {
+				secret_url = "%s"
+			}`, authScheme.AzureKeyVault.SecretURL)
 	case authScheme.HashicorpVault != nil:
 		authSchemeStr = fmt.Sprintf(`
 			hashicorp_vault {

diff --git a/docs/resources/repository_user_account.md b/docs/resources/repository_user_account.md
@@ -69,6 +69,18 @@ resource "cyral_repository_user_account" "gcp_secrets" {
   }
 }
 
+# cyral_repository_user_account with auth scheme azure_key_vault will be created
+resource "cyral_repository_user_account" "azure_key_vault" {
+  name          = "hbf_azure_key_vault"
+  repository_id = cyral_repository.tf_test_repo.id
+
+  auth_scheme {
+    azure_key_vault {
+      secret_url = "https://vaultName.vault.azure.net/secrets/secretName"
+    }
+  }
+}
+
 # cyral_repository_user_account with auth scheme hashicorp will be created
 resource "cyral_repository_user_account" "hashicorp" {
   name          = "hbf_hashicorp"
@@ -109,7 +121,8 @@ resource "cyral_repository_user_account" "kubernetes" {
     -   `hashicorp_vault`
     -   `environment_variable`
     -   `kubernetes_secret`
-    -   `gcp_secrets_manager` (see [below for nested schema](#nestedblock--auth_scheme))
+    -   `gcp_secrets_manager`
+    -   `azure_key_vault` (see [below for nested schema](#nestedblock--auth_scheme))
 -   `name` (String) The name of the User Account.
 -   `repository_id` (String) ID of the repository.
 
@@ -131,6 +144,7 @@ Optional:
 
 -   `aws_iam` (Block Set, Max: 1) Credential option to set the repository user account from AWS IAM. (see [below for nested schema](#nestedblock--auth_scheme--aws_iam))
 -   `aws_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from AWS Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--aws_secrets_manager))
+-   `azure_key_vault` (Block Set, Max: 1) Credential option to set the repository user account from Azure Key Vault. (see [below for nested schema](#nestedblock--auth_scheme--azure_key_vault))
 -   `cyral_storage` (Block Set, Max: 1) Credential option to set the repository user account from Cyral Storage. (see [below for nested schema](#nestedblock--auth_scheme--cyral_storage))
 -   `environment_variable` (Block Set, Max: 1) Credential option to set the repository user account from Environment Variable. (see [below for nested schema](#nestedblock--auth_scheme--environment_variable))
 -   `gcp_secrets_manager` (Block Set, Max: 1) Credential option to set the repository user account from GCP Secrets Manager. (see [below for nested schema](#nestedblock--auth_scheme--gcp_secrets_manager))
@@ -153,6 +167,14 @@ Required:
 
 -   `secret_arn` (String) The AWS Secrets Manager secretARN to gain access to the database.
 
+<a id="nestedblock--auth_scheme--azure_key_vault"></a>
+
+### Nested Schema for `auth_scheme.azure_key_vault`
+
+Required:
+
+-   `secret_url` (String) The URL of the secret in the Azure Key Vault.
+
 <a id="nestedblock--auth_scheme--cyral_storage"></a>
 
 ### Nested Schema for `auth_scheme.cyral_storage`

diff --git a/examples/resources/cyral_repository_user_account/resource.tf b/examples/resources/cyral_repository_user_account/resource.tf
@@ -58,6 +58,18 @@ resource "cyral_repository_user_account" "gcp_secrets" {
   }
 }
 
+# cyral_repository_user_account with auth scheme azure_key_vault will be created
+resource "cyral_repository_user_account" "azure_key_vault" {
+  name          = "hbf_azure_key_vault"
+  repository_id = cyral_repository.tf_test_repo.id
+
+  auth_scheme {
+    azure_key_vault {
+      secret_url = "https://vaultName.vault.azure.net/secrets/secretName"
+    }
+  }
+}
+
 # cyral_repository_user_account with auth scheme hashicorp will be created
 resource "cyral_repository_user_account" "hashicorp" {
   name          = "hbf_hashicorp"