Merge pull request #42 from DopplerHQ/terraform-integrations-config-s…

…yncs Add integration and sync resources for AWS Secrets Manager and AWS Parameter Store
DopplerHQ · Mar 29, 2023 · 90120f2 · 90120f2
2 parents 3b2b5de + 88fa9f1
commit 90120f2
Show file tree

Hide file tree

Showing 31 changed files with 1,234 additions and 169 deletions.
diff --git a/.gitignore b/.gitignore
@@ -63,3 +63,6 @@ override.tf.json
 .terraformrc
 terraform.rc
 terraform
+
+# IDEs
+.idea/
diff --git a/Makefile b/Makefile
@@ -5,7 +5,7 @@ NAME=doppler
 BINARY=terraform-provider-${NAME}
 # Only used for local development
 VERSION=0.0.1
-OS_ARCH=darwin_amd64
+OS_ARCH=darwin_$$(uname -m)
 
 default: install
 

diff --git a/docs/data-sources/secrets.md b/docs/data-sources/secrets.md
@@ -37,10 +37,10 @@ output "json_parsing_values" {
 
 ### Optional
 
-- **config** (String) The name of the Doppler config (required for personal tokens)
-- **id** (String) The ID of this resource.
-- **project** (String) The name of the Doppler project (required for personal tokens)
+- `config` (String) The name of the Doppler config (required for personal tokens)
+- `project` (String) The name of the Doppler project (required for personal tokens)
 
 ### Read-Only
 
-- **map** (Map of String, Sensitive) A mapping of secret names to computed secret values
+- `id` (String) The ID of this resource.
+- `map` (Map of String, Sensitive) A mapping of secret names to computed secret values
diff --git a/docs/index.md b/docs/index.md
@@ -21,12 +21,12 @@ provider "doppler" {
 
 ### Required
 
-- **doppler_token** (String) A Doppler token, either a personal or service token
+- `doppler_token` (String) A Doppler token, either a personal or service token
 
 ### Optional
 
-- **host** (String) The Doppler API host (i.e. https://api.doppler.com)
-- **verify_tls** (Boolean) Whether or not to verify TLS
+- `host` (String) The Doppler API host (i.e. https://api.doppler.com)
+- `verify_tls` (Boolean) Whether or not to verify TLS
 
 ## Getting Help
 

diff --git a/docs/resources/config.md b/docs/resources/config.md
@@ -24,10 +24,10 @@ resource "doppler_config" "backend_ci_github" {
 
 ### Required
 
-- **environment** (String) The name of the Doppler environment where the config is located
-- **name** (String) The name of the Doppler config
-- **project** (String) The name of the Doppler project where the config is located
+- `environment` (String) The name of the Doppler environment where the config is located
+- `name` (String) The name of the Doppler config
+- `project` (String) The name of the Doppler project where the config is located
 
-### Optional
+### Read-Only
 
-- **id** (String) The ID of this resource.
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/environment.md b/docs/resources/environment.md
@@ -24,10 +24,10 @@ resource "doppler_environment" "backend_ci" {
 
 ### Required
 
-- **name** (String) The name of the Doppler environment
-- **project** (String) The name of the Doppler project where the environment is located
-- **slug** (String) The slug of the Doppler environment
+- `name` (String) The name of the Doppler environment
+- `project` (String) The name of the Doppler project where the environment is located
+- `slug` (String) The slug of the Doppler environment
 
-### Optional
+### Read-Only
 
-- **id** (String) The ID of this resource.
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/integration_aws_parameter_store.md b/docs/resources/integration_aws_parameter_store.md
@@ -0,0 +1,93 @@
+---
+page_title: "doppler_integration_aws_parameter_store Resource - terraform-provider-doppler"
+subcategory: ""
+description: |-
+	Manage an AWS Parameter Store Doppler integration.
+---
+
+# doppler_integration_aws_parameter_store (Resource)
+
+Manage an AWS Parameter Store Doppler integration.
+
+## Example Usage
+
+```terraform
+resource "aws_iam_role" "doppler_parameter_store" {
+  name = "doppler_parameter_store"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          AWS = "arn:aws:iam::299900769157:user/doppler-integration-operator"
+        },
+        Condition = {
+          StringEquals = {
+            "sts:ExternalId" = "<YOUR_WORKPLACE_SLUG>"
+          }
+        }
+      },
+    ]
+  })
+
+  inline_policy {
+    name = "doppler_secret_manager"
+
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+
+            "ssm:PutParameter",
+            "ssm:LabelParameterVersion",
+            "ssm:DeleteParameter",
+            "ssm:RemoveTagsFromResource",
+            "ssm:GetParameterHistory",
+            "ssm:AddTagsToResource",
+            "ssm:GetParametersByPath",
+            "ssm:GetParameters",
+            "ssm:GetParameter",
+            "ssm:DeleteParameters"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+          # Limit Doppler to only access certain names
+        },
+      ]
+    })
+  }
+}
+
+
+resource "doppler_integration_aws_parameter_store" "prod" {
+  name            = "Production"
+  assume_role_arn = aws_iam_role.doppler_parameter_store.arn
+}
+
+resource "doppler_secrets_sync_aws_parameter_store" "backend_prod" {
+  integration = doppler_integration_aws_parameter_store.prod.id
+  project     = "backend"
+  config      = "prd"
+
+  region        = "us-east-1"
+  path          = "/backend/"
+  secure_string = true
+  tags          = { myTag = "enabled" }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `assume_role_arn` (String) The ARN of the AWS role for Doppler to assume
+- `name` (String) The name of the integration
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/integration_aws_secrets_manager.md b/docs/resources/integration_aws_secrets_manager.md
@@ -0,0 +1,87 @@
+---
+page_title: "doppler_integration_aws_secrets_manager Resource - terraform-provider-doppler"
+subcategory: ""
+description: |-
+	Manage an AWS Secrets Manager Doppler integration.
+---
+
+# doppler_integration_aws_secrets_manager (Resource)
+
+Manage an AWS Secrets Manager Doppler integration.
+
+## Example Usage
+
+```terraform
+resource "aws_iam_role" "doppler_secrets_manager" {
+  name = "doppler_secrets_manager"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRole"
+        Principal = {
+          AWS = "arn:aws:iam::299900769157:user/doppler-integration-operator"
+        },
+        Condition = {
+          StringEquals = {
+            "sts:ExternalId" = "<YOUR_WORKPLACE_SLUG>"
+          }
+        }
+      },
+    ]
+  })
+
+  inline_policy {
+    name = "doppler_secret_manager"
+
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:PutSecretValue",
+            "secretsmanager:CreateSecret",
+            "secretsmanager:DeleteSecret",
+            "secretsmanager:TagResource",
+            "secretsmanager:UpdateSecret"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+          # Limit Doppler to only access certain secret names
+        },
+      ]
+    })
+  }
+}
+
+resource "doppler_integration_aws_secrets_manager" "prod" {
+  name            = "Production"
+  assume_role_arn = aws_iam_role.doppler_secrets_manager.arn
+}
+
+resource "doppler_secrets_sync_aws_secrets_manager" "backend_prod" {
+  integration = doppler_integration_aws_secrets_manager.prod.id
+  project     = "backend"
+  config      = "prd"
+
+  region = "us-east-1"
+  path   = "/backend/"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `assume_role_arn` (String) The ARN of the AWS role for Doppler to assume
+- `name` (String) The name of the integration
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/project.md b/docs/resources/project.md
@@ -23,9 +23,12 @@ resource "doppler_project" "backend" {
 
 ### Required
 
-- **name** (String) The name of the Doppler project
+- `name` (String) The name of the Doppler project
 
 ### Optional
 
-- **description** (String) The description of the Doppler project
-- **id** (String) The ID of this resource.
+- `description` (String) The description of the Doppler project
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
diff --git a/docs/resources/secret.md b/docs/resources/secret.md
@@ -36,15 +36,12 @@ output "resource_value" {
 
 ### Required
 
-- **config** (String) The name of the Doppler config
-- **name** (String) The name of the Doppler secret
-- **project** (String) The name of the Doppler project
-- **value** (String, Sensitive) The raw secret value
-
-### Optional
-
-- **id** (String) The ID of this resource.
+- `config` (String) The name of the Doppler config
+- `name` (String) The name of the Doppler secret
+- `project` (String) The name of the Doppler project
+- `value` (String, Sensitive) The raw secret value
 
 ### Read-Only
 
-- **computed** (String, Sensitive) The computed secret value, after resolving secret references
+- `computed` (String, Sensitive) The computed secret value, after resolving secret references
+- `id` (String) The ID of this resource.