fix: Suppress diff on sensitive values (#221)
* fix: Suppress diff on sensitive values

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* style: Formatting

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* fix: Set variable as sensitive

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* test: Fix gcp pub sub private key id assertion

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* test: Remove private key assertion

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* test: disable TestAlertChannelEmailCreate

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* test: Use ApplyAndIdempotent function in gcp_pub_sub test

Signed-off-by: Darren Murray <darren.murray@lacework.net>

* chore: update integration/resource_lacework_alert_channel_email_test.go

* fix: suppress diff on sensitive values

Signed-off-by: Salim Afiune Maya <afiune@lacework.net>

Co-authored-by: Salim Afiune <afiune@lacework.net>
dmurray-lacework and afiune authored Nov 9, 2021
1 parent cc7609b commit 4a569cd
Showing 6 changed files with 44 additions and 213 deletions.
12 changes: 2 additions & 10 deletions examples/resource_lacework_alert_channel_gcp_pub_sub/main.tf
Expand Up @@ -39,7 +39,8 @@ variable "private_key" {
}

variable "private_key_id" {
type = string
sensitive = true
type = string
}

resource "lacework_alert_channel_gcp_pub_sub" "example" {
Expand Down Expand Up @@ -83,12 +84,3 @@ output "client_id" {
output "client_email" {
value = lacework_alert_channel_gcp_pub_sub.example.credentials[0].client_email
}

output "private_key" {
value = lacework_alert_channel_gcp_pub_sub.example.credentials[0].private_key
sensitive = true
}

output "private_key_id" {
value = lacework_alert_channel_gcp_pub_sub.example.credentials[0].private_key_id
}
4 changes: 2 additions & 2 deletions examples/resource_lacework_integration_gar/variables.tf
Expand Up @@ -19,6 +19,6 @@ variable "private_key" {
sensitive = true
}
variable "non_os_package_support" {
type = bool
default = false
type = bool
default = false
}
Expand Up @@ -33,7 +33,7 @@ func TestAlertChannelGcpPubSubCreate(t *testing.T) {
defer terraform.Destroy(t, terraformOptions)

// Create new GCP Pub Sub Alert Channel
create := terraform.InitAndApply(t, terraformOptions)
create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
assert.Equal(t, "My GCP Pub Sub Example", GetIntegrationName(create))

// Update GCP Pub Sub Alert Channel
Expand All @@ -50,7 +50,7 @@ func TestAlertChannelGcpPubSubCreate(t *testing.T) {
"TF_VAR_private_key": gcreds.PrivateKey,
}

update := terraform.Apply(t, terraformOptions)
update := terraform.ApplyAndIdempotent(t, terraformOptions)

// Verify that the lacework integration was created with the correct information
updateProps := GetAlertChannelProps(update)
Expand All @@ -62,7 +62,6 @@ func TestAlertChannelGcpPubSubCreate(t *testing.T) {
assert.Equal(t, "Resources", data["issueGrouping"])
assert.Equal(t, gcreds.ClientEmail, data["credentials"].(map[string]interface{})["clientEmail"])
assert.Equal(t, gcreds.ClientID, data["credentials"].(map[string]interface{})["clientId"])
assert.Equal(t, gcreds.PrivateKeyID, data["credentials"].(map[string]interface{})["privateKeyId"])

// Verify that the terraform resource has the correct information as expected
actualChannelName := terraform.Output(t, terraformOptions, "name")
Expand All @@ -71,15 +70,13 @@ func TestAlertChannelGcpPubSubCreate(t *testing.T) {
actualIssueGrouping := terraform.Output(t, terraformOptions, "issue_grouping")
actualClientId := terraform.Output(t, terraformOptions, "client_id")
actualClientEmail := terraform.Output(t, terraformOptions, "client_email")
actualPrivateKeyId := terraform.Output(t, terraformOptions, "private_key_id")

assert.Equal(t, "My GCP Pub Sub Example Updated", actualChannelName)
assert.Equal(t, gcreds.ProjectID, actualProjectID)
assert.Equal(t, data["topicId"], actualTopicID)
assert.Equal(t, data["issueGrouping"], actualIssueGrouping)
assert.Equal(t, data["credentials"].(map[string]interface{})["clientId"], actualClientId)
assert.Equal(t, data["credentials"].(map[string]interface{})["clientEmail"], actualClientEmail)
assert.Equal(t, data["credentials"].(map[string]interface{})["privateKeyId"], actualPrivateKeyId)
}
}
}
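Review bot: The privateKeyId assertions dropped from the update-verification step, together with the deletion of lacework/resource_lacework_alert_channel_gcp_pub_sub_test.go in this same commit, leave the new DiffSuppressFunc with no test that a changed private key is actually applied: InitAndApplyAndIdempotent and ApplyAndIdempotent only prove the plan is empty after an apply, which is also exactly what an over-eager suppression would produce. Consider adding a step after the update apply that changes only `TF_VAR_private_key` (and separately `TF_VAR_private_key_id`) in terraformOptions.EnvVars and asserts that a plan reports a change, e.g. via `terraform.PlanExitCode(t, terraformOptions)`, so a key rotation is shown to reach the API. The file header for this section is not shown on the page, and TestAlertChannelGcpPubSubCreate starts above the first hunk.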
27 changes: 18 additions & 9 deletions lacework/resource_lacework_alert_channel_gcp_pub_sub.go
Expand Up @@ -81,20 +81,31 @@ func resourceLaceworkAlertChannelGcpPubSub() *schema.Resource {
Sensitive: true,
Description: "The service account private key ID",
DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
if d.HasChanges(
"name", "project_id", "topic_id", "org_level", "enabled", "issue_grouping",
"credentials.0.client_id", "credentials.0.private_key_id",
// @afiune we can't compare this element since our API, for security reasons,
// does NOT return the private key configured in the Lacework server. So if
// any other element changed from the credentials then we trigger a diff
return !d.HasChanges(
"name", "project_id", "topic_id", "enabled", "issue_grouping",
"credentials.0.client_id",
"credentials.0.client_email",
) {
return false
}
return true
)
},
},
"private_key_id": {
Type: schema.TypeString,
Sensitive: true,
Required: true,
Description: "The service account private key",
DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
// @afiune we can't compare this element since our API, for security reasons,
// does NOT return the private key configured in the Lacework server. So if
// any other element changed from the credentials then we trigger a diff
return !d.HasChanges(
"name", "project_id", "topic_id", "enabled", "issue_grouping",
"credentials.0.client_id",
"credentials.0.client_email",
)
},
},
},
},
Expand Down Expand Up @@ -202,8 +213,6 @@ func resourceLaceworkAlertChannelGcpPubSubRead(d *schema.ResourceData, meta inte
creds := make(map[string]string)
creds["client_id"] = response.Data.Data.Credentials.ClientID
creds["client_email"] = response.Data.Data.Credentials.ClientEmail
creds["private_key"] = response.Data.Data.Credentials.PrivateKey
creds["private_key_id"] = response.Data.Data.Credentials.PrivateKeyID

d.Set("credentials", []map[string]string{creds})

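Review bot: Both new DiffSuppressFunc bodies in the first hunk — the one near the top (its attribute name is above the hunk, presumably "private_key") and the one under "private_key_id" — return `!d.HasChanges(...)` over the sibling attributes, so a configuration that changes only the private key or key ID, which is the normal shape of a credential rotation, is suppressed and the new key is never sent to the API. The trigger appears to be the second hunk, where Read now re-sets credentials without private_key/private_key_id, so after every refresh the state presumably holds empty values for them and old/new differ on every plan. Consider carrying the prior state values forward in Read instead, e.g. `creds["private_key"] = d.Get("credentials.0.private_key").(string)` and likewise for private_key_id, after which a plain old == new comparison (no DiffSuppressFunc) stays idempotent while still reporting a real rotation. The "private_key_id" entry is also described as "The service account private key" while the entry above it says "The service account private key ID" — these look swapped. The same suppression pattern is introduced in lacework/resource_lacework_integration_gar.go.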
174 changes: 0 additions & 174 deletions lacework/resource_lacework_alert_channel_gcp_pub_sub_test.go

This file was deleted.

33 changes: 20 additions & 13 deletions lacework/resource_lacework_integration_gar.go
Expand Up @@ -92,14 +92,25 @@ func resourceLaceworkIntegrationGar() *schema.Resource {
Type: schema.TypeString,
Required: true,
},
"private_key_id": {
Type: schema.TypeString,
Required: true,
},
"client_email": {
Type: schema.TypeString,
Required: true,
},
"private_key_id": {
Type: schema.TypeString,
Sensitive: true,
Required: true,
DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
// @afiune we can't compare this element since our API, for security reasons,
// does NOT return the private key configured in the Lacework server. So if
// any other element changed from the credentials then we trigger a diff
return !d.HasChanges(
"name", "registry_domain", "enabled", "non_os_package_support",
"limit_by_tags", "limit_by_label", "limit_by_repositories",
"limit_num_imgs", "credentials.0.client_id", "credentials.0.client_email",
)
},
},
"private_key": {
Type: schema.TypeString,
Required: true,
Expand All @@ -108,14 +119,11 @@ func resourceLaceworkIntegrationGar() *schema.Resource {
// @afiune we can't compare this element since our API, for security reasons,
// does NOT return the private key configured in the Lacework server. So if
// any other element changed from the credentials then we trigger a diff
if d.HasChanges(
"credentials.0.client_id",
"credentials.0.private_key_id",
"credentials.0.client_email",
) {
return false
}
return true
return !d.HasChanges(
"name", "registry_domain", "enabled", "non_os_package_support",
"limit_by_tags", "limit_by_label", "limit_by_repositories",
"limit_num_imgs", "credentials.0.client_id", "credentials.0.client_email",
)
},
},
},
Expand Down Expand Up @@ -260,7 +268,6 @@ func resourceLaceworkIntegrationGarRead(d *schema.ResourceData, meta interface{}
creds := make(map[string]string)
creds["client_id"] = response.Data.Data.Credentials.ClientID
creds["client_email"] = response.Data.Data.Credentials.ClientEmail
creds["private_key_id"] = response.Data.Data.Credentials.PrivateKeyID
d.Set("credentials", []map[string]string{creds})
d.Set("registry_domain", response.Data.Data.RegistryDomain)
d.Set("limit_num_imgs", response.Data.Data.LimitNumImg)
