这是indexloc提供的服务,不要输入任何密码
Skip to content

Validate sensitive environment variable config when creating env vars #185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 13, 2024
Merged

Validate sensitive environment variable config when creating env vars #185

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9c121b1
Validate sensitive environment variable config when creating env vars
dglsparsons May 13, 2024
38b4402
Merge branch 'main' into dgls/sensitive-env-policy
dglsparsons May 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions client/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package client

import (
"context"
"net/http"
"time"
)
Expand All @@ -9,7 +10,7 @@ import (
type Client struct {
token string
client *http.Client
_teamID string
team Team
baseURL string
}

Expand All @@ -33,17 +34,24 @@ func New(token string) *Client {
}
}

func (c *Client) WithTeamID(teamID string) *Client {
c._teamID = teamID
func (c *Client) WithTeam(team Team) *Client {
c.team = team
return c
}

func (c *Client) Team(ctx context.Context, teamID string) (Team, error) {
if teamID != "" {
return c.GetTeam(ctx, teamID)
}
return c.team, nil
}

// teamID is a helper method to return one of two values based on specificity.
// It will return an explicitly passed teamID if it is defined. If not defined,
// it will fall back to the teamID configured on the client.
func (c *Client) teamID(teamID string) string {
if teamID != "" {
return teamID
}
return c._teamID
return c.team.ID
}
11 changes: 6 additions & 5 deletions client/team.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,14 @@ type TeamCreateRequest struct {
Name string `json:"name"`
}

// TeamResponse is the information returned by the vercel api when a team is created.
type TeamResponse struct {
ID string `json:"id"`
// Team is the information returned by the vercel api when a team is created.
type Team struct {
ID string `json:"id"`
SensitiveEnvironmentVariablePolicy *string `json:"sensitiveEnvironmentVariablePolicy"`
}

// CreateTeam creates a team within vercel.
func (c *Client) CreateTeam(ctx context.Context, request TeamCreateRequest) (r TeamResponse, err error) {
func (c *Client) CreateTeam(ctx context.Context, request TeamCreateRequest) (r Team, err error) {
url := fmt.Sprintf("%s/v1/teams", c.baseURL)

payload := string(mustMarshal(request))
Expand Down Expand Up @@ -51,7 +52,7 @@ func (c *Client) DeleteTeam(ctx context.Context, teamID string) error {
}

// GetTeam returns information about an existing team within vercel.
func (c *Client) GetTeam(ctx context.Context, idOrSlug string) (r TeamResponse, err error) {
func (c *Client) GetTeam(ctx context.Context, idOrSlug string) (r Team, err error) {
url := fmt.Sprintf("%s/v2/teams/%s", c.baseURL, idOrSlug)
tflog.Info(ctx, "getting team", map[string]interface{}{
"url": url,
Expand Down
11 changes: 7 additions & 4 deletions sweep/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ func main() {
//lintignore:R009
panic("VERCEL_TERRAFORM_TESTING_DOMAIN environment variable not set")
}
clearDNS := os.Getenv("VERCEL_TERRAFORM_CLEAR_DNS") != ""
ctx := context.Background()

// delete both for the testing team, and for without a team
Expand All @@ -34,10 +35,12 @@ func main() {
//lintignore:R009
panic(err)
}
err = deleteAllDNSRecords(ctx, c, domain, teamID)
if err != nil {
//lintignore:R009
panic(err)
if clearDNS {
err = deleteAllDNSRecords(ctx, c, domain, teamID)
if err != nil {
//lintignore:R009
panic(err)
}
}
err = deleteAllSharedEnvironmentVariables(ctx, c, teamID)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion vercel/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ func (p *vercelProvider) Configure(ctx context.Context, req provider.ConfigureRe
)
return
}
vercelClient = vercelClient.WithTeamID(res.ID)
vercelClient = vercelClient.WithTeam(res)
}

resp.DataSourceData = vercelClient
Expand Down
71 changes: 70 additions & 1 deletion vercel/resource_project.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (

"github.com/hashicorp/terraform-plugin-framework/attr"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
Expand All @@ -28,6 +29,7 @@ var (
_ resource.Resource = &projectResource{}
_ resource.ResourceWithConfigure = &projectResource{}
_ resource.ResourceWithImportState = &projectResource{}
_ resource.ResourceWithModifyPlan = &projectResource{}
)

func newProjectResource() resource.Resource {
Expand Down Expand Up @@ -949,7 +951,8 @@ func convertResponseToProject(ctx context.Context, response client.ProjectRespon
return Project{}, fmt.Errorf("error reading project environment variables: %s", err)
}
for _, p := range environment {
if p.Sensitive.ValueBool() && p.Key.ValueString() == e.Key && hasSameTarget(p, e.Target) {
if p.Key.ValueString() == e.Key && hasSameTarget(p, e.Target) {

value = p.Value
break
}
Expand Down Expand Up @@ -1042,6 +1045,72 @@ func convertResponseToProject(ctx context.Context, response client.ProjectRespon
}, nil
}

func (r *projectResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
if req.Plan.Raw.IsNull() {
return
}
var config Project
diags := req.Plan.Get(ctx, &config)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}

environment, err := config.environment(ctx)
if err != nil {
resp.Diagnostics.AddError(
"Error parsing project environment variables",
"Could not read environment variables, unexpected error: "+err.Error(),
)
return
}

// work out if there are any new env vars that are specifying sensitive = false
var nonSensitiveEnvVars []path.Path
for i, e := range environment {
if e.ID.ValueString() != "" {
continue
}
if e.Sensitive.IsUnknown() || e.Sensitive.IsNull() || e.Sensitive.ValueBool() {
continue
}
nonSensitiveEnvVars = append(
nonSensitiveEnvVars,
path.Root("environment").
AtSetValue(config.Environment.Elements()[i]).
AtName("sensitive"),
)
}

if len(nonSensitiveEnvVars) == 0 {
return
}

// if sensitive is explicitly set to `false`, then validate that an env var can be created with the given
// team sensitive environment variable policy.
team, err := r.client.Team(ctx, config.TeamID.ValueString())
if err != nil {
resp.Diagnostics.AddError(
"Error validating project environment variable",
"Could not validate project environment variable, unexpected error: "+err.Error(),
)
return
}

if team.SensitiveEnvironmentVariablePolicy == nil || *team.SensitiveEnvironmentVariablePolicy != "on" {
// the policy isn't enabled
return
}

for _, p := range nonSensitiveEnvVars {
resp.Diagnostics.AddAttributeError(
p,
"Project Invalid",
"This team has a policy that forces all environment variables to be sensitive. Please remove the `sensitive` field for your environment variables or set the `sensitive` field to `true` in your configuration.",
)
}
}

// Create will create a project within Vercel by calling the Vercel API.
// This is called automatically by the provider when a new resource should be created.
func (r *projectResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
Expand Down
51 changes: 49 additions & 2 deletions vercel/resource_project_environment_variable.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"strings"

"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
Expand All @@ -17,8 +18,10 @@ import (
)

var (
_ resource.Resource = &projectEnvironmentVariableResource{}
_ resource.ResourceWithConfigure = &projectEnvironmentVariableResource{}
_ resource.Resource = &projectEnvironmentVariableResource{}
_ resource.ResourceWithConfigure = &projectEnvironmentVariableResource{}
_ resource.ResourceWithImportState = &projectEnvironmentVariableResource{}
_ resource.ResourceWithModifyPlan = &projectEnvironmentVariableResource{}
)

func newProjectEnvironmentVariableResource() resource.Resource {
Expand Down Expand Up @@ -108,6 +111,7 @@ At this time you cannot use a Vercel Project resource with in-line ` + "`environ
Description: "Whether the Environment Variable is sensitive or not. (May be affected by a [team-wide environment variable policy](https://vercel.com/docs/projects/environment-variables/sensitive-environment-variables#environment-variables-policy))",
Optional: true,
Computed: true,
Validators: []validator.Bool{},
PlanModifiers: []planmodifier.Bool{boolplanmodifier.RequiresReplace()},
},
},
Expand All @@ -126,6 +130,49 @@ type ProjectEnvironmentVariable struct {
Sensitive types.Bool `tfsdk:"sensitive"`
}

func (r *projectEnvironmentVariableResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
if req.Plan.Raw.IsNull() {
return
}
var config ProjectEnvironmentVariable
diags := req.Config.Get(ctx, &config)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}

if config.ID.ValueString() != "" {
// The resource already exists, so this is okay.
return
}
if config.Sensitive.IsUnknown() || config.Sensitive.IsNull() || config.Sensitive.ValueBool() {
// Sensitive is either true, or computed, which is fine.
return
}

// if sensitive is explicitly set to `false`, then validate that an env var can be created with the given
// team sensitive environment variable policy.
team, err := r.client.Team(ctx, config.TeamID.ValueString())
if err != nil {
resp.Diagnostics.AddError(
"Error validating project environment variable",
"Could not validate project environment variable, unexpected error: "+err.Error(),
)
return
}

if team.SensitiveEnvironmentVariablePolicy == nil || *team.SensitiveEnvironmentVariablePolicy != "on" {
// the policy isn't enabled
return
}

resp.Diagnostics.AddAttributeError(
path.Root("sensitive"),
"Project Environment Variable Invalid",
"This team has a policy that forces all environment variables to be sensitive. Please remove the `sensitive` field or set the `sensitive` field to `true` in your configuration.",
)
}

func (e *ProjectEnvironmentVariable) toCreateEnvironmentVariableRequest() client.CreateEnvironmentVariableRequest {
target := []string{}
for _, t := range e.Target {
Expand Down
19 changes: 19 additions & 0 deletions vercel/resource_project_environment_variable_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,14 @@ func TestAcc_ProjectEnvironmentVariables(t *testing.T) {
resource.TestCheckResourceAttr("vercel_project_environment_variable.example_sensitive", "value", "bar-sensitive"),
resource.TestCheckTypeSetElemAttr("vercel_project_environment_variable.example_sensitive", "target.*", "production"),
resource.TestCheckResourceAttr("vercel_project_environment_variable.example_sensitive", "sensitive", "true"),

/*
testAccProjectEnvironmentVariableExists("vercel_project_environment_variable.example_not_sensitive", testTeam()),
resource.TestCheckResourceAttr("vercel_project_environment_variable.example_not_sensitive", "key", "foo_not_sensitive"),
resource.TestCheckResourceAttr("vercel_project_environment_variable.example_not_sensitive", "value", "bar-not-sensitive"),
resource.TestCheckTypeSetElemAttr("vercel_project_environment_variable.example_not_sensitive", "target.*", "production"),
resource.TestCheckResourceAttr("vercel_project_environment_variable.example_not_sensitive", "sensitive", "false"),
*/
),
},
{
Expand Down Expand Up @@ -179,6 +187,17 @@ resource "vercel_project_environment_variable" "example_sensitive" {
target = ["production"]
sensitive = true
}

/*
resource "vercel_project_environment_variable" "example_not_sensitive" {
project_id = vercel_project.example.id
%[3]s
key = "foo_not_sensitive"
value = "bar-not-sensitive"
target = ["production"]
sensitive = false
}
*/
`, projectName, testGithubRepo(), teamIDConfig())
}

Expand Down
2 changes: 1 addition & 1 deletion vercel/resource_project_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -526,7 +526,7 @@ resource "vercel_project" "test_git" {
git_repository = {
type = "github"
repo = "%s"
production_branch = "staging"
production_branch = "production"
deploy_hooks = [
{
ref = "main"
Expand Down
50 changes: 48 additions & 2 deletions vercel/resource_shared_environment_variable.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (

"github.com/hashicorp/terraform-plugin-framework/attr"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
Expand All @@ -19,8 +20,10 @@ import (
)

var (
_ resource.Resource = &sharedEnvironmentVariableResource{}
_ resource.ResourceWithConfigure = &sharedEnvironmentVariableResource{}
_ resource.Resource = &sharedEnvironmentVariableResource{}
_ resource.ResourceWithConfigure = &sharedEnvironmentVariableResource{}
_ resource.ResourceWithImportState = &sharedEnvironmentVariableResource{}
_ resource.ResourceWithModifyPlan = &sharedEnvironmentVariableResource{}
)

func newSharedEnvironmentVariableResource() resource.Resource {
Expand All @@ -31,6 +34,49 @@ type sharedEnvironmentVariableResource struct {
client *client.Client
}

func (r *sharedEnvironmentVariableResource) ModifyPlan(ctx context.Context, req resource.ModifyPlanRequest, resp *resource.ModifyPlanResponse) {
if req.Plan.Raw.IsNull() {
return
}
var config SharedEnvironmentVariable
diags := req.Plan.Get(ctx, &config)
resp.Diagnostics.Append(diags...)
if resp.Diagnostics.HasError() {
return
}

if config.ID.ValueString() != "" {
// The resource already exists, so this is okay.
return
}
if config.Sensitive.IsUnknown() || config.Sensitive.IsNull() || config.Sensitive.ValueBool() {
// Sensitive is either true, or computed, which is fine.
return
}

// if sensitive is explicitly set to `false`, then validate that an env var can be created with the given
// team sensitive environment variable policy.
team, err := r.client.Team(ctx, config.TeamID.ValueString())
if err != nil {
resp.Diagnostics.AddError(
"Error validating shared environment variable",
"Could not validate shared environment variable, unexpected error: "+err.Error(),
)
return
}

if team.SensitiveEnvironmentVariablePolicy == nil || *team.SensitiveEnvironmentVariablePolicy != "on" {
// the policy isn't enabled
return
}

resp.Diagnostics.AddAttributeError(
path.Root("sensitive"),
"Shared Environment Variable Invalid",
"This team has a policy that forces all environment variables to be sensitive. Please remove the `sensitive` field or set the `sensitive` field to `true` in your configuration.",
)
}

func (r *sharedEnvironmentVariableResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_shared_environment_variable"
}
Expand Down