Feature Request: client_secret in or from apiintegrations

[danjamf]

I see a couple of ways of doing this:-

1) split out as another resource/ds. API Integration is required for the generation of client_secret.

2) add within existing API Integration resource/ds. Optional but will add additional calls if flag set to true and might go against the atomic nature of what other resources do. PoC but would need additional logic on read/update/object etc and could get rather messy

[danjamf]

Although there is no Read/Update/Delete for client_secret, which would mean making it its own resource very weak.

[ShocOne]

hi @danjamf , what's the usecase for this scenario ? thanks

[danjamf]

Taking the client_secret and passing into other providers or tools for integration. Eg Jamf Security Cloud.

[ShocOne]

I'll take a look at this next week. You can .source fields in hcl, i just need to run some tests on what the api returns for this field.

[danjamf]

Thanks. I'm fairly happy with the functionality of the PoC I posted. Able to use the variable referenced across with other providers etc. I'm just unsure on the design decision of having this additional create inside a resource and whether to allow it with an update too etc.

[ShocOne]

Can i ask why during your workflow you would not use a credential manager to store your client id and secret, and then reference them during your pipeline as .hcl env vars ? Since you are doing this anyway to run this provider, why not have a second one for sharing between this and other providers as needed ? This would be more secure and avoids storing the client secret in state which in some cases means clear text.

[danjamf]

Fair point! I think if a client_secret can be generated, we leave it to the best practices of the pipeline owner of where and how they store secrets in general.

[danjamf]

I looked into how the AWS provider does this with IAM secrets. They do have the option of an unencrypted output but also note the preferred option of providing a pgp_key and obtaining an encrypted secret. A working example using their vault helper service is provided for IAM and their Lightsail service (exporting the generated SSH key). Might this be an appropriate approach?