jtopjian / terraform-provider-sensu

A Terraform provider for Sensu Go

Support sensu secrets #43

Open kurtmc opened 3 years ago

kurtmc commented 3 years ago

I am keen to see sensu secrets get added to this provider. I am happy to help implement it.

I am thinking it could look something like this:

resource "sensu_secret" "check_1" {
  name      = "pagerduty_key"
  namespace = "default"
  spec {
    id       = "SENSU_PAGERDUTY_KEY"
    provider = "env"
  }
}

I had a quick look at the sensu client code (https://github.com/jtopjian/terraform-provider-sensu/tree/master/vendor/github.com/sensu/sensu-go/cli/client), but it was not clear to me how to create/delete/update sensu secrets from there. I would definitely appreciate some pointers to where I could find that if you know!

jtopjian commented 3 years ago

@kurtmc Thanks for opening this issue.

I agree that secrets would be great to have, but it's currently a commercial feature. This is probably why the client API code isn't available - I could be totally wrong, though.

amdprophet commented 3 years ago

@kurtmc The API for secrets can be found in the docs: https://docs.sensu.io/sensu-go/latest/api/secrets/. Is this what you were looking for?

jtopjian commented 3 years ago

@amdprophet Those are the API docs for secrets, yes, but this provider is built using the Sensu Go client library. For example:

Unless I'm mistaken, the client library does not have support for secrets, though. Technically it would be possible to send raw GET, POST, etc. requests to interact with the service-side secrets API, but that might require a good amount of work to handle authentication, data parsing, etc. - all of which are already done in the client library for the other resource types.

It's a tough situation to be in. On one hand, I don't want to outright say "if it's not part of the open source version, it's not supported in this provider". On the other hand, implementing this might require duplicating a lot of functionality to perform "raw" REST requests that is already available in the client library. In addition, ensuring these features are supported in the CI environment might also be difficult.
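Added example (not part of this thread, and not code from the provider or from Sensu): the raw-request route described in the comment above, written in Go for the `sensu_secret` resource proposed at the top of the issue. It shows that the request carries only a provider name and an ID, never a secret value, and which pieces (authentication header, wrapped payload, status handling) would have to be duplicated outside the client library. The endpoint path, payload shape and `Key` authorization scheme are assumptions to check against the linked API docs; `putSecret` and `roundTrip` are hypothetical names, and the server is a local stand-in fed constructed values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// putSecret upserts a secret reference only; path and payload shape are assumed.
func putSecret(c *http.Client, base, apiKey, ns, name, id, provider string) error {
	body, _ := json.Marshal(map[string]interface{}{
		"type": "Secret", "api_version": "secrets/v1",
		"metadata": map[string]string{"name": name, "namespace": ns},
		"spec":     map[string]string{"id": id, "provider": provider},
	}) // cannot fail: the maps hold only strings
	u := base + "/api/enterprise/secrets/v1/namespaces/" + url.PathEscape(ns) + "/secrets/" + url.PathEscape(name)
	req, err := http.NewRequest(http.MethodPut, u, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Key "+apiKey) // assumed API-key scheme
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		return fmt.Errorf("put secret %s/%s: %s", ns, name, resp.Status)
	}
	return nil
}

// roundTrip calls putSecret on a local stand-in server with constructed values.
func roundTrip(status int) (method, path, auth, body string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		method, path, auth, body = r.Method, r.URL.Path, r.Header.Get("Authorization"), string(b)
		w.WriteHeader(status)
	}))
	defer srv.Close()
	err = putSecret(srv.Client(), srv.URL, "constructed-key", "default", "pagerduty_key", "SENSU_PAGERDUTY_KEY", "env")
	return
}

func main() { fmt.Println(roundTrip(http.StatusCreated)) }
```

In a Terraform provider the API key would come from provider configuration and should be marked sensitive; the secret reference itself (`id`, `provider`) is safe to keep in state.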

amdprophet commented 3 years ago

@jtopjian I'll see about adding support to the CLI client. It's possible we just missed adding support for secrets to it.

jtopjian commented 3 years ago

@amdprophet That would be awesome - thank you 🙂

duckfez commented 2 years ago

Related, other sensu objects (handlers, for instance) have a secrets: component to their definition as well to refer to secrets. I'm not sure if the same CLI issues exist there or not. I'd be glad to try to help, but my golang skills aren't quite up to the task I don't think.

rshutt-va commented 2 years ago

Well ain't this just a buzzkill. I was evaluating this provider and while I could go and write my own code, it seems to make little sense given the holdup is actually on https://github.com/sensu/sensu-go/issues/4337. I can't imagine trying to decouple the secrets attrib of the checks, handlers, etc... and go outside of the sensu-go client lib for those checks that require a secrets entry or for the creation of secrets themselves.

EDIT - I wonder how much work would be involved in strapping on the required types and their entanglements into the client library. And I wonder if we could ever fully integrate the code given that the CI environment likely cannot support integrated testing of the required bits of code since it is likely that the non-commercial version is used in testing.