diff --git a/docs/stackit_secrets-manager_instance.md b/docs/stackit_secrets-manager_instance.md index 37c116261..6fe9357c2 100644 --- a/docs/stackit_secrets-manager_instance.md +++ b/docs/stackit_secrets-manager_instance.md @@ -32,4 +32,5 @@ stackit secrets-manager instance [flags] * [stackit secrets-manager instance delete](./stackit_secrets-manager_instance_delete.md) - Deletes a Secrets Manager instance * [stackit secrets-manager instance describe](./stackit_secrets-manager_instance_describe.md) - Shows details of a Secrets Manager instance * [stackit secrets-manager instance list](./stackit_secrets-manager_instance_list.md) - Lists all Secrets Manager instances +* [stackit secrets-manager instance update](./stackit_secrets-manager_instance_update.md) - Updates a Secrets Manager instance diff --git a/docs/stackit_secrets-manager_instance_create.md b/docs/stackit_secrets-manager_instance_create.md index bb59b1982..fde1cdfa0 100644 --- a/docs/stackit_secrets-manager_instance_create.md +++ b/docs/stackit_secrets-manager_instance_create.md @@ -15,11 +15,15 @@ stackit secrets-manager instance create [flags] ``` Create a Secrets Manager instance with name "my-instance" $ stackit secrets-manager instance create --name my-instance + + Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it + $ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24 ``` ### Options ``` + --acl strings List of IP networks in CIDR notation which are allowed to access this instance (default []) -h, --help Help for "stackit secrets-manager instance create" -n, --name string Instance name ``` diff --git a/docs/stackit_secrets-manager_instance_update.md b/docs/stackit_secrets-manager_instance_update.md new file mode 100644 index 000000000..c755bb294 --- /dev/null +++ b/docs/stackit_secrets-manager_instance_update.md @@ -0,0 +1,39 @@ +## stackit secrets-manager instance update + +Updates a Secrets Manager instance + +### Synopsis + +Updates a Secrets Manager instance. + +``` +stackit secrets-manager instance update INSTANCE_ID [flags] +``` + +### Examples + +``` + Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx" + $ stackit secrets-manager instance update xxx --acl 1.2.3.0/24 +``` + +### Options + +``` + --acl strings List of IP networks in CIDR notation which are allowed to access this instance (default []) + -h, --help Help for "stackit secrets-manager instance update" +``` + +### Options inherited from parent commands + +``` + -y, --assume-yes If set, skips all confirmation prompts + --async If set, runs the command asynchronously + -o, --output-format string Output format, one of ["json" "pretty"] + -p, --project-id string Project ID +``` + +### SEE ALSO + +* [stackit secrets-manager instance](./stackit_secrets-manager_instance.md) - Provides functionality for Secrets Manager instances + diff --git a/go.mod b/go.mod index fd70a2211..f9c0aea9a 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/stackitcloud/stackit-sdk-go/services/opensearch v0.10.1 github.com/stackitcloud/stackit-sdk-go/services/postgresflex v0.10.0 github.com/stackitcloud/stackit-sdk-go/services/resourcemanager v0.7.7 - github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.5.6 + github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0 github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6 github.com/stackitcloud/stackit-sdk-go/services/ske v0.10.1 github.com/zalando/go-keyring v0.2.4 diff --git a/go.sum b/go.sum index 6e5879821..7fb5fcfc2 100644 --- a/go.sum +++ b/go.sum @@ -97,8 +97,8 @@ github.com/stackitcloud/stackit-sdk-go/services/redis v0.10.1 h1:/tRad17HUcGRm44 github.com/stackitcloud/stackit-sdk-go/services/redis v0.10.1/go.mod h1:vR/0cYTcVrPTTAHJGH2VT0H2g1D+wlx1n2WiAo6r5LI= github.com/stackitcloud/stackit-sdk-go/services/resourcemanager v0.7.7 h1:yFxTdMj5al2pR4ZIOKKxoN8CHo2kTylurArt+jJMzxI= github.com/stackitcloud/stackit-sdk-go/services/resourcemanager v0.7.7/go.mod h1:GvNV2GR0x0VGHzixGNgAJibqjwiVFwbxakpyu+qdijc= -github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.5.6 h1:SC9p/+HP6e90NorFD6bRg6G+0VxJ7kRoihhbfjw2Mbs= -github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.5.6/go.mod h1:vwyWRIKMD7J6S4qlnNP8uefouHtIZba9WpnoihSZByU= +github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0 h1:VC7VWadRo8r0eQUXMrYv6vEyS/5acW8faMSv9lxQMgw= +github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0/go.mod h1:KRoLXZdH8yuO6FBu2Grl5VGqW9arH03qYAC0P6H8h9o= github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6 h1:3kkNh2kHi55w9dgh0MC1Zbn8fDpYxcXl3tvYjH8t9xo= github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6/go.mod h1:OOciROyQxPOYLo8OM/DE5ESH11+DvAyRt6wg7R+HVkg= github.com/stackitcloud/stackit-sdk-go/services/ske v0.10.1 h1:MZABtJ8HFOKG3KCCv5duibxBSAU1zTFAO0V9bso3N9M= diff --git a/internal/cmd/secrets-manager/instance/create/create.go b/internal/cmd/secrets-manager/instance/create/create.go index d0ba99d49..42964c1e9 100644 --- a/internal/cmd/secrets-manager/instance/create/create.go +++ b/internal/cmd/secrets-manager/instance/create/create.go @@ -12,6 +12,7 @@ import ( "github.com/stackitcloud/stackit-cli/internal/pkg/globalflags" "github.com/stackitcloud/stackit-cli/internal/pkg/projectname" "github.com/stackitcloud/stackit-cli/internal/pkg/services/secrets-manager/client" + "github.com/stackitcloud/stackit-cli/internal/pkg/utils" "github.com/stackitcloud/stackit-sdk-go/services/secretsmanager" "github.com/spf13/cobra" @@ -19,12 +20,14 @@ import ( const ( instanceNameFlag = "name" + aclFlag = "acl" ) type inputModel struct { *globalflags.GlobalFlagModel InstanceName *string + Acls *[]string } func NewCmd() *cobra.Command { @@ -37,6 +40,9 @@ func NewCmd() *cobra.Command { examples.NewExample( `Create a Secrets Manager instance with name "my-instance"`, `$ stackit secrets-manager instance create --name my-instance`), + examples.NewExample( + `Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it`, + `$ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24`), ), RunE: func(cmd *cobra.Command, args []string) error { ctx := context.Background() @@ -65,14 +71,26 @@ func NewCmd() *cobra.Command { } } - // Call API - req := buildRequest(ctx, model, apiClient) + // Call API to create instance + req := buildCreateInstanceRequest(ctx, model, apiClient) resp, err := req.Execute() if err != nil { return fmt.Errorf("create Secrets Manager instance: %w", err) } instanceId := *resp.Id + // Call API to create ACLs for instance, if ACLs are provided + if model.Acls != nil { + updateReq := buildUpdateACLsRequest(ctx, model, instanceId, apiClient) + err = updateReq.Execute() + if err != nil { + return fmt.Errorf(`the Secrets Manager instance was successfully created, but the configuration of the ACLs failed. The default behavior is to have no ACL. + +If you want to retry configuring the ACLs, you can do it via: + $ stackit secrets-manager instance update %s --acl %s`, instanceId, *model.Acls) + } + } + cmd.Printf("Created instance for project %q. Instance ID: %s\n", projectLabel, instanceId) return nil }, @@ -83,6 +101,7 @@ func NewCmd() *cobra.Command { func configureFlags(cmd *cobra.Command) { cmd.Flags().StringP(instanceNameFlag, "n", "", "Instance name") + cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance") err := flags.MarkFlagsRequired(cmd, instanceNameFlag) cobra.CheckErr(err) @@ -97,10 +116,11 @@ func parseInput(cmd *cobra.Command) (*inputModel, error) { return &inputModel{ GlobalFlagModel: globalFlags, InstanceName: flags.FlagToStringPointer(cmd, instanceNameFlag), + Acls: flags.FlagToStringSlicePointer(cmd, aclFlag), }, nil } -func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest { +func buildCreateInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest { req := apiClient.CreateInstance(ctx, model.ProjectId) req = req.CreateInstancePayload(secretsmanager.CreateInstancePayload{ @@ -109,3 +129,17 @@ func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmana return req } + +func buildUpdateACLsRequest(ctx context.Context, model *inputModel, instanceId string, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateACLsRequest { + req := apiClient.UpdateACLs(ctx, model.ProjectId, instanceId) + + cidrs := make([]secretsmanager.AclUpdate, len(*model.Acls)) + + for i, acl := range *model.Acls { + cidrs[i] = secretsmanager.AclUpdate{Cidr: utils.Ptr(acl)} + } + + req = req.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{Cidrs: &cidrs}) + + return req +} diff --git a/internal/cmd/secrets-manager/instance/create/create_test.go b/internal/cmd/secrets-manager/instance/create/create_test.go index 45d9b81df..936ec21bf 100644 --- a/internal/cmd/secrets-manager/instance/create/create_test.go +++ b/internal/cmd/secrets-manager/instance/create/create_test.go @@ -19,11 +19,13 @@ type testCtxKey struct{} var testCtx = context.WithValue(context.Background(), testCtxKey{}, "foo") var testClient = &secretsmanager.APIClient{} var testProjectId = uuid.NewString() +var testInstanceId = uuid.NewString() func fixtureFlagValues(mods ...func(flagValues map[string]string)) map[string]string { flagValues := map[string]string{ projectIdFlag: testProjectId, instanceNameFlag: "example", + aclFlag: "198.51.100.14/24", } for _, mod := range mods { mod(flagValues) @@ -37,6 +39,7 @@ func fixtureInputModel(mods ...func(model *inputModel)) *inputModel { ProjectId: testProjectId, }, InstanceName: utils.Ptr("example"), + Acls: utils.Ptr([]string{"198.51.100.14/24"}), } for _, mod := range mods { mod(model) @@ -55,10 +58,24 @@ func fixtureRequest(mods ...func(request *secretsmanager.ApiCreateInstanceReques return request } +func fixtureUpdateACLsRequest(mods ...func(request *secretsmanager.ApiUpdateACLsRequest)) secretsmanager.ApiUpdateACLsRequest { + request := testClient.UpdateACLs(testCtx, testProjectId, testInstanceId) + request = request.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{ + Cidrs: utils.Ptr([]secretsmanager.AclUpdate{ + {Cidr: utils.Ptr("198.51.100.14/24")}, + })}) + + for _, mod := range mods { + mod(&request) + } + return request +} + func TestParseInput(t *testing.T) { tests := []struct { description string flagValues map[string]string + aclValues []string isValid bool expectedModel *inputModel }{ @@ -94,6 +111,55 @@ func TestParseInput(t *testing.T) { }), isValid: false, }, + { + description: "acl missing", + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + delete(flagValues, aclFlag) + }), + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + model.Acls = nil + }), + }, + { + description: "acl empty", + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + flagValues[aclFlag] = "" + }), + isValid: false, + }, + { + description: "repeated acl flags", + flagValues: fixtureFlagValues(), + aclValues: []string{"198.51.100.14/24", "198.51.100.14/32"}, + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + model.Acls = utils.Ptr( + append(*model.Acls, "198.51.100.14/24", "198.51.100.14/32"), + ) + }), + }, + { + description: "repeated acl flag with list value", + flagValues: fixtureFlagValues(), + aclValues: []string{"198.51.100.14/24,198.51.100.14/32"}, + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + model.Acls = utils.Ptr( + append(*model.Acls, "198.51.100.14/24", "198.51.100.14/32"), + ) + }), + }, + { + description: "multiple acls", + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + flagValues[aclFlag] = "198.51.100.14/24,1.2.3.4/32" + }), + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + *model.Acls = append(*model.Acls, "1.2.3.4/32") + }), + }, { description: "project id missing", flagValues: fixtureFlagValues(func(flagValues map[string]string) { @@ -135,6 +201,16 @@ func TestParseInput(t *testing.T) { } } + for _, value := range tt.aclValues { + err := cmd.Flags().Set(aclFlag, value) + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("setting flag --%s=%s: %v", aclFlag, value, err) + } + } + err = cmd.ValidateRequiredFlags() if err != nil { if !tt.isValid { @@ -162,7 +238,7 @@ func TestParseInput(t *testing.T) { } } -func TestBuildRequest(t *testing.T) { +func TestBuildCreateInstanceRequest(t *testing.T) { tests := []struct { description string model *inputModel @@ -177,7 +253,45 @@ func TestBuildRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.description, func(t *testing.T) { - request := buildRequest(testCtx, tt.model, testClient) + request := buildCreateInstanceRequest(testCtx, tt.model, testClient) + + diff := cmp.Diff(request, tt.expectedRequest, + cmp.AllowUnexported(tt.expectedRequest), + cmpopts.EquateComparable(testCtx), + ) + if diff != "" { + t.Fatalf("Data does not match: %s", diff) + } + }) + } +} +func TestBuildCreateACLRequests(t *testing.T) { + tests := []struct { + description string + model *inputModel + expectedRequest secretsmanager.ApiUpdateACLsRequest + }{ + { + description: "base", + model: fixtureInputModel(), + expectedRequest: fixtureUpdateACLsRequest(), + }, + { + description: "multiple ACLs", + model: fixtureInputModel(func(model *inputModel) { + *model.Acls = append(*model.Acls, "1.2.3.4/32") + }), + expectedRequest: fixtureUpdateACLsRequest().UpdateACLsPayload(secretsmanager.UpdateACLsPayload{ + Cidrs: utils.Ptr([]secretsmanager.AclUpdate{ + {Cidr: utils.Ptr("198.51.100.14/24")}, + {Cidr: utils.Ptr("1.2.3.4/32")}, + })}), + }, + } + + for _, tt := range tests { + t.Run(tt.description, func(t *testing.T) { + request := buildUpdateACLsRequest(testCtx, tt.model, testInstanceId, testClient) diff := cmp.Diff(request, tt.expectedRequest, cmp.AllowUnexported(tt.expectedRequest), diff --git a/internal/cmd/secrets-manager/instance/describe/describe.go b/internal/cmd/secrets-manager/instance/describe/describe.go index de466a50c..559f42f73 100644 --- a/internal/cmd/secrets-manager/instance/describe/describe.go +++ b/internal/cmd/secrets-manager/instance/describe/describe.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "strings" "github.com/stackitcloud/stackit-cli/internal/pkg/args" "github.com/stackitcloud/stackit-cli/internal/pkg/errors" @@ -52,14 +53,21 @@ func NewCmd() *cobra.Command { return err } - // Call API - req := buildRequest(ctx, model, apiClient) - resp, err := req.Execute() + // Call API to get instance details + req := buildGetInstanceRequest(ctx, model, apiClient) + instance, err := req.Execute() if err != nil { return fmt.Errorf("read Secrets Manager instance: %w", err) } - return outputResult(cmd, model.OutputFormat, resp) + // Call API to get instance acls + listACLsReq := buildListACLsRequest(ctx, model, apiClient) + aclList, err := listACLsReq.Execute() + if err != nil { + return fmt.Errorf("read Secrets Manager instance ACLs: %w", err) + } + + return outputResult(cmd, model.OutputFormat, instance, aclList) }, } return cmd @@ -79,12 +87,17 @@ func parseInput(cmd *cobra.Command, inputArgs []string) (*inputModel, error) { }, nil } -func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiGetInstanceRequest { +func buildGetInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiGetInstanceRequest { req := apiClient.GetInstance(ctx, model.ProjectId, model.InstanceId) return req } -func outputResult(cmd *cobra.Command, outputFormat string, instance *secretsmanager.Instance) error { +func buildListACLsRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiListACLsRequest { + req := apiClient.ListACLs(ctx, model.ProjectId, model.InstanceId) + return req +} + +func outputResult(cmd *cobra.Command, outputFormat string, instance *secretsmanager.Instance, aclList *secretsmanager.AclList) error { switch outputFormat { case globalflags.PrettyOutputFormat: @@ -101,6 +114,16 @@ func outputResult(cmd *cobra.Command, outputFormat string, instance *secretsmana table.AddSeparator() table.AddRow("CREATION DATE", *instance.CreationStartDate) table.AddSeparator() + // Only show ACL if it's present and not empty + if aclList != nil && aclList.Acls != nil && len(*aclList.Acls) > 0 { + var cidrs []string + + for _, acl := range *aclList.Acls { + cidrs = append(cidrs, *acl.Cidr) + } + + table.AddRow("ACL", strings.Join(cidrs, ",")) + } err := table.Display(cmd) if err != nil { return fmt.Errorf("render table: %w", err) @@ -108,7 +131,12 @@ func outputResult(cmd *cobra.Command, outputFormat string, instance *secretsmana return nil default: - details, err := json.MarshalIndent(instance, "", " ") + output := struct { + *secretsmanager.Instance + *secretsmanager.AclList + }{instance, aclList} + + details, err := json.MarshalIndent(output, "", " ") if err != nil { return fmt.Errorf("marshal Secrets Manager instance: %w", err) } diff --git a/internal/cmd/secrets-manager/instance/describe/describe_test.go b/internal/cmd/secrets-manager/instance/describe/describe_test.go index 0c03949fe..da65fa1cc 100644 --- a/internal/cmd/secrets-manager/instance/describe/describe_test.go +++ b/internal/cmd/secrets-manager/instance/describe/describe_test.go @@ -54,7 +54,7 @@ func fixtureInputModel(mods ...func(model *inputModel)) *inputModel { return model } -func fixtureRequest(mods ...func(request *secretsmanager.ApiGetInstanceRequest)) secretsmanager.ApiGetInstanceRequest { +func fixtureGetInstanceRequest(mods ...func(request *secretsmanager.ApiGetInstanceRequest)) secretsmanager.ApiGetInstanceRequest { request := testClient.GetInstance(testCtx, testProjectId, testInstanceId) for _, mod := range mods { mod(&request) @@ -62,6 +62,14 @@ func fixtureRequest(mods ...func(request *secretsmanager.ApiGetInstanceRequest)) return request } +func fixtureListACLsRequest(mods ...func(request *secretsmanager.ApiListACLsRequest)) secretsmanager.ApiListACLsRequest { + request := testClient.ListACLs(testCtx, testProjectId, testInstanceId) + for _, mod := range mods { + mod(&request) + } + return request +} + func TestParseInput(t *testing.T) { tests := []struct { description string @@ -186,7 +194,7 @@ func TestParseInput(t *testing.T) { } } -func TestBuildRequest(t *testing.T) { +func TestBuildGetInstanceRequest(t *testing.T) { tests := []struct { description string model *inputModel @@ -195,13 +203,41 @@ func TestBuildRequest(t *testing.T) { { description: "base", model: fixtureInputModel(), - expectedRequest: fixtureRequest(), + expectedRequest: fixtureGetInstanceRequest(), + }, + } + + for _, tt := range tests { + t.Run(tt.description, func(t *testing.T) { + request := buildGetInstanceRequest(testCtx, tt.model, testClient) + + diff := cmp.Diff(request, tt.expectedRequest, + cmp.AllowUnexported(tt.expectedRequest), + cmpopts.EquateComparable(testCtx), + ) + if diff != "" { + t.Fatalf("Data does not match: %s", diff) + } + }) + } +} + +func TestBuildGetACLsRequest(t *testing.T) { + tests := []struct { + description string + model *inputModel + expectedRequest secretsmanager.ApiListACLsRequest + }{ + { + description: "base", + model: fixtureInputModel(), + expectedRequest: fixtureListACLsRequest(), }, } for _, tt := range tests { t.Run(tt.description, func(t *testing.T) { - request := buildRequest(testCtx, tt.model, testClient) + request := buildListACLsRequest(testCtx, tt.model, testClient) diff := cmp.Diff(request, tt.expectedRequest, cmp.AllowUnexported(tt.expectedRequest), diff --git a/internal/cmd/secrets-manager/instance/instance.go b/internal/cmd/secrets-manager/instance/instance.go index fbcb44e10..9a3283638 100644 --- a/internal/cmd/secrets-manager/instance/instance.go +++ b/internal/cmd/secrets-manager/instance/instance.go @@ -5,6 +5,7 @@ import ( "github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/delete" "github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/describe" "github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/list" + "github.com/stackitcloud/stackit-cli/internal/cmd/secrets-manager/instance/update" "github.com/stackitcloud/stackit-cli/internal/pkg/args" "github.com/stackitcloud/stackit-cli/internal/pkg/utils" @@ -28,4 +29,5 @@ func addSubcommands(cmd *cobra.Command) { cmd.AddCommand(create.NewCmd()) cmd.AddCommand(delete.NewCmd()) cmd.AddCommand(describe.NewCmd()) + cmd.AddCommand(update.NewCmd()) } diff --git a/internal/cmd/secrets-manager/instance/update/update.go b/internal/cmd/secrets-manager/instance/update/update.go new file mode 100644 index 000000000..cb38c6d71 --- /dev/null +++ b/internal/cmd/secrets-manager/instance/update/update.go @@ -0,0 +1,124 @@ +package update + +import ( + "context" + "fmt" + + "github.com/stackitcloud/stackit-cli/internal/pkg/args" + "github.com/stackitcloud/stackit-cli/internal/pkg/confirm" + cliErr "github.com/stackitcloud/stackit-cli/internal/pkg/errors" + "github.com/stackitcloud/stackit-cli/internal/pkg/examples" + "github.com/stackitcloud/stackit-cli/internal/pkg/flags" + + "github.com/stackitcloud/stackit-cli/internal/pkg/globalflags" + "github.com/stackitcloud/stackit-cli/internal/pkg/services/secrets-manager/client" + secretsManagerUtils "github.com/stackitcloud/stackit-cli/internal/pkg/services/secrets-manager/utils" + "github.com/stackitcloud/stackit-cli/internal/pkg/utils" + + "github.com/spf13/cobra" + "github.com/stackitcloud/stackit-sdk-go/services/secretsmanager" +) + +const ( + instanceIdArg = "INSTANCE_ID" + + aclFlag = "acl" +) + +type inputModel struct { + *globalflags.GlobalFlagModel + InstanceId string + + Acls *[]string +} + +func NewCmd() *cobra.Command { + cmd := &cobra.Command{ + Use: fmt.Sprintf("update %s", instanceIdArg), + Short: "Updates a Secrets Manager instance", + Long: "Updates a Secrets Manager instance.", + Args: args.SingleArg(instanceIdArg, utils.ValidateUUID), + Example: examples.Build( + examples.NewExample( + `Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx"`, + "$ stackit secrets-manager instance update xxx --acl 1.2.3.0/24"), + ), + RunE: func(cmd *cobra.Command, args []string) error { + ctx := context.Background() + model, err := parseInput(cmd, args) + if err != nil { + return err + } + + // Configure API client + apiClient, err := client.ConfigureClient(cmd) + if err != nil { + return err + } + + instanceLabel, err := secretsManagerUtils.GetInstanceName(ctx, apiClient, model.ProjectId, model.InstanceId) + if err != nil { + instanceLabel = model.InstanceId + } + + if !model.AssumeYes { + prompt := fmt.Sprintf("Are you sure you want to update instance %q?", instanceLabel) + err = confirm.PromptForConfirmation(cmd, prompt) + if err != nil { + return err + } + } + + // Call API + req := buildRequest(ctx, model, apiClient) + err = req.Execute() + if err != nil { + return fmt.Errorf("update Secrets Manager instance: %w", err) + } + + cmd.Printf("Updated instance %q\n", instanceLabel) + return nil + }, + } + configureFlags(cmd) + return cmd +} + +func configureFlags(cmd *cobra.Command) { + cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance") +} + +func parseInput(cmd *cobra.Command, inputArgs []string) (*inputModel, error) { + instanceId := inputArgs[0] + + globalFlags := globalflags.Parse(cmd) + if globalFlags.ProjectId == "" { + return nil, &cliErr.ProjectIdError{} + } + + acls := flags.FlagToStringSlicePointer(cmd, aclFlag) + + if acls == nil { + return nil, &cliErr.EmptyUpdateError{} + } + + return &inputModel{ + GlobalFlagModel: globalFlags, + InstanceId: instanceId, + Acls: acls, + }, nil +} + +func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateACLsRequest { + req := apiClient.UpdateACLs(ctx, model.ProjectId, model.InstanceId) + + cidrs := []secretsmanager.AclUpdate{} + + for _, acl := range *model.Acls { + cidrs = append(cidrs, secretsmanager.AclUpdate{Cidr: utils.Ptr(acl)}) + } + + req = req.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{Cidrs: &cidrs}) + + return req +} diff --git a/internal/cmd/secrets-manager/instance/update/update_test.go b/internal/cmd/secrets-manager/instance/update/update_test.go new file mode 100644 index 000000000..fdaf807c5 --- /dev/null +++ b/internal/cmd/secrets-manager/instance/update/update_test.go @@ -0,0 +1,292 @@ +package update + +import ( + "context" + "testing" + + "github.com/stackitcloud/stackit-cli/internal/pkg/globalflags" + "github.com/stackitcloud/stackit-cli/internal/pkg/utils" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/google/uuid" + "github.com/stackitcloud/stackit-sdk-go/services/secretsmanager" +) + +const ( + testACL1 = "1.2.3.4/24" + testACL2 = "4.3.2.1/12" +) + +var projectIdFlag = globalflags.ProjectIdFlag + +type testCtxKey struct{} + +var testCtx = context.WithValue(context.Background(), testCtxKey{}, "foo") +var testClient = &secretsmanager.APIClient{} + +var ( + testProjectId = uuid.NewString() + testInstanceId = uuid.NewString() +) + +func fixtureArgValues(mods ...func(argValues []string)) []string { + argValues := []string{ + testInstanceId, + } + for _, mod := range mods { + mod(argValues) + } + return argValues +} + +func fixtureFlagValues(mods ...func(flagValues map[string]string)) map[string]string { + flagValues := map[string]string{ + projectIdFlag: testProjectId, + aclFlag: testACL1, + } + for _, mod := range mods { + mod(flagValues) + } + return flagValues +} + +func fixtureInputModel(mods ...func(model *inputModel)) *inputModel { + model := &inputModel{ + GlobalFlagModel: &globalflags.GlobalFlagModel{ + ProjectId: testProjectId, + }, + InstanceId: testInstanceId, + Acls: utils.Ptr([]string{testACL1}), + } + for _, mod := range mods { + mod(model) + } + return model +} + +func fixtureRequest(mods ...func(request *secretsmanager.ApiUpdateACLsRequest)) secretsmanager.ApiUpdateACLsRequest { + request := testClient.UpdateACLs(testCtx, testProjectId, testInstanceId) + request = request.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{ + Cidrs: utils.Ptr([]secretsmanager.AclUpdate{ + {Cidr: utils.Ptr(testACL1)}, + })}) + + for _, mod := range mods { + mod(&request) + } + return request +} + +func TestParseInput(t *testing.T) { + tests := []struct { + description string + argValues []string + flagValues map[string]string + aclValues []string + isValid bool + expectedModel *inputModel + }{ + { + description: "base", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(), + isValid: true, + expectedModel: fixtureInputModel(), + }, + { + description: "no values", + argValues: []string{}, + flagValues: map[string]string{}, + isValid: false, + }, + { + description: "no arg values", + argValues: []string{}, + flagValues: fixtureFlagValues(), + isValid: false, + }, + { + description: "no flag values", + argValues: fixtureArgValues(), + flagValues: map[string]string{}, + isValid: false, + }, + { + description: "required flags only (no values to update)", + argValues: fixtureArgValues(), + flagValues: map[string]string{ + projectIdFlag: testProjectId, + }, + isValid: false, + }, + { + description: "zero values", + argValues: fixtureArgValues(), + flagValues: map[string]string{ + projectIdFlag: testProjectId, + aclFlag: "", + }, + isValid: false, + }, + { + description: "project id missing", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + delete(flagValues, projectIdFlag) + }), + isValid: false, + }, + { + description: "project id invalid 1", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + flagValues[projectIdFlag] = "" + }), + isValid: false, + }, + { + description: "project id invalid 2", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(func(flagValues map[string]string) { + flagValues[projectIdFlag] = "invalid-uuid" + }), + isValid: false, + }, + { + description: "instance id invalid 1", + argValues: []string{""}, + flagValues: fixtureFlagValues(), + isValid: false, + }, + { + description: "instance id invalid 2", + argValues: []string{"invalid-uuid"}, + flagValues: fixtureFlagValues(), + isValid: false, + }, + { + description: "repeated acl flags", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(), + aclValues: []string{testACL1, testACL1}, + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + model.Acls = utils.Ptr( + append(*model.Acls, testACL1, testACL1)) + }), + }, + { + description: "repeated acl flag with list value", + argValues: fixtureArgValues(), + flagValues: fixtureFlagValues(), + aclValues: []string{"198.51.100.14/24,198.51.100.14/32"}, + isValid: true, + expectedModel: fixtureInputModel(func(model *inputModel) { + model.Acls = utils.Ptr( + append(*model.Acls, "198.51.100.14/24", "198.51.100.14/32"), + ) + }), + }, + } + + for _, tt := range tests { + t.Run(tt.description, func(t *testing.T) { + cmd := NewCmd() + err := globalflags.Configure(cmd.Flags()) + if err != nil { + t.Fatalf("configure global flags: %v", err) + } + + for flag, value := range tt.flagValues { + err := cmd.Flags().Set(flag, value) + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("setting flag --%s=%s: %v", flag, value, err) + } + } + + for _, value := range tt.aclValues { + err := cmd.Flags().Set(aclFlag, value) + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("setting flag --%s=%s: %v", aclFlag, value, err) + } + } + + err = cmd.ValidateArgs(tt.argValues) + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("error validating args: %v", err) + } + + err = cmd.ValidateRequiredFlags() + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("error validating flags: %v", err) + } + + model, err := parseInput(cmd, tt.argValues) + if err != nil { + if !tt.isValid { + return + } + t.Fatalf("error parsing flags: %v", err) + } + + if !tt.isValid { + t.Fatalf("did not fail on invalid input") + } + diff := cmp.Diff(model, tt.expectedModel) + if diff != "" { + t.Fatalf("Data does not match: %s", diff) + } + }) + } +} +func TestBuildRequest(t *testing.T) { + tests := []struct { + description string + model *inputModel + expectedRequest secretsmanager.ApiUpdateACLsRequest + }{ + { + description: "base", + model: fixtureInputModel(), + expectedRequest: fixtureRequest(), + }, + { + description: "multiple ACLs", + model: fixtureInputModel(func(model *inputModel) { + *model.Acls = append(*model.Acls, testACL2) + }), + expectedRequest: fixtureRequest().UpdateACLsPayload(secretsmanager.UpdateACLsPayload{ + Cidrs: utils.Ptr([]secretsmanager.AclUpdate{ + {Cidr: utils.Ptr(testACL1)}, + {Cidr: utils.Ptr(testACL2)}, + })}), + }, + } + + for _, tt := range tests { + t.Run(tt.description, func(t *testing.T) { + request := buildRequest(testCtx, tt.model, testClient) + + diff := cmp.Diff(request, tt.expectedRequest, + cmp.AllowUnexported(tt.expectedRequest), + cmpopts.EquateComparable(testCtx), + ) + if diff != "" { + t.Fatalf("Data does not match: %s", diff) + } + }) + } +}