Onboard Secrets Manager (ACL) (#172)

* Onboard Secrets Manager (ACLs): create command (#163)

* Onboard Secrets Manager (ACL): update command (#167)

* Onboard Secrets Manager (ACL): describe command (#168)

Author: DiogoFerrao

docs/stackit_secrets-manager_instance.md

@@ -32,4 +32,5 @@ stackit secrets-manager instance [flags]
 * [stackit secrets-manager instance delete](./stackit_secrets-manager_instance_delete.md)	 - Deletes a Secrets Manager instance
 * [stackit secrets-manager instance describe](./stackit_secrets-manager_instance_describe.md)	 - Shows details of a Secrets Manager instance
 * [stackit secrets-manager instance list](./stackit_secrets-manager_instance_list.md)	 - Lists all Secrets Manager instances
+* [stackit secrets-manager instance update](./stackit_secrets-manager_instance_update.md)	 - Updates a Secrets Manager instance
 

docs/stackit_secrets-manager_instance_create.md

@@ -15,11 +15,15 @@ stackit secrets-manager instance create [flags]
 ```
   Create a Secrets Manager instance with name "my-instance"
   $ stackit secrets-manager instance create --name my-instance
+
+  Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it
+  $ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24
 ```
 
 ### Options
 
 ```
+      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
   -h, --help          Help for "stackit secrets-manager instance create"
   -n, --name string   Instance name
 ```

docs/stackit_secrets-manager_instance_update.md

@@ -0,0 +1,39 @@
+## stackit secrets-manager instance update
+
+Updates a Secrets Manager instance
+
+### Synopsis
+
+Updates a Secrets Manager instance.
+
+```
+stackit secrets-manager instance update INSTANCE_ID [flags]
+```
+
+### Examples
+
+```
+  Update the range of IPs allowed to access a Secrets Manager instance with ID "xxx"
+  $ stackit secrets-manager instance update xxx --acl 1.2.3.0/24
+```
+
+### Options
+
+```
+      --acl strings   List of IP networks in CIDR notation which are allowed to access this instance (default [])
+  -h, --help          Help for "stackit secrets-manager instance update"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty"]
+  -p, --project-id string      Project ID
+```
+
+### SEE ALSO
+
+* [stackit secrets-manager instance](./stackit_secrets-manager_instance.md)	 - Provides functionality for Secrets Manager instances
+

internal/cmd/secrets-manager/instance/create/create.go

@@ -12,19 +12,22 @@ import (
 	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/projectname"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/services/secrets-manager/client"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 	"github.com/stackitcloud/stackit-sdk-go/services/secretsmanager"
 
 	"github.com/spf13/cobra"
 )
 
 const (
 	instanceNameFlag = "name"
+	aclFlag          = "acl"
 )
 
 type inputModel struct {
 	*globalflags.GlobalFlagModel
 
 	InstanceName *string
+	Acls         *[]string
 }
 
 func NewCmd() *cobra.Command {
@@ -37,6 +40,9 @@ func NewCmd() *cobra.Command {
 			examples.NewExample(
 				`Create a Secrets Manager instance with name "my-instance"`,
 				`$ stackit secrets-manager instance create --name my-instance`),
+			examples.NewExample(
+				`Create a Secrets Manager instance with name "my-instance" and specify IP range which is allowed to access it`,
+				`$ stackit secrets-manager instance create --name my-instance --acl 1.2.3.0/24`),
 		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := context.Background()
@@ -65,14 +71,26 @@ func NewCmd() *cobra.Command {
 				}
 			}
 
-			// Call API
-			req := buildRequest(ctx, model, apiClient)
+			// Call API to create instance
+			req := buildCreateInstanceRequest(ctx, model, apiClient)
 			resp, err := req.Execute()
 			if err != nil {
 				return fmt.Errorf("create Secrets Manager instance: %w", err)
 			}
 			instanceId := *resp.Id
 
+			// Call API to create ACLs for instance, if ACLs are provided
+			if model.Acls != nil {
+				updateReq := buildUpdateACLsRequest(ctx, model, instanceId, apiClient)
+				err = updateReq.Execute()
+				if err != nil {
+					return fmt.Errorf(`the Secrets Manager instance was successfully created, but the configuration of the ACLs failed. The default behavior is to have no ACL.
+
+If you want to retry configuring the ACLs, you can do it via: 
+  $ stackit secrets-manager instance update %s --acl %s`, instanceId, *model.Acls)
+				}
+			}
+
 			cmd.Printf("Created instance for project %q. Instance ID: %s\n", projectLabel, instanceId)
 			return nil
 		},
@@ -83,6 +101,7 @@ func NewCmd() *cobra.Command {
 
 func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().StringP(instanceNameFlag, "n", "", "Instance name")
+	cmd.Flags().Var(flags.CIDRSliceFlag(), aclFlag, "List of IP networks in CIDR notation which are allowed to access this instance")
 
 	err := flags.MarkFlagsRequired(cmd, instanceNameFlag)
 	cobra.CheckErr(err)
@@ -97,10 +116,11 @@ func parseInput(cmd *cobra.Command) (*inputModel, error) {
 	return &inputModel{
 		GlobalFlagModel: globalFlags,
 		InstanceName:    flags.FlagToStringPointer(cmd, instanceNameFlag),
+		Acls:            flags.FlagToStringSlicePointer(cmd, aclFlag),
 	}, nil
 }
 
-func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest {
+func buildCreateInstanceRequest(ctx context.Context, model *inputModel, apiClient *secretsmanager.APIClient) secretsmanager.ApiCreateInstanceRequest {
 	req := apiClient.CreateInstance(ctx, model.ProjectId)
 
 	req = req.CreateInstancePayload(secretsmanager.CreateInstancePayload{
@@ -109,3 +129,17 @@ func buildRequest(ctx context.Context, model *inputModel, apiClient *secretsmana
 
 	return req
 }
+
+func buildUpdateACLsRequest(ctx context.Context, model *inputModel, instanceId string, apiClient *secretsmanager.APIClient) secretsmanager.ApiUpdateACLsRequest {
+	req := apiClient.UpdateACLs(ctx, model.ProjectId, instanceId)
+
+	cidrs := make([]secretsmanager.AclUpdate, len(*model.Acls))
+
+	for i, acl := range *model.Acls {
+		cidrs[i] = secretsmanager.AclUpdate{Cidr: utils.Ptr(acl)}
+	}
+
+	req = req.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{Cidrs: &cidrs})
+
+	return req
+}

internal/cmd/secrets-manager/instance/create/create_test.go

@@ -19,11 +19,13 @@ type testCtxKey struct{}
 var testCtx = context.WithValue(context.Background(), testCtxKey{}, "foo")
 var testClient = &secretsmanager.APIClient{}
 var testProjectId = uuid.NewString()
+var testInstanceId = uuid.NewString()
 
 func fixtureFlagValues(mods ...func(flagValues map[string]string)) map[string]string {
 	flagValues := map[string]string{
 		projectIdFlag:    testProjectId,
 		instanceNameFlag: "example",
+		aclFlag:          "198.51.100.14/24",
 	}
 	for _, mod := range mods {
 		mod(flagValues)
@@ -37,6 +39,7 @@ func fixtureInputModel(mods ...func(model *inputModel)) *inputModel {
 			ProjectId: testProjectId,
 		},
 		InstanceName: utils.Ptr("example"),
+		Acls:         utils.Ptr([]string{"198.51.100.14/24"}),
 	}
 	for _, mod := range mods {
 		mod(model)
@@ -55,10 +58,24 @@ func fixtureRequest(mods ...func(request *secretsmanager.ApiCreateInstanceReques
 	return request
 }
 
+func fixtureUpdateACLsRequest(mods ...func(request *secretsmanager.ApiUpdateACLsRequest)) secretsmanager.ApiUpdateACLsRequest {
+	request := testClient.UpdateACLs(testCtx, testProjectId, testInstanceId)
+	request = request.UpdateACLsPayload(secretsmanager.UpdateACLsPayload{
+		Cidrs: utils.Ptr([]secretsmanager.AclUpdate{
+			{Cidr: utils.Ptr("198.51.100.14/24")},
+		})})
+
+	for _, mod := range mods {
+		mod(&request)
+	}
+	return request
+}
+
 func TestParseInput(t *testing.T) {
 	tests := []struct {
 		description   string
 		flagValues    map[string]string
+		aclValues     []string
 		isValid       bool
 		expectedModel *inputModel
 	}{
@@ -94,6 +111,55 @@ func TestParseInput(t *testing.T) {
 			}),
 			isValid: false,
 		},
+		{
+			description: "acl missing",
+			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
+				delete(flagValues, aclFlag)
+			}),
+			isValid: true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				model.Acls = nil
+			}),
+		},
+		{
+			description: "acl empty",
+			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
+				flagValues[aclFlag] = ""
+			}),
+			isValid: false,
+		},
+		{
+			description: "repeated acl flags",
+			flagValues:  fixtureFlagValues(),
+			aclValues:   []string{"198.51.100.14/24", "198.51.100.14/32"},
+			isValid:     true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				model.Acls = utils.Ptr(
+					append(*model.Acls, "198.51.100.14/24", "198.51.100.14/32"),
+				)
+			}),
+		},
+		{
+			description: "repeated acl flag with list value",
+			flagValues:  fixtureFlagValues(),
+			aclValues:   []string{"198.51.100.14/24,198.51.100.14/32"},
+			isValid:     true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				model.Acls = utils.Ptr(
+					append(*model.Acls, "198.51.100.14/24", "198.51.100.14/32"),
+				)
+			}),
+		},
+		{
+			description: "multiple acls",
+			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
+				flagValues[aclFlag] = "198.51.100.14/24,1.2.3.4/32"
+			}),
+			isValid: true,
+			expectedModel: fixtureInputModel(func(model *inputModel) {
+				*model.Acls = append(*model.Acls, "1.2.3.4/32")
+			}),
+		},
 		{
 			description: "project id missing",
 			flagValues: fixtureFlagValues(func(flagValues map[string]string) {
@@ -135,6 +201,16 @@ func TestParseInput(t *testing.T) {
 				}
 			}
 
+			for _, value := range tt.aclValues {
+				err := cmd.Flags().Set(aclFlag, value)
+				if err != nil {
+					if !tt.isValid {
+						return
+					}
+					t.Fatalf("setting flag --%s=%s: %v", aclFlag, value, err)
+				}
+			}
+
 			err = cmd.ValidateRequiredFlags()
 			if err != nil {
 				if !tt.isValid {
@@ -162,7 +238,7 @@ func TestParseInput(t *testing.T) {
 	}
 }
 
-func TestBuildRequest(t *testing.T) {
+func TestBuildCreateInstanceRequest(t *testing.T) {
 	tests := []struct {
 		description     string
 		model           *inputModel
@@ -177,7 +253,45 @@ func TestBuildRequest(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.description, func(t *testing.T) {
-			request := buildRequest(testCtx, tt.model, testClient)
+			request := buildCreateInstanceRequest(testCtx, tt.model, testClient)
+
+			diff := cmp.Diff(request, tt.expectedRequest,
+				cmp.AllowUnexported(tt.expectedRequest),
+				cmpopts.EquateComparable(testCtx),
+			)
+			if diff != "" {
+				t.Fatalf("Data does not match: %s", diff)
+			}
+		})
+	}
+}
+func TestBuildCreateACLRequests(t *testing.T) {
+	tests := []struct {
+		description     string
+		model           *inputModel
+		expectedRequest secretsmanager.ApiUpdateACLsRequest
+	}{
+		{
+			description:     "base",
+			model:           fixtureInputModel(),
+			expectedRequest: fixtureUpdateACLsRequest(),
+		},
+		{
+			description: "multiple ACLs",
+			model: fixtureInputModel(func(model *inputModel) {
+				*model.Acls = append(*model.Acls, "1.2.3.4/32")
+			}),
+			expectedRequest: fixtureUpdateACLsRequest().UpdateACLsPayload(secretsmanager.UpdateACLsPayload{
+				Cidrs: utils.Ptr([]secretsmanager.AclUpdate{
+					{Cidr: utils.Ptr("198.51.100.14/24")},
+					{Cidr: utils.Ptr("1.2.3.4/32")},
+				})}),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			request := buildUpdateACLsRequest(testCtx, tt.model, testInstanceId, testClient)
 
 			diff := cmp.Diff(request, tt.expectedRequest,
 				cmp.AllowUnexported(tt.expectedRequest),