Merge pull request #1322 from chlunde/elasticache-connection-details

ElastiCache ReplicationGroup auth token generation and connection details
crossplane-contrib · Jun 6, 2024 · 21d4916 · 21d4916
2 parents 4b4cac4 + 2f905a6
commit 21d4916
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 9 deletions.
diff --git a/apis/elasticache/v1beta2/zz_generated.deepcopy.go b/apis/elasticache/v1beta2/zz_generated.deepcopy.go
diff --git a/apis/elasticache/v1beta2/zz_replicationgroup_types.go b/apis/elasticache/v1beta2/zz_replicationgroup_types.go
diff --git a/config/elasticache/config.go b/config/elasticache/config.go
@@ -5,14 +5,20 @@
 package elasticache
 
 import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+	"github.com/pkg/errors"
 
 	xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/upjet/pkg/config"
 	"github.com/crossplane/upjet/pkg/config/conversion"
+	"github.com/crossplane/upjet/pkg/types/comments"
 
 	"github.com/upbound/provider-aws/apis/elasticache/v1beta1"
 	"github.com/upbound/provider-aws/apis/elasticache/v1beta2"
+	"github.com/upbound/provider-aws/config/common"
 )
 
 // Configure adds configurations for the elasticache group.
@@ -53,6 +59,46 @@ func Configure(p *config.Provider) { //nolint:gocyclo
 		delete(r.References, "log_delivery_configuration.destination")
 		r.UseAsync = true
 
+		r.Sensitive.AdditionalConnectionDetailsFn = func(attr map[string]any) (map[string][]byte, error) {
+			conn := map[string][]byte{}
+			if a, ok := attr["configuration_endpoint_address"].(string); ok {
+				conn["configuration_endpoint_address"] = []byte(a)
+			}
+			if a, ok := attr["primary_endpoint_address"].(string); ok {
+				conn["primary_endpoint_address"] = []byte(a)
+			}
+			if a, ok := attr["reader_endpoint_address"].(string); ok {
+				conn["reader_endpoint_address"] = []byte(a)
+			}
+			if a, ok := attr["port"]; ok {
+				conn["port"] = []byte(fmt.Sprintf("%v", a))
+			}
+			return conn, nil
+		}
+
+		// Auth token generation
+		desc, err := comments.New("If true, the auth token will be auto-generated and"+
+			" stored in the Secret referenced by the authTokenSecretRef field.",
+			comments.WithTFTag("-"))
+		if err != nil {
+			panic(errors.Wrap(err, "cannot configure the generated comment for the auto_generate_auth_token argument of the aws_elasticache_replication_group resource"))
+		}
+
+		r.TerraformResource.Schema["auto_generate_auth_token"] = &schema.Schema{
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: desc.String(),
+		}
+		r.InitializerFns = append(r.InitializerFns,
+			common.PasswordGenerator(
+				"spec.forProvider.authTokenSecretRef",
+				"spec.forProvider.autoGenerateAuthToken",
+			))
+		r.TerraformResource.Schema["auth_token"].Description = "If you set" +
+			" autoGenerateAuthToken to true, the Secret referenced here will be" +
+			" created or updated with generated auth token if it does not already" +
+			" contain one."
+
 		r.Version = "v1beta2"
 		r.Conversions = append(r.Conversions,
 			conversion.NewCustomConverter("v1beta1", "v1beta2", func(src, target xpresource.Managed) error {

diff --git a/examples/elasticache/v1beta2/replicationgroup.yaml b/examples/elasticache/v1beta2/replicationgroup.yaml
@@ -2,25 +2,100 @@
 #
 # SPDX-License-Identifier: CC0-1.0
 
+apiVersion: elasticache.aws.upbound.io/v1beta1
+kind: SubnetGroup
+metadata:
+  annotations:
+    meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup
+  labels:
+    testing.upbound.io/example-name: replicationgroup
+  name: subnet-group
+spec:
+  forProvider:
+    region: us-east-1
+    subnetIdSelector:
+      matchLabels:
+        testing.upbound.io/example-name: replicationgroup
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Subnet
+metadata:
+  annotations:
+    meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup
+  labels:
+    testing.upbound.io/example-name: replicationgroup
+  name: foo-1a
+spec:
+  forProvider:
+    availabilityZone: us-east-1a
+    cidrBlock: 10.0.1.0/24
+    region: us-east-1
+    vpcIdSelector:
+      matchLabels:
+        testing.upbound.io/example-name: replicationgroup
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: Subnet
+metadata:
+  annotations:
+    meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup
+  labels:
+    testing.upbound.io/example-name: replicationgroup
+  name: foo-1b
+spec:
+  forProvider:
+    availabilityZone: us-east-1b
+    cidrBlock: 10.0.2.0/24
+    region: us-east-1
+    vpcIdSelector:
+      matchLabels:
+        testing.upbound.io/example-name: replicationgroup
+---
+apiVersion: ec2.aws.upbound.io/v1beta1
+kind: VPC
+metadata:
+  annotations:
+    meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup
+  labels:
+    testing.upbound.io/example-name: replicationgroup
+  name: foo
+spec:
+  forProvider:
+    cidrBlock: 10.0.0.0/16
+    region: us-east-1
+---
 apiVersion: elasticache.aws.upbound.io/v1beta2
 kind: ReplicationGroup
 metadata:
   annotations:
-    meta.upbound.io/example-id: elasticache/v1beta1/replicationgroup
+    meta.upbound.io/example-id: elasticache/v1beta2/replicationgroup
     uptest.upbound.io/timeout: "3600"
   labels:
     testing.upbound.io/example-name: example
   name: example
 spec:
   forProvider:
     automaticFailoverEnabled: true
+    atRestEncryptionEnabled: true
+    autoGenerateAuthToken: true
+    authTokenSecretRef:
+      name: redis-auth-token
+      namespace: upbound-system
+      key: auth-token
     description: example description
     maintenanceWindow: sun:05:00-sun:09:00
-    nodeType: cache.m4.large
+    nodeType: cache.t4g.small
     numCacheClusters: 2
+    transitEncryptionEnabled: true
     parameterGroupName: default.redis7
     port: 6379
+    subnetGroupNameSelector:
+      matchLabels:
+        testing.upbound.io/example-name: replicationgroup
     preferredCacheClusterAzs:
-      - us-west-1a
-      - us-west-1b
-    region: us-west-1
+      - us-east-1a
+      - us-east-1b
+    region: us-east-1
+  writeConnectionSecretToRef:
+    name: redis-conn
+    namespace: upbound-system
diff --git a/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml b/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml
@@ -1630,8 +1630,9 @@ spec:
                     description: Whether to enable encryption at rest.
                     type: boolean
                   authTokenSecretRef:
-                    description: Password used to access a password protected server.
-                      Can be specified only if transit_encryption_enabled = true.
+                    description: |-
+                      Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+                      If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one.
                     properties:
                       key:
                         description: The key to select.
@@ -1651,6 +1652,11 @@ spec:
                     description: Strategy to use when updating the auth_token. Valid
                       values are SET, ROTATE, and DELETE. Defaults to ROTATE.
                     type: string
+                  autoGenerateAuthToken:
+                    description: |-
+                      Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+                      If true, the auth token will be auto-generated and stored in the Secret referenced by the authTokenSecretRef field.
+                    type: boolean
                   autoMinorVersionUpgrade:
                     description: |-
                       Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window.
@@ -2122,8 +2128,9 @@ spec:
                     description: Whether to enable encryption at rest.
                     type: boolean
                   authTokenSecretRef:
-                    description: Password used to access a password protected server.
-                      Can be specified only if transit_encryption_enabled = true.
+                    description: |-
+                      Password used to access a password protected server. Can be specified only if transit_encryption_enabled = true.
+                      If you set autoGenerateAuthToken to true, the Secret referenced here will be created or updated with generated auth token if it does not already contain one.
                     properties:
                       key:
                         description: The key to select.