Generate secret references for the sensitive fields under the spec.initProvider API tree

config/provider.go

@@ -6,14 +6,13 @@ package config
 
 import (
 	"context"
-
-	"github.com/crossplane/upjet/pkg/config/conversion"
-
 	// Note(turkenh): we are importing this to embed provider schema document
 	_ "embed"
 
 	ujconfig "github.com/crossplane/upjet/pkg/config"
+	"github.com/crossplane/upjet/pkg/config/conversion"
 	"github.com/crossplane/upjet/pkg/registry/reference"
+	"github.com/crossplane/upjet/pkg/schema/traverser"
 	conversiontfjson "github.com/crossplane/upjet/pkg/types/conversion/tfjson"
 	tfjson "github.com/hashicorp/terraform-json"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -68,15 +67,24 @@ func getProviderSchema(s string) (*schema.Provider, error) {
 
 // GetProvider returns provider configuration
 func GetProvider(ctx context.Context, generationProvider bool) (*ujconfig.Provider, error) {
-	var p *schema.Provider
-	var err error
-	if generationProvider {
-		p, err = getProviderSchema(providerSchema)
-	} else {
-		p, err = xpprovider.GetProviderSchema(ctx)
-	}
+	sdkProvider, err := xpprovider.GetProviderSchema(ctx)
 	if err != nil {
-		return nil, errors.Wrapf(err, "cannot get the Terraform provider schema with generation mode set to %t", generationProvider)
+		return nil, errors.Wrap(err, "cannot get the Terraform SDK provider")
+	}
+
+	if generationProvider {
+		p, err := getProviderSchema(providerSchema)
+		if err != nil {
+			return nil, errors.Wrap(err, "cannot read the Terraform SDK provider from the JSON schema for code generation")
+		}
+		if err := traverser.TFResourceSchema(sdkProvider.ResourcesMap).TraverseTFSchemas(traverser.NewMaxItemsSync(p.ResourcesMap)); err != nil {
+			return nil, errors.Wrap(err, "cannot sync the MaxItems constraints between the Go schema and the JSON schema")
+		}
+		// use the JSON schema to temporarily prevent float64->int64
+		// conversions in the CRD APIs.
+		// We would like to convert to int64s with the next major release of
+		// the provider.
+		sdkProvider = p
 	}
 
 	pc := ujconfig.NewProvider([]byte(providerSchema), resourcePrefix, modulePath, []byte(providerMetadata),
@@ -87,7 +95,7 @@ func GetProvider(ctx context.Context, generationProvider bool) (*ujconfig.Provid
 		),
 		ujconfig.WithReferenceInjectors([]ujconfig.ReferenceInjector{reference.NewInjector(modulePath)}),
 		ujconfig.WithFeaturesPackage("internal/features"),
-		ujconfig.WithTerraformProvider(p),
+		ujconfig.WithTerraformProvider(sdkProvider),
 		ujconfig.WithSchemaTraversers(&ujconfig.SingletonListEmbedder{}),
 	)
 

go.mod

@@ -151,3 +151,5 @@ require (
 replace github.com/hashicorp/terraform-provider-azuread => github.com/upbound/terraform-provider-azuread v0.0.0-20240311141618-ce1f46c21020
 
 replace github.com/hashicorp/terraform-plugin-sdk/v2 => github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0
+
+replace github.com/crossplane/upjet => github.com/ulucinar/upbound-upjet v0.0.0-20240530235240-f4f87bab8535

go.sum

@@ -700,8 +700,6 @@ github.com/crossplane/crossplane-runtime v1.16.0-rc.2.0.20240510094504-3f697876f
 github.com/crossplane/crossplane-runtime v1.16.0-rc.2.0.20240510094504-3f697876fa57/go.mod h1:Pz2tdGVMF6KDGzHZOkvKro0nKc8EzK0sb/nSA7pH4Dc=
 github.com/crossplane/crossplane-tools v0.0.0-20230925130601-628280f8bf79 h1:HigXs5tEQxWz0fcj8hzbU2UAZgEM7wPe0XRFOsrtF8Y=
 github.com/crossplane/crossplane-tools v0.0.0-20230925130601-628280f8bf79/go.mod h1:+e4OaFlOcmr0JvINHl/yvEYBrZawzTgj6pQumOH1SS0=
-github.com/crossplane/upjet v1.4.0-rc.0.0.20240515193317-92d1af84d242 h1:ylmj67qVNh+AIDK+CH8BiXu41PlGSKBzAwMZApDEOds=
-github.com/crossplane/upjet v1.4.0-rc.0.0.20240515193317-92d1af84d242/go.mod h1:3pDVtCgyBc5f2Zx4K5HEPxxhjndmOc5CHCJNpIivK/g=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/dave/jennifer v1.4.1 h1:XyqG6cn5RQsTj3qlWQTKlRGAyrTcsk1kUmWdZBzRjDw=
@@ -1182,6 +1180,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ=
 github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w=
+github.com/ulucinar/upbound-upjet v0.0.0-20240530235240-f4f87bab8535 h1:D/tIcJSNk7idLCeCU4ZWRwhVwpVXruAlDn0iQG2Qvjc=
+github.com/ulucinar/upbound-upjet v0.0.0-20240530235240-f4f87bab8535/go.mod h1:3pDVtCgyBc5f2Zx4K5HEPxxhjndmOc5CHCJNpIivK/g=
 github.com/upbound/terraform-provider-azuread v0.0.0-20240311141618-ce1f46c21020 h1:BP26QEhnXcWxbJpbOT+e4bP+c9FTvqhGbtnkwXerOhA=
 github.com/upbound/terraform-provider-azuread v0.0.0-20240311141618-ce1f46c21020/go.mod h1:iVryf2s08Hi6HLHh4W40fudtInXuK5Y1cWVOM/3szT8=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=

package/crds/applications.azuread.upbound.io_certificates.yaml

@@ -487,6 +487,27 @@ spec:
                       The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
                       The type of key/certificate
                     type: string
+                  valueSecretRef:
+                    description: |-
+                      The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.
+                      The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the `encoding` argument
+                    properties:
+                      key:
+                        description: The key to select.
+                        type: string
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - key
+                    - name
+                    - namespace
+                    type: object
+                required:
+                - valueSecretRef
                 type: object
               managementPolicies:
                 default:

package/crds/serviceprincipals.azuread.upbound.io_certificates.yaml

@@ -327,6 +327,27 @@ spec:
                       The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
                       The type of key/certificate
                     type: string
+                  valueSecretRef:
+                    description: |-
+                      The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER. See also the encoding argument.
+                      The certificate data, which can be PEM encoded, base64 encoded DER or hexadecimal encoded DER
+                    properties:
+                      key:
+                        description: The key to select.
+                        type: string
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - key
+                    - name
+                    - namespace
+                    type: object
+                required:
+                - valueSecretRef
                 type: object
               managementPolicies:
                 default:

package/crds/synchronization.azuread.upbound.io_secrets.yaml

@@ -100,8 +100,6 @@ spec:
                           - name
                           - namespace
                           type: object
-                      required:
-                      - valueSecretRef
                       type: object
                     type: array
                   servicePrincipalId:
@@ -208,6 +206,27 @@ spec:
                             The key of the secret.
                             Name for this key-value pair.
                           type: string
+                        valueSecretRef:
+                          description: |-
+                            The value of the secret.
+                            Value for this key-value pair.
+                          properties:
+                            key:
+                              description: The key to select.
+                              type: string
+                            name:
+                              description: Name of the secret.
+                              type: string
+                            namespace:
+                              description: Namespace of the secret.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          - namespace
+                          type: object
+                      required:
+                      - valueSecretRef
                       type: object
                     type: array
                   servicePrincipalId:

package/crds/users.azuread.upbound.io_users.yaml

@@ -415,6 +415,25 @@ spec:
                       type: string
                     type: array
                     x-kubernetes-list-type: set
+                  passwordSecretRef:
+                    description: |-
+                      The password for the user. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters. This property is required when creating a new user.
+                      The password for the user. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters. This property is required when creating a new user
+                    properties:
+                      key:
+                        description: The key to select.
+                        type: string
+                      name:
+                        description: Name of the secret.
+                        type: string
+                      namespace:
+                        description: Namespace of the secret.
+                        type: string
+                    required:
+                    - key
+                    - name
+                    - namespace
+                    type: object
                   postalCode:
                     description: |-
                       The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.