Add initial implementation

Author: hypnoglow

.gitignore

@@ -0,0 +1,7 @@
+/bin
+/vendor
+
+.terraform
+terraform-provider-oryhydra
+terraform.tfstate
+terraform.tfstate.*

Makefile

@@ -0,0 +1,7 @@
+.PHONY: build
+build:
+	@go build -o ./bin/terraform-provider-oryhydra
+
+.PHONY: prepare-examples
+prepare-examples:
+	@ln -s $(shell pwd)/bin/terraform-provider-oryhydra ./examples/oryhydra_oauth2_client/terraform-provider-oryhydra

README.md

@@ -0,0 +1,11 @@
+# ORY Hydra Terraform Provider
+
+Terraform provider for [ORY Hydra](https://github.com/ory/hydra).
+
+## Usage
+
+For example usage see [examples](examples/README.md).
+
+## Implemented resources
+
+- OAuth2 Client - `oryhydra_oauth2_client`

examples/README.md

@@ -0,0 +1,31 @@
+# Examples
+
+First of all you need to build the provider and link it to the examples:
+
+```shell script
+make build
+make prepare-examples
+```
+
+To test examples, you need a running Hydra instance. For demonstrational purposes,
+we can run Hydra locally as a Docker container:
+
+```shell script
+docker container run -i -t --rm --name hydra \
+  -p 4444:4444 \
+  -p 4445:4445 \
+  -e LOG_LEVEL=debug \
+  -e DSN=memory \
+  oryd/hydra:v1.4.10 serve all --dangerous-force-http
+```
+
+Then you can simply run examples as usual terraform project. Enter a particular example directory (e.g. `cd examples/oryhydra_oauth2_client`)
+and run:
+
+```shell script
+terraform init
+
+terraform plan
+
+terraform apply
+```

examples/oryhydra_oauth2_client/main.tf

@@ -0,0 +1,30 @@
+provider "oryhydra" {
+  url = "http://localhost:4445"
+}
+
+resource "oryhydra_oauth2_client" "example_1" {
+  client_name = "Example 1"
+}
+
+resource "oryhydra_oauth2_client" "example_2" {
+  client_id     = "example_2"
+  client_name   = "Example 2"
+  client_secret = "super-secret!"
+}
+
+resource "oryhydra_oauth2_client" "example_3" {
+  client_name = "Example 3"
+  client_metadata = {
+    "Foo" = "Bar"
+  }
+
+  scopes         = ["offline", "openid"]
+  grant_types    = ["refresh_token", "authorization_code"]
+  response_types = ["code"]
+
+  audience      = ["http://localhost:8080"]
+  redirect_uris = ["http://localhost:8080/redirect.html"]
+
+  subject_type               = "public"
+  token_endpoint_auth_method = "none"
+}

go.mod

@@ -0,0 +1,10 @@
+module github.com/hypnoglow/terraform-provider-oryhydra
+
+go 1.14
+
+require (
+	github.com/go-openapi/runtime v0.19.15
+	github.com/hashicorp/go-cleanhttp v0.5.1
+	github.com/hashicorp/terraform-plugin-sdk v1.13.0
+	github.com/ory/hydra-client-go v1.4.10
+)

go.sum

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/plugin"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+
+	"github.com/hypnoglow/terraform-provider-oryhydra/oryhydra"
+)
+
+func main() {
+	plugin.Serve(&plugin.ServeOpts{
+		ProviderFunc: func() terraform.ResourceProvider {
+			return oryhydra.Provider()
+		},
+	})
+}

main.go

@@ -0,0 +1,44 @@
+package oryhydra
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"time"
+)
+
+var (
+	lg logger = nopLogger{}
+)
+
+func init() {
+	fpath := os.Getenv("TERRAFORM_PROVIDER_ORYHYDRA_LOG_FILE_PATH")
+	if fpath == "" {
+		return
+	}
+
+	f, err := os.OpenFile(fpath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
+	if err != nil {
+		panic(fmt.Errorf("open log file: %v", err))
+	}
+
+	lg = log.New(f, "", 0)
+	lg.Printf("----- %s -----", time.Now().Format(time.RFC3339))
+
+	log.SetOutput(f)
+}
+
+type logger interface {
+	Print(v ...interface{})
+	Printf(format string, v ...interface{})
+}
+
+type nopLogger struct{}
+
+func (n nopLogger) Print(v ...interface{}) {
+	return
+}
+
+func (n nopLogger) Printf(format string, v ...interface{}) {
+	return
+}

oryhydra/logger.go

@@ -0,0 +1,59 @@
+package oryhydra
+
+import (
+	"fmt"
+	"net/url"
+
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	hydra "github.com/ory/hydra-client-go/client"
+	"github.com/ory/hydra-client-go/client/admin"
+)
+
+func Provider() *schema.Provider {
+	return &schema.Provider{
+		Schema: map[string]*schema.Schema{
+			"url": {
+				Type:        schema.TypeString,
+				Required:    true,
+				DefaultFunc: schema.EnvDefaultFunc("ORY_HYDRA_URL", nil),
+			},
+		},
+		ResourcesMap: map[string]*schema.Resource{
+			"oryhydra_oauth2_client": resourceOAuth2Client(),
+		},
+		ConfigureFunc: configure,
+	}
+}
+
+func configure(data *schema.ResourceData) (interface{}, error) {
+	adminURL := data.Get("url").(string)
+	client, err := newHydraClient(adminURL)
+	return client, err
+}
+
+// newHydraClient returns a new configured hydra client.
+func newHydraClient(hydraAdminURL string) (admin.ClientService, error) {
+	u, err := url.Parse(hydraAdminURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse hydra url: %v", err)
+	}
+
+	config := hydra.DefaultTransportConfig()
+	config.Schemes = []string{u.Scheme}
+	config.Host = u.Host
+	if u.Path != "" {
+		config.BasePath = u.Path
+	}
+
+	transport := httptransport.NewWithClient(
+		config.Host,
+		config.BasePath,
+		config.Schemes,
+		cleanhttp.DefaultClient(),
+	)
+
+	client := hydra.New(transport, nil)
+	return client.Admin, nil
+}

oryhydra/provider.go

@@ -0,0 +1,343 @@
+package oryhydra
+
+import (
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	"github.com/ory/hydra-client-go/client/admin"
+	"github.com/ory/hydra-client-go/models"
+)
+
+func resourceOAuth2Client() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceOAuth2ClientCreate,
+		Read:   resourceOAuth2ClientRead,
+		Update: resourceOAuth2ClientUpdate,
+		Delete: resourceOAuth2ClientDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+		Schema: map[string]*schema.Schema{
+			"client_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+				// client_id must not be empty string. It must be either unspecified (to make hydra generate the id)
+				// or specified as id string.
+				ValidateFunc: validation.NoZeroValues,
+			},
+			"client_secret": {
+				Type:      schema.TypeString,
+				Optional:  true,
+				Computed:  true,
+				Sensitive: true,
+			},
+			"client_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"client_metadata": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"scopes": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"grant_types": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.StringInSlice([]string{
+						"refresh_token", "authorization_code", "client_credentials", "implicit",
+					}, false),
+				},
+			},
+			"response_types": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.StringInSlice([]string{
+						"token", "code", "id_token",
+					}, false),
+				},
+			},
+			"audience": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"post_logout_redirect_uris": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"redirect_uris": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"owner": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"policy_uri": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"allowed_cors_origins": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"tos_uri": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"client_uri": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"logo_uri": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"contacts": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"subject_type": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "public",
+				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"public", "pairwise",
+				}, false),
+			},
+			"token_endpoint_auth_method": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  "none",
+				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					"none", "client_secret_basic", "client_secret_post", "private_key_jwt",
+				}, false),
+			},
+		},
+	}
+}
+
+func resourceOAuth2ClientCreate(d *schema.ResourceData, m interface{}) error {
+	lg.Print("resourceOAuth2ClientCreate")
+
+	cli := m.(*admin.Client)
+
+	resp, err := cli.CreateOAuth2Client(
+		admin.NewCreateOAuth2ClientParams().
+			WithBody(expandClient(d)),
+	)
+	if err != nil {
+		return err
+	}
+
+	client := resp.Payload
+
+	d.SetId(client.ClientID)
+
+	// NOTE: client secret is only returned on create/update, not read.
+	d.Set("client_secret", client.ClientSecret)
+
+	return resourceOAuth2ClientRead(d, m)
+}
+
+func resourceOAuth2ClientRead(d *schema.ResourceData, m interface{}) error {
+	lg.Print("resourceOAuth2ClientRead")
+
+	cli := m.(*admin.Client)
+
+	resp, err := cli.GetOAuth2Client(
+		admin.NewGetOAuth2ClientParams().
+			WithID(d.Id()),
+	)
+	if err != nil {
+		return err
+	}
+
+	client := resp.Payload
+
+	flattenClient(d, client)
+
+	return nil
+}
+
+func resourceOAuth2ClientUpdate(d *schema.ResourceData, m interface{}) error {
+	lg.Print("resourceOAuth2ClientUpdate")
+
+	client := expandClient(d)
+
+	cli := m.(*admin.Client)
+
+	_, err := cli.UpdateOAuth2Client(
+		admin.NewUpdateOAuth2ClientParams().
+			WithID(d.Id()).
+			WithBody(client),
+	)
+	if err != nil {
+		return err
+	}
+
+	// NOTE: client secret is only returned on create/update, not read.
+	d.Set("client_secret", client.ClientSecret)
+
+	return resourceOAuth2ClientRead(d, m)
+}
+
+func resourceOAuth2ClientDelete(d *schema.ResourceData, m interface{}) error {
+	lg.Print("resourceOAuth2ClientDelete")
+
+	cli := m.(*admin.Client)
+
+	_, err := cli.DeleteOAuth2Client(
+		admin.NewDeleteOAuth2ClientParams().
+			WithID(d.Id()),
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func expandClient(d *schema.ResourceData) *models.OAuth2Client {
+	lg.Print("expandClient")
+
+	clientID := d.Get("client_id").(string)
+	clientSecret := d.Get("client_secret").(string)
+	clientName := d.Get("client_name").(string)
+	clientMetadata := d.Get("client_metadata")
+	lg.Printf("metadata: %T %v", clientMetadata, clientMetadata)
+
+	var scopeArray []string
+	for _, sc := range d.Get("scopes").([]interface{}) {
+		scopeArray = append(scopeArray, sc.(string))
+	}
+	scope := strings.Join(scopeArray, " ")
+
+	var grantTypes []string
+	for _, gt := range d.Get("grant_types").([]interface{}) {
+		grantTypes = append(grantTypes, gt.(string))
+	}
+
+	var responseTypes []string
+	for _, rt := range d.Get("response_types").([]interface{}) {
+		responseTypes = append(responseTypes, rt.(string))
+	}
+
+	var audience []string
+	for _, aud := range d.Get("audience").([]interface{}) {
+		audience = append(audience, aud.(string))
+	}
+
+	var postLogoutRedirectUris []string
+	for _, ru := range d.Get("post_logout_redirect_uris").([]interface{}) {
+		postLogoutRedirectUris = append(postLogoutRedirectUris, ru.(string))
+	}
+
+	var redirectUris []string
+	for _, ru := range d.Get("redirect_uris").([]interface{}) {
+		redirectUris = append(redirectUris, ru.(string))
+	}
+
+	owner := d.Get("owner").(string)
+	policyURI := d.Get("policy_uri").(string)
+
+	var allowedCorsOrigins []string
+	for _, aco := range d.Get("allowed_cors_origins").([]interface{}) {
+		allowedCorsOrigins = append(allowedCorsOrigins, aco.(string))
+	}
+
+	tosURI := d.Get("tos_uri").(string)
+	clientURI := d.Get("client_uri").(string)
+	logoURI := d.Get("logo_uri").(string)
+
+	var contacts []string
+	for _, c := range d.Get("contacts").([]interface{}) {
+		contacts = append(contacts, c.(string))
+	}
+
+	subjectType := d.Get("subject_type").(string)
+	tokenEndpointAuthMethod := d.Get("token_endpoint_auth_method").(string)
+
+	return &models.OAuth2Client{
+		ClientID:                clientID,
+		ClientName:              clientName,
+		ClientSecret:            clientSecret,
+		Metadata:                clientMetadata,
+		Scope:                   scope,
+		GrantTypes:              grantTypes,
+		ResponseTypes:           responseTypes,
+		Audience:                audience,
+		PostLogoutRedirectUris:  postLogoutRedirectUris,
+		RedirectUris:            redirectUris,
+		Owner:                   owner,
+		PolicyURI:               policyURI,
+		AllowedCorsOrigins:      allowedCorsOrigins,
+		TosURI:                  tosURI,
+		ClientURI:               clientURI,
+		LogoURI:                 logoURI,
+		Contacts:                contacts,
+		SubjectType:             subjectType,
+		TokenEndpointAuthMethod: tokenEndpointAuthMethod,
+	}
+}
+
+func flattenClient(d *schema.ResourceData, client *models.OAuth2Client) {
+	lg.Print("flattenClient")
+
+	d.Set("client_id", client.ClientID)
+	d.Set("client_name", client.ClientName)
+	d.Set("client_metadata", client.Metadata)
+
+	lg.Printf("metadata: %T %v", client.Metadata, client.Metadata)
+
+	// NOTE: client secret is never returned from read operations, so don't set this field.
+
+	d.Set("scopes", strings.Split(client.Scope, " "))
+	d.Set("grant_types", client.GrantTypes)
+	d.Set("response_types", client.ResponseTypes)
+	d.Set("audience", client.Audience)
+	d.Set("post_logout_redirect_uris", client.PostLogoutRedirectUris)
+	d.Set("redirect_uris", client.RedirectUris)
+	d.Set("owner", client.Owner)
+	d.Set("policy_uri", client.PolicyURI)
+	d.Set("allowed_cors_origins", client.AllowedCorsOrigins)
+	d.Set("tos_uri", client.TosURI)
+	d.Set("client_uri", client.ClientURI)
+	d.Set("logo_uri", client.LogoURI)
+	d.Set("contacts", client.Contacts)
+	d.Set("subject_type", client.SubjectType)
+	d.Set("token_endpoint_auth_method", client.TokenEndpointAuthMethod)
+}