mirror of
synced 2025-02-20 11:48:24 -06:00
Previously the consul_keys resource did double-duty as both a reader and writer of values from the Consul key/value store, but that made its interface rather confusing and complex, as well as having all of the other general problems associated with read-only resources. Here we split the functionality such that reading is done with the consul_keys data source while writing is done with the consul_keys resource. The old read behavior of the resource is still supported, but it's no longer documented (except as a deprecation note) and will generate deprecation warnings when used. In future it should be possible to simplify the consul_keys resource by removing all of the read support, but that is deferred for now to give users a chance to gracefully migrate to the new data source.
341 lines
7.8 KiB
341 lines
7.8 KiB
package consul
import (
consulapi "github.com/hashicorp/consul/api"
func resourceConsulKeys() *schema.Resource {
return &schema.Resource{
Create: resourceConsulKeysCreate,
Update: resourceConsulKeysUpdate,
Read: resourceConsulKeysRead,
Delete: resourceConsulKeysDelete,
SchemaVersion: 1,
MigrateState: resourceConsulKeysMigrateState,
Schema: map[string]*schema.Schema{
"datacenter": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Computed: true,
ForceNew: true,
"token": &schema.Schema{
Type: schema.TypeString,
Optional: true,
"key": &schema.Schema{
Type: schema.TypeSet,
Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"name": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Deprecated: "Using consul_keys resource to *read* is deprecated; please use consul_keys data source instead",
"path": &schema.Schema{
Type: schema.TypeString,
Required: true,
"value": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Computed: true,
"default": &schema.Schema{
Type: schema.TypeString,
Optional: true,
"delete": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Default: false,
"var": &schema.Schema{
Type: schema.TypeMap,
Computed: true,
func resourceConsulKeysCreate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*consulapi.Client)
kv := client.KV()
token := d.Get("token").(string)
dc, err := getDC(d, client)
if err != nil {
return err
keyClient := newKeyClient(kv, dc, token)
keys := d.Get("key").(*schema.Set).List()
for _, raw := range keys {
_, path, sub, err := parseKey(raw)
if err != nil {
return err
value := sub["value"].(string)
if value == "" {
if err := keyClient.Put(path, value); err != nil {
return err
// The ID doesn't matter, since we use provider config, datacenter,
// and key paths to address consul properly. So we just need to fill it in
// with some value to indicate the resource has been created.
return resourceConsulKeysRead(d, meta)
func resourceConsulKeysUpdate(d *schema.ResourceData, meta interface{}) error {
client := meta.(*consulapi.Client)
kv := client.KV()
token := d.Get("token").(string)
dc, err := getDC(d, client)
if err != nil {
return err
keyClient := newKeyClient(kv, dc, token)
if d.HasChange("key") {
o, n := d.GetChange("key")
if o == nil {
o = new(schema.Set)
if n == nil {
n = new(schema.Set)
os := o.(*schema.Set)
ns := n.(*schema.Set)
remove := os.Difference(ns).List()
add := ns.Difference(os).List()
// We'll keep track of what keys we add so that if a key is
// in both the "remove" and "add" sets -- which will happen if
// its value is changed in-place -- we will avoid writing the
// value and then immediately removing it.
addedPaths := make(map[string]bool)
// We add before we remove because then it's possible to change
// a key name (which will result in both an add and a remove)
// without very temporarily having *neither* value in the store.
// Instead, both will briefly be present, which should be less
// disruptive in most cases.
for _, raw := range add {
_, path, sub, err := parseKey(raw)
if err != nil {
return err
value := sub["value"].(string)
if value == "" {
if err := keyClient.Put(path, value); err != nil {
return err
addedPaths[path] = true
for _, raw := range remove {
_, path, sub, err := parseKey(raw)
if err != nil {
return err
// Don't delete something we've just added.
// (See explanation at the declaration of this variable above.)
if addedPaths[path] {
shouldDelete, ok := sub["delete"].(bool)
if !ok || !shouldDelete {
if err := keyClient.Delete(path); err != nil {
return err
// Store the datacenter on this resource, which can be helpful for reference
// in case it was read from the provider
d.Set("datacenter", dc)
return resourceConsulKeysRead(d, meta)
func resourceConsulKeysRead(d *schema.ResourceData, meta interface{}) error {
client := meta.(*consulapi.Client)
kv := client.KV()
token := d.Get("token").(string)
dc, err := getDC(d, client)
if err != nil {
return err
keyClient := newKeyClient(kv, dc, token)
vars := make(map[string]string)
keys := d.Get("key").(*schema.Set).List()
for _, raw := range keys {
key, path, sub, err := parseKey(raw)
if err != nil {
return err
value, err := keyClient.Get(path)
if err != nil {
return err
value = attributeValue(sub, value)
if key != "" {
// If key is set then we'll update vars, for backward-compatibilty
// with the pre-0.7 capability to read from Consul with this
// resource.
vars[key] = value
// If there is already a "value" attribute present for this key
// then it was created as a "write" block. We need to update the
// given value within the block itself so that Terraform can detect
// when the Consul-stored value has drifted from what was most
// recently written by Terraform.
// We don't do this for "read" blocks; that causes confusing diffs
// because "value" should not be set for read-only key blocks.
if oldValue := sub["value"]; oldValue != "" {
sub["value"] = value
if err := d.Set("var", vars); err != nil {
return err
if err := d.Set("key", keys); err != nil {
return err
// Store the datacenter on this resource, which can be helpful for reference
// in case it was read from the provider
d.Set("datacenter", dc)
return nil
func resourceConsulKeysDelete(d *schema.ResourceData, meta interface{}) error {
client := meta.(*consulapi.Client)
kv := client.KV()
token := d.Get("token").(string)
dc, err := getDC(d, client)
if err != nil {
return err
keyClient := newKeyClient(kv, dc, token)
// Clean up any keys that we're explicitly managing
keys := d.Get("key").(*schema.Set).List()
for _, raw := range keys {
_, path, sub, err := parseKey(raw)
if err != nil {
return err
// Skip if the key is non-managed
shouldDelete, ok := sub["delete"].(bool)
if !ok || !shouldDelete {
if err := keyClient.Delete(path); err != nil {
return err
// Clear the ID
return nil
// parseKey is used to parse a key into a name, path, config or error
func parseKey(raw interface{}) (string, string, map[string]interface{}, error) {
sub, ok := raw.(map[string]interface{})
if !ok {
return "", "", nil, fmt.Errorf("Failed to unroll: %#v", raw)
key := sub["name"].(string)
path, ok := sub["path"].(string)
if !ok {
return "", "", nil, fmt.Errorf("Failed to get path for key '%s'", key)
return key, path, sub, nil
// attributeValue determines the value for a key, potentially
// using a default value if provided.
func attributeValue(sub map[string]interface{}, readValue string) string {
// Use the value if given
if readValue != "" {
return readValue
// Use a default if given
if raw, ok := sub["default"]; ok {
switch def := raw.(type) {
case string:
return def
case bool:
return strconv.FormatBool(def)
// No value
return ""
// getDC is used to get the datacenter of the local agent
func getDC(d *schema.ResourceData, client *consulapi.Client) (string, error) {
if v, ok := d.GetOk("datacenter"); ok {
return v.(string), nil
info, err := client.Agent().Self()
if err != nil {
return "", fmt.Errorf("Failed to get datacenter from Consul agent: %v", err)
return info["Config"]["Datacenter"].(string), nil