Release v1.1.8: Go upgrade and security fixes, PAM Record Type Support #62
- Implemented pamDirectory resource and data source for Active Directory and OpenLDAP
- Fixed Schedule field structure to match Go SDK (6 fields)
- Fixed login/password field reading in all PAM data sources (directory, machine, database, user)
- Created examples for pamDirectory resources and data sources
- Documented AllowedSettings investigation in field comments
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).

Updates `golang.org/x/crypto` from 0.42.0 to 0.45.0
- [Commits](golang/crypto@v0.42.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
KSM-527: Add support for PAM record types
Fixed pre-existing compilation errors:
- Changed ProviderFactories to Providers (testAccProviders)
- Replaced undefined variables with testAcc helpers
- Fixed PreCheck function call syntax

The test now compiles but still requires TF_ACC=1 and test data to run.
Added GitHub Actions workflow to run tests on pull requests:
- Builds provider binary
- Runs go vet and go fmt checks
- Runs unit tests and provider validation
- Based on pattern from secrets-manager-go repository

Acceptance tests require TF_ACC=1 and test credentials, so they should be run manually or in a separate workflow.
| strategy: | ||
| matrix: | ||
| go-version: [ '1.24.8' ] | ||
| os: [ ubuntu-latest ] | ||
| runs-on: ${{ matrix.os }} | ||
| name: Test with Go ${{ matrix.go-version }} | ||
|
|
||
| steps: | ||
| - name: Install Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Download dependencies | ||
| run: go mod download | ||
|
|
||
| - name: Build provider | ||
| run: go build -v . | ||
|
|
||
| - name: Run go vet | ||
| run: go vet ./... | ||
|
|
||
| - name: Run go fmt check | ||
| run: | | ||
| if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then | ||
| echo "Go files are not formatted:" | ||
| gofmt -s -d . | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Run unit tests | ||
| run: go test -v -timeout=10m ./... | ||
|
|
||
| - name: Run provider validation | ||
| run: go test -v -run TestProvider ./secretsmanager | ||
|
|
||
| # Acceptance tests require secrets and test data | ||
| # Run these manually with TF_ACC=1 and KEEPER_CREDENTIAL set locally | ||
| # or add them to a separate protected workflow with secrets |
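Review bot: the two `uses:` lines in the steps (`actions/setup-go@v5` and `actions/checkout@v4`) reference mutable major-version tags; pin each to a full commit SHA, with the tag kept in a trailing comment, so the code that runs in CI cannot change without a diff in this repository. The "Run provider validation" step also repeats work: `go test -v -timeout=10m ./...` already covers `./secretsmanager`, so `TestProvider` runs twice and the extra step can be dropped or folded into the unit-test step.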
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium test
Copilot Autofix
AI 7 days ago
To fix this issue, you should add an explicit permissions block in your workflow YAML, specifying least privilege, which is sufficient for your workflow's needs. Since none of the steps require writing to the repo, a read-only permission on contents is sufficient. The most concise and maintainable way is to add the following block at the root of the workflow file (before jobs:), so it applies to all jobs unless overridden. Insert it after the on: block and before jobs:. No additional libraries or imports are needed; this is simply a YAML configuration change.
| @@ -6,6 +6,8 @@ | ||
|
|
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| test-terraform-provider: | ||
| strategy: |
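The check behind the CodeQL finding above, as an added example that is not part of the PR or the project's code: a Go line scanner that reports jobs with neither a root-level nor a job-level `permissions:` key. `JobsWithoutPermissions` and `sampleWorkflow` are names made up for this example, and the sample workflow is constructed from the job shown earlier.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the PR's test job cut down, with no permissions key.
const sampleWorkflow = `on: pull_request
jobs:
  test-terraform-provider:
    runs-on: ubuntu-latest
    steps:
      - run: go vet ./...
`

// JobsWithoutPermissions lists jobs with neither a root-level nor a job-level
// `permissions:` key. Assumes block-style YAML indented with spaces (a line
// scanner, not a YAML parser).
func JobsWithoutPermissions(workflow string) []string {
	var jobs, missing []string
	has := map[string]bool{}
	inJobs, jobIndent, keyIndent, cur := false, -1, -1, ""
	for _, raw := range strings.Split(workflow, "\n") {
		trimmed := strings.TrimLeft(raw, " ")
		key, _, isKey := strings.Cut(trimmed, ":")
		if !isKey || strings.HasPrefix(trimmed, "#") {
			continue
		}
		switch indent := len(raw) - len(trimmed); {
		case indent == 0 && key == "permissions":
			return nil // a root-level block applies to every job
		case indent == 0:
			inJobs, jobIndent = key == "jobs", -1
		case inJobs && (jobIndent < 0 || indent == jobIndent):
			jobs, cur, jobIndent, keyIndent = append(jobs, key), key, indent, -1
		case inJobs && (keyIndent < 0 || indent == keyIndent):
			keyIndent = indent
			has[cur] = has[cur] || key == "permissions"
		}
	}
	for _, j := range jobs {
		if !has[j] {
			missing = append(missing, j)
		}
	}
	return missing
}

func main() { fmt.Println(JobsWithoutPermissions(sampleWorkflow)) }
```

A job-level key only clears the job that carries it, so a workflow with several jobs can still be reported for the ones left on the default token scopes.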
Changed test files to properly skip tests when TF_ACC is not set instead of failing. This prevents CI from failing when running unit tests without acceptance test credentials.

Files fixed:
- data_source_folder_test.go: removed nil pointer dereference
- resource_folder_test.go: changed t.Fail() to t.Skip()
- resource_pam_machine_test.go: changed t.Fatal() to t.Skip()
- resource_pam_database_test.go: changed t.Fatal() to t.Skip()
- Add resource_pam_user_test.go with 4 acceptance tests (create, update, delete, import)
- Add resource_pam_directory_test.go with 4 acceptance tests
- Enable PAM Database update test (was disabled due to SDK concerns)
- Add examples for PAM User resources and data sources
- Fix test data formats (checkbox values, database_type lowercase, distinguished_name labels)
- All 16 PAM acceptance tests now pass (Database, Directory, Machine, User)

Note: Update tests only test fields that work with current SDK (v1.6.4). Fields using ApplyFieldChange() have known SDK limitation where RecordDict changes don't sync to RawJson. Workaround: tests focus on fields using SetStandardFieldValue().
Updated version constraints in PAM resource and data source examples:
- examples/data-sources/pam_{database,machine,user}.tf
- examples/resources/pam_{database,machine,user}.tf
All PAM examples now consistently require provider version >= 1.1.8
which includes the PAM record type support added in KSM-527.
Ensure go mod tidy runs with -compat=1.24.8 to maintain compatibility with the Go version specified in go.mod during releases, regardless of the Go version installed on the release machine.
…modules-dd7da38a6b Bump golang.org/x/crypto from 0.42.0 to 0.45.0 in the go_modules group across 1 directory
Summary
Release v1.1.8 of the Terraform Provider for Keeper Secrets Manager, including security fixes, critical bug fixes, and major PAM (Privileged Access Management) feature additions.
Changes
Security Fixes (KSM-707)
Bug Fixes
New Features: PAM Record Type Support (KSM-527)
Added comprehensive support for Keeper Privileged Access Management (PAM) record types:
New Resources
New Data Sources
Core PAM Features
PAM Test Coverage
PAM Examples
Comprehensive Terraform examples for:
Documentation
Files Changed
Modified Files (10)
Created Files (10)
Updated Files (43)
Related Issues
Release Type
This is a minor version release (1.1.7 → 1.1.8) containing:
Testing
PAM tests can be run with:
```bash
TF_ACC=1 go test ./secretsmanager -v -run "TestAccResourcePamMachine"
TF_ACC=1 go test ./secretsmanager -v -run "TestAccResourcePamDatabase"
```
Notes