Release v1.1.8: Go upgrade and security fixes, PAM Record Type Support #62
- Implemented pamDirectory resource and data source for Active Directory and OpenLDAP
- Fixed Schedule field structure to match Go SDK (6 fields)
- Fixed login/password field reading in all PAM data sources (directory, machine, database, user)
- Created examples for pamDirectory resources and data sources
- Documented AllowedSettings investigation in field comments
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).
Updates `golang.org/x/crypto` from 0.42.0 to 0.45.0
- [Commits](golang/crypto@v0.42.0...v0.45.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
  dependency-group: go_modules
...
Signed-off-by: dependabot[bot] <[email protected]>
KSM-527: Add support for PAM record types
Fixed pre-existing compilation errors:
- Changed ProviderFactories to Providers (testAccProviders)
- Replaced undefined variables with testAcc helpers
- Fixed PreCheck function call syntax
The test now compiles but still requires TF_ACC=1 and test data to run.
Added GitHub Actions workflow to run tests on pull requests:
- Builds provider binary
- Runs go vet and go fmt checks
- Runs unit tests and provider validation
- Based on pattern from secrets-manager-go repository
Acceptance tests require TF_ACC=1 and test credentials, so they should be run manually or in a separate workflow.
Changed test files to properly skip tests when TF_ACC is not set instead of failing. This prevents CI from failing when running unit tests without acceptance test credentials.
Files fixed:
- data_source_folder_test.go: removed nil pointer dereference
- resource_folder_test.go: changed t.Fail() to t.Skip()
- resource_pam_machine_test.go: changed t.Fatal() to t.Skip()
- resource_pam_database_test.go: changed t.Fatal() to t.Skip()
- Add resource_pam_user_test.go with 4 acceptance tests (create, update, delete, import)
- Add resource_pam_directory_test.go with 4 acceptance tests
- Enable PAM Database update test (was disabled due to SDK concerns)
- Add examples for PAM User resources and data sources
- Fix test data formats (checkbox values, database_type lowercase, distinguished_name labels)
- All 16 PAM acceptance tests now pass (Database, Directory, Machine, User)
Note: Update tests only test fields that work with current SDK (v1.6.4). Fields using ApplyFieldChange() have known SDK limitation where RecordDict changes don't sync to RawJson. Workaround: tests focus on fields using SetStandardFieldValue().
Updated version constraints in PAM resource and data source examples:
- examples/data-sources/pam_{database,machine,user}.tf
- examples/resources/pam_{database,machine,user}.tf
All PAM examples now consistently require provider version >= 1.1.8
which includes the PAM record type support added in KSM-527.
Ensure go mod tidy runs with -compat=1.24.8 to maintain compatibility with the Go version specified in go.mod during releases, regardless of the Go version installed on the release machine.
…modules-dd7da38a6b Bump golang.org/x/crypto from 0.42.0 to 0.45.0 in the go_modules group across 1 directory
…o 'connectDatabase'
…er_group, provider_region, alternative_ips fields
Fix gofmt indentation issues in pamDirectory resource and data source files.
idimov-keeper left a comment:
read the comments
secretsmanager/provider.go (Outdated)
```go
// simple value - Int64 (converted to float/float64 by JSON)
ftSchema["value"] = int64(num)
} else if boolVal, ok := fiv.(bool); ok {
	// simple value - bool (for checkbox fields that expect a list)
```
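Review bot: `ftSchema["value"] = int64(num)` converts the JSON-decoded float64 with a bare cast, which silently drops a fractional part and gives an implementation-defined result for values outside the int64 range; check that `num` is integral (`num == math.Trunc(num)`) and in range before converting, and return an error otherwise. The comment on the bool branch should also state the actual shape of checkbox values (a single-element array) rather than "expect a list", since the schema limits the field to one item.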
which checkbox field expects a list i.e. multiple (values)
I tested it with the Go SDK directly and it looks like checkbox values (useSSL, managed) return as single element arrays, ie [true] or [false]. The schema has MaxItems: 1 on the field so I updated the comment to be a little more explicit about what's going on here
```go
Optional:     true,
AtLeastOneOf: []string{"folder_uid", "uid"},
Description:  "The folder UID where the secret is stored. The parent shared folder must be non empty.",
Description:  "The folder UID where the secret is stored. Ensure the folder is shared to your KSM application with 'Can Edit' permissions.",
```
IIRC Recent SDKs support sub-folders so AFAIK this is the direct parent which may or may not be a shared folder (hence "The parent shared folder must ...") consider changing "Ensure the folder is shared..."
Gotcha, went with "the folder or its parent shared folder must be accessible" instead of "ensure the folder is shared."
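The review thread above turns on how raw JSON field values reach the provider: numbers decode to float64, and checkbox fields such as useSSL and managed come back from the Go SDK as single-element arrays ([true] or [false]) under a schema with MaxItems: 1. The following is an added example, not code from the provider or the Keeper SDK, that normalizes such values before they are written into a schema map. The field names, the `fieldsJSON` sample, and the `NormalizeFieldValue` / `ParseFields` helpers are all constructed for illustration; the example goes a step beyond the snippet under review by rejecting non-integral or out-of-range numbers instead of truncating them with a bare int64() cast, and by rejecting checkbox arrays that do not contain exactly one bool.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// fieldsJSON is a constructed sample, not a real Keeper record. It mixes the
// value shapes discussed in the review: JSON numbers (decoded by encoding/json
// as float64), a plain bool, and two checkbox-style fields that arrive as
// single-element arrays ([true] / [false]).
const fieldsJSON = `{
  "port": 22,
  "retries": 3,
  "allowRotation": true,
  "managed": [true],
  "useSSL": [false],
  "hostName": "db01.example.internal"
}`

// NormalizeFieldValue maps one raw JSON value onto the type the schema expects.
// A number is accepted only when it is integral and fits in int64, so a
// fractional or out-of-range value is reported rather than silently altered by
// a plain int64() conversion. A checkbox array must hold exactly one bool
// (the schema has MaxItems: 1); any other shape is rejected.
func NormalizeFieldValue(raw interface{}) (interface{}, error) {
	switch v := raw.(type) {
	case float64:
		if v != math.Trunc(v) {
			return nil, fmt.Errorf("number %v is not an integer", v)
		}
		if v >= 1<<63 || v < -(1<<63) {
			return nil, fmt.Errorf("number %v does not fit in int64", v)
		}
		return int64(v), nil
	case bool:
		return v, nil
	case string:
		return v, nil
	case []interface{}:
		if len(v) != 1 {
			return nil, fmt.Errorf("checkbox value must have exactly one element, got %d", len(v))
		}
		b, ok := v[0].(bool)
		if !ok {
			return nil, fmt.Errorf("checkbox element is %T, want bool", v[0])
		}
		return b, nil
	default:
		return nil, fmt.Errorf("unsupported value type %T", raw)
	}
}

// ParseFields decodes a JSON object of field values and normalizes each one.
// The first failing field is returned by name so the caller can report it.
func ParseFields(data string) (map[string]interface{}, error) {
	var raw map[string]interface{}
	if err := json.Unmarshal([]byte(data), &raw); err != nil {
		return nil, err
	}
	out := make(map[string]interface{}, len(raw))
	for name, value := range raw {
		normalized, err := NormalizeFieldValue(value)
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
		out[name] = normalized
	}
	return out, nil
}

func main() {
	fields, err := ParseFields(fieldsJSON)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range []string{"port", "managed", "useSSL", "hostName"} {
		fmt.Printf("%-10s %T %v\n", name, fields[name], fields[name])
	}
}
```

The point of the explicit range and shape checks is that a malformed value surfaces as a Terraform error naming the field, instead of a plan that quietly carries a truncated number or the first of several checkbox entries.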
* feat(data-source): add regex pattern support to records data source
Implement title_patterns parameter for secretsmanager_records data source, allowing users to filter records using Go regex patterns. This addresses GitHub issue #14 and Jira ticket KSM-389.
Features:
- Add title_patterns schema field accepting list of regex patterns
- Compile and validate patterns at runtime
- Match records against any provided pattern
- Support combining UIDs, titles, and patterns in single query
- Fetch all records once when patterns used (optimization)
Tests:
- TestAccDataSourceRecords_WithTitlePatterns: Basic pattern matching
- TestAccDataSourceRecords_InvalidPattern: Invalid regex error handling
- TestAccDataSourceRecords_CombinedWithPatterns: Mixed query types
- TestAccDataSourceRecords_MultiplePatterns: Multiple pattern support
Documentation:
- Updated docs/data-sources/records.md with pattern examples
- Added regex usage examples to examples/data-sources/records.tf
- Documented performance considerations for pattern matching
References: GitHub issue #14, Jira KSM-389
* test(records): fix wildcard UIDs and map checks in acceptance tests
Release v1.1.8: Security Fixes, Bug Fixes, and PAM Support
Release Date: 2025-12-08
Type: Minor version (1.1.7 → 1.1.8)
Compatibility: Backward compatible, no breaking changes
Summary
Release v1.1.8 of the Terraform Provider for Keeper Secrets Manager addresses critical security vulnerabilities in Go, fixes the long-standing shortcuts/linked records issue, adds comprehensive support for Privileged Access Management (PAM) record types with complete CRUD operations, testing, and documentation, and introduces regex pattern matching for flexible record filtering.
Security
Upgrade Go to Address Critical Vulnerabilities (KSM-707)
Impact: Closes #61
Fixed
Fix Shortcuts/Linked Records Error (KSM-522)
Impact: Closes #52, resolves long-standing issue affecting multi-folder setups
Added
Add Comprehensive PAM Record Type Support (KSM-527)
Complete implementation of Keeper Privileged Access Management (PAM) record types with CRUD operations, field validation, testing, and documentation.
New Resources
secretsmanager_pam_machine: Manage SSH, RDP, and other remote machine credentials
secretsmanager_pam_database: Manage PostgreSQL, MySQL, MongoDB, and other database credentials
secretsmanager_pam_directory: Manage Active Directory and LDAP directory credentials (5371c78)
Enhanced Data Sources
Core PAM Features
pamSettings field: Protocol-specific connection configuration as JSON
Schema functions in record_fields_pam.go:
- schemaPamSettingsField(): Unified pamSettings schema
- schemaPamHostnameField(): Hostname + port complex field
- schemaScriptField(): Rotation scripts with command/fileRef/recordRef
Comprehensive Test Coverage
Examples & Documentation
Add 6 comprehensive example files:
- examples/resources/pam_machine.tf: SSH servers, Windows RDP, AWS EC2 instances
- examples/resources/pam_database.tf: PostgreSQL, MySQL, MongoDB, AWS RDS configurations
- examples/resources/pam_directory.tf: Active Directory, OpenLDAP configurations
- examples/data-sources/pam_machine.tf: Reading machine credentials, parsing pamSettings
- examples/data-sources/pam_database.tf: Building database connection strings
- examples/data-sources/pam_directory.tf: Extracting directory configuration
Update version references across all 44 existing example files (3b4fc53)
Code Quality
Impact: Enable Terraform management of privileged access credentials, merge PR #63
Add Regex Pattern Support to Records Data Source (KSM-389)
Enable flexible record filtering with regex pattern matching in the secretsmanager_records data source (8b0b49a).
New Features
- title_patterns parameter: Filter records using Go regular expressions, e.g. "^Production.*Database$", "^Prod.*DB.*"
- Pattern validation: Runtime regex compilation with clear error messages
- Optimized fetching: Fetches all records once when patterns are used (efficient bulk operations)
Test Coverage
- TestAccDataSourceRecords_WithTitlePatterns: Basic pattern matching functionality
- TestAccDataSourceRecords_InvalidPattern: Invalid regex error handling
- TestAccDataSourceRecords_CombinedWithPatterns: Mixed UIDs, titles, and patterns
- TestAccDataSourceRecords_MultiplePatterns: Multiple pattern support
Documentation & Examples
- docs/data-sources/records.md with regex pattern examples
- examples/data-sources/records.tf
Example Usage:
Impact: Closes #14, merges PR #64
Testing
Running Tests Locally
PAM acceptance tests:
Records data source tests:
All acceptance tests:
Test Results: ✅ All 108 tests passing
Files Changed
102 files changed: 7,457 additions, 1,872 deletions
Modified Core Files
- go.mod - Go version 1.24.0 → 1.24.8
- .github/workflows/terraform-provider-release-process.yml - Go version updates
- README.md, docs/index.md - Version references 1.1.7 → 1.1.8
- secretsmanager/provider.go - PAM data sources/resources registration + shortcuts fix
- secretsmanager/record_fields_pam.go - PAM field schema functions (pamSettings, pamHostname, rotation_scripts)
- secretsmanager/data_source_records.go - Regex pattern matching support
- secretsmanager/data_source_pam_user.go - Enhanced schema with private_pem_key support
Created PAM Files
- secretsmanager/resource_pam_directory.go - PAM directory resource (Active Directory, LDAP)
- secretsmanager/data_source_pam_directory.go - PAM directory data source
- secretsmanager/resource_pam_machine_test.go - 4 acceptance tests
- secretsmanager/resource_pam_database_test.go - 4 acceptance tests
- secretsmanager/resource_pam_directory_test.go - 4 acceptance tests
- secretsmanager/resource_pam_user_test.go - 4 acceptance tests
- examples/resources/pam_machine.tf - Machine resource examples
- examples/resources/pam_database.tf - Database resource examples
- examples/resources/pam_directory.tf - Directory resource examples
- examples/data-sources/pam_machine.tf - Machine data source examples
- examples/data-sources/pam_database.tf - Database data source examples
- examples/data-sources/pam_directory.tf - Directory data source examples
Updated Files
- secretsmanager/data_source_records_test.go - Added 4 regex pattern tests
- docs/data-sources/records.md - Regex pattern documentation
- examples/data-sources/records.tf - Regex pattern examples
Related Issues
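The release notes and the KSM-389 commit describe the title_patterns behaviour of the records data source: patterns are compiled and validated up front, a record is selected when it matches any pattern, and UIDs, titles and patterns may be combined in one query over a record set fetched once. The block below is an added example that reimplements that selection logic in isolation; it is not the provider's own data_source_records.go code. The `Record` and `Query` types, the `sampleRecords` list and the `FilterRecords` / `compilePatterns` helpers are constructed for illustration, while the two patterns exercised, "^Production.*Database$" and "^Prod.*DB.*", are the ones quoted in the release notes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Record is a minimal stand-in for a Keeper record (constructed for this
// example); the real SDK record carries far more than a UID and a title.
type Record struct {
	UID   string
	Title string
}

// Query mirrors the three selectors the data source accepts: explicit UIDs,
// exact titles, and Go regular expressions matched against titles.
type Query struct {
	UIDs          []string
	Titles        []string
	TitlePatterns []string
}

// sampleRecords is a constructed record set, standing in for the single bulk
// fetch the data source performs when patterns are in use.
var sampleRecords = []Record{
	{UID: "u1", Title: "Production Postgres Database"},
	{UID: "u2", Title: "Staging DB"},
	{UID: "u3", Title: "Prod API DB key"},
	{UID: "u4", Title: "Old SSH key"},
	{UID: "u5", Title: "Dev notes"},
}

// compilePatterns validates every pattern before any record is examined, so a
// malformed regex is reported once, with its index and the compiler's message,
// rather than failing partway through the record set.
func compilePatterns(patterns []string) ([]*regexp.Regexp, error) {
	compiled := make([]*regexp.Regexp, 0, len(patterns))
	for i, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("title_patterns[%d] %q: %w", i, p, err)
		}
		compiled = append(compiled, re)
	}
	return compiled, nil
}

// matchesAny reports whether the title matches at least one compiled pattern.
func matchesAny(patterns []*regexp.Regexp, title string) bool {
	for _, re := range patterns {
		if re.MatchString(title) {
			return true
		}
	}
	return false
}

// FilterRecords returns, in input order and without duplicates, every record
// selected by at least one of the query's UIDs, exact titles, or patterns.
// Each record is tested once, so a record hit by several selectors is still
// returned only once.
func FilterRecords(all []Record, q Query) ([]Record, error) {
	patterns, err := compilePatterns(q.TitlePatterns)
	if err != nil {
		return nil, err
	}
	wantUID := make(map[string]bool, len(q.UIDs))
	for _, u := range q.UIDs {
		wantUID[u] = true
	}
	wantTitle := make(map[string]bool, len(q.Titles))
	for _, t := range q.Titles {
		wantTitle[t] = true
	}
	var out []Record
	for _, r := range all {
		if wantUID[r.UID] || wantTitle[r.Title] || matchesAny(patterns, r.Title) {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	q := Query{
		UIDs:          []string{"u4"},
		Titles:        []string{"Staging DB"},
		TitlePatterns: []string{"^Production.*Database$", "^Prod.*DB.*"},
	}
	matched, err := FilterRecords(sampleRecords, q)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range matched {
		fmt.Printf("%s  %s\n", r.UID, r.Title)
	}
}
```

Two details worth noting for anyone reproducing this in a provider: Go's regexp package (RE2) is case sensitive by default, so "^Prod.*DB.*" does not select "Production Postgres Database" (which has "Database", not "DB"), and compiling all patterns before the loop is what turns a bad pattern into a single clear error instead of a partial result.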