feat: Multi-cloud provider support (Google Cloud, Azure)

[mpyw]

Summary

Add support for Google Cloud and Azure secret/config management services, making suve a truly unified tool across cloud providers.

Target Services

Provider	Parameter Store	Secrets Manager	E2E Emulator
AWS	SSM Parameter Store	Secrets Manager	LocalStack
Google Cloud	-	Secret Manager	gcp-secret-manager-emulator
Azure	App Configuration	Key Vault	Official / KV Emulator

---

Implementation Roadmap

Phase A: Foundation (Complete ✅)

• feat: A.1 - Define Scope type for multi-cloud support #132 - A.1: Define Scope type
• feat: A.2 - Define Model types (Parameter, Secret) #134 - A.2: Define Model types (Parameter, Secret) + AWS-specific field migration
• feat: A.3 - Define Provider interfaces #137 - A.3: Define Provider interfaces
• feat: B.2 - Add Scope support to Store #138 - B.2: Add Scope support to Store
• feat(provider): add model types and provider interfaces for multi-cloud support #145 - Model types and Provider interfaces for multi-cloud
• refactor(usecase): migrate tag operations to provider interfaces #147 - Tag operations migrated to provider interfaces

Phase B: AWS Refactoring (In Progress)

Migrate UseCase/Staging layers from paramapi.*/secretapi.* to provider.* interfaces.

• feat: B.1 - Implement AWS Adapter #133 - B.1: Implement AWS Adapter
• PR refactor: move output package to cli/output #2 - Read UseCase Migration (show, log, list, diff)
• PR refactor: add usecase layer for staging operations #3 - Write UseCase Migration (create, update, delete, restore)
• PR refactor: add usecase layer for param operations #4 - Staging Strategy Migration
• PR Add usecase layer for secret operations #5 - Version Resolution Abstraction
• refactor: move internal/api to provider-specific location #148 - Move/cleanup internal/api

Phase C: Multi-cloud (Future)

• feat: C.1 - Add Google Cloud Secret Manager support #135 - C.1: Add Google Cloud Secret Manager support
• feat: C.2 - Add Azure support (Key Vault + App Configuration) #136 - C.2: Add Azure support (Key Vault + App Configuration)

---

PR Plan Details

PR #2: Read UseCase Migration

Files:

• internal/usecase/param/show.go, log.go, list.go, diff.go
• internal/usecase/secret/show.go, log.go, list.go, diff.go

Interface mapping:

Old	New
paramapi.GetParameterAPI	provider.ParameterReader.GetParameter
paramapi.GetParameterHistoryAPI	provider.ParameterReader.GetParameterHistory
paramapi.DescribeParametersAPI	provider.ParameterReader.ListParameters
secretapi.GetSecretValueAPI	provider.SecretReader.GetSecret
secretapi.ListSecretVersionIDsAPI	provider.SecretReader.GetSecretVersions
secretapi.ListSecretsAPI	provider.SecretReader.ListSecrets
secretapi.DescribeSecretAPI	provider.SecretDescriber.DescribeSecret

PR #3: Write UseCase Migration

Files:

• internal/usecase/param/create.go, update.go, delete.go
• internal/usecase/secret/create.go, update.go, delete.go, restore.go

PR #4: Staging Strategy Migration

Files:

• internal/staging/param.go, secret.go
• internal/staging/cli/*.go
• internal/cli/commands/stage/param/, secret/

PR #5: Version Resolution Abstraction

Provider-agnostic version resolution interface:

type VersionSpec interface {
    Name() string
    HasAbsolute() bool
    Shift() int
}

type VersionResolver interface {
    ResolveVersion(ctx context.Context, spec VersionSpec) (string, error)
}

---

Dependency Graph

[Phase A: Complete] ✅
    |
    +---> PR #2 (Read UseCase)
    |         |
    |         +---> PR #5 (Version Resolution)
    |
    +---> PR #3 (Write UseCase)
              |
              +---> PR #4 (Staging Strategy)
                        |
                        +---> Phase C (Multi-cloud)

---

CLI Structure (Future)

# AWS: --region required
suve aws --region=ap-northeast-1 param show /my/param
suve aws --region=ap-northeast-1 secret show my-secret

# Google Cloud: --project required
suve gcloud --project=my-project secret show my-secret

# Azure: --resource-group, --vault/--store required
suve azure --resource-group=my-rg keyvault --vault=my-vault show my-secret
suve azure --resource-group=my-rg appconfig --store=my-store show my-key

---

References

• AWS SDK for Go v2
• Google Cloud Go SDK
• Azure SDK for Go

[mpyw]

PoC 調査結果 (suve-poc-multi-providers)

SDK の自動解決範囲（検証済み）

SDK	認証	リージョン等	API呼び出し時	suveでの対応
AWS SDK v2	✅自動	✅Region自動	指定不要	不要
GCP SDK	✅自動	⚠️取得可能	明示的指定必要	必要
Azure SDK	✅自動	❌取得しない	明示的指定必要	必要

エビデンス:

• AWS: resolveEC2IMDSRegion() が config/resolve.go に実装
• GCP: API は Resource Name ベース (projects/{PROJECT}/secrets/{NAME})
• Azure: NewResourceGroupsClient(subscriptionID, cred, nil) で明示的指定必要

---

改良版フォールバックチェーン

Issue 本文の設計から改良:

GCP Project

1. --project フラグ
2. CLOUDSDK_CORE_PROJECT
3. GOOGLE_CLOUD_PROJECT
4. gcloud config (~/.config/gcloud/configurations/config_default) ← CLI不要、直接読み込み
5. ADC (project_id / quota_project_id) ← 追加
6. メタデータサーバー ← 追加

Azure Resource Group

1. --resource-group フラグ
2. AZURE_DEFAULTS_GROUP
3. ~/.azure/config [defaults] group ← CLI不要、直接読み込み
4. Azure IMDS ← 追加

---

実装済み機能

• GCP ADC project_id 抽出: サービスアカウント + ユーザー認証 (quota_project_id) 対応
• GCP メタデータサーバー: http://metadata.google.internal/computeMetadata/v1/project/project-id
• Azure IMDS: http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01
• Azure 名前→URL 変換: myvault → https://myvault.vault.azure.net
• リソース一覧取得 (Control Plane):
  • GCPProjectLister
  • AzureSubscriptionLister (認証情報からサブスクリプション自動取得)
  • AzureResourceGroupLister
  • AzureKeyVaultLister
  • AzureAppConfigLister

---

タグ/ラベルの違い（重要）

クラウド	所属先	変更時
AWS SSM/SM	Resource	バージョン不変
GCP SM	Secret	バージョン不変
Azure KV	SecretVersion	新バージョン作成
Azure AppConfig	Setting	バージョン不変

→ Azure KV のみ特殊。tag コマンドで新バージョン作成を明示する必要あり。

---

GCP 固有: Replication Policy

シークレット作成時に必須（変更不可）:

• Automatic: Google が自動選択（推奨）
• User-Managed: リージョン明示指定

suve gcp secret create my-secret                              # Automatic
suve gcp secret create my-secret --regions asia-northeast1    # User-Managed

---

注意事項

• Control Plane API: エミュレータでテスト不可（実クレデンシャル必要）
• Azure Data Plane: Subscription/RG 不要、Vault URL だけで動作
• 設定ファイル直接読み込み: exec.Command("gcloud", ...) ではなく INI パース推奨