
secret/ssh: handle state upgrade for key_type field (#2308)
* secret/ssh: handle state upgrade for key_type field

* changelog

* use const for key_type

* add state upgrade acc test
fairclothjm authored Aug 5, 2024
1 parent feafccd commit 2605365
Showing 3 changed files with 74 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
## Unreleased

BUGS:
* fix `vault_ssh_secret_backend_ca` where a schema change forced the resource to be replaced ([#2308](https://github.com/hashicorp/terraform-provider-vault/pull/2308))
* fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully ([#2289](https://github.com/hashicorp/terraform-provider-vault/pull/2289))

## 4.3.0 (Jun 17, 2024)

FEATURES:
43 changes: 42 additions & 1 deletion vault/resource_ssh_secret_backend_ca.go
Expand Up @@ -4,6 +4,7 @@
package vault

import (
"context"
"fmt"
"log"
"strings"
Expand All @@ -14,6 +15,8 @@ import (
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

const defaultKeyTypeSSH = "ssh-rsa"

func sshSecretBackendCAResource() *schema.Resource {
return &schema.Resource{
Create: sshSecretBackendCACreate,
Expand All @@ -22,6 +25,14 @@ func sshSecretBackendCAResource() *schema.Resource {
Importer: &schema.ResourceImporter{
State: schema.ImportStatePassthrough,
},
SchemaVersion: 1,
StateUpgraders: []schema.StateUpgrader{
{
Version: 0,
Type: sshSecretBackendCAResourceV0().CoreConfigSchema().ImpliedType(),
Upgrade: sshSecretBackendCAUpgradeV0,
},
},

Schema: map[string]*schema.Schema{
"backend": {
Expand All @@ -43,7 +54,7 @@ func sshSecretBackendCAResource() *schema.Resource {
},
"key_type": {
Type: schema.TypeString,
Default: "ssh-rsa",
Default: defaultKeyTypeSSH,
Optional: true,
ForceNew: true,
Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.",
Expand Down Expand Up @@ -162,3 +173,33 @@ func sshSecretBackendCADelete(d *schema.ResourceData, meta interface{}) error {

return nil
}

func sshSecretBackendCAResourceV0() *schema.Resource {
return &schema.Resource{
Schema: map[string]*schema.Schema{
"key_type": {
Type: schema.TypeString,
Default: defaultKeyTypeSSH,
Optional: true,
ForceNew: true,
Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.",
},
},
}
}

// sshSecretBackendCAUpgradeV0 allows update the state for the vault_ssh_secret_backend_ca
// resource that was provisioned with older schema configurations.
//
// Upgrading the Vault provider from 4.2.0 to 4.3.0 results in
// vault_ssh_secret_backend_ca being replaced although no other changes have
// been made. The key_type attribute, introduced in #1454, gets added
// (implicit, using the default value) and forces the resource to be replaced.
// See https://github.com/hashicorp/terraform-provider-vault/issues/2281
func sshSecretBackendCAUpgradeV0(_ context.Context, rawState map[string]interface{}, _ interface{}) (map[string]interface{}, error) {
if rawState["key_type"] == nil {
rawState["key_type"] = defaultKeyTypeSSH
}

return rawState, nil
}
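Review bot: The upgrader at the bottom of the section writes `ssh-rsa` into every version-0 state without regard to what the CA actually is, which is wrong for a CA created with `generate_signing_key = false` and a caller-supplied key of another type, and possibly for one generated before the provider knew about `key_type` against a Vault whose default differed. Because `key_type` is `ForceNew`, the first time such a user declares the true type in config Terraform will destroy and recreate the CA, rotating the signing key and invalidating every certificate it issued, so the assumption should be stated and, if Read can recover the type from the CA's `public_key` (not visible here), refreshed from Vault instead of hard-coded. At minimum I would put above the assignment `// Assumes a pre-4.3.0 CA is ssh-rsa (the provider default). A CA built from a user-supplied key of another type keeps a wrong key_type; the field is ForceNew, so correcting it in config replaces the CA.` The stub schema returned by `sshSecretBackendCAResourceV0` declares only `key_type`; that is harmless for JSON state, but a comment saying it is intentionally minimal would stop a maintainer from assuming it is the full v0 schema, since a legacy flatmap state decoded through that type would lose the other attributes.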
28 changes: 28 additions & 0 deletions vault/resource_ssh_secret_backend_ca_test.go
Expand Up @@ -67,6 +67,34 @@ func TestAccSSHSecretBackend_import(t *testing.T) {
})
}

// TestAccSSHSecretBackendCA_Upgrade_key_type uses ExternalProviders (vault) to
// generate a state file with a previous version of the provider and then
// verify that there are no planned changes after migrating to an updated
// schema to validate the sshSecretBackendCAUpgradeV0 state upgrader.
func TestAccSSHSecretBackendCA_Upgrade_key_type(t *testing.T) {
backend := "ssh-" + acctest.RandString(10)
resource.Test(t, resource.TestCase{
Steps: []resource.TestStep{
{
ExternalProviders: map[string]resource.ExternalProvider{
"vault": {
// 4.2.0 does not have the key_type field
VersionConstraint: "4.2.0",
Source: "hashicorp/vault",
},
},
Config: testAccSSHSecretBackendCAConfigGenerated(backend),
Check: testAccSSHSecretBackendCACheck(backend),
},
{
ProviderFactories: providerFactories,
Config: testAccSSHSecretBackendCAConfigGenerated(backend),
PlanOnly: true,
},
},
})
}

func testAccCheckSSHSecretBackendCADestroy(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "vault_ssh_secret_backend_ca" {
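Review bot: The new test only exercises the generated-key path (`testAccSSHSecretBackendCAConfigGenerated`), where the stamped `ssh-rsa` default is guaranteed to match, so it cannot catch the case the upgrader gets wrong: a CA configured with `generate_signing_key = false` and a supplied key of another type, where the upgraded state's `key_type` does not describe the real CA. A second case using a supplied-key config (if such a helper exists) with the same 4.2.0 / `PlanOnly` pair would document whether that path also plans a replacement. The second step also carries no assertion that `key_type` landed in state; since `PlanOnly` steps skip `Check`, a final non-plan-only step with `resource.TestCheckResourceAttr(<address>, "key_type", "ssh-rsa")` would pin that. `testAccCheckSSHSecretBackendCADestroy` begins in this hunk and continues outside it.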
