From 2605365cc6a975244b680a1876ba2018594c9b7a Mon Sep 17 00:00:00 2001 From: John-Michael Faircloth Date: Mon, 5 Aug 2024 14:36:48 -0500 Subject: [PATCH] secret/ssh: handle state upgrade for key_type field (#2308) * secret/ssh: handle state upgrade for key_type field * changelog * use const for key_type * add state upgrade acc test --- CHANGELOG.md | 4 ++ vault/resource_ssh_secret_backend_ca.go | 43 +++++++++++++++++++- vault/resource_ssh_secret_backend_ca_test.go | 28 +++++++++++++ 3 files changed, 74 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c255839c9..2b42051218 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## Unreleased +BUGS: +* fix `vault_ssh_secret_backend_ca` where a schema change forced the resource to be replaced ([#2308](https://github.com/hashicorp/terraform-provider-vault/pull/2308)) +* fix a bug where a read on non-existent auth or secret mount resulted in an error that prevented the provider from completing successfully ([#2289](https://github.com/hashicorp/terraform-provider-vault/pull/2289)) + ## 4.3.0 (Jun 17, 2024) FEATURES: diff --git a/vault/resource_ssh_secret_backend_ca.go b/vault/resource_ssh_secret_backend_ca.go index 25e8836856..b9b4aa80f3 100644 --- a/vault/resource_ssh_secret_backend_ca.go +++ b/vault/resource_ssh_secret_backend_ca.go @@ -4,6 +4,7 @@ package vault import ( + "context" "fmt" "log" "strings" @@ -14,6 +15,8 @@ import ( "github.com/hashicorp/terraform-provider-vault/internal/provider" ) +const defaultKeyTypeSSH = "ssh-rsa" + func sshSecretBackendCAResource() *schema.Resource { return &schema.Resource{ Create: sshSecretBackendCACreate, @@ -22,6 +25,14 @@ func sshSecretBackendCAResource() *schema.Resource { Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, }, + SchemaVersion: 1, + StateUpgraders: []schema.StateUpgrader{ + { + Version: 0, + Type: sshSecretBackendCAResourceV0().CoreConfigSchema().ImpliedType(), + Upgrade: sshSecretBackendCAUpgradeV0, + }, + }, Schema: map[string]*schema.Schema{ "backend": { @@ -43,7 +54,7 @@ func sshSecretBackendCAResource() *schema.Resource { }, "key_type": { Type: schema.TypeString, - Default: "ssh-rsa", + Default: defaultKeyTypeSSH, Optional: true, ForceNew: true, Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.", @@ -162,3 +173,33 @@ func sshSecretBackendCADelete(d *schema.ResourceData, meta interface{}) error { return nil } + +func sshSecretBackendCAResourceV0() *schema.Resource { + return &schema.Resource{ + Schema: map[string]*schema.Schema{ + "key_type": { + Type: schema.TypeString, + Default: defaultKeyTypeSSH, + Optional: true, + ForceNew: true, + Description: "Specifies the desired key type for the generated SSH CA key when `generate_signing_key` is set to `true`.", + }, + }, + } +} + +// sshSecretBackendCAUpgradeV0 allows update the state for the vault_ssh_secret_backend_ca +// resource that was provisioned with older schema configurations. +// +// Upgrading the Vault provider from 4.2.0 to 4.3.0 results in +// vault_ssh_secret_backend_ca being replaced although no other changes have +// been made. The key_type attribute, introduced in #1454, gets added +// (implicit, using the default value) and forces the resource to be replaced. +// See https://github.com/hashicorp/terraform-provider-vault/issues/2281 +func sshSecretBackendCAUpgradeV0(_ context.Context, rawState map[string]interface{}, _ interface{}) (map[string]interface{}, error) { + if rawState["key_type"] == nil { + rawState["key_type"] = defaultKeyTypeSSH + } + + return rawState, nil +} diff --git a/vault/resource_ssh_secret_backend_ca_test.go b/vault/resource_ssh_secret_backend_ca_test.go index 2a0ee2235f..462eeeb6b8 100644 --- a/vault/resource_ssh_secret_backend_ca_test.go +++ b/vault/resource_ssh_secret_backend_ca_test.go @@ -67,6 +67,34 @@ func TestAccSSHSecretBackend_import(t *testing.T) { }) } +// TestAccSSHSecretBackendCA_Upgrade_key_type uses ExternalProviders (vault) to +// generate a state file with a previous version of the provider and then +// verify that there are no planned changes after migrating to an updated +// schema to validate the sshSecretBackendCAUpgradeV0 state upgrader. +func TestAccSSHSecretBackendCA_Upgrade_key_type(t *testing.T) { + backend := "ssh-" + acctest.RandString(10) + resource.Test(t, resource.TestCase{ + Steps: []resource.TestStep{ + { + ExternalProviders: map[string]resource.ExternalProvider{ + "vault": { + // 4.2.0 does not have the key_type field + VersionConstraint: "4.2.0", + Source: "hashicorp/vault", + }, + }, + Config: testAccSSHSecretBackendCAConfigGenerated(backend), + Check: testAccSSHSecretBackendCACheck(backend), + }, + { + ProviderFactories: providerFactories, + Config: testAccSSHSecretBackendCAConfigGenerated(backend), + PlanOnly: true, + }, + }, + }) +} + func testAccCheckSSHSecretBackendCADestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { if rs.Type != "vault_ssh_secret_backend_ca" {