update changelog
vinay-gopalan committed Nov 11, 2024
2 parents bc827db + d8d1353 commit 350741c
Showing 15 changed files with 182 additions and 67 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,10 @@
FEATURES:

* Update `vault_database_secret_backend_connection` to support inline TLS config for PostgreSQL ([#2339](https://github.com/hashicorp/terraform-provider-vault/pull/2339))
* Update `vault_database_secret_backend_connection` to support skip_verification config for Cassandra ([#2346](https://github.com/hashicorp/terraform-provider-vault/pull/2346))
* Update `vault_approle_auth_backend_role_secret_id` to support `num_uses` and `ttl` fields ([#2345](https://github.com/hashicorp/terraform-provider-vault/pull/2345))
* Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2206](https://github.com/hashicorp/terraform-provider-vault/pull/2206))
* Add support for `allow_empty_principals` field for the `vault_ssh_secret_backend_role` resource ([#2354](https://github.com/hashicorp/terraform-provider-vault/pull/2354))
* Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341))

## 4.4.0 (Aug 7, 2024)
13 changes: 13 additions & 0 deletions vault/data_source_kubernetes_auth_backend_config.go
Expand Up @@ -66,6 +66,12 @@ func kubernetesAuthBackendConfigDataSource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
fieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
},
}
}
Expand Down Expand Up @@ -105,5 +111,12 @@ func kubernetesAuthBackendConfigDataSourceRead(d *schema.ResourceData, meta inte
d.Set(consts.FieldDisableISSValidation, resp.Data[consts.FieldDisableISSValidation])
d.Set(consts.FieldDisableLocalCAJWT, resp.Data[consts.FieldDisableLocalCAJWT])

if provider.IsAPISupported(meta, provider.VaultVersion116) {
err := d.Set(fieldUseAnnotationsAsAliasMetadata, resp.Data[fieldUseAnnotationsAsAliasMetadata])
if err != nil {
return err
}
}

return nil
}
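Review bot: The new `d.Set` for `fieldUseAnnotationsAsAliasMetadata` is the only call in this read whose error is checked; the `d.Set` calls directly above it (`consts.FieldDisableISSValidation`, `consts.FieldDisableLocalCAJWT`) discard theirs, so a type mismatch in those fields stays silent while one in the new field fails the read. Since this block is being touched anyway, either check those returns as well or, at minimum, keep the new one in the surrounding style so a reader does not take the earlier omissions as deliberate. The version gate is sensible: on servers older than 1.16 the key is absent from `resp.Data` and the field stays untouched in state. `kubernetesAuthBackendConfigDataSourceRead` begins outside the hunk, so only its tail is visible here.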
13 changes: 13 additions & 0 deletions vault/data_source_kubernetes_auth_backend_config_test.go
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
"github.com/hashicorp/terraform-provider-vault/testutil"
)

Expand Down Expand Up @@ -62,6 +63,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
issuer := "kubernetes/serviceaccount"
disableIssValidation := true
disableLocalCaJwt := true
useAnnotationsAsAliasMetadata := true

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
Expand Down Expand Up @@ -115,6 +117,17 @@ func TestAccKubernetesAuthBackendConfigDataSource_full(t *testing.T) {
consts.FieldDisableLocalCAJWT, strconv.FormatBool(disableLocalCaJwt)),
),
},
{
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion116), nil
},
Config: testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata)),
),
},
},
})
}
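Review bot: The new step asserts on `vault_kubernetes_auth_backend_config.config`, which is the managed resource, and the config it uses, `testAccKubernetesAuthBackendConfig_useAnnotations` (added in the resource test file in this same commit), declares no data source block, so this data source test never verifies that the data source actually reads `use_annotations_as_alias_metadata`. Add a `data "vault_kubernetes_auth_backend_config"` block to that config (or a data-source variant of the helper) and point the check at the data address, e.g. `resource.TestCheckResourceAttr("data.vault_kubernetes_auth_backend_config.config", fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(useAnnotationsAsAliasMetadata))`. The exact data address is a guess; reuse whatever the earlier steps of `TestAccKubernetesAuthBackendConfigDataSource_full` check, since that function starts outside the hunk.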
29 changes: 29 additions & 0 deletions vault/resource_approle_auth_backend_role_secret_id.go
Expand Up @@ -72,6 +72,22 @@ func approleAuthBackendRoleSecretIDResource(name string) *schema.Resource {
},
},

consts.FieldTTL: {
Type: schema.TypeInt,
Required: false,
Optional: true,
ForceNew: true,
Description: "The TTL duration of the SecretID.",
},

consts.FieldNumUses: {
Type: schema.TypeInt,
Required: false,
Optional: true,
ForceNew: true,
Description: "The number of uses for the secret-id.",
},

consts.FieldBackend: {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -162,6 +178,14 @@ func approleAuthBackendRoleSecretIDCreate(ctx context.Context, d *schema.Resourc
} else {
data["metadata"] = ""
}

if v, ok := d.GetOk(consts.FieldTTL); ok {
data["ttl"] = v
}

if v, ok := d.GetOk(consts.FieldNumUses); ok {
data["num_uses"] = v
}
withWrappedAccessor := d.Get(consts.FieldWithWrappedAccessor).(bool)

wrappingTTL, wrapped := d.GetOk(consts.FieldWrappingTTL)
Expand Down Expand Up @@ -293,12 +317,17 @@ func approleAuthBackendRoleSecretIDRead(ctx context.Context, d *schema.ResourceD
return diag.Errorf("error encoding metadata for SecretID %q to JSON: %s", id, err)
}

ttl := resp.Data["secret_id_ttl"]
numUses := resp.Data["secret_id_num_uses"]

fields := map[string]interface{}{
consts.FieldBackend: backend,
consts.FieldRoleName: role,
consts.FieldCIDRList: cidrs,
consts.FieldMetadata: string(metadata),
consts.FieldAccessor: accessor,
consts.FieldTTL: ttl,
consts.FieldNumUses: numUses,
}

for k, v := range fields {
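Review bot: `consts.FieldTTL` and `consts.FieldNumUses` are `Optional` + `ForceNew` but not `Computed`, while the read hunk unconditionally copies `secret_id_ttl` / `secret_id_num_uses` from the API response into those fields. If the role itself carries a non-zero `secret_id_ttl` or `secret_id_num_uses` (the usual way these limits are set) and the user leaves the fields unset, the refreshed state will differ from the empty config and every plan will propose a ForceNew replacement, i.e. a fresh SecretID issued on each apply, which is credential churn nobody asked for. Adding `Computed: true` to both schema entries avoids that, and `Required: false` on each is the zero value and can be dropped. The response values are numbers whose Go type I cannot confirm from here (json.Number versus int); the `d.Set` loop that consumes `fields` continues past the hunk, so check that it tolerates whatever type arrives for a `TypeInt` field.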
4 changes: 4 additions & 0 deletions vault/resource_approle_auth_backend_role_secret_id_test.go
Expand Up @@ -190,6 +190,8 @@ func TestAccAppRoleAuthBackendRoleSecretID_full(t *testing.T) {
resource.TestCheckResourceAttrSet(secretIDResource, "accessor"),
resource.TestCheckResourceAttr(secretIDResource, "cidr_list.#", "2"),
resource.TestCheckResourceAttr(secretIDResource, consts.FieldMetadata, `{"hello":"world"}`),
resource.TestCheckResourceAttr(secretIDResource, "ttl", "700"),
resource.TestCheckResourceAttr(secretIDResource, "num_uses", "2"),
),
},
},
Expand Down Expand Up @@ -254,6 +256,8 @@ resource "vault_approle_auth_backend_role_secret_id" "secret_id" {
role_name = vault_approle_auth_backend_role.role.role_name
backend = vault_auth_backend.approle.path
cidr_list = ["10.148.0.0/20", "10.150.0.0/20"]
ttl = 700
num_uses = 2
metadata = <<EOF
{
"hello": "world"
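Review bot: The new assertions only cover the explicitly-set case (`ttl = 700`, `num_uses = 2`); a step that omits both fields, ideally against a role that sets its own `secret_id_ttl` and `secret_id_num_uses`, would catch a refresh writing the role's values back into unset fields and then planning a replacement of the SecretID. Both hunks sit inside `TestAccAppRoleAuthBackendRoleSecretID_full` and its HCL helper, which start outside the hunks.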
12 changes: 12 additions & 0 deletions vault/resource_database_secret_backend_connection.go
Expand Up @@ -335,6 +335,12 @@ func getDatabaseSchema(typ schema.ValueType) schemaMap {
Default: 5,
Description: "The number of seconds to use as a connection timeout.",
},
"skip_verification": {
Type: schema.TypeBool,
Optional: true,
Default: false,
Description: "Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.",
},
},
},
MaxItems: 1,
Expand Down Expand Up @@ -1048,6 +1054,9 @@ func setCassandraDatabaseConnectionData(d *schema.ResourceData, prefix string, d
if v, ok := d.GetOkExists(prefix + "connect_timeout"); ok {
data["connect_timeout"] = v.(int)
}
if v, ok := d.GetOkExists(prefix + "skip_verification"); ok {
data["skip_verification"] = v.(bool)
}
}

func getConnectionDetailsFromResponse(d *schema.ResourceData, prefix string, resp *api.Secret) map[string]interface{} {
Expand Down Expand Up @@ -2088,6 +2097,9 @@ func getConnectionDetailsCassandra(d *schema.ResourceData, prefix string, resp *
}
result["connect_timeout"] = timeout
}
if v, ok := data["skip_verification"]; ok {
result["skip_verification"] = v.(bool)
}
return result, nil
}
return nil, nil
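Review bot: In `getConnectionDetailsCassandra`, `v.(bool)` on `data["skip_verification"]` is an unchecked assertion on a value taken straight from the Vault response, so an unexpected type (a string, a number, or anything else the server chooses to return) panics the provider instead of producing an error; the `connect_timeout` handling just above appears to go through a parse step rather than a bare assertion, which is the safer pattern. Use the two-value form: `if v, ok := data["skip_verification"].(bool); ok { result["skip_verification"] = v }`. The write side in `setCassandraDatabaseConnectionData` is fine, since the schema guarantees a bool there. The field description in the first hunk already explains what the check protects; it could add that with the check skipped, a Cassandra user lacking the needed grants is only discovered when the first role is created rather than when the connection is configured. `getConnectionDetailsCassandra` starts outside the hunk.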
2 changes: 2 additions & 0 deletions vault/resource_database_secret_backend_connection_test.go
Expand Up @@ -116,6 +116,7 @@ func TestAccDatabaseSecretBackendConnection_cassandra(t *testing.T) {
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.pem_json", ""),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.protocol_version", "4"),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.connect_timeout", "5"),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.skip_verification", "false"),
),
},
},
Expand Down Expand Up @@ -159,6 +160,7 @@ func TestAccDatabaseSecretBackendConnection_cassandraProtocol(t *testing.T) {
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.pem_json", ""),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.protocol_version", "5"),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.connect_timeout", "5"),
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.skip_verification", "false"),
),
},
},
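Review bot: Both new checks assert the default `"false"`, and no step sets `skip_verification = true`, so the write path in `setCassandraDatabaseConnectionData` and the read-back in `getConnectionDetailsCassandra` are never exercised with a non-default value. A step that enables the flag and checks `cassandra.0.skip_verification` is `"true"` after refresh would cover the feature this commit adds. Both test functions start outside the hunks.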
25 changes: 25 additions & 0 deletions vault/resource_kubernetes_auth_backend_config.go
Expand Up @@ -18,6 +18,8 @@ import (
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

const fieldUseAnnotationsAsAliasMetadata = "use_annotations_as_alias_metadata"

var (
kubernetesAuthBackendConfigFromPathRegex = regexp.MustCompile("^auth/(.+)/config$")
// overrideKubernetesFieldsMap maps resource IDs to a slice of strings containing
Expand Down Expand Up @@ -82,6 +84,12 @@ func kubernetesAuthBackendConfigResource() *schema.Resource {
Optional: true,
Description: "Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod.",
},
fieldUseAnnotationsAsAliasMetadata: {
Type: schema.TypeBool,
Computed: true,
Optional: true,
Description: "Use annotations from the client token's associated service account as alias metadata for the Vault entity.",
},
}
return &schema.Resource{
Create: kubernetesAuthBackendConfigCreate,
Expand Down Expand Up @@ -177,6 +185,13 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{})
if v, ok := d.GetOk(consts.FieldDisableLocalCAJWT); ok {
data[consts.FieldDisableLocalCAJWT] = v
}

if provider.IsAPISupported(meta, provider.VaultVersion116) {
if v := d.Get(fieldUseAnnotationsAsAliasMetadata); v != nil {
data[fieldUseAnnotationsAsAliasMetadata] = v
}
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error writing Kubernetes auth backend config %q: %s", path, err)
Expand Down Expand Up @@ -243,9 +258,13 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e
consts.FieldDisableISSValidation,
consts.FieldDisableLocalCAJWT,
consts.FieldPEMKeys,
fieldUseAnnotationsAsAliasMetadata,
}

for _, k := range params {
if k == fieldUseAnnotationsAsAliasMetadata && !provider.IsAPISupported(meta, provider.VaultVersion116) {
continue
}
v := resp.Data[k]
if err := d.Set(k, v); err != nil {
return err
Expand Down Expand Up @@ -302,6 +321,12 @@ func kubernetesAuthBackendConfigUpdate(d *schema.ResourceData, meta interface{})
setData(consts.FieldDisableLocalCAJWT, v)
}

if provider.IsAPISupported(meta, provider.VaultVersion116) {
if v := d.Get(fieldUseAnnotationsAsAliasMetadata); v != nil {
data[fieldUseAnnotationsAsAliasMetadata] = v
}
}

_, err := client.Logical().Write(path, data)
if err != nil {
return fmt.Errorf("error updating Kubernetes auth backend config %q: %s", path, err)
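Review bot: In both `kubernetesAuthBackendConfigCreate` and `kubernetesAuthBackendConfigUpdate`, `d.Get` on a `TypeBool` field returns `false` rather than `nil` when the value is unset, so the `v != nil` guard is always true and the field is sent whenever the server is 1.16+; if sending it unconditionally is the intent (reasonable for an Optional+Computed field), the guard only obscures that. Writing it the way the SSH role in this commit does, `data[fieldUseAnnotationsAsAliasMetadata] = d.Get(fieldUseAnnotationsAsAliasMetadata).(bool)`, makes the behaviour explicit. The update path also has a `setData` helper used by the surrounding fields that the new block bypasses; its definition is outside the hunk, so check whether it does more than assign before leaving the direct map write. The read hunk's version gate is fine and leaves state untouched on older servers.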
54 changes: 36 additions & 18 deletions vault/resource_kubernetes_auth_backend_config_test.go
Expand Up @@ -227,6 +227,7 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
backend := acctest.RandomWithPrefix("kubernetes")
jwt := kubernetesJWT
issuer := "api"
testResource := "vault_kubernetes_auth_backend_config.config"

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
Expand All @@ -237,24 +238,25 @@ func TestAccKubernetesAuthBackendConfig_full(t *testing.T) {
Config: testAccKubernetesAuthBackendConfigConfig_full(backend, kubernetesCAcert, jwt, issuer,
true, true, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"backend", backend),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldKubernetesHost, "http://example.com:443"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldKubernetesCACert, kubernetesCAcert),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"token_reviewer_jwt", jwt),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"pem_keys.#", "1"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
"pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldIssuer, "api"),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableISSValidation, strconv.FormatBool(true)),
resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config",
consts.FieldDisableLocalCAJWT, strconv.FormatBool(true)),
resource.TestCheckResourceAttr(testResource, "backend", backend),
resource.TestCheckResourceAttr(testResource, consts.FieldKubernetesHost, "http://example.com:443"),
resource.TestCheckResourceAttr(testResource, consts.FieldKubernetesCACert, kubernetesCAcert),
resource.TestCheckResourceAttr(testResource, "token_reviewer_jwt", jwt),
resource.TestCheckResourceAttr(testResource, "pem_keys.#", "1"),
resource.TestCheckResourceAttr(testResource, "pem_keys.0", kubernetesPEMfile),
resource.TestCheckResourceAttr(testResource, consts.FieldIssuer, "api"),
resource.TestCheckResourceAttr(testResource, consts.FieldDisableISSValidation, strconv.FormatBool(true)),
resource.TestCheckResourceAttr(testResource, consts.FieldDisableLocalCAJWT, strconv.FormatBool(true)),
),
},
{
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion116), nil
},
Config: testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(testResource, fieldUseAnnotationsAsAliasMetadata, strconv.FormatBool(true)),
),
},
},
Expand Down Expand Up @@ -428,6 +430,22 @@ resource "vault_kubernetes_auth_backend_config" "config" {
return config + "}"
}

func testAccKubernetesAuthBackendConfig_useAnnotations(backend, jwt string) string {
return fmt.Sprintf(`
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "%s"
}
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "http://example.com:443"
token_reviewer_jwt = %q
use_annotations_as_alias_metadata = true
}
`, backend, jwt)
}

func testAccKubernetesAuthBackendConfigConfig_full(backend, caCert, jwt, issuer string,
disableIssValidation, disableLocalCaJwt, omitCA bool,
) string {
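Review bot: The new step's config, `testAccKubernetesAuthBackendConfig_useAnnotations`, drops `kubernetes_ca_cert`, `issuer`, `pem_keys` and the `disable_*` flags that the preceding full-config step set, so step two is really an update that also clears those fields while asserting only the new one; a regression in clearing them would surface here as an unrelated failure, and a regression that fails to clear them would not surface at all. Threading a `useAnnotations bool` through `testAccKubernetesAuthBackendConfigConfig_full` (which already takes the other booleans) and asserting the full attribute set in the gated step keeps the step additive and the coverage of the earlier fields intact. Minor: in the new helper `path = "%s"` could use `%q` like `token_reviewer_jwt` does, so a backend name containing quotes or backslashes is escaped in the generated HCL.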
16 changes: 14 additions & 2 deletions vault/resource_ssh_secret_backend_role.go
Expand Up @@ -183,6 +183,11 @@ func sshSecretBackendRoleResource() *schema.Resource {
Optional: true,
Computed: true,
},
"allow_empty_principals": {
Type: schema.TypeBool,
Optional: true,
Default: false,
},
}

return &schema.Resource{
Expand Down Expand Up @@ -261,6 +266,9 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {

data["allowed_domains_template"] = d.Get("allowed_domains_template")
}
if provider.IsAPISupported(meta, provider.VaultVersion117) {
data["allow_empty_principals"] = d.Get("allow_empty_principals").(bool)
}

if v, ok := d.GetOk("key_id_format"); ok {
data["key_id_format"] = v.(string)
Expand Down Expand Up @@ -359,9 +367,13 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
if provider.IsAPISupported(meta, provider.VaultVersion112) {
fields = append(fields, []string{"default_user_template", "allowed_domains_template"}...)
}
if provider.IsAPISupported(meta, provider.VaultVersion117) {
fields = append(fields, []string{"allow_empty_principals"}...)
}

// cidr_list cannot be read from the API
// potential for drift here
// cannot be read from the API, potential for drift here:
// - cidr_list
// - allow_empty_principals
for _, k := range fields {
if err := d.Set(k, role.Data[k]); err != nil {
return err
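Review bot: The read hunk appends `allow_empty_principals` to `fields`, so it is `d.Set` from `role.Data[k]` on 1.17+, while the comment rewritten in the same hunk lists it under "cannot be read from the API, potential for drift". One of the two is wrong: if the API does return the key, drop it from the comment; if it does not, `d.Set("allow_empty_principals", nil)` on every refresh resets state to `false` and users who set `true` see a permanent diff, in which case it should be excluded from the loop (for example by only appending it when `role.Data` contains the key). The schema entry also lacks a `Description`, unlike its neighbours; I would add `Description: "Allow this role to sign certificates with no valid principals. OpenSSH by default treats a certificate without principals as valid for any user or host that trusts the CA, so leave this false unless it is required.",`. `sshSecretBackendRoleWrite` and `sshSecretBackendRoleRead` both start outside the hunks.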