secret/ssh: add support for allow_empty_principals on roles

hashicorp · Nov 6, 2024 · 6d3d0b0 · 6d3d0b0
1 parent 3418cb7
commit 6d3d0b0
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 36 deletions.
diff --git a/vault/resource_ssh_secret_backend_role.go b/vault/resource_ssh_secret_backend_role.go
@@ -183,6 +183,11 @@ func sshSecretBackendRoleResource() *schema.Resource {
 			Optional:    true,
 			Computed:    true,
 		},
+		"allow_empty_principals": {
+			Type:     schema.TypeBool,
+			Optional: true,
+			Default:  false,
+		},
 	}
 
 	return &schema.Resource{
@@ -261,6 +266,9 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 
 		data["allowed_domains_template"] = d.Get("allowed_domains_template")
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data["allow_empty_principals"] = d.Get("allow_empty_principals").(bool)
+	}
 
 	if v, ok := d.GetOk("key_id_format"); ok {
 		data["key_id_format"] = v.(string)
@@ -359,9 +367,13 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	if provider.IsAPISupported(meta, provider.VaultVersion112) {
 		fields = append(fields, []string{"default_user_template", "allowed_domains_template"}...)
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		fields = append(fields, []string{"allow_empty_principals"}...)
+	}
 
-	// cidr_list cannot be read from the API
-	// potential for drift here
+	// cannot be read from the API, potential for drift here:
+	// - cidr_list
+	// - allow_empty_principals
 	for _, k := range fields {
 		if err := d.Set(k, role.Data[k]); err != nil {
 			return err

diff --git a/vault/resource_ssh_secret_backend_role_test.go b/vault/resource_ssh_secret_backend_role_test.go
@@ -50,6 +50,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		// 30s is the default value vault uese.
 		// https://developer.hashicorp.com/vault/api-docs/secret/ssh#not_before_duration
 		resource.TestCheckResourceAttr(resourceName, "not_before_duration", "30"),
+		resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
 	)
 
 	updateCheckFuncs := append(commonCheckFuncs,
@@ -73,6 +74,7 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		resource.TestCheckResourceAttr(resourceName, "ttl", "43200"),
 		// 50m (3000 seconds)
 		resource.TestCheckResourceAttr(resourceName, "not_before_duration", "3000"),
+		resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "true"),
 	)
 
 	getCheckFuncs := func(isUpdate bool) resource.TestCheckFunc {
@@ -84,19 +86,10 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 				checks = append(checks, initialCheckFuncs...)
 			}
 
-			meta := testProvider.Meta().(*provider.ProviderMeta)
-			isVaultVersion112 := meta.IsAPISupported(provider.VaultVersion112)
-			if isVaultVersion112 {
-				if isUpdate {
-					checks = append(checks,
-						resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "true"),
-					)
-				} else {
-					checks = append(checks,
-						resource.TestCheckResourceAttr(resourceName, "allowed_domains_template", "false"),
-					)
-				}
-			}
+			// can append version-dependent checks here:
+			// meta := testProvider.Meta().(*provider.ProviderMeta)
+			// isVaultVersion117 := meta.IsAPISupported(provider.VaultVersion117)
+
 			return resource.ComposeAggregateTestCheckFunc(checks...)(state)
 		}
 	}
@@ -137,27 +130,14 @@ func TestAccSSHSecretBackendRole(t *testing.T) {
 		}
 	}
 
-	t.Run("vault-1.11-and-below", func(t *testing.T) {
-		resource.Test(t, resource.TestCase{
-			ProviderFactories: providerFactories,
-			PreCheck: func() {
-				testutil.TestAccPreCheck(t)
-				SkipIfAPIVersionGTE(t, testProvider.Meta(), provider.VaultVersion112)
-			},
-			CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
-			Steps:        getSteps(""),
-		})
-	})
-	t.Run("vault-1.12-and-up", func(t *testing.T) {
-		resource.Test(t, resource.TestCase{
-			ProviderFactories: providerFactories,
-			PreCheck: func() {
-				testutil.TestAccPreCheck(t)
-				SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion112)
-			},
-			CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
-			Steps:        getSteps("allowed_domains_template = true"),
-		})
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117)
+		},
+		CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
+		Steps:        getSteps(""),
 	})
 }
 
@@ -289,6 +269,7 @@ resource "vault_ssh_secret_backend_role" "test_role" {
   allow_user_key_ids       = true
   allowed_critical_options = "foo,bar"
   allowed_domains          = "example.com,foo.com"
+  allowed_domains_template = true
   allowed_extensions       = "ext1,ext2"
   default_extensions       = { "ext1" = "" }
   default_critical_options = { "opt1" = "" }