Merge branch 'main' into VAULT-18672/aws-secrets-sync-loop

.github/workflows/build.yml

@@ -68,6 +68,7 @@ jobs:
         - "vault-enterprise:1.13.8-ent"
         - "vault-enterprise:1.14.4-ent"
         - "vault-enterprise:1.15.0-ent"
+        - "vault:1.15.0"
     services:
       vault:
         image: hashicorp/${{ matrix.image }}
@@ -198,7 +199,12 @@ jobs:
           LDAP_BINDPASS: "adminpassword"
           LDAP_URL: "ldap://openldap:1389"
         run: |
-          make testacc-ent TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
+          if [[ ${{ matrix.image }} =~ "-ent" ]]; then
+            target="testacc-ent"
+          else
+            target="testacc"
+          fi
+          make $target TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
       - name: "Generate Vault API Path Coverage Report"
         run: |
           go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json

CHANGELOG.md

@@ -1,5 +1,18 @@
 ## Unreleased
 
+FEATURES:
+* Add support for `ext_key_usage_oids` in `vault_pki_secret_backend_role` ([#2108](https://github.com/hashicorp/terraform-provider-vault/pull/2108))
+* Adds support to `vault_gcp_auth_backend` for common backend tune parameters ([#1997](https://github.com/terraform-providers/terraform-provider-vault/pull/1997)).
+
+BUGS:
+* fix `vault_kv_secret_v2` drift when "data" is in secret name/path ([#2104](https://github.com/hashicorp/terraform-provider-vault/pull/2104))
+* fix `vault_database_secret_backend_connection`: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key ([#2106](https://github.com/hashicorp/terraform-provider-vault/pull/2106))
+
+## 3.23.0 (Nov 15, 2023)
+
+FEATURES:
+* Add support for lazily authenticating to Vault: ([#2049](https://github.com/hashicorp/terraform-provider-vault/pull/2049))
+
 BUGS:
 * Fix `vault_identity_group` loses externally managed policies on updates when `external_policies = true` ([#2084](https://github.com/hashicorp/terraform-provider-vault/pull/2084))
 * Fix regression in `vault_azure_access_credentials` where we returned prematurely on 401 responses:([#2086](https://github.com/hashicorp/terraform-provider-vault/pull/2086))
@@ -16,6 +29,7 @@ FEATURES:
 BUGS:
 * Fix panic when reading `client_secret` from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))
 * Fix API request missing `roles` field for `mongodbatlas_secret_role` resource ([#2047](https://github.com/hashicorp/terraform-provider-vault/pull/2047))
+* Fix ignored `description` updates for `aws_secret_backend` resource ([#2057](https://github.com/hashicorp/terraform-provider-vault/pull/2057))
 * Fix bug when updating `vault_azure_secret_backend_role`: ([#2063](https://github.com/hashicorp/terraform-provider-vault/pull/2063))
 * Fix audience string ordering for `auth_login_gcp` causing GCE auth to fail ([#2064](https://github.com/hashicorp/terraform-provider-vault/pull/2064))
 

internal/consts/consts.go

@@ -280,6 +280,7 @@ const (
 	FieldEmailProtectionFlag           = "email_protection_flag"
 	FieldKeyUsage                      = "key_usage"
 	FieldExtKeyUsage                   = "ext_key_usage"
+	FieldExtKeyUsageOIDs               = "ext_key_usage_oids"
 	FieldUseCSRCommonName              = "use_csr_common_name"
 	FieldUseCSRSans                    = "use_csr_sans"
 	FieldOU                            = "ou"
@@ -364,8 +365,17 @@ const (
 	FieldDisableISSValidation          = "disable_iss_validation"
 	FieldPEMKeys                       = "pem_keys"
 	FieldSetNamespaceFromToken         = "set_namespace_from_token"
-	FieldCustomTags                    = "custom_tags"
+	FieldAzureRoles                    = "azure_roles"
+	FieldRoleID                        = "role_id"
+	FieldAzureGroups                   = "azure_groups"
+	FieldObjectID                      = "object_id"
+	FieldApplicationObjectID           = "application_object_id"
+	FieldPermanentlyDelete             = "permanently_delete"
+	FieldSignInAudience                = "sign_in_audience"
+	FieldTags                          = "tags"
+  FieldCustomTags                    = "custom_tags"
 	FieldSecretNameTemplate            = "secret_name_template"
+
 	/*
 		common environment variables
 	*/

testutil/testutil.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
 	"net"
 	"net/http"
@@ -41,6 +42,7 @@ import (
 
 const (
 	EnvVarSkipVaultNext = "SKIP_VAULT_NEXT_TESTS"
+	EnvVarTfAccEnt      = "TF_ACC_ENTERPRISE"
 )
 
 func TestAccPreCheck(t *testing.T) {
@@ -61,7 +63,7 @@ func SkipTestAcc(t *testing.T) {
 
 func SkipTestAccEnt(t *testing.T) {
 	t.Helper()
-	SkipTestEnvUnset(t, "TF_ACC_ENTERPRISE")
+	SkipTestEnvUnset(t, EnvVarTfAccEnt)
 }
 
 // SkipTestEnvSet skips the test if any of the provided environment variables
@@ -803,6 +805,37 @@ func GetImportTestStep(resourceName string, skipVerify bool, check resource.Impo
 	return ts
 }
 
+func TestAccCheckAuthMountExists(n string, out *api.AuthMount, c *api.Client) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		return AuthMountExistsHelper(n, s, out, c)
+	}
+}
+
+func AuthMountExistsHelper(resourceName string, s *terraform.State, out *api.AuthMount, c *api.Client) error {
+	rs, ok := s.RootModule().Resources[resourceName]
+	if !ok {
+		return fmt.Errorf("Not found: %s", resourceName)
+	}
+
+	if rs.Primary.ID == "" {
+		return fmt.Errorf("No id for %s is set", resourceName)
+	}
+
+	auths, err := c.Sys().ListAuth()
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %s", err)
+	}
+
+	resp := auths[strings.Trim(rs.Primary.ID, "/")+"/"]
+	if resp == nil {
+		return fmt.Errorf("auth mount %s not present", rs.Primary.ID)
+	}
+	log.Printf("[INFO] Auth mount resource '%v' confirmed to exist at path: %v", resourceName, rs.Primary.ID)
+	*out = *resp
+
+	return nil
+}
+
 // GetNamespaceImportStateCheck checks that the namespace was properly imported into the state.
 func GetNamespaceImportStateCheck(ns string) resource.ImportStateCheckFunc {
 	return func(states []*terraform.InstanceState) error {

vault/resource_auth_backend_test.go

@@ -204,6 +204,8 @@ func testResourceAuth_initialCheck(expectedPath string) resource.TestCheckFunc {
 }
 
 func TestResourceAuthTune(t *testing.T) {
+	testutil.SkipTestAcc(t)
+
 	backend := acctest.RandomWithPrefix("github")
 	resName := "vault_auth_backend.test"
 	var resAuthFirst api.AuthMount
@@ -214,7 +216,9 @@ func TestResourceAuthTune(t *testing.T) {
 			{
 				Config: testResourceAuthTune_initialConfig(backend),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAuthMountExists(resName, &resAuthFirst),
+					testutil.TestAccCheckAuthMountExists(resName,
+						&resAuthFirst,
+						testProvider.Meta().(*provider.ProviderMeta).MustGetClient()),
 					resource.TestCheckResourceAttr(resName, "path", backend),
 					resource.TestCheckResourceAttr(resName, "id", backend),
 					resource.TestCheckResourceAttr(resName, "type", "github"),
@@ -283,7 +287,7 @@ func checkAuthMount(backend string, checker func(*api.AuthMount) error) resource
 		for serverPath, serverAuth := range auths {
 			if serverPath == backend+"/" {
 				found = true
-				if serverAuth.Type != "github" {
+				if serverAuth.Type != "github" && serverAuth.Type != "gcp" {
 					return fmt.Errorf("unexpected auth type")
 				}
 

vault/resource_aws_secret_backend.go

@@ -287,8 +287,10 @@ func awsSecretBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
-	if d.HasChange("default_lease_ttl_seconds") || d.HasChange("max_lease_ttl_seconds") {
+	if d.HasChange("default_lease_ttl_seconds") || d.HasChange("max_lease_ttl_seconds") || d.HasChange("description") {
+		description := d.Get("description").(string)
 		config := api.MountConfigInput{
+			Description:     &description,
 			DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
 			MaxLeaseTTL:     fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
 		}

vault/resource_aws_secret_backend_test.go

@@ -45,7 +45,7 @@ func TestAccAWSSecretBackend_basic(t *testing.T) {
 				Config: testAccAWSSecretBackendConfig_updated(path, accessKey, secretKey),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, consts.FieldPath, path),
-					resource.TestCheckResourceAttr(resourceName, "description", "test description"),
+					resource.TestCheckResourceAttr(resourceName, "description", "test description updated"),
 					resource.TestCheckResourceAttr(resourceName, "default_lease_ttl_seconds", "1800"),
 					resource.TestCheckResourceAttr(resourceName, "max_lease_ttl_seconds", "43200"),
 					resource.TestCheckResourceAttr(resourceName, "access_key", accessKey),
@@ -80,7 +80,8 @@ func TestAccAWSSecretBackend_usernameTempl(t *testing.T) {
 	resourceType := "vault_aws_secret_backend"
 	resourceName := resourceType + ".test"
 	accessKey, secretKey := testutil.GetTestAWSCreds(t)
-	templ := fmt.Sprintf(`{{ printf "vault-%%s-%%s-%%s" (printf "%%s-%%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}`)
+	templ := fmt.Sprintf(`{{ printf \"vault-%%s-%%s-%%s\" (printf \"%%s-%%s\" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}`)
+	expectedTempl := fmt.Sprintf(`{{ printf "vault-%%s-%%s-%%s" (printf "%%s-%%s" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}`)
 	resource.Test(t, resource.TestCase{
 		ProviderFactories: providerFactories,
 		PreCheck:          func() { testutil.TestAccPreCheck(t) },
@@ -89,7 +90,7 @@ func TestAccAWSSecretBackend_usernameTempl(t *testing.T) {
 			{
 				Config: testAccAWSSecretBackendConfig_userTemplate(path, accessKey, secretKey, templ),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr(resourceName, "username_template", templ),
+					resource.TestCheckResourceAttr(resourceName, "username_template", expectedTempl),
 				),
 			},
 			testutil.GetImportTestStep(resourceName, false, nil, "secret_key", "disable_remount"),
@@ -146,7 +147,7 @@ func testAccAWSSecretBackendConfig_updated(path, accessKey, secretKey string) st
 	return fmt.Sprintf(`
 resource "vault_aws_secret_backend" "test" {
   path = "%s"
-  description = "test description"
+  description = "test description updated"
   default_lease_ttl_seconds = 1800
   max_lease_ttl_seconds = 43200
   access_key = "%s"