Merge branch 'main' into resource_jwt_auth_backend_role_bound_claims_fix

.github/workflows/build.yml

@@ -68,6 +68,7 @@ jobs:
         - "vault-enterprise:1.13.8-ent"
         - "vault-enterprise:1.14.4-ent"
         - "vault-enterprise:1.15.0-ent"
+        - "vault:1.15.0"
     services:
       vault:
         image: hashicorp/${{ matrix.image }}
@@ -198,7 +199,12 @@ jobs:
           LDAP_BINDPASS: "adminpassword"
           LDAP_URL: "ldap://openldap:1389"
         run: |
-          make testacc-ent TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
+          if [[ ${{ matrix.image }} =~ "-ent" ]]; then
+            target="testacc-ent"
+          else
+            target="testacc"
+          fi
+          make $target TESTARGS='-test.v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true TF_ACC_K8S_SKIP_IN_CLUSTER=true
       - name: "Generate Vault API Path Coverage Report"
         run: |
           go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json

CHANGELOG.md

@@ -1,8 +1,13 @@
 ## Unreleased
 
+FEATURES:
+* Add support for `ext_key_usage_oids` in `vault_pki_secret_backend_role` ([#2108](https://github.com/hashicorp/terraform-provider-vault/pull/2108))
+* Adds support to `vault_gcp_auth_backend` for common backend tune parameters ([#1997](https://github.com/terraform-providers/terraform-provider-vault/pull/1997)).
+
 BUGS:
 * fix `vault_kv_secret_v2` drift when "data" is in secret name/path ([#2104](https://github.com/hashicorp/terraform-provider-vault/pull/2104))
 * Fix `bound_claims` Set bound_claims values as per Vault format ([#2102](https://github.com/hashicorp/terraform-provider-vault/pull/2102))
+* fix `vault_database_secret_backend_connection`: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key ([#2106](https://github.com/hashicorp/terraform-provider-vault/pull/2106))
 
 ## 3.23.0 (Nov 15, 2023)
 

internal/consts/consts.go

@@ -280,6 +280,7 @@ const (
 	FieldEmailProtectionFlag           = "email_protection_flag"
 	FieldKeyUsage                      = "key_usage"
 	FieldExtKeyUsage                   = "ext_key_usage"
+	FieldExtKeyUsageOIDs               = "ext_key_usage_oids"
 	FieldUseCSRCommonName              = "use_csr_common_name"
 	FieldUseCSRSans                    = "use_csr_sans"
 	FieldOU                            = "ou"

testutil/testutil.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
 	"net"
 	"net/http"
@@ -41,6 +42,7 @@ import (
 
 const (
 	EnvVarSkipVaultNext = "SKIP_VAULT_NEXT_TESTS"
+	EnvVarTfAccEnt      = "TF_ACC_ENTERPRISE"
 )
 
 func TestAccPreCheck(t *testing.T) {
@@ -61,7 +63,7 @@ func SkipTestAcc(t *testing.T) {
 
 func SkipTestAccEnt(t *testing.T) {
 	t.Helper()
-	SkipTestEnvUnset(t, "TF_ACC_ENTERPRISE")
+	SkipTestEnvUnset(t, EnvVarTfAccEnt)
 }
 
 // SkipTestEnvSet skips the test if any of the provided environment variables
@@ -803,6 +805,37 @@ func GetImportTestStep(resourceName string, skipVerify bool, check resource.Impo
 	return ts
 }
 
+func TestAccCheckAuthMountExists(n string, out *api.AuthMount, c *api.Client) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		return AuthMountExistsHelper(n, s, out, c)
+	}
+}
+
+func AuthMountExistsHelper(resourceName string, s *terraform.State, out *api.AuthMount, c *api.Client) error {
+	rs, ok := s.RootModule().Resources[resourceName]
+	if !ok {
+		return fmt.Errorf("Not found: %s", resourceName)
+	}
+
+	if rs.Primary.ID == "" {
+		return fmt.Errorf("No id for %s is set", resourceName)
+	}
+
+	auths, err := c.Sys().ListAuth()
+	if err != nil {
+		return fmt.Errorf("error reading from Vault: %s", err)
+	}
+
+	resp := auths[strings.Trim(rs.Primary.ID, "/")+"/"]
+	if resp == nil {
+		return fmt.Errorf("auth mount %s not present", rs.Primary.ID)
+	}
+	log.Printf("[INFO] Auth mount resource '%v' confirmed to exist at path: %v", resourceName, rs.Primary.ID)
+	*out = *resp
+
+	return nil
+}
+
 // GetNamespaceImportStateCheck checks that the namespace was properly imported into the state.
 func GetNamespaceImportStateCheck(ns string) resource.ImportStateCheckFunc {
 	return func(states []*terraform.InstanceState) error {

vault/resource_auth_backend_test.go

@@ -204,6 +204,8 @@ func testResourceAuth_initialCheck(expectedPath string) resource.TestCheckFunc {
 }
 
 func TestResourceAuthTune(t *testing.T) {
+	testutil.SkipTestAcc(t)
+
 	backend := acctest.RandomWithPrefix("github")
 	resName := "vault_auth_backend.test"
 	var resAuthFirst api.AuthMount
@@ -214,7 +216,9 @@ func TestResourceAuthTune(t *testing.T) {
 			{
 				Config: testResourceAuthTune_initialConfig(backend),
 				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAuthMountExists(resName, &resAuthFirst),
+					testutil.TestAccCheckAuthMountExists(resName,
+						&resAuthFirst,
+						testProvider.Meta().(*provider.ProviderMeta).MustGetClient()),
 					resource.TestCheckResourceAttr(resName, "path", backend),
 					resource.TestCheckResourceAttr(resName, "id", backend),
 					resource.TestCheckResourceAttr(resName, "type", "github"),
@@ -283,7 +287,7 @@ func checkAuthMount(backend string, checker func(*api.AuthMount) error) resource
 		for serverPath, serverAuth := range auths {
 			if serverPath == backend+"/" {
 				found = true
-				if serverAuth.Type != "github" {
+				if serverAuth.Type != "github" && serverAuth.Type != "gcp" {
 					return fmt.Errorf("unexpected auth type")
 				}
 

vault/resource_database_secret_backend_connection.go

@@ -534,32 +534,26 @@ func getDatabaseSchema(typ schema.ValueType) schemaMap {
 			ConflictsWith: util.CalculateConflictsWith(dbEngineMySQL.Name(), dbEngineTypes),
 		},
 		dbEngineMySQLRDS.name: {
-			Type:        typ,
-			Optional:    true,
-			Description: "Connection parameters for the mysql-rds-database-plugin plugin.",
-			Elem: connectionStringResource(&connectionStringConfig{
-				includeUserPass: true,
-			}),
+			Type:          typ,
+			Optional:      true,
+			Description:   "Connection parameters for the mysql-rds-database-plugin plugin.",
+			Elem:          mysqlConnectionStringResource(),
 			MaxItems:      1,
 			ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLRDS.Name(), dbEngineTypes),
 		},
 		dbEngineMySQLAurora.name: {
-			Type:        typ,
-			Optional:    true,
-			Description: "Connection parameters for the mysql-aurora-database-plugin plugin.",
-			Elem: connectionStringResource(&connectionStringConfig{
-				includeUserPass: true,
-			}),
+			Type:          typ,
+			Optional:      true,
+			Description:   "Connection parameters for the mysql-aurora-database-plugin plugin.",
+			Elem:          mysqlConnectionStringResource(),
 			MaxItems:      1,
 			ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLAurora.Name(), dbEngineTypes),
 		},
 		dbEngineMySQLLegacy.name: {
-			Type:        typ,
-			Optional:    true,
-			Description: "Connection parameters for the mysql-legacy-database-plugin plugin.",
-			Elem: connectionStringResource(&connectionStringConfig{
-				includeUserPass: true,
-			}),
+			Type:          typ,
+			Optional:      true,
+			Description:   "Connection parameters for the mysql-legacy-database-plugin plugin.",
+			Elem:          mysqlConnectionStringResource(),
 			MaxItems:      1,
 			ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLLegacy.Name(), dbEngineTypes),
 		},
@@ -912,11 +906,11 @@ func getDatabaseAPIDataForEngine(engine *dbEngine, idx int, d *schema.ResourceDa
 	case dbEngineMySQL:
 		setMySQLDatabaseConnectionData(d, prefix, data, meta)
 	case dbEngineMySQLRDS:
-		setDatabaseConnectionDataWithUserPass(d, prefix, data)
+		setMySQLDatabaseConnectionData(d, prefix, data, meta)
 	case dbEngineMySQLAurora:
-		setDatabaseConnectionDataWithUserPass(d, prefix, data)
+		setMySQLDatabaseConnectionData(d, prefix, data, meta)
 	case dbEngineMySQLLegacy:
-		setDatabaseConnectionDataWithUserPass(d, prefix, data)
+		setMySQLDatabaseConnectionData(d, prefix, data, meta)
 	case dbEngineOracle:
 		setDatabaseConnectionDataWithUserPass(d, prefix, data)
 	case dbEnginePostgres:
@@ -1890,11 +1884,11 @@ func getDBConnectionConfig(d *schema.ResourceData, engine *dbEngine, idx int,
 	case dbEngineMySQL:
 		result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 	case dbEngineMySQLRDS:
-		result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+		result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 	case dbEngineMySQLAurora:
-		result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+		result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 	case dbEngineMySQLLegacy:
-		result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+		result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 	case dbEngineOracle:
 		result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
 	case dbEnginePostgres:

vault/resource_database_secret_backend_connection_test.go

@@ -749,10 +749,29 @@ func TestAccDatabaseSecretBackendConnection_mysql_tls(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.max_connection_lifetime", "0"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.%", "1"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.password", password),
-					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tlsCA", tlsCA+"\n"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tls_ca", tlsCA+"\n"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tls_certificate_key", tlsCertificateKey+"\n"),
 				),
 			},
+			{
+				Config: testAccDatabaseSecretBackendConnectionConfig_mysql_aurora_tls(name, backend, connURL, password, tlsCA, tlsCertificateKey),
+				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "root_rotation_statements.0", "FOOBAR"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "verify_connection", "true"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.connection_url", connURL),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_open_connections", "2"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_idle_connections", "0"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_connection_lifetime", "0"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.%", "1"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.password", password),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.tls_ca", tlsCA+"\n"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.tls_certificate_key", tlsCertificateKey+"\n"),
+				),
+			},
 		},
 	})
 }
@@ -1509,6 +1528,36 @@ EOT
 `, path, name, connURL, tls_ca, tls_certificate_key, password)
 }
 
+func testAccDatabaseSecretBackendConnectionConfig_mysql_aurora_tls(name, path, connURL, password, tls_ca, tls_certificate_key string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "db" {
+  path = "%s"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "test" {
+  backend = vault_mount.db.path
+  name = "%s"
+  allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
+
+  mysql_aurora {
+	  connection_url = "%s"
+	  tls_ca              = <<EOT
+%s
+EOT
+	  tls_certificate_key = <<EOT
+%s
+EOT
+  }
+
+  data = {
+	  password            = "%s"
+  }
+}
+`, path, name, connURL, tls_ca, tls_certificate_key, password)
+}
+
 func testAccDatabaseSecretBackendConnectionConfigTemplated_mysql(name, path, connURL, username, password string, connLifetime int) string {
 	config := fmt.Sprintf(`
 resource "vault_mount" "db" {

vault/resource_gcp_auth_backend.go

@@ -93,6 +93,7 @@ func gcpAuthBackendResource() *schema.Resource {
 				Computed:    true,
 				Description: "The accessor of the auth backend",
 			},
+			"tune": authMountTuneSchema(),
 		},
 	}, false)
 }
@@ -194,14 +195,17 @@ func gcpAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 		return e
 	}
 
-	path := gcpAuthBackendConfigPath(d.Id())
+	gcpPath := d.Id()
+	gcpAuthPath := "auth/" + gcpPath
+	path := gcpAuthBackendConfigPath(gcpPath)
 
 	if !d.IsNewResource() {
 		newMount, err := util.Remount(d, client, consts.FieldPath, true)
 		if err != nil {
 			return err
 		}
 
+		gcpAuthPath = "auth/" + newMount
 		path = gcpAuthBackendConfigPath(newMount)
 	}
 
@@ -223,12 +227,34 @@ func gcpAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 		data["custom_endpoint"] = endpoints
 	}
 
-	log.Printf("[DEBUG] Writing gcp config %q", path)
+	if d.HasChange("tune") {
+		log.Printf("[INFO] %s Auth %q tune configuration changed", gcpAuthType, gcpAuthPath)
+		if raw, ok := d.GetOk("tune"); ok {
+			log.Printf("[DEBUG] Writing %s auth tune to %q", gcpAuthType, gcpAuthPath)
+			err := authMountTune(client, gcpAuthPath, raw)
+			if err != nil {
+				return nil
+			}
+		}
+	}
+
+	if d.HasChange("description") {
+		description := d.Get("description").(string)
+		tune := api.MountConfigInput{Description: &description}
+		err := client.Sys().TuneMount(gcpAuthPath, tune)
+		if err != nil {
+			log.Printf("[ERROR] Error updating %s auth description at %q", gcpAuthType, gcpAuthPath)
+			return err
+		}
+	}
+
+	log.Printf("[DEBUG] Writing %s config at path %q", gcpAuthType, path)
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
 		d.SetId("")
 		return fmt.Errorf("error writing gcp config %q: %s", path, err)
 	}
+
 	log.Printf("[DEBUG] Wrote gcp config %q", path)
 
 	return gcpAuthBackendRead(d, meta)
@@ -240,7 +266,9 @@ func gcpAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 		return e
 	}
 
-	path := gcpAuthBackendConfigPath(d.Id())
+	gcpPath := d.Id()
+	gcpAuthPath := "auth/" + gcpPath
+	path := gcpAuthBackendConfigPath(gcpPath)
 
 	log.Printf("[DEBUG] Reading gcp auth backend config %q", path)
 	resp, err := client.Logical().Read(path)
@@ -278,21 +306,35 @@ func gcpAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 			return err
 		}
 	}
+
 	// fetch AuthMount in order to set accessor attribute
-	mount, err := getAuthMountIfPresent(client, d.Id())
+	mount, err := getAuthMountIfPresent(client, gcpPath)
 	if err != nil {
 		return err
 	}
 	if mount == nil {
 		d.SetId("")
 		return nil
 	}
-	if err := d.Set("accessor", mount.Accessor); err != nil {
+	log.Printf("[DEBUG] Reading %s auth tune from '%s/tune'", gcpAuthType, gcpAuthPath)
+	rawTune, err := authMountTuneGet(client, gcpAuthPath)
+	if err != nil {
+		return fmt.Errorf("error reading tune information from Vault: %w", err)
+	}
+	data := map[string]interface{}{}
+	data["tune"] = []map[string]interface{}{rawTune}
+	if err := util.SetResourceData(d, data); err != nil {
 		return err
 	}
 
+	if err := d.Set("accessor", mount.Accessor); err != nil {
+		return err
+	}
+	if err := d.Set("description", mount.Description); err != nil {
+		return err
+	}
 	// set the auth backend's path
-	if err := d.Set("path", d.Id()); err != nil {
+	if err := d.Set("path", gcpPath); err != nil {
 		return err
 	}