

only support external_id on vault versions >= 1.17
external_id support for aws auth sts configuration added in 1.17.0: hashicorp/vault#26628
helenfufu committed Nov 20, 2024
1 parent 651c058 commit c5e7afa
Showing 2 changed files with 56 additions and 33 deletions.
20 changes: 14 additions & 6 deletions vault/resource_aws_auth_backend_sts_role.go
Expand Up @@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error
path := awsAuthBackendSTSRolePath(backend, accountID)

data := map[string]interface{}{
"sts_role": stsRole,
consts.FieldExternalID: externalID,
"sts_role": stsRole,
}

if provider.IsAPISupported(meta, provider.VaultVersion117) {
data[consts.FieldExternalID] = externalID
}

log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path)
Expand Down Expand Up @@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error {
d.Set("account_id", accountID)
d.Set("sts_role", resp.Data["sts_role"])

if v, ok := resp.Data[consts.FieldExternalID]; ok {
d.Set(consts.FieldExternalID, v)
if provider.IsAPISupported(meta, provider.VaultVersion117) {
if v, ok := resp.Data[consts.FieldExternalID]; ok {
d.Set(consts.FieldExternalID, v)
}
}

return nil
Expand All @@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error
path := d.Id()

data := map[string]interface{}{
"sts_role": stsRole,
consts.FieldExternalID: externalID,
"sts_role": stsRole,
}

if provider.IsAPISupported(meta, provider.VaultVersion117) {
data[consts.FieldExternalID] = externalID
}

log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path)
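Review bot: When the connected Vault is older than 1.17, the new guard in `awsAuthBackendSTSRoleCreate` silently drops a configured `external_id` rather than reporting it, and the same pattern recurs in the `awsAuthBackendSTSRoleUpdate` hunk (`@@ -147,8 +152,11 @@`). The external ID is the value an operator sets to restrict who may assume the STS role, so a user who configures it against an unsupported server gets a successful apply and a state that shows the value as set while Vault never received it. Add an explicit failure branch after the guard, `} else if externalID != "" { return fmt.Errorf("%s requires Vault 1.17 or later", consts.FieldExternalID) }` (assuming `fmt` is imported in this file; otherwise follow the file's existing error-construction style). The read hunk is fine as written, since it only sets the attribute when the server returned one. Both function bodies begin outside their hunks.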
69 changes: 42 additions & 27 deletions vault/resource_aws_auth_backend_sts_role_test.go
Expand Up @@ -6,6 +6,7 @@ package vault
import (
"fmt"
"strconv"
"strings"
"testing"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
Expand All @@ -22,6 +23,13 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) {
accountID := strconv.Itoa(acctest.RandInt())
arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role")
externalID := "external-id"

importStateVerifyIgnore := make([]string, 0)
// Ignore external_id if Vault version is < 1.17.0.
if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) {
importStateVerifyIgnore = append(importStateVerifyIgnore, consts.FieldExternalID)
}

resource.Test(t, resource.TestCase{
PreCheck: func() { testutil.TestAccPreCheck(t) },
ProviderFactories: providerFactories,
Expand All @@ -32,9 +40,10 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) {
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
},
{
ResourceName: "vault_aws_auth_backend_sts_role.role",
ImportState: true,
ImportStateVerify: true,
ResourceName: "vault_aws_auth_backend_sts_role.role",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: importStateVerifyIgnore,
},
},
})
Expand All @@ -56,13 +65,18 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) {
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
},
{
// Update ARN.
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
{
// Add external ID.
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
{
// Update ARN and external ID.
// Update external ID.
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
Expand Down Expand Up @@ -130,9 +144,13 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string)
}

attrs := map[string]string{
"sts_role": "sts_role",
consts.FieldExternalID: consts.FieldExternalID,
"sts_role": "sts_role",
}
// Only check external_id if Vault version is >= 1.17.0
if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) {
attrs[consts.FieldExternalID] = consts.FieldExternalID
}

for stateAttr, apiAttr := range attrs {
if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
continue
Expand All @@ -146,30 +164,27 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string)
}

func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string {
roleResource := fmt.Sprintf(`
resource "vault_aws_auth_backend_sts_role" "role" {
backend = vault_auth_backend.aws.path
account_id = "%s"
sts_role = "%s"
}
`, accountID, stsRole)
backendResource := fmt.Sprintf(`
resource "vault_auth_backend" "aws" {
type = "aws"
path = "%s"
}`, backend)

roleResourceOptionalFields := ""
if externalID != "" {
roleResource = fmt.Sprintf(`
roleResourceOptionalFields += fmt.Sprintf(`
external_id = "%s"`, externalID)
}

roleResource := fmt.Sprintf(`
resource "vault_aws_auth_backend_sts_role" "role" {
backend = vault_auth_backend.aws.path
account_id = "%s"
sts_role = "%s"
external_id = "%s"
sts_role = "%s"%s
}
`, accountID, stsRole, externalID)
}
`, accountID, stsRole, roleResourceOptionalFields)

return fmt.Sprintf(`
resource "vault_auth_backend" "aws" {
type = "aws"
path = "%s"
}
%s
`, backend, roleResource)
resources := []string{backendResource, roleResource}

return strings.Join(resources, "\n")
}
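Review bot: In the `TestAccAWSAuthBackendSTSRole_basic` hunk the steps that add and then update `external_id` still run against Vault versions below 1.17, where the provider omits the field and `testAccAWSAuthBackendSTSRoleCheck_attrs` now skips it, so on those versions both steps pass without exercising what their comments say they test. Gate those two steps on the same `provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117)` condition the import test introduces, building the step list conditionally as sketched below. A minor style point in `testAccAWSAuthBackendSTSRoleConfig_basic`: the new `strings` import serves a single two-element `strings.Join`, where `backendResource + "\n" + roleResource` reads the same without the slice, and interpolating `externalID` with `%q` instead of a hand-quoted `"%s"` is more robust for values containing quotes. The `resource.Test` call that consumes the steps begins outside the hunk.
```go
// … unchanged: first two steps (create, update ARN) as steps[0] and steps[1] …
// external_id only round-trips on Vault >= 1.17; on older servers these steps pass vacuously.
if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) {
	steps = append(steps,
		resource.TestStep{
			// Add external ID.
			Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
			Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
		},
		resource.TestStep{
			// Update external ID.
			Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
			Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
		},
	)
}
// … unchanged: resource.Test(t, resource.TestCase{ …, Steps: steps }) …
```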

