Merge branch 'main' into VAULT-24263/add-project-id-param-gcp

.github/workflows/golangci-lint.yml

@@ -0,0 +1,29 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  # Required to use the `only-new-issues` option below
+  pull-requests: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version-file: '.go-version'
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804
+        with:
+          version: latest
+          args: --timeout 10m --verbose
+          # show only new issues if it's a pull request
+          only-new-issues: true

.go-version

@@ -1 +1 @@
-1.21.3
+1.21.6

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 BUGS:
 * Handle graceful destruction of resources when approle is deleted out-of-band ([#2142](https://github.com/hashicorp/terraform-provider-vault/pull/2142)).
+* Ensure errors are returned on read operations for `vault_ldap_secret_backend_static_role`, `vault_ldap_secret_backend_library_set`, and `vault_ldap_secret_backend_static_role` ([#2156](https://github.com/hashicorp/terraform-provider-vault/pull/2156)).
+* Ensure proper use of issuer endpoints for root sign intermediate resource: ([#2160](https://github.com/hashicorp/terraform-provider-vault/pull/2160))
+
+FEATURES:
+* Add support for PKI Secrets Engine cluster configuration with the `vault_pki_secret_backend_config_cluster` resource. Requires Vault 1.13+ ([#1949](https://github.com/hashicorp/terraform-provider-vault/pull/1949)).
+* Add support to `enable_templating` in `vault_pki_secret_backend_config_urls` ([#2147](https://github.com/hashicorp/terraform-provider-vault/pull/2147)).
+* Add support for `skip_import_rotation` and `skip_static_role_import_rotation` in `ldap_secret_backend_static_role` and `ldap_secret_backend` respectively. Requires Vault 1.16+ ([#2128](https://github.com/hashicorp/terraform-provider-vault/pull/2128)).
+* Improve logging to track full API exchanges between the provider and Vault ([#2139](https://github.com/hashicorp/terraform-provider-vault/pull/2139))
+
+IMPROVEMENTS:
+* Improve performance of READ operations across many resources: ([#2145](https://github.com/hashicorp/terraform-provider-vault/pull/2145)), ([#2152](https://github.com/hashicorp/terraform-provider-vault/pull/2152))
 
 ## 3.25.0 (Feb 14, 2024)
 

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-jwt v0.18.0
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.10.1
 	github.com/hashicorp/vault-plugin-auth-oci v0.14.2
-	github.com/hashicorp/vault/api v1.11.1-0.20240201194553-aab72100fb2f
+	github.com/hashicorp/vault/api v1.12.1-0.20240216201659-6dd2389edd36
 	github.com/hashicorp/vault/sdk v0.10.2
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/mitchellh/go-homedir v1.1.0

go.sum

@@ -1617,8 +1617,8 @@ github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidg
 github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs=
 github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
 github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
-github.com/hashicorp/vault/api v1.11.1-0.20240201194553-aab72100fb2f h1:p+fDsRR6J7c44vcQA9riGGH37GUI9Q//HhVO5F1kmHo=
-github.com/hashicorp/vault/api v1.11.1-0.20240201194553-aab72100fb2f/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
+github.com/hashicorp/vault/api v1.12.1-0.20240216201659-6dd2389edd36 h1:4ApyDglDAlhL3s9Nu/Fl8V8lS2N7cY0eA9DXDLNHIgM=
+github.com/hashicorp/vault/api v1.12.1-0.20240216201659-6dd2389edd36/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.2.1/go.mod h1:WfUiO1vYzfBkz1TmoE4ZGU7HD0T0Cl/rZwaxjBkgN4U=
 github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=

helper/transport.go

@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"github.com/google/uuid"
 	"log"
 	"net/http"
 	"net/http/httputil"
@@ -56,6 +57,7 @@ func DefaultTransportOptions() *TransportOptions {
 	if logBody, err := strconv.ParseBool(os.Getenv(EnvLogBody)); err == nil {
 		opts.LogRequestBody = logBody
 		opts.LogResponseBody = logBody
+
 	} else {
 		if logRequestBody, err := strconv.ParseBool(os.Getenv(EnvLogRequestBody)); err == nil {
 			opts.LogRequestBody = logRequestBody
@@ -89,6 +91,7 @@ func (t *TransportWrapper) SetTLSConfig(c *tls.Config) error {
 }
 
 func (t *TransportWrapper) RoundTrip(req *http.Request) (*http.Response, error) {
+	transportID := uuid.New().String()
 	if logging.IsDebugOrHigher() {
 		var origHeaders http.Header
 		if len(t.options.HMACRequestHeaders) > 0 && len(req.Header) > 0 {
@@ -108,7 +111,7 @@ func (t *TransportWrapper) RoundTrip(req *http.Request) (*http.Response, error)
 
 		reqData, err := httputil.DumpRequestOut(req, t.options.LogRequestBody)
 		if err == nil {
-			log.Printf("[DEBUG] "+logReqMsg, t.name, prettyPrintJsonLines(reqData))
+			log.Printf("[DEBUG] "+logReqMsg, transportID, t.name, prettyPrintJsonLines(reqData))
 		} else {
 			log.Printf("[ERROR] %s API Request error: %#v", t.name, err)
 		}
@@ -126,7 +129,7 @@ func (t *TransportWrapper) RoundTrip(req *http.Request) (*http.Response, error)
 	if logging.IsDebugOrHigher() {
 		respData, err := httputil.DumpResponse(resp, t.options.LogResponseBody)
 		if err == nil {
-			log.Printf("[DEBUG] "+logRespMsg, t.name, prettyPrintJsonLines(respData))
+			log.Printf("[DEBUG] "+logRespMsg, transportID, t.name, prettyPrintJsonLines(respData))
 		} else {
 			log.Printf("[ERROR] %s API Response error: %#v", t.name, err)
 		}
@@ -157,12 +160,12 @@ func prettyPrintJsonLines(b []byte) string {
 	return strings.Join(parts, "\n")
 }
 
-const logReqMsg = `%s API Request Details:
+const logReqMsg = `[%s] %s API Request Details:
 ---[ REQUEST ]---------------------------------------
 %s
 -----------------------------------------------------`
 
-const logRespMsg = `%s API Response Details:
+const logRespMsg = `[%s] %s API Response Details:
 ---[ RESPONSE ]--------------------------------------
 %s
 -----------------------------------------------------`

internal/consts/consts.go

@@ -373,6 +373,8 @@ const (
 	FieldPermanentlyDelete             = "permanently_delete"
 	FieldSignInAudience                = "sign_in_audience"
 	FieldTags                          = "tags"
+	FieldSkipStaticRoleImportRotation  = "skip_static_role_import_rotation"
+	FieldSkipImportRotation            = "skip_import_rotation"
 	FieldCustomTags                    = "custom_tags"
 	FieldSecretNameTemplate            = "secret_name_template"
 	FieldIAMEndpoint                   = "iam_endpoint"
@@ -392,6 +394,7 @@ const (
 	FieldAppName                       = "app_name"
 	FieldInstallationID                = "installation_id"
 	FieldAppID                         = "app_id"
+	FieldAIAPath                       = "aia_path"
 
 	/*
 		common environment variables

util/mountutil/mountutil.go

@@ -0,0 +1,91 @@
+package mountutil
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+	"github.com/hashicorp/vault/api"
+)
+
+// Error strings that are returned by the Vault API.
+const (
+	ErrVaultSecretMountNotFound = "No secret engine mount at"
+	ErrVaultAuthMountNotFound   = "No auth engine at"
+)
+
+// Error strings that are used internally by TFVP
+var (
+	// ErrMountNotFound is used to signal to resources that a secret or auth
+	// mount does not exist and should be removed from state.
+	ErrMountNotFound = errors.New("mount not found")
+)
+
+// GetMount will fetch the secret mount at the given path.
+func GetMount(ctx context.Context, client *api.Client, path string) (*api.MountOutput, error) {
+	mount, err := client.Sys().GetMountWithContext(ctx, path)
+	// Hardcoding the error string check is not ideal, but Vault does not
+	// return 404 in this case
+	if err != nil && strings.Contains(err.Error(), ErrVaultSecretMountNotFound) {
+		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	}
+	// some other error occured, like 403, etc.
+	if err != nil {
+		return nil, fmt.Errorf("error reading from Vault: %s", err)
+	}
+	// no error but no mount either, so return not found
+	if mount == nil {
+		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	}
+	return mount, nil
+}
+
+// GetAuthMount will fetch the auth mount at the given path.
+func GetAuthMount(ctx context.Context, client *api.Client, path string) (*api.MountOutput, error) {
+	mount, err := client.Sys().GetAuthWithContext(ctx, path)
+	// Hardcoding the error string check is not ideal, but Vault does not
+	// return 404 in this case
+	if err != nil && strings.Contains(err.Error(), ErrVaultAuthMountNotFound) {
+		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	}
+	// some other error occured, like 403, etc.
+	if err != nil {
+		return nil, fmt.Errorf("error reading from Vault: %s", err)
+	}
+	// no error but no mount either, so return not found
+	if mount == nil {
+		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	}
+	return mount, nil
+}
+
+// NormalizeMountPath to be in a form valid for accessing values from api.MountOutput
+func NormalizeMountPath(path string) string {
+	return TrimSlashes(path) + consts.PathDelim
+}
+
+// TrimSlashes from path.
+func TrimSlashes(path string) string {
+	return strings.Trim(path, consts.PathDelim)
+}
+
+// CheckMountEnabledWithContext in Vault
+func CheckMountEnabledWithContext(ctx context.Context, client *api.Client, path string) (bool, error) {
+	_, err := GetMount(ctx, client, path)
+	if errors.Is(err, ErrMountNotFound) {
+		return false, err
+	}
+
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+// CheckMountEnabled in Vault
+func CheckMountEnabled(client *api.Client, path string) (bool, error) {
+	return CheckMountEnabledWithContext(context.Background(), client, path)
+}

util/util.go

@@ -16,8 +16,6 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/vault/api"
-
-	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 )
 
 type (
@@ -281,28 +279,6 @@ func SetResourceData(d *schema.ResourceData, data map[string]interface{}) error
 	return nil
 }
 
-// NormalizeMountPath to be in a form valid for accessing values from api.MountOutput
-func NormalizeMountPath(path string) string {
-	return TrimSlashes(path) + consts.PathDelim
-}
-
-// TrimSlashes from path.
-func TrimSlashes(path string) string {
-	return strings.Trim(path, consts.PathDelim)
-}
-
-// CheckMountEnabled in Vault, path must contain a trailing '/',
-func CheckMountEnabled(client *api.Client, path string) (bool, error) {
-	mounts, err := client.Sys().ListMounts()
-	if err != nil {
-		return false, err
-	}
-
-	_, ok := mounts[NormalizeMountPath(path)]
-
-	return ok, nil
-}
-
 // GetAPIRequestDataWithMap to pass to Vault from schema.ResourceData.
 // The fieldMap specifies the schema field to its vault constituent.
 // If the vault field is empty, then two fields are mapped 1:1.

vault/auth_mount.go

@@ -6,7 +6,6 @@ package vault
 import (
 	"fmt"
 	"log"
-	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -77,19 +76,6 @@ func authMountTuneSchema() *schema.Schema {
 	}
 }
 
-func authMountInfoGet(client *api.Client, path string) (*api.AuthMount, error) {
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		return nil, fmt.Errorf("error reading from auth mounts: %s", err)
-	}
-
-	authMount := auths[strings.Trim(path, "/")+"/"]
-	if authMount == nil {
-		return nil, fmt.Errorf("auth mount %s not present", path)
-	}
-	return authMount, nil
-}
-
 func authMountTune(client *api.Client, path string, configured interface{}) error {
 	input := expandAuthMethodTune(configured.(*schema.Set).List())
 
@@ -124,20 +110,3 @@ func authMountDisable(client *api.Client, path string) error {
 
 	return nil
 }
-
-func getAuthMountIfPresent(client *api.Client, path string) (*api.AuthMount, error) {
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		return nil, fmt.Errorf("error reading from Vault: %s", err)
-	}
-
-	configuredPath := path + "/"
-
-	for authBackendPath, auth := range auths {
-		if authBackendPath == configuredPath {
-			return auth, nil
-		}
-	}
-
-	return nil, nil
-}

vault/data_source_auth_backend.go

@@ -4,12 +4,14 @@
 package vault
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
 )
 
 func authBackendDataSource() *schema.Resource {
@@ -66,29 +68,37 @@ func authBackendDataSourceRead(d *schema.ResourceData, meta interface{}) error {
 		return e
 	}
 
-	targetPath := d.Get("path").(string)
+	path := d.Get("path").(string)
 
-	auths, err := client.Sys().ListAuth()
+	auth, err := mountutil.GetAuthMount(context.Background(), client, path)
 	if err != nil {
 		return fmt.Errorf("error reading from Vault: %s", err)
 	}
 
-	for path, auth := range auths {
-		path = strings.TrimSuffix(path, "/")
-		if path == targetPath {
-			// Compatibility with resource_auth_backend id
-			d.SetId(path)
-			d.Set("type", auth.Type)
-			d.Set("description", auth.Description)
-			d.Set("accessor", auth.Accessor)
-			d.Set("default_lease_ttl_seconds", auth.Config.DefaultLeaseTTL)
-			d.Set("max_lease_ttl_seconds", auth.Config.MaxLeaseTTL)
-			d.Set("listing_visibility", auth.Config.ListingVisibility)
-			d.Set("local", auth.Local)
-			return nil
-		}
+	path = strings.TrimSuffix(path, "/")
+	d.SetId(path)
+
+	if err := d.Set("type", auth.Type); err != nil {
+		return err
+	}
+	if err := d.Set("description", auth.Description); err != nil {
+		return err
+	}
+	if err := d.Set("accessor", auth.Accessor); err != nil {
+		return err
+	}
+	if err := d.Set("default_lease_ttl_seconds", auth.Config.DefaultLeaseTTL); err != nil {
+		return err
+	}
+	if err := d.Set("max_lease_ttl_seconds", auth.Config.MaxLeaseTTL); err != nil {
+		return err
+	}
+	if err := d.Set("listing_visibility", auth.Config.ListingVisibility); err != nil {
+		return err
+	}
+	if err := d.Set("local", auth.Local); err != nil {
+		return err
 	}
 
-	// If we fell out here then we didn't find our Auth in the list.
 	return nil
 }