Adds support for configuring external_entropy_access on secrets engin…

…es (hashicorp#792)

go.mod

@@ -12,8 +12,8 @@ require (
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/hashicorp/terraform-plugin-sdk v1.4.1
 	github.com/hashicorp/vault v1.2.0
-	github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519
-	github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8
+	github.com/hashicorp/vault/api v1.0.5-0.20191017173300-47a54ac8bc6c
+	github.com/hashicorp/vault/sdk v0.1.14-0.20191017173300-47a54ac8bc6c
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
 	github.com/ulikunitz/xz v0.5.6 // indirect

go.sum

@@ -249,6 +249,8 @@ github.com/hashicorp/go-retryablehttp v0.5.3 h1:QlWt0KvWT0lq8MFppF9tsJGF+ynG7ztc
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.5.4 h1:1BZvpawXoJCWX6pNtow9+rpEj+3itIlutiqnntI6jOE=
 github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+github.com/hashicorp/go-retryablehttp v0.6.2 h1:bHM2aVXwBtBJWxHtkSrWuI4umABCUczs52eiUS9nSiw=
+github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY=
 github.com/hashicorp/go-rootcerts v1.0.0 h1:Rqb66Oo1X/eSV1x66xbDccZjhJigjg0+e82kpwzSwCI=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.1 h1:DMo4fmknnz0E0evoNYnV48RjWndOsmd6OW+09R3cEP8=
@@ -263,6 +265,8 @@ github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdv
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.2-0.20191001231223-f32f5fe8d6a8 h1:PKbxRbsOP7R3f/TpdqcgXrO69T3yd9nLoR+RMRUxSxA=
+github.com/hashicorp/go-uuid v1.0.2-0.20191001231223-f32f5fe8d6a8/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.1.0 h1:bPIoEKD27tNdebFGGxxYwcL4nepeY4j1QP23PFRGzg0=
 github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
@@ -313,11 +317,17 @@ github.com/hashicorp/vault/api v1.0.1/go.mod h1:AV/+M5VPDpB90arloVX0rVDUIHkONiwz
 github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q=
 github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519 h1:2qdbEUXjHohC+OYHtVU5lujvPAHPKYR4IMs9rsiUTk8=
 github.com/hashicorp/vault/api v1.0.5-0.20190730042357-746c0b111519/go.mod h1:i9PKqwFko/s/aihU1uuHGh/FaQS+Xcgvd9dvnfAvQb0=
+github.com/hashicorp/vault/api v1.0.5-0.20191017173300-47a54ac8bc6c h1:H/+aHBglCDZZp2X7KUHc/gSbtxMjulGVyjgT7n1xZ6Q=
+github.com/hashicorp/vault/api v1.0.5-0.20191017173300-47a54ac8bc6c/go.mod h1:8vZ3PoohxqemJEi//WSVsaMKwwXyyfP8zt9KHgBVhKU=
 github.com/hashicorp/vault/sdk v0.1.8/go.mod h1:tHZfc6St71twLizWNHvnnbiGFo1aq0eD2jGPLtP8kAU=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/vault/sdk v0.1.14-0.20190729200543-e88721c7db1e/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8 h1:fLUoZ8cI/pqlVCk09r88cVoY7ggKEl1A4e6Mujr3RvU=
 github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
+github.com/hashicorp/vault/sdk v0.1.14-0.20190919081434-645ac174deeb h1:nnEdUjkunowrFrXHAKV+iq6AXsHDtdBzKcSQMF8zklA=
+github.com/hashicorp/vault/sdk v0.1.14-0.20190919081434-645ac174deeb/go.mod h1:wcxXjskBz2VmyZm4MKNoLCOqsQEKkyBAUIP2YBTJL1g=
+github.com/hashicorp/vault/sdk v0.1.14-0.20191017173300-47a54ac8bc6c h1:oghjhKyqPIjgJUVgA85mAyR4rXtt4B2UTFZ6FGA+kus=
+github.com/hashicorp/vault/sdk v0.1.14-0.20191017173300-47a54ac8bc6c/go.mod h1:tXLVOeyErHGojiim3hA6DUSxcRisohZbpATIpln8JsE=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
@@ -432,6 +442,7 @@ github.com/ory/dockertest v3.3.4+incompatible h1:VrpM6Gqg7CrPm3bL4Wm1skO+zFWLbh7
 github.com/ory/dockertest v3.3.4+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
 github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pierrec/lz4 v2.0.5+incompatible h1:2xWsjqPFWcplujydGg4WmhC/6fZqK42wMM8aXeqhl0I=

vault/resource_mount.go

@@ -92,6 +92,14 @@ func mountResource() *schema.Resource {
 				Computed:    true,
 				Description: "Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability",
 			},
+
+			"external_entropy_access": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				ForceNew:    true,
+				Description: "Enable the secrets engine to access Vault's external entropy source",
+			},
 		},
 	}
 }
@@ -106,9 +114,10 @@ func mountWrite(d *schema.ResourceData, meta interface{}) error {
 			DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
 			MaxLeaseTTL:     fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
 		},
-		Local:    d.Get("local").(bool),
-		Options:  opts(d),
-		SealWrap: d.Get("seal_wrap").(bool),
+		Local:                 d.Get("local").(bool),
+		Options:               opts(d),
+		SealWrap:              d.Get("seal_wrap").(bool),
+		ExternalEntropyAccess: d.Get("external_entropy_access").(bool),
 	}
 
 	path := d.Get("path").(string)
@@ -218,6 +227,7 @@ func mountRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("local", mount.Local)
 	d.Set("options", mount.Options)
 	d.Set("seal_wrap", mount.SealWrap)
+	d.Set("external_entropy_access", mount.ExternalEntropyAccess)
 
 	return nil
 }

vault/resource_mount_test.go

@@ -140,6 +140,36 @@ func TestResourceMount_KVV2(t *testing.T) {
 	})
 }
 
+func TestResourceMount_ExternalEntropyAccess(t *testing.T) {
+	path := acctest.RandomWithPrefix("example")
+	resource.Test(t, resource.TestCase{
+		Providers: testProviders,
+		PreCheck:  func() { testAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				Config: testResourceMount_InitialConfigExternalEntropyAccess(path),
+				Check:  testResourceMount_CheckExternalEntropyAccess(path, false),
+			},
+			{
+				Config: testResourceMount_UpdateConfigExternalEntropyAccess(path, true),
+				Check:  testResourceMount_CheckExternalEntropyAccess(path, true),
+			},
+			{
+				Config: testResourceMount_UpdateConfigExternalEntropyAccess(path, false),
+				Check:  testResourceMount_CheckExternalEntropyAccess(path, false),
+			},
+			{
+				Config: testResourceMount_UpdateConfigExternalEntropyAccess(path, true),
+				Check:  testResourceMount_CheckExternalEntropyAccess(path, true),
+			},
+			{
+				Config: testResourceMount_InitialConfigExternalEntropyAccess(path),
+				Check:  testResourceMount_CheckExternalEntropyAccess(path, false),
+			},
+		},
+	})
+}
+
 func testResourceMount_initialConfig(cfg mountConfig) string {
 	return fmt.Sprintf(`
 resource "vault_mount" "test" {
@@ -449,6 +479,67 @@ func testResourceMount_UpdateCheckSealWrap(s *terraform.State) error {
 	return nil
 }
 
+func testResourceMount_CheckExternalEntropyAccess(expectedPath string, expectedExternalEntropyAccess bool) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resourceState := s.Modules[0].Resources["vault_mount.test"]
+		if resourceState == nil {
+			return fmt.Errorf("resource not found in state")
+		}
+
+		instanceState := resourceState.Primary
+		if instanceState == nil {
+			return fmt.Errorf("resource has no primary instance")
+		}
+
+		path := instanceState.ID
+
+		if path != instanceState.Attributes["path"] {
+			return fmt.Errorf("id %q doesn't match path %q", path, instanceState.Attributes["path"])
+		}
+
+		if path != expectedPath {
+			return fmt.Errorf("unexpected path %q, expected %q", path, expectedPath)
+		}
+
+		mount, err := findMount(path)
+		if err != nil {
+			return fmt.Errorf("error reading back mount %q: %s", path, err)
+		}
+
+		if mount.ExternalEntropyAccess != expectedExternalEntropyAccess {
+			return fmt.Errorf("external_entropy_access is %v; wanted %t", mount.ExternalEntropyAccess,
+				expectedExternalEntropyAccess)
+		}
+
+		return nil
+	}
+}
+
+func testResourceMount_InitialConfigExternalEntropyAccess(path string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path = "%s"
+	type = "transit"
+	description = "Example mount for testing"
+	default_lease_ttl_seconds = 3600
+	max_lease_ttl_seconds = 36000
+}
+`, path)
+}
+
+func testResourceMount_UpdateConfigExternalEntropyAccess(path string, externalEntropyAccess bool) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "test" {
+	path = "%s"
+	type = "transit"
+	description = "Example mount for testing"
+	default_lease_ttl_seconds = 3600
+	max_lease_ttl_seconds = 36000
+	external_entropy_access = %t
+}
+`, path, externalEntropyAccess)
+}
+
 func findMount(path string) (*api.MountOutput, error) {
 	client := testProvider.Meta().(*api.Client)