auth_method: add token_name_format to resource_acl_auth_method (#403)

CHANGELOG.md

@@ -5,6 +5,7 @@ IMPROVEMENTS:
 * provider: update Go to 1.21.5 ([#399](https://github.com/hashicorp/terraform-provider-nomad/pull/399))
 * resource/nomad_csi_volume: changes to `capacity_min` or `capacity_max` may now expand the volume instead of forcing replacement,
   on Nomad version 1.6.3 or later, if the CSI plugin supports it ([#382](https://github.com/hashicorp/terraform-provider-nomad/pull/382))
+* resource/acl_auth_method: add support for `token_name_format` ([#403](https://github.com/hashicorp/terraform-provider-nomad/pull/403))
 
 BUG FIXES:
 * resource/nomad_acl_policy: fixed a bug where the namespace would be incorrectly calculated from a job identity ([#396](https://github.com/hashicorp/terraform-provider-nomad/pull/396))

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/hashicorp/vault v0.10.4
 	github.com/shoenig/test v1.7.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
 )
 
 require (
@@ -38,7 +38,7 @@ require (
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/uuid v1.3.1 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
@@ -79,10 +79,10 @@ require (
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/zclconf/go-cty v1.13.2 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/crypto v0.16.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect

go.sum

@@ -77,8 +77,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/hashicorp/consul/api v1.26.1 h1:5oSXOO5fboPZeW5SN+TdGFP/BILDgBm19OrPZ/pICIM=
 github.com/hashicorp/consul/api v1.26.1/go.mod h1:B4sQTeaSO16NtynqrAdwOlahJ7IUDZM9cj2420xYL8A=
 github.com/hashicorp/cronexpr v1.1.2 h1:wG/ZYIKT+RT3QkOdgYc+xsKWVRgnxJ1OJtjjy84fJ9A=
@@ -259,13 +259,13 @@ golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8=
+golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -275,8 +275,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -295,13 +295,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -314,8 +314,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=

nomad/provider_test.go

@@ -98,7 +98,7 @@ func testCheckVersion(t *testing.T, versionCheck func(version.Version) bool) {
 			t.Skip("could not parse node version: ", err)
 		} else {
 			if !versionCheck(*version) {
-				t.Skip(fmt.Sprintf("node version '%v' not appropriate for test", version.String()))
+				t.Skipf("node version '%v' not appropriate for test", version.String())
 			}
 		}
 	} else {

nomad/resource_acl_auth_method.go

@@ -54,6 +54,11 @@ func resourceACLAuthMethod() *schema.Resource {
 				Required:    true,
 				Type:        schema.TypeString,
 			},
+			"token_name_format": {
+				Description: "Defines the token format for the authenticated users. This can be lightly templated using HIL '${foo}' syntax.",
+				Optional:    true,
+				Type:        schema.TypeString,
+			},
 			"default": {
 				Description: "Defines whether this ACL Auth Method is to be set as default.",
 				Optional:    true,
@@ -219,6 +224,7 @@ func resourceACLAuthMethodRead(d *schema.ResourceData, meta interface{}) error {
 	_ = d.Set("type", authMethod.Type)
 	_ = d.Set("token_locality", authMethod.TokenLocality)
 	_ = d.Set("max_token_ttl", authMethod.MaxTokenTTL.String())
+	_ = d.Set("token_name_format", authMethod.TokenNameFormat)
 	_ = d.Set("default", authMethod.Default)
 	_ = d.Set("config", flattenACLAuthMethodConfig(authMethod.Config))
 
@@ -248,10 +254,11 @@ func resourceACLAuthMethodExists(d *schema.ResourceData, meta interface{}) (bool
 func generateNomadACLAuthMethod(d *schema.ResourceData) (*api.ACLAuthMethod, error) {
 
 	aclAuthMethod := api.ACLAuthMethod{
-		Name:          d.Get("name").(string),
-		Type:          d.Get("type").(string),
-		TokenLocality: d.Get("token_locality").(string),
-		Default:       d.Get("default").(bool),
+		Name:            d.Get("name").(string),
+		Type:            d.Get("type").(string),
+		TokenLocality:   d.Get("token_locality").(string),
+		TokenNameFormat: d.Get("token_name_format").(string),
+		Default:         d.Get("default").(bool),
 	}
 
 	// Pull the string value of the token TTL and parse this as a time

nomad/resource_acl_auth_method_test.go

@@ -43,11 +43,12 @@ func TestResourceACLAuthMethod(t *testing.T) {
 func testResourceACLAuthMethodConfig(name, uiCallback string, defaultVal bool) string {
 	return fmt.Sprintf(`
 resource "nomad_acl_auth_method" "test" {
-  name           = "%s"
-  type           = "OIDC"
-  token_locality = "global"
-  max_token_ttl  = "10m0s"
-  default        = %v
+  name           	= "%s"
+  type           	= "OIDC"
+  token_locality 	= "global"
+  token_name_format	= "$${auth_method_type}-$${auth_method_name}-$${value.user}"
+  max_token_ttl  	= "10m0s"
+  default        	= %v
 
   config {
     oidc_discovery_url    = "https://uk.auth0.com/"
@@ -78,6 +79,7 @@ func testResourceACLAuthMethodCheck(name, uiCallback, defaultVal string) resourc
 			expectedType             = "OIDC"
 			expectedTokenLocality    = "global"
 			expectedMaxTokenTTL      = "10m0s"
+			expectedTokenNameFormat  = "${auth_method_type}-${auth_method_name}-${value.user}"
 			expectedOIDCDiscoveryURL = "https://uk.auth0.com/"
 			expectedOIDCClientID     = "someclientid"
 			expectedOIDCClientSecret = "someclientsecret-t"
@@ -166,6 +168,9 @@ func testResourceACLAuthMethodCheck(name, uiCallback, defaultVal string) resourc
 		if authMethod.MaxTokenTTL.String() != expectedMaxTokenTTL {
 			return fmt.Errorf("expected max token TTL to be %q, is %q in API", expectedMaxTokenTTL, authMethod.MaxTokenTTL)
 		}
+		if authMethod.TokenNameFormat != expectedTokenNameFormat {
+			return fmt.Errorf("expected token name format to be %q, is %q in API", expectedTokenNameFormat, authMethod.TokenNameFormat)
+		}
 		if strconv.FormatBool(authMethod.Default) != defaultVal {
 			return fmt.Errorf(`expected default to be %q, is "%v" in API`, defaultVal, authMethod.Default)
 		}

nomad/resource_acl_binding_rule_test.go

@@ -57,11 +57,12 @@ func TestResourceACLManagementBindingRule(t *testing.T) {
 func testResourceACLBindingRuleConfig(description, bindingName string) string {
 	return fmt.Sprintf(`
 resource "nomad_acl_auth_method" "test" {
-	name           = "tf-provider-acl-binding-rule-test-auth-method"
-	type           = "OIDC"
-	token_locality = "global"
-	max_token_ttl  = "10m0s"
-	default        = true
+	name           	  = "tf-provider-acl-binding-rule-test-auth-method"
+	type           	  = "OIDC"
+	token_locality 	  = "global"
+	token_name_format = "$${auth_method_type}-$${auth_method_name}-$${value.user}"
+	max_token_ttl  	  = "10m0s"
+	default        	  = true
 
 	config {
 		oidc_discovery_url    = "https://uk.auth0.com/"
@@ -94,11 +95,12 @@ resource "nomad_acl_binding_rule" "test" {
 func testResourceACLBindingManagementRuleConfig() string {
 	return `
 resource "nomad_acl_auth_method" "test" {
-	name           = "tf-provider-acl-binding-rule-test-auth-method"
-	type           = "OIDC"
-	token_locality = "global"
-	max_token_ttl  = "10m0s"
-	default        = true
+	name              = "tf-provider-acl-binding-rule-test-auth-method"
+	type              = "OIDC"
+	token_locality 	  = "global"
+	token_name_format = "$${auth_method_type}-$${auth_method_name}-$${value.user}"
+	max_token_ttl     = "10m0s"
+	default           = true
 
 	config {
 		oidc_discovery_url    = "https://uk.auth0.com/"

website/docs/r/acl_auth_method.html.markdown

@@ -16,11 +16,12 @@ Creating an ALC Auth Method:
 
 ```hcl
 resource "nomad_acl_auth_method" "my_nomad_acl_auth_method" {
-  name           = "my-nomad-acl-auth-method"
-  type           = "OIDC"
-  token_locality = "global"
-  max_token_ttl  = "10m0s"
-  default        = true
+  name              = "my-nomad-acl-auth-method"
+  type              = "OIDC"
+  token_locality    = "global"
+  max_token_ttl     = "10m0s"
+  token_name_format = "$${auth_method_type}-$${value.user}"
+  default           = true
 
   config {
     oidc_discovery_url    = "https://uk.auth0.com/"
@@ -54,5 +55,9 @@ The following arguments are supported:
 - `max_token_ttl` `(string: <required>)` - Defines the maximum life of a token 
   created by this method and is specified as a time duration such as "15h".
 
+- `token_name_format` `(string: <optional>)` - Defines the token name format for the
+  generated tokens This can be lightly templated using HIL '${foo}' syntax. 
+  Defaults to `${auth_method_type}-${auth_method_name}`.
+
 - `default` `(bool: false)` - Defines whether this ACL Auth Method is to be set
   as default.