only support external_id on vault versions >= 1.17
external_id support for aws auth sts configuration added in 1.17.0: hashicorp/vault#26628
helenfufu committed Nov 20, 2024
1 parent 651c058 commit 1eb7bdf
Showing 2 changed files with 34 additions and 9 deletions.
20 changes: 14 additions & 6 deletions vault/resource_aws_auth_backend_sts_role.go
Expand Up @@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error
path := awsAuthBackendSTSRolePath(backend, accountID)

data := map[string]interface{}{
"sts_role": stsRole,
consts.FieldExternalID: externalID,
"sts_role": stsRole,
}

if provider.IsAPISupported(meta, provider.VaultVersion117) {
data[consts.FieldExternalID] = externalID
}

log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path)
Expand Down Expand Up @@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error {
d.Set("account_id", accountID)
d.Set("sts_role", resp.Data["sts_role"])

if v, ok := resp.Data[consts.FieldExternalID]; ok {
d.Set(consts.FieldExternalID, v)
if provider.IsAPISupported(meta, provider.VaultVersion117) {
if v, ok := resp.Data[consts.FieldExternalID]; ok {
d.Set(consts.FieldExternalID, v)
}
}

return nil
Expand All @@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error
path := d.Id()

data := map[string]interface{}{
"sts_role": stsRole,
consts.FieldExternalID: externalID,
"sts_role": stsRole,
}

if provider.IsAPISupported(meta, provider.VaultVersion117) {
data[consts.FieldExternalID] = externalID
}

log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path)
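Review bot: On Vault versions below 1.17 a configured `external_id` is now silently dropped in awsAuthBackendSTSRoleCreate and awsAuthBackendSTSRoleUpdate, so the STS role is written without it while the Terraform configuration still declares it. The external ID is the confused-deputy guard on the cross-account role assumption, so an operator should be told when it is not applied rather than find out later. Consider failing (or at least logging a warning) when the value is set but unsupported, e.g. `if externalID != "" && !provider.IsAPISupported(meta, provider.VaultVersion117) { return fmt.Errorf("external_id requires Vault 1.17 or later") }`; this assumes externalID is a string, since its declaration is outside the hunk. Because the Read hunk also skips the field on older versions, state would probably keep the configured value and no drift would be reported. All three function bodies start and end outside the visible hunks.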
23 changes: 20 additions & 3 deletions vault/resource_aws_auth_backend_sts_role_test.go
Expand Up @@ -56,18 +56,35 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) {
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
},
{
// Update ARN.
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
{
// Add external ID.
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion117), nil
},
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
{
// Update ARN and external ID.
// Update external ID.
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion117), nil
},
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
{
// Remove external ID.
SkipFunc: func() (bool, error) {
meta := testProvider.Meta().(*provider.ProviderMeta)
return !meta.IsAPISupported(provider.VaultVersion117), nil
},
Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
},
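Review bot: The new external-ID steps still assert through `testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn)`, which takes no external ID, so from what is visible here nothing verifies that `external_id` was actually written, updated or cleared. If that helper (defined outside this hunk) does not read the field, add an explicit assertion to each step, e.g. `resource.TestCheckResourceAttr("<resource address>", consts.FieldExternalID, externalID)`. The three identical `SkipFunc` closures could also be a single shared helper so the version gate is stated once. There is no step covering the below-1.17 path with `external_id` set, which is the case the new guard changes.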
