From 1eb7bdff53f09a8915d9afd3c8e3e1d7ea0a840d Mon Sep 17 00:00:00 2001
From: Helen Fu <25168806+helenfufu@users.noreply.github.com>
Date: Tue, 19 Nov 2024 16:45:28 -0800
Subject: [PATCH] only support external_id on vault versions >= 1.17

external_id support for aws auth sts configuration added in 1.17.0:
https://github.com/hashicorp/vault/pull/26628
---
 vault/resource_aws_auth_backend_sts_role.go | 20 +++++++++++-----
 ...resource_aws_auth_backend_sts_role_test.go | 23 ++++++++++++++++---
 2 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go
index 518c9f95e..0979259af 100644
--- a/vault/resource_aws_auth_backend_sts_role.go
+++ b/vault/resource_aws_auth_backend_sts_role.go
@@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error
 	path := awsAuthBackendSTSRolePath(backend, accountID)
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path)
@@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("account_id", accountID)
 	d.Set("sts_role", resp.Data["sts_role"])
 
-	if v, ok := resp.Data[consts.FieldExternalID]; ok {
-		d.Set(consts.FieldExternalID, v)
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		if v, ok := resp.Data[consts.FieldExternalID]; ok {
+			d.Set(consts.FieldExternalID, v)
+		}
 	}
 
 	return nil
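Review bot: The version gate added around the `data` map silently drops a configured `external_id` on Vault < 1.17: the write still succeeds, so the operator ends up with an STS role that lacks the external ID they asked for, i.e. without the confused-deputy protection that attribute exists to provide, and nothing in the hunk reports it. `externalID` is already in scope (it is declared above the hunk, presumably from the resource config), so reject the unsupported combination instead of discarding it: `} else if externalID != "" {` / `return fmt.Errorf("external_id requires Vault 1.17 or later")` / `}`. awsAuthBackendSTSRoleCreate begins and ends outside the hunk, so I cannot tell whether `fmt` is already imported.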
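Review bot: Wrapping the read-back in the same version check means that on Vault < 1.17 `external_id` is never refreshed from the server, so a value the Create path discarded stays in state (the SDK keeps the planned value for anything Read does not `d.Set`, as far as I can tell) and the plan shows no drift — the operator sees the external ID as applied while the role in Vault has none. The outer check is also redundant here: an older server simply omits the key, and the existing `ok` test already covers that. I would drop the outer `if` and always reconcile from the response, `d.Set(consts.FieldExternalID, resp.Data[consts.FieldExternalID])`, so an absent key resets the attribute (a nil value should set a string attribute to "") and out-of-band removal is detected too; the unsupported case belongs in Create/Update. awsAuthBackendSTSRoleRead begins outside the hunk.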
@@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error
 	path := d.Id()
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path)
diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go
index 9ae552a54..1d7e2498d 100644
--- a/vault/resource_aws_auth_backend_sts_role_test.go
+++ b/vault/resource_aws_auth_backend_sts_role_test.go
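Review bot: Same silent-drop problem as in Create: on Vault < 1.17 a changed `external_id` is left out of `data` and the update reports success without touching the external ID on the server, so the resource converges on a value Vault never received. Mirror whatever Create ends up doing, e.g. `} else if externalID != "" {` / `return fmt.Errorf("external_id requires Vault 1.17 or later")` / `}`, or better, build the payload in one shared helper used by both paths so the two gates cannot diverge again. awsAuthBackendSTSRoleUpdate begins and ends outside the hunk.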
@@ -56,18 +56,35 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) {
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
 			},
+			{
+				// Update ARN.
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
+			},
 			{
 				// Add external ID.
-				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID),
-				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
 			{
-				// Update ARN and external ID.
+				// Update external ID.
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
 			{
 				// Remove external ID.
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
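Review bot: None of the three external-ID steps asserts that `external_id` actually round-tripped: `testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn)` is handed only the ARN, so a provider that drops the field — exactly the regression this change is guarding against — would still pass unless that helper compares every state attribute against Vault, which I cannot see from the hunk. Pass the expected external ID into the check, or add a `resource.TestCheckResourceAttr(<resource address>, consts.FieldExternalID, externalID)` next to it for the add/update steps and an empty-string check for the remove step. The identical SkipFunc closure is also pasted three times; hoisting it into a local `skipIfNoExternalID := func() (bool, error) { ... }` before the steps keeps them in sync. TestAccAWSAuthBackendSTSRole_basic begins and ends outside the hunk.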