From 5837bf2f1e4ed47361f0e60357e04022604f16ae Mon Sep 17 00:00:00 2001
From: Anthony Dong <adongy@users.noreply.github.com>
Date: Fri, 13 Dec 2019 17:41:13 +0100
Subject: [PATCH] aws_secret_backend: credentials are optional

---
 vault/resource_aws_secret_backend.go      |  4 ++--
 vault/resource_aws_secret_backend_test.go | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/vault/resource_aws_secret_backend.go b/vault/resource_aws_secret_backend.go
index b264533fb..3d0ecc087 100644
--- a/vault/resource_aws_secret_backend.go
+++ b/vault/resource_aws_secret_backend.go
@@ -59,13 +59,13 @@ func awsSecretBackendResource() *schema.Resource {
 			},
 			"access_key": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				Description: "The AWS Access Key ID to use when generating new credentials.",
 				Sensitive:   true,
 			},
 			"secret_key": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				Description: "The AWS Secret Access Key to use when generating new credentials.",
 				Sensitive:   true,
 			},
diff --git a/vault/resource_aws_secret_backend_test.go b/vault/resource_aws_secret_backend_test.go
index 641bec20f..574ced3dc 100644
--- a/vault/resource_aws_secret_backend_test.go
+++ b/vault/resource_aws_secret_backend_test.go
@@ -43,6 +43,18 @@ func TestAccAWSSecretBackend_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"),
 				),
 			},
+			{
+				Config: testAccAWSSecretBackendConfig_noCreds(path),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "path", path),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "description", "test description"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "default_lease_ttl_seconds", "1800"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "max_lease_ttl_seconds", "43200"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "access_key", ""),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "secret_key", ""),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"),
+				),
+			},
 		},
 	})
 }
@@ -125,3 +137,14 @@ resource "vault_aws_secret_backend" "test" {
   region = "us-west-1"
 }`, path, accessKey, secretKey)
 }
+
+func testAccAWSSecretBackendConfig_noCreds(path string) string {
+	return fmt.Sprintf(`
+resource "vault_aws_secret_backend" "test" {
+  path = "%s"
+  description = "test description"
+  default_lease_ttl_seconds = 1800
+  max_lease_ttl_seconds = 43200
+  region = "us-west-1"
+}`, path)
+}