Merge pull request #634 from adongy/adong/aws_secret_backend

aws_secret_backend: credentials are optional
hashicorp · Dec 19, 2019 · 854b02f · 854b02f
2 parents 278bbcf + a18383f
commit 854b02f
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/vault/resource_aws_secret_backend.go b/vault/resource_aws_secret_backend.go
@@ -59,13 +59,13 @@ func awsSecretBackendResource() *schema.Resource {
 			},
 			"access_key": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				Description: "The AWS Access Key ID to use when generating new credentials.",
 				Sensitive:   true,
 			},
 			"secret_key": {
 				Type:        schema.TypeString,
-				Required:    true,
+				Optional:    true,
 				Description: "The AWS Secret Access Key to use when generating new credentials.",
 				Sensitive:   true,
 			},

diff --git a/vault/resource_aws_secret_backend_test.go b/vault/resource_aws_secret_backend_test.go
@@ -43,6 +43,18 @@ func TestAccAWSSecretBackend_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"),
 				),
 			},
+			{
+				Config: testAccAWSSecretBackendConfig_noCreds(path),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "path", path),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "description", "test description"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "default_lease_ttl_seconds", "1800"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "max_lease_ttl_seconds", "43200"),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "access_key", ""),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "secret_key", ""),
+					resource.TestCheckResourceAttr("vault_aws_secret_backend.test", "region", "us-west-1"),
+				),
+			},
 		},
 	})
 }
@@ -125,3 +137,14 @@ resource "vault_aws_secret_backend" "test" {
   region = "us-west-1"
 }`, path, accessKey, secretKey)
 }
+
+func testAccAWSSecretBackendConfig_noCreds(path string) string {
+	return fmt.Sprintf(`
+resource "vault_aws_secret_backend" "test" {
+  path = "%s"
+  description = "test description"
+  default_lease_ttl_seconds = 1800
+  max_lease_ttl_seconds = 43200
+  region = "us-west-1"
+}`, path)
+}
diff --git a/website/docs/r/aws_secret_backend.html.md b/website/docs/r/aws_secret_backend.html.md
@@ -31,11 +31,11 @@ resource "vault_aws_secret_backend" "aws" {
 
 The following arguments are supported:
 
-* `access_key` - (Required) The AWS Access Key ID this backend should use to
-issue new credentials.
+* `access_key` - (Optional) The AWS Access Key ID this backend should use to
+issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
 
-* `secret_key` - (Required) The AWS Secret Key this backend should use to
-issue new credentials.
+* `secret_key` - (Optional) The AWS Secret Key this backend should use to
+issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.
 
 ~> **Important** Vault version 1.2.3 and older does not support reading the configured
 credentials back from the API, With these older versions, Terraform cannot detect and correct drift