Update Github roles

Update Github resources
hashicorp · Jul 31, 2019 · 958733a · 958733a
1 parent 7130669
commit 958733a
Show file tree

Hide file tree

Showing 5 changed files with 165 additions and 75 deletions.
diff --git a/vault/auth_token.go b/vault/auth_token.go
@@ -152,6 +152,7 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea
 		if d.HasChange("token_policies") {
 			data["token_policies"] = d.Get("token_policies").(*schema.Set).List()
 		}
+
 		if d.HasChange("token_explicit_max_ttl") {
 			data["token_explicit_max_ttl"] = d.Get("token_explicit_max_ttl").(int)
 		}

diff --git a/vault/resource_github_team.go b/vault/resource_github_team.go
@@ -10,6 +10,39 @@ import (
 )
 
 func githubTeamResource() *schema.Resource {
+	fields := map[string]*schema.Schema{
+		"backend": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "Auth backend to which team mapping will be congigured.",
+			ForceNew:    true,
+			Default:     "github",
+			// standardise on no beginning or trailing slashes
+			StateFunc: func(v interface{}) string {
+				return strings.Trim(v.(string), "/")
+			},
+		},
+		"team": {
+			Type:         schema.TypeString,
+			Required:     true,
+			ForceNew:     true,
+			Description:  "GitHub team name in \"slugified\" format.",
+			ValidateFunc: validateStringSlug,
+		},
+		"policies": {
+			Type:          schema.TypeList,
+			Optional:      true,
+			Elem:          &schema.Schema{Type: schema.TypeString},
+			Description:   "Policies to be assigned to this team.",
+			Deprecated:    "use `token_policies` instead",
+			ConflictsWith: []string{"token_policies"},
+		},
+	}
+
+	addTokenFields(fields, &addTokenFieldsConfig{
+		TokenPoliciesConflict: []string{"policies"},
+	})
+
 	return &schema.Resource{
 		Create: githubTeamCreate,
 		Read:   githubTeamRead,
@@ -18,55 +51,51 @@ func githubTeamResource() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
+		Schema: fields,
+	}
+}
 
-		Schema: map[string]*schema.Schema{
-			"backend": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Description: "Auth backend to which team mapping will be congigured.",
-				ForceNew:    true,
-				Default:     "github",
-				// standardise on no beginning or trailing slashes
-				StateFunc: func(v interface{}) string {
-					return strings.Trim(v.(string), "/")
-				},
-			},
-			"policies": {
-				Type:        schema.TypeList,
-				Optional:    true,
-				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: "Policies to be assigned to this team.",
-			},
-			"team": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ForceNew:     true,
-				Description:  "GitHub team name in \"slugified\" format.",
-				ValidateFunc: validateStringSlug,
-			},
-		},
+func githubTeamUpdateFields(d *schema.ResourceData, data map[string]interface{}) error {
+	// Always in "create" mode because this endpoint unsets fields that are omitted during updates
+	updateTokenFields(d, data, true)
+
+	data["key"] = d.Get("team").(string)
+	if v, ok := d.GetOk("policies"); ok {
+		vs := expandStringSlice(v.([]interface{}))
+		data["value"] = strings.Join(vs, ",")
 	}
+
+	return nil
 }
 
 func githubTeamCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
 	id := githubMapId(d.Get("backend").(string), d.Get("team").(string), "teams")
 	d.SetId(id)
 	d.MarkNewResource()
 
+	data := map[string]interface{}{}
+	githubTeamUpdateFields(d, data)
+
 	log.Printf("[INFO] Creating new github team map at '%v'", id)
-	return githubTeamUpdate(d, meta)
+
+	_, err := client.Logical().Write(id, data)
+	if err != nil {
+		d.SetId("")
+		return err
+	}
+
+	log.Printf("[INFO] Saved github team map at '%v'", id)
+
+	return githubTeamRead(d, meta)
 }
 
 func githubTeamUpdate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 	path := d.Id()
 
 	data := map[string]interface{}{}
-	data["key"] = d.Get("team").(string)
-	if v, ok := d.GetOk("policies"); ok {
-		vs := expandStringSlice(v.([]interface{}))
-		data["value"] = strings.Join(vs, ",")
-	}
+	githubTeamUpdateFields(d, data)
 
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
@@ -89,6 +118,17 @@ func githubTeamRead(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
+	readTokenFields(d, dt)
+
+	// Check if the user is using the deprecated `policies`
+	if _, deprecated := d.GetOk("policies"); deprecated {
+		// Then we see if `token_policies` was set and unset it
+		// Vault will still return `policies`
+		if _, ok := d.GetOk("token_policies"); ok {
+			d.Set("token_policies", nil)
+		}
+	}
+
 	if v, ok := dt.Data["key"]; ok {
 		d.Set("team", v.(string))
 	} else {

diff --git a/vault/resource_github_team_test.go b/vault/resource_github_team_test.go
@@ -17,6 +17,7 @@ func TestAccGithubTeam_basic(t *testing.T) {
 	backend := acctest.RandomWithPrefix("github")
 	resName := "vault_github_team.team"
 	team := "my-team-slugified"
+
 	resource.Test(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -28,9 +29,9 @@ func TestAccGithubTeam_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resName, "id", "auth/"+backend+"/map/teams/"+team),
 					resource.TestCheckResourceAttr(resName, "backend", backend),
 					resource.TestCheckResourceAttr(resName, "team", "my-team-slugified"),
-					resource.TestCheckResourceAttr(resName, "policies.#", "2"),
-					resource.TestCheckResourceAttr(resName, "policies.0", "admin"),
-					resource.TestCheckResourceAttr(resName, "policies.1", "security"),
+					resource.TestCheckResourceAttr(resName, "token_policies.#", "2"),
+					resource.TestCheckResourceAttr(resName, "token_ttl", "300"),
+					resource.TestCheckResourceAttr(resName, "token_max_ttl", "1800"),
 				),
 			},
 			{
@@ -39,7 +40,9 @@ func TestAccGithubTeam_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resName, "id", "auth/"+backend+"/map/teams/"+team),
 					resource.TestCheckResourceAttr(resName, "backend", backend),
 					resource.TestCheckResourceAttr(resName, "team", "my-team-slugified"),
-					resource.TestCheckResourceAttr(resName, "policies.#", "0"),
+					resource.TestCheckResourceAttr(resName, "token_policies.#", "0"),
+					resource.TestCheckResourceAttr(resName, "token_ttl", "300"),
+					resource.TestCheckResourceAttr(resName, "token_max_ttl", "1800"),
 				),
 			},
 		},
@@ -117,14 +120,16 @@ func testAccGithubTeamConfig_basic(backend string, team string, policies []strin
 	p, _ := json.Marshal(policies)
 	return fmt.Sprintf(`
 resource "vault_github_auth_backend" "gh" {
-	path = "%s"
-  	organization = "vault"
+  path = "%s"
+  organization = "vault"
 }
 
 resource "vault_github_team" "team" {
 	backend = "${vault_github_auth_backend.gh.id}"
 	team = "%s"
-	policies = %s
+	token_policies = %s
+	token_ttl = 300
+	token_max_ttl = 1800
 }
 `, backend, team, p)
 }
diff --git a/vault/resource_github_user.go b/vault/resource_github_user.go
@@ -10,6 +10,38 @@ import (
 )
 
 func githubUserResource() *schema.Resource {
+	fields := map[string]*schema.Schema{
+		"backend": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "Auth backend to which user mapping will be congigured.",
+			ForceNew:    true,
+			Default:     "github",
+			// standardise on no beginning or trailing slashes
+			StateFunc: func(v interface{}) string {
+				return strings.Trim(v.(string), "/")
+			},
+		},
+		"user": {
+			Type:        schema.TypeString,
+			Required:    true,
+			ForceNew:    true,
+			Description: "GitHub user name.",
+		},
+		"policies": {
+			Type:          schema.TypeList,
+			Optional:      true,
+			Elem:          &schema.Schema{Type: schema.TypeString},
+			Description:   "Policies to be assigned to this team.",
+			Deprecated:    "use `token_policies` instead",
+			ConflictsWith: []string{"token_policies"},
+		},
+	}
+
+	addTokenFields(fields, &addTokenFieldsConfig{
+		TokenPoliciesConflict: []string{"policies"},
+	})
+
 	return &schema.Resource{
 		Create: githubUserCreate,
 		Read:   githubUserRead,
@@ -18,54 +50,51 @@ func githubUserResource() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
+		Schema: fields,
+	}
+}
 
-		Schema: map[string]*schema.Schema{
-			"backend": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Description: "Auth backend to which user mapping will be congigured.",
-				ForceNew:    true,
-				Default:     "github",
-				// standardise on no beginning or trailing slashes
-				StateFunc: func(v interface{}) string {
-					return strings.Trim(v.(string), "/")
-				},
-			},
-			"policies": {
-				Type:        schema.TypeList,
-				Optional:    true,
-				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: "Policies to be assigned to this user.",
-			},
-			"user": {
-				Type:        schema.TypeString,
-				Required:    true,
-				ForceNew:    true,
-				Description: "GitHub user name.",
-			},
-		},
+func githubUserUpdateFields(d *schema.ResourceData, data map[string]interface{}) error {
+	// Always in "create" mode because this endpoint unsets fields that are omitted during updates
+	updateTokenFields(d, data, true)
+
+	data["key"] = d.Get("user").(string)
+	if v, ok := d.GetOk("policies"); ok {
+		vs := expandStringSlice(v.([]interface{}))
+		data["value"] = strings.Join(vs, ",")
 	}
+
+	return nil
 }
 
 func githubUserCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
 	id := githubMapId(d.Get("backend").(string), d.Get("user").(string), "users")
 	d.SetId(id)
 	d.MarkNewResource()
 
+	data := map[string]interface{}{}
+	githubUserUpdateFields(d, data)
+
 	log.Printf("[INFO] Creating new github user map at '%v'", id)
-	return githubUserUpdate(d, meta)
+	_, err := client.Logical().Write(id, data)
+	if err != nil {
+		d.SetId("")
+		return err
+	}
+
+	log.Printf("[INFO] Saved github user map at '%v'", id)
+
+	return githubUserRead(d, meta)
 }
 
 func githubUserUpdate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 	path := d.Id()
 
 	data := map[string]interface{}{}
-	data["key"] = d.Get("user").(string)
-	if v, ok := d.GetOk("policies"); ok {
-		vs := expandStringSlice(v.([]interface{}))
-		data["value"] = strings.Join(vs, ",")
-	}
+	githubUserUpdateFields(d, data)
 
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
@@ -88,6 +117,17 @@ func githubUserRead(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
+	readTokenFields(d, dt)
+
+	// Check if the user is using the deprecated `policies`
+	if _, deprecated := d.GetOk("policies"); deprecated {
+		// Then we see if `token_policies` was set and unset it
+		// Vault will still return `policies`
+		if _, ok := d.GetOk("token_policies"); ok {
+			d.Set("token_policies", nil)
+		}
+	}
+
 	if v, ok := dt.Data["key"]; ok {
 		d.Set("user", v.(string))
 	} else {

diff --git a/vault/resource_github_user_test.go b/vault/resource_github_user_test.go
@@ -27,9 +27,9 @@ func TestAccGithubUser_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resName, "id", "auth/"+backend+"/map/users/"+user),
 					resource.TestCheckResourceAttr(resName, "backend", backend),
 					resource.TestCheckResourceAttr(resName, "user", "john_doe"),
-					resource.TestCheckResourceAttr(resName, "policies.#", "2"),
-					resource.TestCheckResourceAttr(resName, "policies.0", "admin"),
-					resource.TestCheckResourceAttr(resName, "policies.1", "security"),
+					resource.TestCheckResourceAttr(resName, "token_policies.#", "2"),
+					resource.TestCheckResourceAttr(resName, "token_ttl", "300"),
+					resource.TestCheckResourceAttr(resName, "token_max_ttl", "1800"),
 				),
 			},
 			{
@@ -38,7 +38,9 @@ func TestAccGithubUser_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resName, "id", "auth/"+backend+"/map/users/"+user),
 					resource.TestCheckResourceAttr(resName, "backend", backend),
 					resource.TestCheckResourceAttr(resName, "user", "john_doe"),
-					resource.TestCheckResourceAttr(resName, "policies.#", "0"),
+					resource.TestCheckResourceAttr(resName, "token_policies.#", "0"),
+					resource.TestCheckResourceAttr(resName, "token_ttl", "300"),
+					resource.TestCheckResourceAttr(resName, "token_max_ttl", "1800"),
 				),
 			},
 		},
@@ -107,7 +109,9 @@ resource "vault_github_auth_backend" "gh" {
 resource "vault_github_user" "user" {
 	backend = "${vault_github_auth_backend.gh.id}"
 	user = "%s"
-	policies = %s
+	token_policies = %s
+	token_ttl = 300
+	token_max_ttl = 1800
 }
 `, backend, user, p)
 }