Merge branch 'master' of github.com:mbillow/terraform-provider-vault

* 'master' of github.com:mbillow/terraform-provider-vault:
  Add tests for local LDAP and cover more cases for JWT and Consul
  Add local option for Consul Secrets Backend
  Add local check to the JWT acceptance test suite
  Allow LDAP and JWT/OIDC resources to be local

vault/resource_consul_secret_backend.go

@@ -90,6 +90,13 @@ func consulSecretBackendResource() *schema.Resource {
 				Description: "Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.",
 				Sensitive:   true,
 			},
+			"local": {
+				Type:        schema.TypeBool,
+				ForceNew:    true,
+				Optional:    true,
+				Default:     false,
+				Description: "Specifies if the secret backend is local only",
+			},
 		},
 	}
 }
@@ -104,12 +111,14 @@ func consulSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {
 	ca_cert := d.Get("ca_cert").(string)
 	client_cert := d.Get("client_cert").(string)
 	client_key := d.Get("client_key").(string)
+	local := d.Get("local").(bool)
 
 	configPath := consulSecretBackendConfigPath(path)
 
 	info := &api.MountInput{
 		Type:        "consul",
 		Description: d.Get("description").(string),
+		Local:       local,
 		Config: api.MountConfigInput{
 			DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
 			MaxLeaseTTL:     fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),

vault/resource_consul_secret_backend_test.go

@@ -29,6 +29,23 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "127.0.0.1:8500"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "http"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
+				),
+			},
+			{
+				Config: testConsulSecretBackend_initialConfigLocal(path, token),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "path", path),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "description", "test description"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "default_lease_ttl_seconds", "3600"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "max_lease_ttl_seconds", "86400"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "127.0.0.1:8500"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "http"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "true"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
@@ -44,6 +61,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
@@ -59,6 +77,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "ca_cert", "FAKE-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_cert", "FAKE-CLIENT-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_key", "FAKE-CLIENT-CERT-KEY-MATERIAL"),
@@ -74,6 +93,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "ca_cert", "FAKE-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_cert", "UPDATED-FAKE-CLIENT-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_key", "UPDATED-FAKE-CLIENT-CERT-KEY-MATERIAL"),
@@ -118,6 +138,19 @@ resource "vault_consul_secret_backend" "test" {
 }`, path, token)
 }
 
+func testConsulSecretBackend_initialConfigLocal(path, token string) string {
+	return fmt.Sprintf(`
+resource "vault_consul_secret_backend" "test" {
+  path = "%s"
+  description = "test description"
+  default_lease_ttl_seconds = 3600
+  max_lease_ttl_seconds = 86400
+  address = "127.0.0.1:8500"
+  token = "%s"
+  local = true
+}`, path, token)
+}
+
 func testConsulSecretBackend_updateConfig(path, token string) string {
 	return fmt.Sprintf(`
 resource "vault_consul_secret_backend" "test" {

vault/resource_jwt_auth_backend.go

@@ -122,6 +122,13 @@ func jwtAuthBackendResource() *schema.Resource {
 				Computed:    true,
 				Description: "The accessor of the JWT auth backend",
 			},
+			"local": {
+				Type:        schema.TypeBool,
+				ForceNew:    true,
+				Optional:    true,
+				Default:     false,
+				Description: "Specifies if the auth method is local only",
+			},
 			"provider_config": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -177,12 +184,16 @@ func jwtAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
 	authType := d.Get("type").(string)
-	desc := d.Get("description").(string)
 	path := getJwtPath(d)
+	options := &api.EnableAuthOptions{
+		Type:        authType,
+		Description: d.Get("description").(string),
+		Local:       d.Get("local").(bool),
+	}
 
 	log.Printf("[DEBUG] Writing auth %s to Vault", authType)
 
-	err := client.Sys().EnableAuth(path, authType, desc)
+	err := client.Sys().EnableAuthWithOptions(path, options)
 
 	if err != nil {
 		return fmt.Errorf("error writing to Vault: %s", err)
@@ -249,6 +260,7 @@ func jwtAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	d.Set("type", backend.Type)
+	d.Set("local", backend.Local)
 
 	d.Set("accessor", backend.Accessor)
 	for _, configOption := range matchingJwtMountConfigOptions {

vault/resource_jwt_auth_backend_test.go

@@ -27,6 +27,19 @@ func TestAccJWTAuthBackend(t *testing.T) {
 					resource.TestCheckResourceAttrSet("vault_jwt_auth_backend.jwt", "accessor"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", ""),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "type", "jwt"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "local", "false"),
+				),
+			},
+			{
+				Config: testAccJWTAuthLocalBackendConfig(path),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "description", "JWT backend"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "path", path),
+					resource.TestCheckResourceAttrSet("vault_jwt_auth_backend.jwt", "accessor"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", ""),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "type", "jwt"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "local", "true"),
 				),
 			},
 			{
@@ -130,6 +143,17 @@ resource "vault_jwt_auth_backend" "jwt" {
 `, path)
 }
 
+func testAccJWTAuthLocalBackendConfig(path string) string {
+	return fmt.Sprintf(`
+resource "vault_jwt_auth_backend" "jwt" {
+  description = "JWT backend"
+  oidc_discovery_url = "https://myco.auth0.com/"
+  path = "%s"
+  local = true
+}
+`, path)
+}
+
 func testAccJWTAuthBackendConfigFullOIDC(path string, oidcDiscoveryUrl string, boundIssuer string, supportedAlgs string) string {
 	return fmt.Sprintf(`
 resource "vault_jwt_auth_backend" "jwt" {

vault/resource_ldap_auth_backend.go

@@ -118,7 +118,13 @@ func ldapAuthBackendResource() *schema.Resource {
 				return strings.Trim(v.(string), "/")
 			},
 		},
-
+		"local": {
+			Type:        schema.TypeBool,
+			ForceNew:    true,
+			Optional:    true,
+			Default:     false,
+			Description: "Specifies if the auth method is local only",
+		},
 		"accessor": {
 			Type:        schema.TypeString,
 			Computed:    true,
@@ -161,12 +167,15 @@ func ldapAuthBackendConfigPath(path string) string {
 func ldapAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
-	authType := ldapAuthType
 	path := d.Get("path").(string)
-	desc := d.Get("description").(string)
+	options := &api.EnableAuthOptions{
+		Type:        ldapAuthType,
+		Description: d.Get("description").(string),
+		Local:       d.Get("local").(bool),
+	}
 
 	log.Printf("[DEBUG] Enabling LDAP auth backend %q", path)
-	err := client.Sys().EnableAuth(path, authType, desc)
+	err := client.Sys().EnableAuthWithOptions(path, options)
 	if err != nil {
 		return fmt.Errorf("error enabling ldap auth backend %q: %s", path, err)
 	}
@@ -291,6 +300,7 @@ func ldapAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("description", authMount.Description)
 	d.Set("accessor", authMount.Accessor)
+	d.Set("local", authMount.Local)
 
 	path = ldapAuthBackendConfigPath(path)
 

vault/resource_ldap_auth_backend_test.go

@@ -22,7 +22,7 @@ func TestLDAPAuthBackend_import(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "false"),
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
@@ -44,15 +44,23 @@ func TestLDAPAuthBackend_basic(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "true"),
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "false"),
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "true"),
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 		},
@@ -68,15 +76,23 @@ func TestLDAPAuthBackend_tls(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "true"),
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "true"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_tls(path, "false", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "false"),
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "true"),
+				Config: testLDAPAuthBackendConfig_tls(path, "false", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 		},
@@ -137,6 +153,11 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 			return fmt.Errorf("accessor in state %s does not match accessor returned from vault %s", instanceState.Attributes["accessor"], authMount.Accessor)
 		}
 
+		l := instanceState.Attributes["local"] == "true"
+		if l != authMount.Local {
+			return fmt.Errorf("local bool in state for %s does not match value returned from vault: State: %t, Vault: %t", path, l, authMount.Local)
+		}
+
 		configPath := "auth/" + endpoint + "/config"
 
 		resp, err := client.Logical().Read(configPath)
@@ -243,11 +264,12 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 	}
 }
 
-func testLDAPAuthBackendConfig_basic(path, use_token_groups string) string {
+func testLDAPAuthBackendConfig_basic(path, use_token_groups string, local string) string {
 
 	return fmt.Sprintf(`
 resource "vault_ldap_auth_backend" "test" {
     path                   = "%s"
+    local                  = %s
     url                    = "ldaps://example.org"
     starttls               = true
     tls_min_version        = "tls11"
@@ -261,15 +283,16 @@ resource "vault_ldap_auth_backend" "test" {
 
     use_token_groups = %s
 }
-`, path, use_token_groups)
+`, path, local, use_token_groups)
 
 }
 
-func testLDAPAuthBackendConfig_tls(path, use_token_groups string) string {
+func testLDAPAuthBackendConfig_tls(path, use_token_groups string, local string) string {
 
 	return fmt.Sprintf(`
 resource "vault_ldap_auth_backend" "test" {
     path                   = "%s"
+    local                  = %s
     url                    = "ldaps://example.org"
     starttls               = true
     tls_min_version        = "tls11"
@@ -359,6 +382,6 @@ MvQzNd87hRypUZ9Hyx2C9RljNDHHjgwYwWv9JOT0xEOS4ZAaPfvTf20=
 EOT
     use_token_groups = %s
 }
-`, path, use_token_groups)
+`, path, local, use_token_groups)
 
 }

website/docs/r/consul_secret_backend.html.md

@@ -58,6 +58,8 @@ on `token`. Changing the value, however, _will_ overwrite the previously stored
 * `max_lease_ttl_seconds` - (Optional) The maximum TTL that can be requested
 for credentials issued by this backend.
 
+* `local` - (Optional) Specifies if the secret backend is local only.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.

website/docs/r/jwt_auth_backend.html.md

@@ -91,6 +91,8 @@ The following arguments are supported:
 
 * `provider_config` - (Optional) Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
 
+* `local` - (Optional) Specifies if the auth method is local only.
+
 * tune - (Optional) Extra configuration block. Structure is documented below.
 
 The `tune` block is used to tune the auth backend:

website/docs/r/ldap_auth_backend.html.md

@@ -69,6 +69,8 @@ The following arguments are supported:
 
 * `description` - (Optional) Description for the LDAP auth backend mount
 
+* `local` - (Optional) Specifies if the auth method is local only.
+
 ### Common Token Arguments
 
 These arguments are common across several Authentication Token resources since Vault 1.2.