Update vault_aws_secret_backend_role to support setting session_tags …

…and external_id (#2290)

Adds support for setting session_tags and external_id. Which will be
released in vault 1.17.2

internal/consts/consts.go

@@ -436,6 +436,7 @@ const (
 	FieldPrivateKeyID                  = "private_key_id"
 	FieldTune                          = "tune"
 	FieldMaxRetries                    = "max_retries"
+	FieldSessionTags                   = "session_tags"
 
 	/*
 		common environment variables

vault/resource_aws_secret_backend_role.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
 )
@@ -84,6 +85,20 @@ func awsSecretBackendRoleResource(name string) *schema.Resource {
 				},
 				Description: "A map of strings representing key/value pairs used as tags for any IAM user created by this role.",
 			},
+			consts.FieldSessionTags: {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: fmt.Sprintf(`Session tags to be set for assume role creds created.`),
+			},
+			consts.FieldExternalID: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "External ID to set for assume role creds.",
+			},
+
 			"default_sts_ttl": {
 				Type:        schema.TypeInt,
 				Optional:    true,
@@ -133,6 +148,10 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 
 	iamTags := d.Get("iam_tags")
 
+	sessionTags := d.Get(consts.FieldSessionTags)
+
+	externalID := d.Get(consts.FieldExternalID)
+
 	if policyDocument == "" && len(policyARNs) == 0 && len(roleARNs) == 0 && len(iamGroups) == 0 {
 		return fmt.Errorf("at least one of: `policy_document`, `policy_arns`, `role_arns` or `iam_groups` must be set")
 	}
@@ -168,6 +187,12 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 	if d.HasChange("iam_tags") {
 		data["iam_tags"] = iamTags
 	}
+	if d.HasChange(consts.FieldSessionTags) {
+		data[consts.FieldSessionTags] = sessionTags
+	}
+	if d.HasChange(consts.FieldExternalID) {
+		data[consts.FieldExternalID] = externalID
+	}
 	if d.HasChange("user_path") {
 		if credentialType == "iam_user" {
 			data["user_path"] = userPath
@@ -255,6 +280,12 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	if v, ok := secret.Data["iam_tags"]; ok {
 		d.Set("iam_tags", v)
 	}
+	if v, ok := secret.Data[consts.FieldSessionTags]; ok {
+		d.Set(consts.FieldSessionTags, v)
+	}
+	if v, ok := secret.Data[consts.FieldExternalID]; ok {
+		d.Set(consts.FieldExternalID, v)
+	}
 	if v, ok := secret.Data["permissions_boundary_arn"]; ok {
 		d.Set("permissions_boundary_arn", v)
 	}

vault/resource_aws_secret_backend_role_test.go

@@ -27,10 +27,6 @@ const (
 	testAccAWSSecretBackendRolePermissionsBoundaryArn_updated = "arn:aws:iam::123456789123:policy/boundary2"
 	testAccAWSSecretBackendRoleIamUserPath_basic              = "/path1/"
 	testAccAWSSecretBackendRoleIamUserPath_updated            = "/path2/"
-	testAccAWSSecretBackendRoleIamTag_key_basic               = "key1"
-	testAccAWSSecretBackendRoleIamTag_value_basic             = "value1"
-	testAccAWSSecretBackendRoleIamTag_key_updated             = "key2"
-	testAccAWSSecretBackendRoleIamTag_value_updated           = "value2"
 )
 
 func TestAccAWSSecretBackendRole_basic(t *testing.T) {
@@ -43,15 +39,15 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) {
 		CheckDestroy:      testAccAWSSecretBackendRoleCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSSecretBackendRoleConfig_basic(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigBasic(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend),
 			},
 			{
-				Config: testAccAWSSecretBackendRoleConfig_updated(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigUpdated(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckUpdatedAttributes(name, backend),
 			},
 			{
-				Config: testAccAWSSecretBackendRoleConfig_basic(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigBasic(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend),
 			},
 		},
@@ -68,7 +64,7 @@ func TestAccAWSSecretBackendRole_import(t *testing.T) {
 		CheckDestroy:      testAccAWSSecretBackendRoleCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSSecretBackendRoleConfig_basic(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigBasic(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend),
 			},
 			{
@@ -110,11 +106,11 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) {
 		CheckDestroy:      testAccAWSSecretBackendRoleCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSSecretBackendRoleConfig_basic(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigBasic(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend),
 			},
 			{
-				Config: testAccAWSSecretBackendRoleConfig_updated(name, backend, accessKey, secretKey),
+				Config: testAccAWSSecretBackendRoleConfigUpdated(name, backend, accessKey, secretKey),
 				Check:  testAccAWSSecretBackendRoleCheckUpdatedAttributes(name, backend),
 			},
 		},
@@ -172,7 +168,14 @@ func testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend string) resou
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_basic),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_basic),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"),
-		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_basic), testAccAWSSecretBackendRoleIamTag_value_basic),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.key1", "value1"),
+		// assume  role with session tags
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "name", fmt.Sprintf("%s-session-tags", name)),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "backend", backend),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "external_id", "ext1"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "session_tags.%", "2"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "session_tags.key1", "value1"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "session_tags.key2", "value2"),
 	)
 }
 
@@ -212,11 +215,17 @@ func testAccAWSSecretBackendRoleCheckUpdatedAttributes(name, backend string) res
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_updated),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_updated),
 		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"),
-		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_updated), testAccAWSSecretBackendRoleIamTag_value_updated),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.key2", "value2"),
+		// assume  role with session tags
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "name", fmt.Sprintf("%s-session-tags", name)),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "backend", backend),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "external_id", "ext2"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "session_tags.%", "1"),
+		resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_assumed_role_session_tags", "session_tags.key1", "value1"),
 	)
 }
 
-func testAccAWSSecretBackendRoleConfig_basic(name, path, accessKey, secretKey string) string {
+func testAccAWSSecretBackendRoleConfigBasic(name, path, accessKey, secretKey string) string {
 	resources := []string{
 		fmt.Sprintf(`
 resource "vault_aws_secret_backend" "test" {
@@ -291,14 +300,28 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes
 			testAccAWSSecretBackendRolePolicyArn_basic,
 			testAccAWSSecretBackendRolePermissionsBoundaryArn_basic,
 			testAccAWSSecretBackendRoleIamUserPath_basic,
-			testAccAWSSecretBackendRoleIamTag_key_basic,
-			testAccAWSSecretBackendRoleIamTag_value_basic),
+			"key1",
+			"value1"),
+
+		fmt.Sprintf(`
+resource "vault_aws_secret_backend_role" "test_assumed_role_session_tags" {
+  name = "%s-session-tags"
+  role_arns = ["%s"]
+  credential_type = "assumed_role"
+  backend = vault_aws_secret_backend.test.path
+  external_id = "ext1"
+  session_tags = {
+	"key1" = "value1"
+	"key2" = "value2"
+  }
+}
+`, name, testAccAWSSecretBackendRoleRoleArn_basic),
 	}
 
 	return strings.Join(resources, "\n")
 }
 
-func testAccAWSSecretBackendRoleConfig_updated(name, path, accessKey, secretKey string) string {
+func testAccAWSSecretBackendRoleConfigUpdated(name, path, accessKey, secretKey string) string {
 	resources := []string{
 		fmt.Sprintf(`
 resource "vault_aws_secret_backend" "test" {
@@ -386,8 +409,20 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes
 			testAccAWSSecretBackendRolePolicyArn_updated,
 			testAccAWSSecretBackendRolePermissionsBoundaryArn_updated,
 			testAccAWSSecretBackendRoleIamUserPath_updated,
-			testAccAWSSecretBackendRoleIamTag_key_updated,
-			testAccAWSSecretBackendRoleIamTag_value_updated),
+			"key2",
+			"value2"),
+		fmt.Sprintf(`
+resource "vault_aws_secret_backend_role" "test_assumed_role_session_tags" {
+  name = "%s-session-tags"
+  role_arns = ["%s"]
+  credential_type = "assumed_role"
+  backend = vault_aws_secret_backend.test.path
+  external_id = "ext2"
+  session_tags = {
+	"key1" = "value1"
+  }
+}
+`, name, testAccAWSSecretBackendRoleRoleArn_basic),
 	}
 	return strings.Join(resources, "\n")
 }

website/docs/r/aws_secret_backend_role.html.md

@@ -93,6 +93,13 @@ The following arguments are supported:
 * `iam_tags` (Optional) - A map of strings representing key/value pairs
   to be used as tags for any IAM user that is created by this role.
 
+* `session_tags` (Optional) - A map of strings representing key/value pairs to be set
+  during assume role creds creation. Valid only when `credential_type` is set to 
+  `assumed_role`.
+
+* `external_id` (Optional) - External ID to set for assume role creds. 
+  Valid only when `credential_type` is set to `assumed_role`.
+
 * `default_sts_ttl` - (Optional) The default TTL in seconds for STS credentials.
   When a TTL is not specified when STS credentials are requested,
   and a default TTL is specified on the role,