diff --git a/vault/auth_token.go b/vault/auth_token.go index de430a62b1..cc48aed491 100644 --- a/vault/auth_token.go +++ b/vault/auth_token.go @@ -11,7 +11,7 @@ func commonTokenFields() []string { return []string{ "token_bound_cidrs", "token_explicit_max_ttl", - "token_no_default_policy", + "token_max_ttl", "token_no_default_policy", "token_period", "token_policies", @@ -22,16 +22,23 @@ func commonTokenFields() []string { } type addTokenFieldsConfig struct { - TokenBoundCidrsConflict []string - TokenMaxTTLConflict []string - TokenNumUsesConflict []string - TokenPeriodConflict []string - TokenPoliciesConflict []string - TokenTTLConflict []string + TokenBoundCidrsConflict []string + TokenExplicitMaxTTLConflict []string + TokenMaxTTLConflict []string + TokenNumUsesConflict []string + TokenPeriodConflict []string + TokenPoliciesConflict []string + TokenTTLConflict []string + + TokenTypeDefault string } // Common field schemas for Auth Backends func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConfig) { + if config.TokenTypeDefault == "" { + config.TokenTypeDefault = "default" + } + fields["token_bound_cidrs"] = &schema.Schema{ Type: schema.TypeSet, Elem: &schema.Schema{ @@ -39,21 +46,19 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf }, Description: "Specifies the blocks of IP addresses which are allowed to use the generated token", Optional: true, - Computed: true, } fields["token_explicit_max_ttl"] = &schema.Schema{ - Type: schema.TypeInt, - Description: "Generated Token's Explicit Maximum TTL in seconds", - Optional: true, - Computed: true, + Type: schema.TypeInt, + Description: "Generated Token's Explicit Maximum TTL in seconds", + Optional: true, + ConflictsWith: config.TokenExplicitMaxTTLConflict, } fields["token_max_ttl"] = &schema.Schema{ Type: schema.TypeInt, Description: "The maximum lifetime of the generated token", Optional: true, - Computed: true, ConflictsWith: config.TokenMaxTTLConflict, } @@ -61,21 +66,18 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf Type: schema.TypeBool, Description: "If true, the 'default' policy will not automatically be added to generated tokens", Optional: true, - Computed: true, } fields["token_period"] = &schema.Schema{ Type: schema.TypeInt, Description: "Generated Token's Period", Optional: true, - Computed: true, ConflictsWith: config.TokenPeriodConflict, } fields["token_policies"] = &schema.Schema{ Type: schema.TypeSet, Optional: true, - Computed: true, Elem: &schema.Schema{ Type: schema.TypeString, }, @@ -87,14 +89,13 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf Type: schema.TypeString, Description: "The type of token to generate, service or batch", Optional: true, - Computed: true, + Default: config.TokenTypeDefault, } fields["token_ttl"] = &schema.Schema{ Type: schema.TypeInt, Description: "The initial ttl of the token to generate in seconds", Optional: true, - Computed: true, ConflictsWith: config.TokenTTLConflict, } @@ -102,11 +103,93 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf Type: schema.TypeInt, Description: "The maximum number of times a token may be used, a value of zero means unlimited", Optional: true, - Computed: true, ConflictsWith: config.TokenNumUsesConflict, } } +func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config *addTokenFieldsConfig) { + data["token_no_default_policy"] = d.Get("token_no_default_policy").(bool) + data["token_type"] = d.Get("token_type").(string) + + conflicted := false + for _, k := range config.TokenExplicitMaxTTLConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_explicit_max_ttl"] = d.Get("token_explicit_max_ttl").(int) + } + + conflicted = false + for _, k := range config.TokenMaxTTLConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_max_ttl"] = d.Get("token_max_ttl").(int) + } + + conflicted = false + for _, k := range config.TokenPeriodConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_period"] = d.Get("token_period").(int) + } + + conflicted = false + for _, k := range config.TokenPoliciesConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_policies"] = d.Get("token_policies").(*schema.Set).List() + } + + conflicted = false + for _, k := range config.TokenTTLConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_ttl"] = d.Get("token_ttl").(int) + } + + conflicted = false + for _, k := range config.TokenNumUsesConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_num_uses"] = d.Get("token_num_uses").(int) + } + + conflicted = false + for _, k := range config.TokenBoundCidrsConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + if !conflicted { + data["token_bound_cidrs"] = d.Get("token_bound_cidrs").(*schema.Set).List() + } + +} + func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, create bool) { if create { if v, ok := d.GetOk("token_bound_cidrs"); ok { diff --git a/vault/resource_github_team.go b/vault/resource_github_team.go index 554dac2a04..fec1eb4f91 100644 --- a/vault/resource_github_team.go +++ b/vault/resource_github_team.go @@ -9,6 +9,12 @@ import ( "github.com/hashicorp/vault/api" ) +func githubTeamTokenConfig() *addTokenFieldsConfig { + return &addTokenFieldsConfig{ + TokenPoliciesConflict: []string{"policies"}, + } +} + func githubTeamResource() *schema.Resource { fields := map[string]*schema.Schema{ "backend": { @@ -39,9 +45,7 @@ func githubTeamResource() *schema.Resource { }, } - addTokenFields(fields, &addTokenFieldsConfig{ - TokenPoliciesConflict: []string{"policies"}, - }) + addTokenFields(fields, githubTeamTokenConfig()) return &schema.Resource{ Create: githubTeamCreate, @@ -56,8 +60,7 @@ func githubTeamResource() *schema.Resource { } func githubTeamUpdateFields(d *schema.ResourceData, data map[string]interface{}) error { - // Always in "create" mode because this endpoint unsets fields that are omitted during updates - updateTokenFields(d, data, true) + setTokenFields(d, data, githubTeamTokenConfig()) data["key"] = d.Get("team").(string) if v, ok := d.GetOk("policies"); ok { diff --git a/vault/resource_github_user.go b/vault/resource_github_user.go index 312edea78f..ae9e6a8f27 100644 --- a/vault/resource_github_user.go +++ b/vault/resource_github_user.go @@ -9,6 +9,12 @@ import ( "github.com/hashicorp/vault/api" ) +func githubUserTokenConfig() *addTokenFieldsConfig { + return &addTokenFieldsConfig{ + TokenPoliciesConflict: []string{"policies"}, + } +} + func githubUserResource() *schema.Resource { fields := map[string]*schema.Schema{ "backend": { @@ -38,9 +44,7 @@ func githubUserResource() *schema.Resource { }, } - addTokenFields(fields, &addTokenFieldsConfig{ - TokenPoliciesConflict: []string{"policies"}, - }) + addTokenFields(fields, githubUserTokenConfig()) return &schema.Resource{ Create: githubUserCreate, @@ -55,8 +59,7 @@ func githubUserResource() *schema.Resource { } func githubUserUpdateFields(d *schema.ResourceData, data map[string]interface{}) error { - // Always in "create" mode because this endpoint unsets fields that are omitted during updates - updateTokenFields(d, data, true) + setTokenFields(d, data, githubUserTokenConfig()) data["key"] = d.Get("user").(string) if v, ok := d.GetOk("policies"); ok { diff --git a/vault/resource_jwt_auth_backend_role.go b/vault/resource_jwt_auth_backend_role.go index 7ffeaf93c0..fac291dce0 100644 --- a/vault/resource_jwt_auth_backend_role.go +++ b/vault/resource_jwt_auth_backend_role.go @@ -155,7 +155,7 @@ func jwtAuthBackendRoleResource() *schema.Resource { TokenNumUsesConflict: []string{"num_uses"}, TokenPeriodConflict: []string{"period", "ttl", "token_ttl"}, TokenPoliciesConflict: []string{"policies"}, - TokenTTLConflict: []string{"ttl", "period", "token_ttl"}, + TokenTTLConflict: []string{"ttl", "period", "token_period"}, }) return &schema.Resource{ diff --git a/vault/resource_token_auth_backend_role.go b/vault/resource_token_auth_backend_role.go index ec44a8c6b7..fe951a79fe 100644 --- a/vault/resource_token_auth_backend_role.go +++ b/vault/resource_token_auth_backend_role.go @@ -18,7 +18,92 @@ func tokenAuthBackendRoleEmptyStringSet() (interface{}, error) { return []string{}, nil } +func tokenAuthBackendRoleTokenConfig() *addTokenFieldsConfig { + return &addTokenFieldsConfig{ + TokenBoundCidrsConflict: []string{"bound_cidrs"}, + TokenExplicitMaxTTLConflict: []string{"explicit_max_ttl"}, + TokenPeriodConflict: []string{"period", "token_ttl"}, + TokenTTLConflict: []string{"period", "token_period"}, + + TokenTypeDefault: "default-service", + } +} + func tokenAuthBackendRoleResource() *schema.Resource { + fields := map[string]*schema.Schema{ + "role_name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "Name of the role.", + }, + "allowed_policies": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + DefaultFunc: tokenAuthBackendRoleEmptyStringSet, + Description: "List of allowed policies for given role.", + }, + "disallowed_policies": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + DefaultFunc: tokenAuthBackendRoleEmptyStringSet, + Description: "List of disallowed policies for given role.", + }, + "orphan": { + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "If true, tokens created against this policy will be orphan tokens.", + }, + + "renewable": { + Type: schema.TypeBool, + Optional: true, + Default: true, + Description: "Whether to disable the ability of the token to be renewed past its initial TTL.", + }, + "path_suffix": { + Type: schema.TypeString, + Optional: true, + Default: "", + Description: "Tokens created against this role will have the given suffix as part of their path in addition to the role name.", + }, + + // Deprecated + "period": { + Type: schema.TypeString, + Optional: true, + Description: "Number of seconds to set the TTL to for issued tokens upon renewal. Makes the token a periodic token, which will never expire as long as it is renewed before the TTL each period.", + ConflictsWith: []string{"token_period", "token_ttl"}, + Deprecated: "use `token_period` instead", + }, + "explicit_max_ttl": { + Type: schema.TypeString, + Optional: true, + Description: "Number of seconds after which issued tokens can no longer be renewed.", + Deprecated: "use `token_explicit_max_ttl` instead", + ConflictsWith: []string{"token_explicit_max_ttl"}, + }, + "bound_cidrs": { + Type: schema.TypeSet, + Optional: true, + Description: "List of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + Deprecated: "use `token_bound_cidrs` instead", + ConflictsWith: []string{"token_bound_cidrs"}, + }, + } + + addTokenFields(fields, tokenAuthBackendRoleTokenConfig()) + return &schema.Resource{ Create: tokenAuthBackendRoleCreate, Read: tokenAuthBackendRoleRead, @@ -28,91 +113,30 @@ func tokenAuthBackendRoleResource() *schema.Resource { Importer: &schema.ResourceImporter{ State: schema.ImportStatePassthrough, }, - - Schema: map[string]*schema.Schema{ - "role_name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: "Name of the role.", - }, - "allowed_policies": { - Type: schema.TypeSet, - Optional: true, - Elem: &schema.Schema{ - Type: schema.TypeString, - }, - DefaultFunc: tokenAuthBackendRoleEmptyStringSet, - Description: "List of allowed policies for given role.", - }, - "disallowed_policies": { - Type: schema.TypeSet, - Optional: true, - Elem: &schema.Schema{ - Type: schema.TypeString, - }, - DefaultFunc: tokenAuthBackendRoleEmptyStringSet, - Description: "List of disallowed policies for given role.", - }, - "orphan": { - Type: schema.TypeBool, - Optional: true, - Default: false, - Description: "If true, tokens created against this policy will be orphan tokens.", - }, - "period": { - Type: schema.TypeString, - Optional: true, - Default: "0", - Description: "The duration in which a token should be renewed. At each renewal, the token's TTL will be set to the value of this parameter.", - }, - "renewable": { - Type: schema.TypeBool, - Optional: true, - Default: true, - Description: "Whether to disable the ability of the token to be renewed past its initial TTL.", - }, - "explicit_max_ttl": { - Type: schema.TypeString, - Optional: true, - Default: "0", - Description: "If set, the token will have an explicit max TTL set upon it.", - }, - "path_suffix": { - Type: schema.TypeString, - Optional: true, - Default: "", - Description: "Tokens created against this role will have the given suffix as part of their path in addition to the role name.", - }, - "bound_cidrs": { - Type: schema.TypeSet, - Elem: &schema.Schema{ - Type: schema.TypeString, - }, - Optional: true, - DefaultFunc: tokenAuthBackendRoleEmptyStringSet, - Description: "If set, restricts usage of the generated token to client IPs falling within the range of the specified CIDR(s).", - }, - "token_type": { - Type: schema.TypeString, - Optional: true, - Default: "default-service", - Description: "Specifies the type of tokens that should be returned by the role. If either service or batch is specified, that kind of token will always be returned.", - }, - }, + Schema: fields, } } func tokenAuthBackendRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}) { + setTokenFields(d, data, tokenAuthBackendRoleTokenConfig()) + data["allowed_policies"] = d.Get("allowed_policies").(*schema.Set).List() data["disallowed_policies"] = d.Get("disallowed_policies").(*schema.Set).List() - data["explicit_max_ttl"] = d.Get("explicit_max_ttl").(string) data["orphan"] = d.Get("orphan").(bool) - data["period"] = d.Get("period").(string) data["renewable"] = d.Get("renewable").(bool) data["path_suffix"] = d.Get("path_suffix").(string) - data["bound_cidrs"] = d.Get("bound_cidrs").(*schema.Set).List() data["token_type"] = d.Get("token_type").(string) + + // Deprecated + if v, ok := d.GetOk("period"); ok { + data["period"] = v.(string) + } + if v, ok := d.GetOk("explicit_max_ttl"); ok { + data["explicit_max_ttl"] = v.(string) + } + if v, ok := d.GetOk("bound_cidrs"); ok { + data["bound_cidrs"] = v.(*schema.Set).List() + } } func tokenAuthBackendRoleCreate(d *schema.ResourceData, meta interface{}) error { @@ -160,9 +184,50 @@ func tokenAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error { return nil } + readTokenFields(d, resp) + d.Set("role_name", roleName) - for _, k := range []string{"allowed_policies", "disallowed_policies", "orphan", "period", "explicit_max_ttl", "path_suffix", "renewable", "bound_cidrs", "token_type"} { + // Check if the user is using the deprecated `period` + if _, deprecated := d.GetOk("period"); deprecated { + // Then we see if `token_period` was set and unset it + // Vault will still return `period` + if _, ok := d.GetOk("token_period"); ok { + d.Set("token_period", nil) + } + + if v, ok := resp.Data["period"]; ok { + d.Set("period", v) + } + } + + // Check if the user is using the deprecated `period` + if _, deprecated := d.GetOk("explicit_max_ttl"); deprecated { + // Then we see if `token_explicit_max_ttl` was set and unset it + // Vault will still return `explicit_max_ttl` + if _, ok := d.GetOk("token_explicit_max_ttl"); ok { + d.Set("token_explicit_max_ttl", nil) + } + + if v, ok := resp.Data["explicit_max_ttl"]; ok { + d.Set("explicit_max_ttl", v) + } + } + + // Check if the user is using the deprecated `bound_cidrs` + if _, deprecated := d.GetOk("bound_cidrs"); deprecated { + // Then we see if `token_bound_cidrs` was set and unset it + // Vault will still return `bound_cidrs` + if _, ok := d.GetOk("token_bound_cidrs"); ok { + d.Set("token_bound_cidrs", nil) + } + + if v, ok := resp.Data["bound_cidrs"]; ok { + d.Set("bound_cidrs", v) + } + } + + for _, k := range []string{"allowed_policies", "disallowed_policies", "orphan", "path_suffix", "renewable"} { if err := d.Set(k, resp.Data[k]); err != nil { return fmt.Errorf("error reading %s for Token auth backend role %q: %q", k, path, err) } diff --git a/vault/resource_token_auth_backend_role_test.go b/vault/resource_token_auth_backend_role_test.go index 49a152e0a7..6d3e1b180d 100644 --- a/vault/resource_token_auth_backend_role_test.go +++ b/vault/resource_token_auth_backend_role_test.go @@ -73,12 +73,12 @@ func TestAccTokenAuthBackendRoleUpdate(t *testing.T) { resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.#", "1"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.1971754988", "default"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "orphan", "true"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "period", "86400"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_period", "86400"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "renewable", "false"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "explicit_max_ttl", "115200"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_explicit_max_ttl", "115200"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "path_suffix", "parth-suffix"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.#", "1"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.217649824", "0.0.0.0/0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_bound_cidrs.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_bound_cidrs.217649824", "0.0.0.0/0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_type", "default-batch"), ), }, @@ -94,12 +94,12 @@ func TestAccTokenAuthBackendRoleUpdate(t *testing.T) { resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.#", "1"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.1971754988", "default"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "orphan", "true"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "period", "86400"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_period", "86400"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "renewable", "false"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "explicit_max_ttl", "115200"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_explicit_max_ttl", "115200"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "path_suffix", "parth-suffix"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.#", "1"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.217649824", "0.0.0.0/0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_bound_cidrs.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_bound_cidrs.217649824", "0.0.0.0/0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_type", "default-batch"), ), }, @@ -111,11 +111,11 @@ func TestAccTokenAuthBackendRoleUpdate(t *testing.T) { resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.#", "0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.#", "0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "orphan", "false"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "period", "0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_period", "0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "renewable", "true"), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "explicit_max_ttl", "0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_explicit_max_ttl", "0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "path_suffix", ""), - resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.#", "0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_bound_cidrs.#", "0"), resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_type", "default-service"), ), }, @@ -123,6 +123,58 @@ func TestAccTokenAuthBackendRoleUpdate(t *testing.T) { }) } +func TestAccTokenAuthBackendRoleDeprecated(t *testing.T) { + role := acctest.RandomWithPrefix("test-role") + roleUpdated := acctest.RandomWithPrefix("test-role-updated") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testProviders, + CheckDestroy: testAccCheckTokenAuthBackendRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccTokenAuthBackendRoleConfigDeprecated(role), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "role_name", role), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.#", "2"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.326271447", "dev"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.1785148924", "test"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.1971754988", "default"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "orphan", "true"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "period", "86400"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "renewable", "false"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "explicit_max_ttl", "115200"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "path_suffix", "parth-suffix"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.217649824", "0.0.0.0/0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_type", "default-batch"), + ), + }, + { + Config: testAccTokenAuthBackendRoleConfigDeprecated(roleUpdated), + Check: resource.ComposeTestCheckFunc( + testAccTokenAuthBackendRoleCheck_deleted(role), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "role_name", roleUpdated), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.#", "2"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.326271447", "dev"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "allowed_policies.1785148924", "test"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "disallowed_policies.1971754988", "default"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "orphan", "true"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "period", "86400"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "renewable", "false"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "explicit_max_ttl", "115200"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "path_suffix", "parth-suffix"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.#", "1"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "bound_cidrs.217649824", "0.0.0.0/0"), + resource.TestCheckResourceAttr("vault_token_auth_backend_role.role", "token_type", "default-batch"), + ), + }, + }, + }) +} + func testAccCheckTokenAuthBackendRoleDestroy(s *terraform.State) error { client := testProvider.Meta().(*api.Client) @@ -187,17 +239,18 @@ func testAccTokenAuthBackendRoleCheck_attrs(role string) resource.TestCheckFunc } attrs := map[string]string{ - "role_name": "name", - "allowed_policies": "allowed_policies", - "disallowed_policies": "disallowed_policies", - "orphan": "orphan", - "period": "period", - "explicit_max_ttl": "explicit_max_ttl", - "path_suffix": "path_suffix", - "renewable": "renewable", - "bound_cidrs": "bound_cidrs", - "token_type": "token_type", + "role_name": "name", + "allowed_policies": "allowed_policies", + "disallowed_policies": "disallowed_policies", + "orphan": "orphan", + "token_period": "token_period", + "token_explicit_max_ttl": "token_explicit_max_ttl", + "path_suffix": "path_suffix", + "renewable": "renewable", + "token_bound_cidrs": "token_bound_cidrs", + "token_type": "token_type", } + for stateAttr, apiAttr := range attrs { if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" { continue @@ -276,6 +329,22 @@ resource "vault_token_auth_backend_role" "role" { func testAccTokenAuthBackendRoleConfigUpdate(role string) string { return fmt.Sprintf(` +resource "vault_token_auth_backend_role" "role" { + role_name = "%s" + allowed_policies = ["dev", "test"] + disallowed_policies = ["default"] + orphan = true + token_period = "86400" + renewable = false + token_explicit_max_ttl = "115200" + path_suffix = "parth-suffix" + token_bound_cidrs = ["0.0.0.0/0"] + token_type = "default-batch" +}`, role) +} + +func testAccTokenAuthBackendRoleConfigDeprecated(role string) string { + return fmt.Sprintf(` resource "vault_token_auth_backend_role" "role" { role_name = "%s" allowed_policies = ["dev", "test"]