From c48f526d5c9df36a919889c949ac18c53278c6b5 Mon Sep 17 00:00:00 2001
From: Ian Ferguson
Date: Mon, 14 Dec 2020 15:29:13 -0500
Subject: [PATCH] Allow client_id to be configured on vault_identity_oidc_role resources (#815)

Output of integration tests:

```
> pwd
/Users/ian.ferguson/git/terraform-provider-vault/vault
> env TF_ACC=true go test ./ -run 'TestAccIdentityOidcRole.*' -v
=== RUN TestAccIdentityOidcRole
--- PASS: TestAccIdentityOidcRole (0.24s)
=== RUN TestAccIdentityOidcRoleWithClientId
--- PASS: TestAccIdentityOidcRoleWithClientId (0.24s)
=== RUN TestAccIdentityOidcRoleUpdate
--- PASS: TestAccIdentityOidcRoleUpdate (0.40s)
PASS
ok github.com/terraform-providers/terraform-provider-vault/vault (cached)
```
---
 vault/resource_identity_oidc_role.go | 2 +
 vault/resource_identity_oidc_role_test.go | 59 +++++++++++++++++++++--
 website/docs/r/identity_oidc_role.html.md | 6 +--
 3 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/vault/resource_identity_oidc_role.go b/vault/resource_identity_oidc_role.go
index e6c06614e..286941b4d 100644
--- a/vault/resource_identity_oidc_role.go
+++ b/vault/resource_identity_oidc_role.go
@@ -53,6 +53,7 @@ func identityOidcRole() *schema.Resource {
 				Type: schema.TypeString,
 				Description: "The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role",
 				Computed: true,
+				Optional: true,
 			},
 		},
 	}
@@ -60,6 +61,7 @@ func identityOidcRole() *schema.Resource {
 func identityOidcRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}) {
 	data["key"] = d.Get("key").(string)
+	data["client_id"] = d.Get("client_id").(string)
 	data["template"] = d.Get("template").(string)
 	data["ttl"] = d.Get("ttl").(int)
 }
diff --git a/vault/resource_identity_oidc_role_test.go b/vault/resource_identity_oidc_role_test.go
index 09ba99a34..56a320426 100644
--- a/vault/resource_identity_oidc_role_test.go
+++ b/vault/resource_identity_oidc_role_test.go
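Review bot: The `client_id` schema entry now accepts a caller-supplied value, but its Description still reads as if the field were read-only and says nothing about what happens when it is omitted. Because the attribute stays `Computed: true`, the provider evidently expects Vault to fill the value in when it is unset and to read it back; I would state that, e.g. `Description: "... Optional; if unset, Vault assigns a value and it is read back into state",`. Since this value becomes the token audience, a sentence warning that reusing one `client_id` across roles lets tokens issued under either role satisfy the other's `aud` check at a relying party that validates only audience and signing key would also be worth adding — presumably the reason Vault generates a random one by default. The enclosing `identityOidcRole` function starts before this hunk.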
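Review bot: `identityOidcRoleUpdateFields` now puts `client_id` into every write request, so on create with no configured value the provider sends an empty string and relies on Vault treating `""` as "generate one"; on a later update of an Optional+Computed attribute `d.Get` should return the prior state value, but that correctness rests on SDK plan behaviour rather than on anything visible in this function. Sending the key only when a value is actually present avoids depending on Vault's handling of empty strings and documents the intent: `if v, ok := d.GetOk("client_id"); ok { data["client_id"] = v.(string) }`. A one-line comment above it, such as `// client_id is optional; omit it so Vault keeps or generates the value`, would make the contract explicit for the next maintainer. The function is shown in full here; its callers are outside the hunk.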
@@ -44,8 +44,39 @@ func TestAccIdentityOidcRole(t *testing.T) {
 	})
 }
 
+func TestAccIdentityOidcRoleWithClientId(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-role")
+	clientId := acctest.RandomWithPrefix("test-client-id")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { testAccPreCheck(t) },
+		Providers: testProviders,
+		CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
+				Check: resource.ComposeTestCheckFunc(
+					testAccIdentityOidcRoleCheckAttrs(),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
+				),
+			},
+			{
+				ResourceName: "vault_identity_oidc_role.role",
+				ImportState: true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccIdentityOidcRoleUpdate(t *testing.T) {
 	name := acctest.RandomWithPrefix("test-role")
+	clientId := acctest.RandomWithPrefix("test-client-id")
+	updateClientId := acctest.RandomWithPrefix("test-update-client-id")
 
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() { testAccPreCheck(t) },
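Review bot: The new locals `clientId` and `updateClientId`, and the test name `TestAccIdentityOidcRoleWithClientId`, break Go's initialism convention (`clientID`, `WithClientID`), which `golint`/`staticcheck` report; the schema key `"client_id"` is a string literal and is unaffected. The rename is a one-token change at each use, e.g. `clientID := acctest.RandomWithPrefix("test-client-id")`. The `ImportStateVerify` step is a good addition, since it confirms an explicitly set `client_id` survives the read path unchanged. `TestAccIdentityOidcRoleUpdate` continues past the end of this hunk.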
@@ -53,26 +84,28 @@ func TestAccIdentityOidcRoleUpdate(t *testing.T) {
 		CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccIdentityOidcRoleConfig(name),
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 				Check: testAccIdentityOidcRoleCheckAttrs(),
 			},
 			{
-				Config: testAccIdentityOidcRoleConfigUpdate(name),
+				Config: testAccIdentityOidcRoleConfigUpdate(name, updateClientId),
 				Check: resource.ComposeTestCheckFunc(
 					testAccIdentityOidcRoleCheckAttrs(),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", fmt.Sprintf("%s\n", testAccIdentityOidcRoleTemplate)),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", updateClientId),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "3600"),
 				),
 			},
 			{
-				Config: testAccIdentityOidcRoleConfig(name),
+				Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 				Check: resource.ComposeTestCheckFunc(
 					testAccIdentityOidcRoleCheckAttrs(),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
 					resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
 				),
 			},
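Review bot: Replacing `testAccIdentityOidcRoleConfig(name)` with `testAccIdentityOidcRoleWithClientIdConfig(name, clientId)` in both the first and the last step removes the only update-path coverage of a role whose `client_id` was left unset, so the transitions most likely to misbehave with an Optional+Computed attribute — adopting an explicit value over a Vault-assigned one, and dropping the attribute again — are no longer exercised. I would keep the original config as step one (`Config: testAccIdentityOidcRoleConfig(name),` plus `resource.TestCheckResourceAttrSet("vault_identity_oidc_role.role", "client_id")`) and add a final step that returns to it, asserting the attribute is still set and, if the intent is that Vault preserves it, that it did not change. The `resource.Test` call in this function opens before the hunk and closes after it.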
@@ -209,7 +242,22 @@ resource "vault_identity_oidc_role" "role" {
 `, entityName, entityName)
 }
 
-func testAccIdentityOidcRoleConfigUpdate(entityName string) string {
+func testAccIdentityOidcRoleWithClientIdConfig(entityName string, clientId string) string {
+	return fmt.Sprintf(`
+resource "vault_identity_oidc_key" "key" {
+  name = "%s"
+  algorithm = "RS256"
+}
+
+resource "vault_identity_oidc_role" "role" {
+  name = "%s"
+  key = vault_identity_oidc_key.key.name
+  client_id = "%s"
+}
+`, entityName, entityName, clientId)
+}
+
+func testAccIdentityOidcRoleConfigUpdate(entityName string, clientId string) string {
 	return fmt.Sprintf(`
 resource "vault_identity_oidc_key" "key" {
   name = "%s"
@@ -219,10 +267,11 @@ resource "vault_identity_oidc_key" "key" {
 resource "vault_identity_oidc_role" "role" {
   name = "%s"
   key = vault_identity_oidc_key.key.name
+  client_id = "%s"
   template = <