Add state migrator in secrets/auth mounts for disable_remount param…

…eter (#2037)

CHANGELOG.md

@@ -9,6 +9,7 @@ BUGS:
 * Fix panic when setting `key_usage` to an array of empty string and enable it to unset the key usage constraints: ([#2036](https://github.com/hashicorp/terraform-provider-vault/pull/2036))
 * Add state migrator for `external_member_group_ids`  in Identity Group ([#2043](https://github.com/hashicorp/terraform-provider-vault/pull/2043))
 * Fix drift detection for the kv-v2 secrets resource when `disable_read` is enabled: ([#2039](https://github.com/hashicorp/terraform-provider-vault/pull/2039))
+* Add state migrator in secrets/auth backends for `disable_remount` parameter ([#2037](https://github.com/hashicorp/terraform-provider-vault/pull/2037))
 
 IMPROVEMENTS:
 * Ensure sensitive values are masked in `vault_approle_auth_backend_login` plan output ([#2008](https://github.com/hashicorp/terraform-provider-vault/pull/2008))

internal/provider/schema_util.go

@@ -4,6 +4,7 @@
 package provider
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -39,7 +40,7 @@ func mustAddSchema(k string, s *schema.Schema, d map[string]*schema.Schema) {
 	d[k] = s
 }
 
-func MustAddMountMigrationSchema(r *schema.Resource) *schema.Resource {
+func MustAddMountMigrationSchema(r *schema.Resource, customStateUpgrade bool) *schema.Resource {
 	MustAddSchema(r, map[string]*schema.Schema{
 		consts.FieldDisableRemount: {
 			Type:     schema.TypeBool,
@@ -50,6 +51,18 @@ func MustAddMountMigrationSchema(r *schema.Resource) *schema.Resource {
 		},
 	})
 
+	if !customStateUpgrade {
+		// Enable disable_remount default state upgrade
+		// Since we are adding a new boolean parameter that is expected
+		// to be set to a default upon upgrading, we update the TF state
+		// and set disable_remount to 'false' ONLY if it was previously 'nil'
+		//
+		// This case should only occur when upgrading from a version that
+		// does not support the disable_remount parameter (<v3.9.0)
+		r.StateUpgraders = defaultDisableRemountStateUpgraders()
+		r.SchemaVersion = 1
+	}
+
 	return r
 }
 
@@ -70,3 +83,37 @@ func MustAddNamespaceSchema(d map[string]*schema.Schema) {
 		mustAddSchema(k, s, d)
 	}
 }
+
+func SecretsAuthMountDisableRemountResourceV0() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			consts.FieldDisableRemount: {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+				Description: "If set, opts out of mount migration " +
+					"on path updates.",
+			},
+		},
+	}
+}
+
+func SecretsAuthMountDisableRemountUpgradeV0(
+	_ context.Context, rawState map[string]interface{}, _ interface{},
+) (map[string]interface{}, error) {
+	if rawState[consts.FieldDisableRemount] == nil {
+		rawState[consts.FieldDisableRemount] = false
+	}
+
+	return rawState, nil
+}
+
+func defaultDisableRemountStateUpgraders() []schema.StateUpgrader {
+	return []schema.StateUpgrader{
+		{
+			Version: 0,
+			Type:    SecretsAuthMountDisableRemountResourceV0().CoreConfigSchema().ImpliedType(),
+			Upgrade: SecretsAuthMountDisableRemountUpgradeV0,
+		},
+	}
+}

internal/provider/schema_util_test.go

@@ -0,0 +1,45 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package provider
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+)
+
+func TestSecretsAuthDisableRemountUpgradeV0(t *testing.T) {
+	tests := []struct {
+		name     string
+		rawState map[string]interface{}
+		want     map[string]interface{}
+		wantErr  bool
+	}{
+		{
+			name: "basic",
+			rawState: map[string]interface{}{
+				consts.FieldDisableRemount: nil,
+			},
+			want: map[string]interface{}{
+				consts.FieldDisableRemount: false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := SecretsAuthMountDisableRemountUpgradeV0(nil, tt.rawState, nil)
+
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("SecretsAuthMountDisableRemountUpgradeV0() error = %#v, wantErr %#v", err, tt.wantErr)
+				}
+			}
+
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("SecretsAuthMountDisableRemountUpgradeV0() got = %#v, want %#v", got, tt.want)
+			}
+		})
+	}
+}

vault/resource_ad_secret_backend.go

@@ -223,7 +223,7 @@ func adSecretBackendResource() *schema.Resource {
 		},
 		CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldBackend),
 		Schema:        fields,
-	})
+	}, false)
 }
 
 func createConfigResource(d *schema.ResourceData, meta interface{}) error {

vault/resource_auth_backend.go

@@ -69,7 +69,7 @@ func AuthBackendResource() *schema.Resource {
 
 			"tune": authMountTuneSchema(),
 		},
-	})
+	}, false)
 }
 
 func authBackendWrite(d *schema.ResourceData, meta interface{}) error {

vault/resource_aws_secret_backend.go

@@ -106,7 +106,7 @@ func awsSecretBackendResource() *schema.Resource {
 				Description: "Specifies if the secret backend is local only",
 			},
 		},
-	})
+	}, false)
 }
 
 func getMountCustomizeDiffFunc(field string) schema.CustomizeDiffFunc {

vault/resource_azure_secret_backend.go

@@ -87,7 +87,7 @@ func azureSecretBackendResource() *schema.Resource {
 				Description: "The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud.",
 			},
 		},
-	})
+	}, false)
 }
 
 func azureSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {

vault/resource_consul_secret_backend.go

@@ -113,7 +113,7 @@ func consulSecretBackendResource() *schema.Resource {
 				Description: "Specifies if the secret backend is local only",
 			},
 		},
-	})
+	}, false)
 }
 
 func consulSecretBackendCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {

vault/resource_gcp_auth_backend.go

@@ -94,7 +94,7 @@ func gcpAuthBackendResource() *schema.Resource {
 				Description: "The accessor of the auth backend",
 			},
 		},
-	})
+	}, false)
 }
 
 func gcpAuthCustomEndpointSchema() map[string]*schema.Schema {

vault/resource_gcp_secret_backend.go

@@ -83,7 +83,7 @@ func gcpSecretBackendResource(name string) *schema.Resource {
 				Description: "Local mount flag that can be explicitly set to true to enforce local mount in HA environment",
 			},
 		},
-	})
+	}, false)
 }
 
 func gcpSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {

vault/resource_github_auth_backend.go

@@ -70,7 +70,7 @@ func githubAuthBackendResource() *schema.Resource {
 		},
 		Schema:        fields,
 		CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath),
-	})
+	}, false)
 }
 
 func githubAuthBackendCreate(d *schema.ResourceData, meta interface{}) error {

vault/resource_jwt_auth_backend.go

@@ -167,7 +167,7 @@ func jwtAuthBackendResource() *schema.Resource {
 
 			"tune": authMountTuneSchema(),
 		},
-	})
+	}, false)
 }
 
 func jwtCustomizeDiff(ctx context.Context, d *schema.ResourceDiff, meta interface{}) error {

vault/resource_kmip_secret_backend.go

@@ -110,7 +110,7 @@ func kmipSecretBackendResource() *schema.Resource {
 				Description: "Client certificate TTL in seconds",
 			},
 		},
-	})
+	}, false)
 }
 
 func kmipSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {

vault/resource_ldap_auth_backend.go

@@ -174,8 +174,15 @@ func ldapAuthBackendResource() *schema.Resource {
 	addTokenFields(fields, &addTokenFieldsConfig{})
 
 	return provider.MustAddMountMigrationSchema(&schema.Resource{
-		SchemaVersion: 1,
-
+		SchemaVersion: 2,
+		// Handle custom state upgrade case since schema version was already 1
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Version: 1,
+				Type:    provider.SecretsAuthMountDisableRemountResourceV0().CoreConfigSchema().ImpliedType(),
+				Upgrade: provider.SecretsAuthMountDisableRemountUpgradeV0,
+			},
+		},
 		CreateContext: ldapAuthBackendWrite,
 		UpdateContext: ldapAuthBackendUpdate,
 		ReadContext:   provider.ReadContextWrapper(ldapAuthBackendRead),
@@ -185,7 +192,7 @@ func ldapAuthBackendResource() *schema.Resource {
 		},
 		CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath),
 		Schema:        fields,
-	})
+	}, true)
 }
 
 func ldapAuthBackendConfigPath(path string) string {

vault/resource_ldap_secret_backend.go

@@ -130,7 +130,7 @@ func ldapSecretBackendResource() *schema.Resource {
 		},
 		CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath),
 		Schema:        fields,
-	})
+	}, false)
 
 	// Add common mount schema to the resource
 	provider.MustAddSchema(resource, getMountSchema("path", "type"))

vault/resource_nomad_secret_backend.go

@@ -107,7 +107,7 @@ func nomadSecretAccessBackendResource() *schema.Resource {
 			State: schema.ImportStatePassthrough,
 		},
 		Schema: fields,
-	})
+	}, false)
 }
 
 func createNomadAccessConfigResource(d *schema.ResourceData, meta interface{}) error {

vault/resource_okta_auth_backend.go

@@ -215,7 +215,7 @@ func oktaAuthBackendResource() *schema.Resource {
 				Description: "The mount accessor related to the auth mount.",
 			},
 		},
-	})
+	}, false)
 }
 
 func normalizeOktaTTL(i interface{}) string {

vault/resource_rabbitmq_secret_backend.go

@@ -91,7 +91,7 @@ func rabbitMQSecretBackendResource() *schema.Resource {
 				Description: "Template describing how dynamic usernames are generated.",
 			},
 		},
-	})
+	}, false)
 }
 
 func rabbitMQSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {

vault/resource_terraform_cloud_secret_backend.go

@@ -77,7 +77,7 @@ func terraformCloudSecretBackendResource() *schema.Resource {
 				Description: "Maximum possible lease duration for secrets in seconds",
 			},
 		},
-	})
+	}, false)
 }
 
 func terraformCloudSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {