diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb0fd4e04f..5a68d780e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ IMPROVEMENTS:
 * `resource/vault_audit `: added support for local mount to prevent replicating the audit backend ([#915](https://github.com/terraform-providers/terraform-provider-vault/pull/915))
+* `resource/vault_identity_oidc_role`: `client_id` parameter can optionally be configured ([#815](https://github.com/terraform-providers/terraform-provider-vault/pull/815)).
 BUG FIXES:
diff --git a/vault/resource_identity_oidc_role.go b/vault/resource_identity_oidc_role.go
index e6c06614e4..286941b4d4 100644
--- a/vault/resource_identity_oidc_role.go
+++ b/vault/resource_identity_oidc_role.go
@@ -53,6 +53,7 @@ func identityOidcRole() *schema.Resource {
 Type: schema.TypeString,
 Description: "The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role",
 Computed: true,
+ Optional: true,
 },
 },
 }
@@ -60,6 +61,7 @@ func identityOidcRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}) {
 data["key"] = d.Get("key").(string)
+ data["client_id"] = d.Get("client_id").(string)
 data["template"] = d.Get("template").(string)
 data["ttl"] = d.Get("ttl").(int)
 }
diff --git a/vault/resource_identity_oidc_role_test.go b/vault/resource_identity_oidc_role_test.go
index 09ba99a341..56a320426f 100644
--- a/vault/resource_identity_oidc_role_test.go
+++ b/vault/resource_identity_oidc_role_test.go
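Review bot: The `client_id` schema entry, now `Optional` on top of `Computed`, still documents only that the value ends up in the `aud` claim; since `aud` is what a relying party checks to decide whether a token was minted for it, the Description should also state what happens when the attribute is omitted. I would append to the Description: `If not set, Vault assigns a value which is then kept in state; relying parties should validate the token's aud claim against this value.` As far as I can tell from SDK Optional+Computed semantics, removing `client_id` from configuration later will not clear or regenerate it — the last known value stays in state and is re-sent on update — and that is worth a sentence in the resource docs as well; confirm against the Vault identity OIDC role API before asserting it. identityOidcRole's body starts before this hunk.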
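Review bot: The added `data["client_id"] = d.Get("client_id").(string)` sends `client_id: ""` to Vault on create whenever the operator did not configure one, because a Computed attribute reads as the zero value until state exists. That depends on Vault treating an empty string as "assign one" rather than as a literal empty audience, which this hunk cannot confirm. Omitting the key when it is unset avoids the question: `if v, ok := d.GetOk("client_id"); ok { data["client_id"] = v.(string) }`, which sends the value only when configured or already known from state. An acceptance check that a role created without `client_id` ends up with a non-empty one would pin the intended behaviour. identityOidcRoleUpdateFields's signature line lies outside the hunk.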
@@ -44,8 +44,39 @@ func TestAccIdentityOidcRole(t *testing.T) {
 })
 }
+func TestAccIdentityOidcRoleWithClientId(t *testing.T) {
+ name := acctest.RandomWithPrefix("test-role")
+ clientId := acctest.RandomWithPrefix("test-client-id")
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testProviders,
+ CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
+ Check: resource.ComposeTestCheckFunc(
+ testAccIdentityOidcRoleCheckAttrs(),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
+ ),
+ },
+ {
+ ResourceName: "vault_identity_oidc_role.role",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func TestAccIdentityOidcRoleUpdate(t *testing.T) {
 name := acctest.RandomWithPrefix("test-role")
+ clientId := acctest.RandomWithPrefix("test-client-id")
+ updateClientId := acctest.RandomWithPrefix("test-update-client-id")
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testAccPreCheck(t) },
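Review bot: TestAccIdentityOidcRoleWithClientId only proves that an explicitly configured `client_id` round-trips through state and import; nothing in this hunk exercises the Computed path, i.e. that a role created without `client_id` receives a non-empty Vault-assigned value and that the value survives import. If TestAccIdentityOidcRole (above, outside this hunk) does not already do so, add `resource.TestCheckResourceAttrSet("vault_identity_oidc_role.role", "client_id")` to its check list. As a point of style, Go initialism convention would spell the locals `clientID` and `updateClientID` rather than `clientId`/`updateClientId`. TestAccIdentityOidcRoleUpdate continues past the end of this hunk.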
@@ -53,26 +84,28 @@ func TestAccIdentityOidcRoleUpdate(t *testing.T) {
 CheckDestroy: testAccCheckIdentityOidcRoleDestroy,
 Steps: []resource.TestStep{
 {
- Config: testAccIdentityOidcRoleConfig(name),
+ Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 Check: testAccIdentityOidcRoleCheckAttrs(),
 },
 {
- Config: testAccIdentityOidcRoleConfigUpdate(name),
+ Config: testAccIdentityOidcRoleConfigUpdate(name, updateClientId),
 Check: resource.ComposeTestCheckFunc(
 testAccIdentityOidcRoleCheckAttrs(),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", fmt.Sprintf("%s\n", testAccIdentityOidcRoleTemplate)),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", updateClientId),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "3600"),
 ),
 },
 {
- Config: testAccIdentityOidcRoleConfig(name),
+ Config: testAccIdentityOidcRoleWithClientIdConfig(name, clientId),
 Check: resource.ComposeTestCheckFunc(
 testAccIdentityOidcRoleCheckAttrs(),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "name", name),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "key", name),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "template", ""),
+ resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "client_id", clientId),
 resource.TestCheckResourceAttr("vault_identity_oidc_role.role", "ttl", "86400"),
 ),
 },
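Review bot: Switching the first step from `testAccIdentityOidcRoleConfig(name)` to `testAccIdentityOidcRoleWithClientIdConfig(name, clientId)` drops the one transition this update test used to be able to cover, from a Vault-assigned `client_id` to an operator-chosen one, which is the interaction most worth checking now that the attribute is both Optional and Computed. I would keep step 1 on `testAccIdentityOidcRoleConfig(name)` with `resource.TestCheckResourceAttrSet("vault_identity_oidc_role.role", "client_id")` added to its Check, and let steps 2 and 3 set `updateClientId` and `clientId` as they do now. Step 1's Check also asserts nothing about `client_id` while the later steps do; whichever config it ends up using, the expected value should be asserted there for symmetry. TestAccIdentityOidcRoleUpdate begins before this hunk.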
@@ -209,7 +242,22 @@ resource "vault_identity_oidc_role" "role" {
 `, entityName, entityName)
 }
-func testAccIdentityOidcRoleConfigUpdate(entityName string) string {
+func testAccIdentityOidcRoleWithClientIdConfig(entityName string, clientId string) string {
+ return fmt.Sprintf(`
+resource "vault_identity_oidc_key" "key" {
+ name = "%s"
+ algorithm = "RS256"
+}
+
+resource "vault_identity_oidc_role" "role" {
+ name = "%s"
+ key = vault_identity_oidc_key.key.name
+ client_id = "%s"
+}
+`, entityName, entityName, clientId)
+}
+
+func testAccIdentityOidcRoleConfigUpdate(entityName string, clientId string) string {
 return fmt.Sprintf(`
 resource "vault_identity_oidc_key" "key" {
 name = "%s"
@@ -219,10 +267,11 @@ resource "vault_identity_oidc_key" "key" {
 resource "vault_identity_oidc_role" "role" {
 name = "%s"
 key = vault_identity_oidc_key.key.name
+ client_id = "%s"
 template = <