diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go index 518c9f95e..0979259af 100644 --- a/vault/resource_aws_auth_backend_sts_role.go +++ b/vault/resource_aws_auth_backend_sts_role.go @@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error path := awsAuthBackendSTSRolePath(backend, accountID) data := map[string]interface{}{ - "sts_role": stsRole, - consts.FieldExternalID: externalID, + "sts_role": stsRole, + } + + if provider.IsAPISupported(meta, provider.VaultVersion117) { + data[consts.FieldExternalID] = externalID } log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path) @@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error { d.Set("account_id", accountID) d.Set("sts_role", resp.Data["sts_role"]) - if v, ok := resp.Data[consts.FieldExternalID]; ok { - d.Set(consts.FieldExternalID, v) + if provider.IsAPISupported(meta, provider.VaultVersion117) { + if v, ok := resp.Data[consts.FieldExternalID]; ok { + d.Set(consts.FieldExternalID, v) + } } return nil @@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error path := d.Id() data := map[string]interface{}{ - "sts_role": stsRole, - consts.FieldExternalID: externalID, + "sts_role": stsRole, + } + + if provider.IsAPISupported(meta, provider.VaultVersion117) { + data[consts.FieldExternalID] = externalID } log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index 9ae552a54..7a3db05e6 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go @@ -6,6 +6,7 @@ package vault import ( "fmt" "strconv" + "strings" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" 
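Review bot: In the Create hunk a non-empty `externalID` is silently dropped from `data` when the server is older than 1.17, so the role is written without the external ID the configuration asked for and no diagnostic is produced; external_id is the value that scopes the STS AssumeRole to the intended caller, so losing it without notice is a silent weakening of what the user configured. Reject the combination before the map is built, e.g. `if externalID != "" && !provider.IsAPISupported(meta, provider.VaultVersion117) { return fmt.Errorf("external_id requires Vault 1.17 or later") }` (if `fmt` is not imported in this file, a `log.Printf("[WARN] ...")` is the minimum, since `log` is already in scope). The Update hunk further down repeats the same gate and needs the same guard. The start of both functions, where `externalID` is presumably read from `d`, is outside these hunks.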
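Review bot: The new outer version gate in the Read hunk makes the inner `ok` check unreachable on Vault older than 1.17, which means a configured `external_id` stays in state even though the server never stored it and will never be reconciled; an older server would not return the key anyway, so the gate is about intent rather than behaviour and should say so. A comment such as `// external_id only exists on Vault >= 1.17; older servers never return it, so state keeps the configured value untouched.` above the `if` would prevent a later reader from "simplifying" it or from assuming drift in that field is detected. The returned error of the added `d.Set` is ignored like the surrounding lines, which is the file's existing pattern.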
@@ -22,8 +23,18 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") externalID := "external-id" + + importStateVerifyIgnore := make([]string, 0) + resource.Test(t, resource.TestCase{ - PreCheck: func() { testutil.TestAccPreCheck(t) }, + PreCheck: func() { + testutil.TestAccPreCheck(t) + + // Ignore external_id if Vault version is < 1.17.0. + if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { + importStateVerifyIgnore = append(importStateVerifyIgnore, consts.FieldExternalID) + } + }, ProviderFactories: providerFactories, CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ @@ -32,9 +43,10 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { - ResourceName: "vault_aws_auth_backend_sts_role.role", - ImportState: true, - ImportStateVerify: true, + ResourceName: "vault_aws_auth_backend_sts_role.role", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: importStateVerifyIgnore, }, }, }) 
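Review bot: The `append` inside `PreCheck` never reaches the import step: `importStateVerifyIgnore` is created with zero capacity, so `append` allocates a new backing array and rebinds the local variable, but the `TestStep` literal in the second hunk already copied the old empty slice header when `resource.TestCase` was built, before `PreCheck` ran, and `ImportStateVerifyIgnore` therefore stays empty on every Vault version. Because the provider meta is only available once `PreCheck` runs, the ignore list cannot be decided up front; the simpler and more honest fix is to skip the test on servers that cannot store the field, `if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { t.Skip("external_id requires Vault 1.17 or later") }` in place of the append, and drop the `importStateVerifyIgnore` variable. If the config used by the first step does not set `externalID` at all (that line is outside the hunk), the ignore entry is also unnecessary on any version. The enclosing test function begins before this hunk.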
@@ -56,13 +68,18 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, + { + // Update ARN. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), + }, { // Add external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, { - // Update ARN and external ID. + // Update external ID. Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, @@ -130,9 +147,13 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } attrs := map[string]string{ - "sts_role": "sts_role", - consts.FieldExternalID: consts.FieldExternalID, + "sts_role": "sts_role", + } + // Only check external_id if Vault version is >= 1.17.0 + if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { + attrs[consts.FieldExternalID] = consts.FieldExternalID } + for stateAttr, apiAttr := range attrs { if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" { continue 
@@ -146,30 +167,27 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string { - roleResource := fmt.Sprintf(` -resource "vault_aws_auth_backend_sts_role" "role" { - backend = vault_auth_backend.aws.path - account_id = "%s" - sts_role = "%s" -} -`, accountID, stsRole) + backendResource := fmt.Sprintf(` +resource "vault_auth_backend" "aws" { + type = "aws" + path = "%s" +}`, backend) + roleResourceOptionalFields := "" if externalID != "" { - roleResource = fmt.Sprintf(` + roleResourceOptionalFields += fmt.Sprintf(` + external_id = "%s"`, externalID) + } + + roleResource := fmt.Sprintf(` resource "vault_aws_auth_backend_sts_role" "role" { backend = vault_auth_backend.aws.path account_id = "%s" - sts_role = "%s" - external_id = "%s" + sts_role = "%s"%s } -`, accountID, stsRole, externalID) - } +`, accountID, stsRole, roleResourceOptionalFields) - return fmt.Sprintf(` -resource "vault_auth_backend" "aws" { - type = "aws" - path = "%s" -} -%s -`, backend, roleResource) + resources := []string{backendResource, roleResource} + + return strings.Join(resources, "\n") }
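Review bot: `strings.Join` over a two-element slice literal at the end of `testAccAWSAuthBackendSTSRoleConfig_basic` is the only reason for the new `strings` import, and it reads less directly than plain concatenation; `return backendResource + "\n" + roleResource` does the same with one allocation and no temporary slice. Likewise `roleResourceOptionalFields += fmt.Sprintf(...)` on a string that is empty at that point is just an assignment, and the `"%s"%s` pair on the `sts_role` line hides where the optional block lands — a short comment such as `// optional fields are appended after sts_role, each on its own indented line` would help the next person extending this. The HCL values are test-controlled random strings here, so the unquoted `%s` interpolation is acceptable in this helper, though it would not be for user-supplied input.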