
Upgrade to use TF SDK v2 #1175

Merged
merged 15 commits into from
Sep 29, 2021

Conversation

benashz
Copy link
Contributor

@benashz benashz commented Sep 21, 2021

The Vault Terraform provider is currently using v1 of the terraform-plugin-sdk, which is no longer seeing active feature development. The TF Plugin SDK v2 was released on July 30, 2020 and is considered to be the default SDK for all TF plugins. This PR includes the bulk of what is needed to upgrade to v2. There are a few potentially breaking changes:

  • Support for pgp_key encryption on the vault_token resource has been dropped. This is in line with upstream SDK changes.
  • Multiple deprecated fields have been removed from some resources
  • Terraform 0.12.0+ is now required

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:

TBD:....

Output from acceptance testing:

$ make testacc TESTARGS='-v'
==> Checking that code complies with gofmt requirements...
go build -o terraform-provider-vault
mv terraform-provider-vault ~/.terraform.d/plugins/
TF_ACC=1 go test $(go list ./...) -v -v -timeout 120m
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
=== RUN   TestCodeFilePath
--- PASS: TestCodeFilePath (0.00s)
=== RUN   TestDocFilePath
--- PASS: TestDocFilePath (0.00s)
=== RUN   TestStripCurlyBraces
=== RUN   TestStripCurlyBraces/{test}
=== RUN   TestStripCurlyBraces/{{name}}
=== RUN   TestStripCurlyBraces/name
=== RUN   TestStripCurlyBraces/{name
--- PASS: TestStripCurlyBraces (0.00s)
    --- PASS: TestStripCurlyBraces/{test} (0.00s)
    --- PASS: TestStripCurlyBraces/{{name}} (0.00s)
    --- PASS: TestStripCurlyBraces/name (0.00s)
    --- PASS: TestStripCurlyBraces/{name (0.00s)

[...]

=== RUN   TestAccResourceTerraformCloudSecretCredsTeamBasic

--- SKIP: TestAccResourceTerraformCloudSecretCredsTeamBasic (0.00s)

[...]

--- SKIP: TestTerraformCloudSecretRole (0.00s)
=== RUN   TestTerraformCloudSecretBackendRoleNameFromPath
--- PASS: TestTerraformCloudSecretBackendRoleNameFromPath (0.00s)
=== RUN   TestTerraformCloudSecretBackendRoleBackendFromPath
--- PASS: TestTerraformCloudSecretBackendRoleBackendFromPath (0.00s)
=== RUN   TestAccTokenAuthBackendRoleImport
--- PASS: TestAccTokenAuthBackendRoleImport (1.70s)
=== RUN   TestAccTokenAuthBackendRole
--- PASS: TestAccTokenAuthBackendRole (1.45s)
=== RUN   TestAccTokenAuthBackendRoleUpdate
--- PASS: TestAccTokenAuthBackendRoleUpdate (4.74s)
=== RUN   TestAccTokenAuthBackendRoleDeprecated
--- PASS: TestAccTokenAuthBackendRoleDeprecated (2.57s)
=== RUN   TestResourceToken_basic
--- PASS: TestResourceToken_basic (1.47s)
=== RUN   TestResourceToken_import
--- PASS: TestResourceToken_import (1.83s)
=== RUN   TestResourceToken_full
--- PASS: TestResourceToken_full (1.41s)
=== RUN   TestResourceToken_lookup
--- PASS: TestResourceToken_lookup (1.45s)
=== RUN   TestResourceToken_expire
--- PASS: TestResourceToken_expire (15.25s)
=== RUN   TestResourceToken_renew
--- PASS: TestResourceToken_renew (25.45s)
=== RUN   TestAccTransitCacheConfig
--- PASS: TestAccTransitCacheConfig (4.78s)
=== RUN   TestTransitSecretBackendKey_basic
--- PASS: TestTransitSecretBackendKey_basic (2.83s)
=== RUN   TestTransitSecretBackendKey_rsa4096
--- PASS: TestTransitSecretBackendKey_rsa4096 (3.54s)
=== RUN   TestTransitSecretBackendKey_import
--- PASS: TestTransitSecretBackendKey_import (1.82s)
=== RUN   TestExpandAuthMethodTune
--- PASS: TestExpandAuthMethodTune (0.00s)
=== RUN   TestFlattenAuthMethodTune
--- PASS: TestFlattenAuthMethodTune (0.00s)
=== RUN   TestValidateNoTrailingSlash
--- PASS: TestValidateNoTrailingSlash (0.00s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     543.495s

vault/data_identity_entity_test.go (comment on lines +8 to +10)
"github.com/hashicorp/terraform-provider-vault/helper"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"

@tvoran tvoran Sep 21, 2021

I think usually local imports are after the others?

Suggested change
"github.com/hashicorp/terraform-provider-vault/helper"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-provider-vault/helper"

Contributor

Not sure if this is canonical, but goimports puts local imports first. Maybe just run goimports -w . at the root of the repo? That should make everything consistent; it certainly looks like this PR inherited a lot of pre-existing inconsistency.

Contributor Author

I am not sure what Goland uses, but it seems to group the local module's imports last.

Contributor Author

Looks like it defaults to gofmt which groups the local packages last.

@tvoran tvoran left a comment

Just a few more small comments. Have you also run the tests that require credentials and access to external systems? i.e. the database backends, anything that requires AWS creds, etc. Those tend to be skipped if the appropriate environment variables aren't set.

@tomhjp tomhjp left a comment

LGTM pending some minor comments from Theron! 👍

@tvoran tvoran left a comment

😎

Just a thought that we'll probably want to manually run the enterprise-specific tests before releasing, since those aren't tested in CI right now.

benashz commented Sep 29, 2021

😎

Just a thought that we'll probably want to manually run the enterprise-specific tests before releasing, since those aren't tested in CI right now.

👍 I tested locally against vault-enterprise and all tests passed.

@benashz benashz merged commit e349937 into main Sep 29, 2021
@benashz benashz deleted the VAULT-2189/tf-plugin-sdk-v2 branch September 29, 2021 19:23

calvn commented Sep 30, 2021

Support for pgp_key encryption on the vault_token resource has been dropped. This is in line with upstream SDK changes.

@benashz Can you expand on this a bit? Is there a way to prevent accidental write of the raw token value to the state file?

@@ -122,9 +122,9 @@ func gcpAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
log.Printf("[DEBUG] Read gcp auth backend role %q ID", path)

if resp == nil {
d.SetId("")
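Review bot: the `if resp == nil` branch that closes this hunk clears the ID with `d.SetId("")`, which tells Terraform the role no longer exists and causes the next plan to re-create it; a nil response with no accompanying error is not necessarily a genuine not-found for a role that was read from state, so silently dropping it from state masks the underlying problem. Returning an error here, e.g. `return fmt.Errorf("no response reading gcp auth backend role at %q", path)`, keeps the role in state and surfaces the condition to the operator. Also, the preceding debug message `Read gcp auth backend role %q ID` reads as if a word was left over; `Read gcp auth backend role %q` would be clearer.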
Contributor

I see that there are other places where we explicitly call d.SetId("") before returning if the value (e.g. resp) that we're about to reference is nil. How come we don't have to in this case?

@benashz benashz Oct 1, 2021

Good catch!

I did a bit of digging and this should actually be an error, since the role does exist. Looks like a discovered issue.

PR on its way!

benashz commented Oct 1, 2021

Support for pgp_key encryption on the vault_token resource has been dropped. This is in line with upstream SDK changes.

@benashz Can you expand on this a bit? Is there a way to prevent accidental write of the raw token value to the state file?

Not that I am aware of. The TF team recommends persisting the state to encrypted storage. Adding a cautionary note for this resource might be a good mitigation?

Some options that come to mind are:

  • port the pgp crypto code from SDKv1
  • remove the resource completely
  • add a big note of caution to the resource's documentation, pointing users to TF's guidance on securing the TF state.
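The exposure discussed in the last few comments is easier to reason about with a concrete check. The Go program below is an added example, not code from the terraform-provider-vault project or from anyone in this thread: it parses a constructed Terraform 0.12+ JSON state document and reports every vault_token instance whose client_token attribute is present in plaintext, which is the condition calvn asks about above. The attribute names in sensitiveAttrs, the sample state and the token value are assumptions for illustration; the mitigation the thread settles on, keeping state in encrypted storage with access controls, is unchanged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleState is a constructed terraform.tfstate (version 4 layout). It is not
// taken from the provider's test suite; the token value is made up.
const sampleState = `{
  "version": 4,
  "terraform_version": "1.0.0",
  "resources": [
    {
      "mode": "managed",
      "type": "vault_token",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "attributes": {
            "id": "accessor-0123",
            "client_token": "hvs.CONSTRUCTED_EXAMPLE_TOKEN_VALUE",
            "policies": ["default"],
            "ttl": "1h"
          }
        }
      ]
    },
    {
      "mode": "managed",
      "type": "vault_mount",
      "name": "kv",
      "instances": [
        { "attributes": { "id": "secret", "path": "secret", "type": "kv" } }
      ]
    }
  ]
}`

// Finding records one plaintext credential attribute found in the state.
type Finding struct {
	Address   string // resource address, e.g. vault_token.example
	Attribute string
}

// sensitiveAttrs names attributes that carry raw credentials. client_token is
// the vault_token attribute the thread is concerned with; treating wrapped_token
// the same way is an assumption made for this example.
var sensitiveAttrs = map[string]bool{
	"client_token":  true,
	"wrapped_token": true,
}

// state mirrors only the parts of the tfstate v4 layout the scan needs.
type state struct {
	Resources []struct {
		Mode      string `json:"mode"`
		Type      string `json:"type"`
		Name      string `json:"name"`
		Instances []struct {
			Attributes map[string]json.RawMessage `json:"attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// ScanState parses a tfstate document and returns every resource instance
// attribute that is named in sensitiveAttrs and holds a non-empty string.
// Null or empty values are not findings: nothing was written in the clear.
func ScanState(raw []byte) ([]Finding, error) {
	var s state
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	var findings []Finding
	for _, r := range s.Resources {
		addr := r.Type + "." + r.Name
		if r.Mode == "data" {
			addr = "data." + addr
		}
		for _, inst := range r.Instances {
			for name, val := range inst.Attributes {
				if !sensitiveAttrs[name] {
					continue
				}
				var str string
				if err := json.Unmarshal(val, &str); err != nil || strings.TrimSpace(str) == "" {
					continue // null, non-string or empty value
				}
				findings = append(findings, Finding{Address: addr, Attribute: name})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := ScanState([]byte(sampleState))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("plaintext credential in state: %s.%s\n", f.Address, f.Attribute)
	}
}
```

Run against a real state file by replacing sampleState with the file contents; a non-empty result means the state file itself must be protected as a secret, which is exactly why the thread points at Terraform's guidance on securing state.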
