From e7960096363dc0cbde57b967f884c03bb37cf42b Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 22 Nov 2021 16:13:31 -0800 Subject: [PATCH 01/11] add custom_metadata support to entity_alias --- vault/resource_identity_entity_alias.go | 29 +++++++++++++++----- vault/resource_identity_entity_alias_test.go | 15 +++++++++- 2 files changed, 36 insertions(+), 8 deletions(-) diff --git a/vault/resource_identity_entity_alias.go b/vault/resource_identity_entity_alias.go index 2e9cc550b..25c34ae01 100644 --- a/vault/resource_identity_entity_alias.go +++ b/vault/resource_identity_entity_alias.go @@ -39,6 +39,15 @@ func identityEntityAliasResource() *schema.Resource { Required: true, Description: "ID of the entity to which this is an alias.", }, + + "custom_metadata": { + Type: schema.TypeMap, + Optional: true, + Description: "Custom metadata to be associated with this alias.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, }, } } @@ -49,13 +58,15 @@ func identityEntityAliasCreate(d *schema.ResourceData, meta interface{}) error { name := d.Get("name").(string) mountAccessor := d.Get("mount_accessor").(string) canonicalID := d.Get("canonical_id").(string) + customMetadata := d.Get("custom_metadata").(map[string]interface{}) path := identityEntityAliasPath data := map[string]interface{}{ - "name": name, - "mount_accessor": mountAccessor, - "canonical_id": canonicalID, + "name": name, + "mount_accessor": mountAccessor, + "canonical_id": canonicalID, + "custom_metadata": customMetadata, } resp, err := client.Logical().Write(path, data) 
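Review bot: The new `custom_metadata` schema entry lands without any resource documentation change — none of the eleven diffstats in this series touch a docs page for `vault_identity_entity_alias`, so the one-line `Description` is all a user will see. Since by the end of the series the update path sends the map on every write, the description should say that Terraform treats it as authoritative and that keys added to the alias outside Terraform are removed on the next apply; something like `Description: "Custom metadata to be associated with this alias. Terraform manages this map as a whole: keys not present in the configuration are removed from the alias on update."`. Two things I cannot confirm from this hunk but would want stated in the docs: alias custom metadata is a fairly recent Vault addition, so the minimum server version it needs should be named, and if these keys are consumable from templated ACL policies the way entity metadata is, the values are authorization-relevant rather than merely descriptive and the docs should say so.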
@@ -94,9 +105,10 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error { } data := map[string]interface{}{ - "name": resp.Data["name"], - "mount_accessor": resp.Data["mount_accessor"], - "canonical_id": resp.Data["canonical_id"], + "name": resp.Data["name"], + "mount_accessor": resp.Data["mount_accessor"], + "canonical_id": resp.Data["canonical_id"], + "custom_metadata": resp.Data["custom_metadata"], } if name, ok := d.GetOk("name"); ok { @@ -108,6 +120,9 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error { if canonicalID, ok := d.GetOk("canonical_id"); ok { data["canonical_id"] = canonicalID } + if customMetadata, ok := d.GetOk("custom_metadata"); ok { + data["custom_metadata"] = customMetadata + } _, err = client.Logical().Write(path, data) @@ -138,7 +153,7 @@ func identityEntityAliasRead(d *schema.ResourceData, meta interface{}) error { } d.SetId(resp.Data["id"].(string)) - for _, k := range []string{"name", "mount_accessor", "canonical_id"} { + for _, k := range []string{"name", "mount_accessor", "canonical_id", "custom_metadata"} { if err := d.Set(k, resp.Data[k]); err != nil { return fmt.Errorf("error setting state key \"%s\" on IdentityEntityAlias %q: %s", k, id, err) } diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index 118254776..78754cd77 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go @@ -29,6 +29,7 @@ func TestAccIdentityEntityAlias(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntity, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntity, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntity, "metadata"), ), }, { 
@@ -59,6 +60,7 @@ func TestAccIdentityEntityAlias_Update(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), ), }, { @@ -67,6 +69,7 @@ func TestAccIdentityEntityAlias_Update(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), ), }, }, @@ -101,11 +104,17 @@ func testAccIdentityEntityAliasConfig(entityName string, dupeAlias bool, altTarg resource "vault_identity_entity" "entityA" { name = "%s-A" policies = ["test"] + metadata = { + version = "1" + } } resource "vault_identity_entity" "entityB" { name = "%s-B" policies = ["test"] + metadata = { + version = "1" + } } resource "vault_auth_backend" "githubA" { @@ -122,8 +131,9 @@ resource "vault_identity_entity_alias" "entity-alias" { name = vault_identity_entity.entity%s.name mount_accessor = vault_auth_backend.github%s.accessor canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata } -`, entityName, entityName, entityName, entityName, entityId, entityId, entityId) +`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId) // This duplicate alias tests the provider's handling of aliases that already exist but aren't // known to the provider. 
@@ -133,6 +143,9 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { name = vault_identity_entity.entity%s.name mount_accessor = vault_auth_backend.githubA.accessor canonical_id = vault_identity_entity.entity%s.id + custom_metadata = { + version = "1" + } } `, entityId, entityId) } From 99f79a71ab3bcac6709cd78f43614fcee97654f8 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 29 Nov 2021 10:48:08 -0800 Subject: [PATCH 02/11] add separate test for entity alias metadata --- vault/resource_identity_entity_alias_test.go | 68 ++++++++++++++++---- 1 file changed, 54 insertions(+), 14 deletions(-) diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index 78754cd77..9e047e673 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go @@ -29,7 +29,6 @@ func TestAccIdentityEntityAlias(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntity, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntity, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntity, "metadata"), ), }, { @@ -60,7 +59,6 @@ func TestAccIdentityEntityAlias_Update(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), ), }, { 
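Review bot: The `entity-alias-dupe` resource now declares `custom_metadata = { version = "1" }`, but no visible check in either test asserts anything about the dupe's metadata, so the path this resource exists to exercise — adopting an alias that already exists server-side — is never shown to apply `custom_metadata`. The create function's handling of a pre-existing alias is outside this hunk; if it only records the existing alias ID, the metadata declared here is silently dropped and the test still passes. I would add `resource.TestCheckResourceAttr("vault_identity_entity_alias.entity-alias-dupe", "custom_metadata.version", "1")` to the dupe step, or drop the attribute from the dupe config so it does not suggest coverage that is not there.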
@@ -69,7 +67,6 @@ func TestAccIdentityEntityAlias_Update(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), ), }, }, @@ -94,6 +91,31 @@ func testAccCheckIdentityEntityAliasDestroy(s *terraform.State) error { return nil } +func TestAccIdentityEntityAlias_Metadata(t *testing.T) { + entity := acctest.RandomWithPrefix("my-entity") + + nameEntityA := "vault_identity_entity.entityA" + nameEntityAlias := "vault_identity_entity_alias.entity-alias" + nameGithubA := "vault_auth_backend.githubA" + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testProviders, + CheckDestroy: testAccCheckIdentityEntityAliasDestroy, + Steps: []resource.TestStep{ + { + Config: testAccIdentityEntityAliasMetadataConfig(entity), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), + ), + }, + }, + }) +} + func testAccIdentityEntityAliasConfig(entityName string, dupeAlias bool, altTarget bool) string { entityId := "A" if altTarget { 
@@ -104,17 +126,11 @@ func testAccIdentityEntityAliasConfig(entityName string, dupeAlias bool, altTarg resource "vault_identity_entity" "entityA" { name = "%s-A" policies = ["test"] - metadata = { - version = "1" - } } resource "vault_identity_entity" "entityB" { name = "%s-B" policies = ["test"] - metadata = { - version = "1" - } } resource "vault_auth_backend" "githubA" { @@ -131,9 +147,8 @@ resource "vault_identity_entity_alias" "entity-alias" { name = vault_identity_entity.entity%s.name mount_accessor = vault_auth_backend.github%s.accessor canonical_id = vault_identity_entity.entity%s.id - custom_metadata = vault_identity_entity.entity%s.metadata } -`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId) +`, entityName, entityName, entityName, entityName, entityId, entityId, entityId) // This duplicate alias tests the provider's handling of aliases that already exist but aren't // known to the provider. @@ -143,12 +158,37 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { name = vault_identity_entity.entity%s.name mount_accessor = vault_auth_backend.githubA.accessor canonical_id = vault_identity_entity.entity%s.id - custom_metadata = { - version = "1" - } } `, entityId, entityId) } return ret } + +func testAccIdentityEntityAliasMetadataConfig(entityName string) string { + entityId := "A" + + ret := fmt.Sprintf(` +resource "vault_identity_entity" "entityA" { + name = "%s-A" + policies = ["test"] + metadata = { + version = "1" + } +} + +resource "vault_auth_backend" "githubA" { + type = "github" + path = "githubA-%s" +} + +resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata +} +`, entityName, entityName, entityId, entityId, entityId, entityId) + + return ret +} 
From c43aca9b2d24c6b84978956655b5a88f8afcad36 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 6 Dec 2021 11:25:03 -0800 Subject: [PATCH 03/11] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d50f29b44..502c6b3d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ IMPROVEMENTS: * `resource/jwt_auth_backend_role`: Add field `disable_bound_claims_parsing` to disable bound claim value parsing, which is useful when values contain commas ([#1200](https://github.com/hashicorp/terraform-provider-vault/pull/1200)) * `resource/transform_template`: Add `encode_format` and `decode_formats` fields for `Vault Enterprise` with the `Advanced Data Protection Transform Module` ([#1214](https://github.com/hashicorp/terraform-provider-vault/pull/1214)) * `data/generic_secret`: Store `lease_start_time` UTC. ([#1216](https://github.com/hashicorp/terraform-provider-vault/pull/1216)) +* `resource/identtiy_entity_alias`: Add support for `custom_metadata` field in entity aliases. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235)) BUGS: * `data/gcp_auth_backend_role`: Report an error when attempting to access a nonexistent role. ([#1184](https://github.com/hashicorp/terraform-provider-vault/pull/1184)) From b9084fe24a7bbb9e7a81deaf8e11ac903fd0f394 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 6 Dec 2021 15:39:22 -0800 Subject: [PATCH 04/11] add test that updates alias and removes metadata --- vault/resource_identity_entity_alias_test.go | 56 ++++++++++++-------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index 9e047e673..a7be51fcf 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go 
@@ -104,7 +104,7 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { CheckDestroy: testAccCheckIdentityEntityAliasDestroy, Steps: []resource.TestStep{ { - Config: testAccIdentityEntityAliasMetadataConfig(entity), + Config: testAccIdentityEntityAliasMetadataConfig(entity, true), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), @@ -112,6 +112,14 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), ), }, + { + Config: testAccIdentityEntityAliasMetadataConfig(entity, false), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + ), + }, }, }) } 
@@ -165,30 +173,36 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { return ret } -func testAccIdentityEntityAliasMetadataConfig(entityName string) string { +func testAccIdentityEntityAliasMetadataConfig(entityName string, includeMetadata bool) string { entityId := "A" ret := fmt.Sprintf(` -resource "vault_identity_entity" "entityA" { - name = "%s-A" - policies = ["test"] - metadata = { - version = "1" - } -} - -resource "vault_auth_backend" "githubA" { - type = "github" - path = "githubA-%s" -} + resource "vault_identity_entity" "entityA" { + name = "%s-A" + policies = ["test"] + } + + resource "vault_auth_backend" "githubA" { + type = "github" + path = "githubA-%s" + } -resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - custom_metadata = vault_identity_entity.entity%s.metadata -} -`, entityName, entityName, entityId, entityId, entityId, entityId) +`, entityName, entityName) + + if includeMetadata { + ret += fmt.Sprintf(`resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata + }`, entityId, entityId, entityId, entityId) + } else { + ret += fmt.Sprintf(`resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + }`, entityId, entityId, entityId) + } return ret } From 583565d80287a1af1b9c2b228802fed51031ec19 Mon Sep 17 00:00:00 2001 
From: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> Date: Mon, 6 Dec 2021 15:40:31 -0800 Subject: [PATCH 05/11] remove extra whitespace Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- vault/resource_identity_entity_alias.go | 1 - 1 file changed, 1 deletion(-) diff --git a/vault/resource_identity_entity_alias.go b/vault/resource_identity_entity_alias.go index 25c34ae01..bc3814402 100644 --- a/vault/resource_identity_entity_alias.go +++ b/vault/resource_identity_entity_alias.go @@ -39,7 +39,6 @@ func identityEntityAliasResource() *schema.Resource { Required: true, Description: "ID of the entity to which this is an alias.", }, - "custom_metadata": { Type: schema.TypeMap, Optional: true, From 8f74111684f80c7ed0836a4ddf79ba5cfc428c80 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 6 Dec 2021 15:55:47 -0800 Subject: [PATCH 06/11] update metadata test with non-null values --- vault/resource_identity_entity_alias_test.go | 57 ++++++++++++-------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index a7be51fcf..f628e5a1f 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go @@ -95,8 +95,10 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { entity := acctest.RandomWithPrefix("my-entity") nameEntityA := "vault_identity_entity.entityA" + nameEntityB := "vault_identity_entity.entityB" nameEntityAlias := "vault_identity_entity_alias.entity-alias" nameGithubA := "vault_auth_backend.githubA" + nameGithubB := "vault_auth_backend.githubB" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -104,7 +106,7 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { CheckDestroy: testAccCheckIdentityEntityAliasDestroy, Steps: []resource.TestStep{ { - Config: testAccIdentityEntityAliasMetadataConfig(entity, true), + Config: testAccIdentityEntityAliasMetadataConfig(entity, false), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), @@ -113,11 +115,12 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { ), }, { - Config: testAccIdentityEntityAliasMetadataConfig(entity, false), + Config: testAccIdentityEntityAliasMetadataConfig(entity, true), Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityB, "metadata"), ), }, }, 
@@ -173,36 +176,46 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { return ret } -func testAccIdentityEntityAliasMetadataConfig(entityName string, includeMetadata bool) string { +func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) string { entityId := "A" + if altTarget { + entityId = "B" + } ret := fmt.Sprintf(` resource "vault_identity_entity" "entityA" { name = "%s-A" policies = ["test"] + metadata = { + version = "1" + } } - + + resource "vault_identity_entity" "entityB" { + name = "%s-B" + policies = ["test"] + metadata = { + version = "2" + } + } + resource "vault_auth_backend" "githubA" { type = "github" path = "githubA-%s" } -`, entityName, entityName) - - if includeMetadata { - ret += fmt.Sprintf(`resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - custom_metadata = vault_identity_entity.entity%s.metadata - }`, entityId, entityId, entityId, entityId) - } else { - ret += fmt.Sprintf(`resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - }`, entityId, entityId, entityId) + resource "vault_auth_backend" "githubB" { + type = "github" + path = "githubB-%s" + } + + resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata } +`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId) return ret } From 9b669044f8519be1602d1e3c399f28bb702b4549 Mon Sep 17 00:00:00 2001 
From: Vinay Gopalan Date: Thu, 9 Dec 2021 12:52:41 -0800 Subject: [PATCH 07/11] fix map comparison in metadata test --- vault/resource_identity_entity_alias_test.go | 54 +++++++++----------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index f628e5a1f..000f45c8c 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go @@ -95,10 +95,8 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { entity := acctest.RandomWithPrefix("my-entity") nameEntityA := "vault_identity_entity.entityA" - nameEntityB := "vault_identity_entity.entityB" nameEntityAlias := "vault_identity_entity_alias.entity-alias" nameGithubA := "vault_auth_backend.githubA" - nameGithubB := "vault_auth_backend.githubB" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -111,16 +109,17 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityA, "metadata"), + resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "0"), ), }, { Config: testAccIdentityEntityAliasMetadataConfig(entity, true), Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata", nameEntityB, "metadata"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityA, "metadata.version"), + resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "1"), ), }, }, 
@@ -176,27 +175,16 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { return ret } -func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) string { +func testAccIdentityEntityAliasMetadataConfig(entityName string, includeMetadata bool) string { entityId := "A" - if altTarget { - entityId = "B" - } ret := fmt.Sprintf(` resource "vault_identity_entity" "entityA" { name = "%s-A" policies = ["test"] metadata = { - version = "1" - } - } - - resource "vault_identity_entity" "entityB" { - name = "%s-B" - policies = ["test"] - metadata = { - version = "2" - } + version = "1" + } } resource "vault_auth_backend" "githubA" { @@ -204,18 +192,24 @@ func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) path = "githubA-%s" } - resource "vault_auth_backend" "githubB" { - type = "github" - path = "githubB-%s" - } +`, entityName, entityName) + if includeMetadata { + ret += fmt.Sprintf(` + resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata + }`, entityId, entityId, entityId, entityId) + } else { + ret += fmt.Sprintf(` resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - custom_metadata = vault_identity_entity.entity%s.metadata + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + }`, entityId, entityId, entityId) } -`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId) return ret } From 472be5fcfe690056e0e15ad736e6dc5e41f98efd Mon Sep 17 00:00:00 2001 
From: Vinay Gopalan Date: Fri, 10 Dec 2021 12:34:35 -0800 Subject: [PATCH 08/11] refactor create/update test for metadata --- vault/resource_identity_entity_alias.go | 2 + vault/resource_identity_entity_alias_test.go | 81 +++++++++++--------- 2 files changed, 47 insertions(+), 36 deletions(-) diff --git a/vault/resource_identity_entity_alias.go b/vault/resource_identity_entity_alias.go index bc3814402..a8d2119ed 100644 --- a/vault/resource_identity_entity_alias.go +++ b/vault/resource_identity_entity_alias.go @@ -121,6 +121,8 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error { } if customMetadata, ok := d.GetOk("custom_metadata"); ok { data["custom_metadata"] = customMetadata + } else { + data["custom_metadata"] = make(map[string]interface{}) } _, err = client.Logical().Write(path, data) diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go index 000f45c8c..6d7b68612 100644 --- a/vault/resource_identity_entity_alias_test.go +++ b/vault/resource_identity_entity_alias_test.go @@ -95,8 +95,10 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { entity := acctest.RandomWithPrefix("my-entity") nameEntityA := "vault_identity_entity.entityA" + nameEntityB := "vault_identity_entity.entityB" nameEntityAlias := "vault_identity_entity_alias.entity-alias" nameGithubA := "vault_auth_backend.githubA" + nameGithubB := "vault_auth_backend.githubB" resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -109,17 +111,18 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) { resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), - resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "0"), + resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "1"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityA, "metadata.version"), ), }, { Config: testAccIdentityEntityAliasMetadataConfig(entity, true), Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"), - resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityA, "metadata.version"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"), resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "1"), + resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityB, "metadata.version"), ), }, }, 
@@ -175,41 +178,47 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" { return ret } -func testAccIdentityEntityAliasMetadataConfig(entityName string, includeMetadata bool) string { +func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) string { entityId := "A" + if altTarget { + entityId = "B" + } ret := fmt.Sprintf(` resource "vault_identity_entity" "entityA" { - name = "%s-A" - policies = ["test"] - metadata = { - version = "1" - } - } - - resource "vault_auth_backend" "githubA" { - type = "github" - path = "githubA-%s" - } - -`, entityName, entityName) - - if includeMetadata { - ret += fmt.Sprintf(` - resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - custom_metadata = vault_identity_entity.entity%s.metadata - }`, entityId, entityId, entityId, entityId) - } else { - ret += fmt.Sprintf(` - resource "vault_identity_entity_alias" "entity-alias" { - name = vault_identity_entity.entity%s.name - mount_accessor = vault_auth_backend.github%s.accessor - canonical_id = vault_identity_entity.entity%s.id - }`, entityId, entityId, entityId) - } + name = "%s-A" + policies = ["test"] + metadata = { + version = "1" + } + } + + resource "vault_identity_entity" "entityB" { + name = "%s-B" + policies = ["test"] + metadata = { + version = "2" + } + } + + resource "vault_auth_backend" "githubA" { + type = "github" + path = "githubA-%s" + } + + resource "vault_auth_backend" "githubB" { + type = "github" + path = "githubB-%s" + } + + resource "vault_identity_entity_alias" "entity-alias" { + name = vault_identity_entity.entity%s.name + mount_accessor = vault_auth_backend.github%s.accessor + canonical_id = vault_identity_entity.entity%s.id + custom_metadata = vault_identity_entity.entity%s.metadata + } + +`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, 
entityId) return ret } From 690de454474b81483991f242e70869338d2e56e1 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Fri, 10 Dec 2021 12:36:39 -0800 Subject: [PATCH 09/11] fix typo in changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d18ad604a..a37a591be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ IMPROVEMENTS: * `resource/jwt_auth_backend_role`: Add field `disable_bound_claims_parsing` to disable bound claim value parsing, which is useful when values contain commas ([#1200](https://github.com/hashicorp/terraform-provider-vault/pull/1200)) * `resource/transform_template`: Add `encode_format` and `decode_formats` fields for `Vault Enterprise` with the `Advanced Data Protection Transform Module` ([#1214](https://github.com/hashicorp/terraform-provider-vault/pull/1214)) * `data/generic_secret`: Store `lease_start_time` UTC. ([#1216](https://github.com/hashicorp/terraform-provider-vault/pull/1216)) -* `resource/identtiy_entity_alias`: Add support for `custom_metadata` field in entity aliases. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235)) +* `resource/identity_entity_alias`: Add support for `custom_metadata` field in entity aliases. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235)) BUGS: * `data/gcp_auth_backend_role`: Report an error when attempting to access a nonexistent role. ([#1184](https://github.com/hashicorp/terraform-provider-vault/pull/1184)) From 86de87513615ad963f8c9bad3f0587ddc8090485 Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Mon, 13 Dec 2021 10:41:33 -0800 Subject: [PATCH 10/11] rename function variables and modify error messages --- CHANGELOG.md | 2 +- vault/resource_identity_entity_alias.go | 16 ++++++---------- vault/resource_identity_entity_alias_test.go | 10 +++++----- 3 files changed, 12 insertions(+), 16 deletions(-) 
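Review bot: `altTarget` switches `name`, `canonical_id`, `mount_accessor` and `custom_metadata` together, so the second step of `TestAccIdentityEntityAlias_Metadata` cannot tell an in-place update of custom metadata apart from the alias being replaced. Whether a changed `mount_accessor` forces a new resource is outside this hunk; if it does, the update path's `custom_metadata` handling is never exercised by this test even though the assertions on `custom_metadata.version` pass. A step that keeps entity A and mount A and only changes the metadata value — for example a third parameter that sets entity A's `version` to `"2"` — would pin the update behaviour on its own. The rest of the test function and the `resource.Test` steps that consume this config are outside the hunk.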
diff --git a/CHANGELOG.md b/CHANGELOG.md index a37a591be..3553faed1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ IMPROVEMENTS: * `resource/jwt_auth_backend_role`: Add field `disable_bound_claims_parsing` to disable bound claim value parsing, which is useful when values contain commas ([#1200](https://github.com/hashicorp/terraform-provider-vault/pull/1200)) * `resource/transform_template`: Add `encode_format` and `decode_formats` fields for `Vault Enterprise` with the `Advanced Data Protection Transform Module` ([#1214](https://github.com/hashicorp/terraform-provider-vault/pull/1214)) * `data/generic_secret`: Store `lease_start_time` UTC. ([#1216](https://github.com/hashicorp/terraform-provider-vault/pull/1216)) -* `resource/identity_entity_alias`: Add support for `custom_metadata` field in entity aliases. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235)) +* `resource/identity_entity_alias`: Add support for configuring `custom_metadata`. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235)) BUGS: * `data/gcp_auth_backend_role`: Report an error when attempting to access a nonexistent role. ([#1184](https://github.com/hashicorp/terraform-provider-vault/pull/1184)) diff --git a/vault/resource_identity_entity_alias.go b/vault/resource_identity_entity_alias.go index a8d2119ed..3676fe05d 100644 --- a/vault/resource_identity_entity_alias.go +++ b/vault/resource_identity_entity_alias.go @@ -104,10 +104,9 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error { } data := map[string]interface{}{ - "name": resp.Data["name"], - "mount_accessor": resp.Data["mount_accessor"], - "canonical_id": resp.Data["canonical_id"], - "custom_metadata": resp.Data["custom_metadata"], + "name": resp.Data["name"], + "mount_accessor": resp.Data["mount_accessor"], + "canonical_id": resp.Data["canonical_id"], } if name, ok := d.GetOk("name"); ok { 
@@ -119,11 +118,8 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error {
if canonicalID, ok := d.GetOk("canonical_id"); ok {
data["canonical_id"] = canonicalID
}
- if customMetadata, ok := d.GetOk("custom_metadata"); ok {
- data["custom_metadata"] = customMetadata
- } else {
- data["custom_metadata"] = make(map[string]interface{})
- }
+
+ data["custom_metadata"] = d.Get("custom_metadata").(map[string]interface{})
_, err = client.Logical().Write(path, data)
@@ -156,7 +152,7 @@ func identityEntityAliasRead(d *schema.ResourceData, meta interface{}) error {
d.SetId(resp.Data["id"].(string))
for _, k := range []string{"name", "mount_accessor", "canonical_id", "custom_metadata"} {
if err := d.Set(k, resp.Data[k]); err != nil {
- return fmt.Errorf("error setting state key \"%s\" on IdentityEntityAlias %q: %s", k, id, err)
+ return fmt.Errorf("error setting state key %q on IdentityEntityAlias %q: err=%q", k, id, err)
}
}
return nil
diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go
index 6d7b68612..39d2d503b 100644
--- a/vault/resource_identity_entity_alias_test.go
+++ b/vault/resource_identity_entity_alias_test.go
@@ -178,13 +178,13 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" {
return ret
}
-func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) string {
+func testAccIdentityEntityAliasMetadataConfig(entityPrefix string, entitySuffix bool) string {
entityId := "A"
- if altTarget {
+ if entitySuffix {
entityId = "B"
}
- ret := fmt.Sprintf(`
+ result := fmt.Sprintf(`
resource "vault_identity_entity" "entityA" {
name = "%s-A"
policies = ["test"]
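Review bot: In the `@@ -156` hunk the rewritten message formats the underlying error with `err=%q`, which stringifies and quotes it and drops it from the error chain, so callers can no longer inspect it with `errors.Is`/`errors.As`; the `err=` prefix is also unusual for Go error strings, which already read as a chain of colon-separated contexts. If the module targets Go 1.13 or later, wrapping keeps the chain intact: `return fmt.Errorf("error setting state key %q on IdentityEntityAlias %q: %w", k, id, err)`. The `%q` for the key and id is an improvement over the escaped `\"%s\"`, since it also makes an empty key visible. identityEntityAliasRead's body starts before this hunk.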
@@ -218,7 +218,7 @@ func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool)
custom_metadata = vault_identity_entity.entity%s.metadata
}
-`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId)
+`, entityPrefix, entityPrefix, entityPrefix, entityPrefix, entityId, entityId, entityId, entityId)
- return ret
+ return result
}
From 1d820c6262f05ad16cc41757786b21dda073d266 Mon Sep 17 00:00:00 2001
From: Vinay Gopalan
Date: Mon, 13 Dec 2021 11:00:49 -0800
Subject: [PATCH 11/11] add TODO note in tests
---
vault/resource_identity_entity_alias_test.go | 2 ++
1 file changed, 2 insertions(+)
diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go
index 39d2d503b..fdde80a75 100644
--- a/vault/resource_identity_entity_alias_test.go
+++ b/vault/resource_identity_entity_alias_test.go
@@ -100,6 +100,8 @@ func TestAccIdentityEntityAlias_Metadata(t *testing.T) {
nameGithubA := "vault_auth_backend.githubA"
nameGithubB := "vault_auth_backend.githubB"
+ // TODO add back empty custom_metadata update tests
+ // once bug in Vault is resolved
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testProviders,
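Review bot: The new TODO in `TestAccIdentityEntityAlias_Metadata` refers to "bug in Vault" without a tracker reference, so nobody reading the test later can tell which bug, which Vault versions are affected, or when the tests can return. Name the issue and the observable symptom, e.g. `// TODO(<VAULT_ISSUE_URL placeholder>): re-add the empty custom_metadata update tests once Vault honours an empty map on alias update`. Until those tests are back, the update path that now always sends `custom_metadata` (PATCH 10, `identityEntityAliasUpdate`) has no coverage for the case where the attribute is removed from config, which is worth stating in the comment so the gap is not forgotten. TestAccIdentityEntityAlias_Metadata starts before this hunk and continues after it.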
