hashicorp · vinay-gopalan · Dec 13, 2021 · Nov 23, 2021 · Nov 23, 2021 · Nov 29, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ IMPROVEMENTS:
 * `resource/jwt_auth_backend_role`: Add field `disable_bound_claims_parsing` to disable bound claim value parsing, which is useful when values contain commas ([#1200](https://github.com/hashicorp/terraform-provider-vault/pull/1200))
 * `resource/transform_template`: Add `encode_format` and `decode_formats` fields for `Vault Enterprise` with the `Advanced Data Protection Transform Module` ([#1214](https://github.com/hashicorp/terraform-provider-vault/pull/1214))
 * `data/generic_secret`: Store `lease_start_time` UTC. ([#1216](https://github.com/hashicorp/terraform-provider-vault/pull/1216))
+* `resource/identity_entity_alias`: Add support for `custom_metadata` field in entity aliases. ([#1235](https://github.com/hashicorp/terraform-provider-vault/pull/1235))
 
 BUGS:
 * `data/gcp_auth_backend_role`: Report an error when attempting to access a nonexistent role. ([#1184](https://github.com/hashicorp/terraform-provider-vault/pull/1184))

diff --git a/vault/resource_identity_entity_alias.go b/vault/resource_identity_entity_alias.go
@@ -39,6 +39,14 @@ func identityEntityAliasResource() *schema.Resource {
 				Required:    true,
 				Description: "ID of the entity to which this is an alias.",
 			},
+			"custom_metadata": {
+				Type:        schema.TypeMap,
+				Optional:    true,
+				Description: "Custom metadata to be associated with this alias.",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 		},
 	}
 }
@@ -49,13 +57,15 @@ func identityEntityAliasCreate(d *schema.ResourceData, meta interface{}) error {
 	name := d.Get("name").(string)
 	mountAccessor := d.Get("mount_accessor").(string)
 	canonicalID := d.Get("canonical_id").(string)
+	customMetadata := d.Get("custom_metadata").(map[string]interface{})
 
 	path := identityEntityAliasPath
 
 	data := map[string]interface{}{
-		"name":           name,
-		"mount_accessor": mountAccessor,
-		"canonical_id":   canonicalID,
+		"name":            name,
+		"mount_accessor":  mountAccessor,
+		"canonical_id":    canonicalID,
+		"custom_metadata": customMetadata,
 	}
 
 	resp, err := client.Logical().Write(path, data)
@@ -94,9 +104,10 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	data := map[string]interface{}{
-		"name":           resp.Data["name"],
-		"mount_accessor": resp.Data["mount_accessor"],
-		"canonical_id":   resp.Data["canonical_id"],
+		"name":            resp.Data["name"],
+		"mount_accessor":  resp.Data["mount_accessor"],
+		"canonical_id":    resp.Data["canonical_id"],
+		"custom_metadata": resp.Data["custom_metadata"],
 	}
 
 	if name, ok := d.GetOk("name"); ok {
@@ -108,6 +119,11 @@ func identityEntityAliasUpdate(d *schema.ResourceData, meta interface{}) error {
 	if canonicalID, ok := d.GetOk("canonical_id"); ok {
 		data["canonical_id"] = canonicalID
 	}
+	if customMetadata, ok := d.GetOk("custom_metadata"); ok {
+		data["custom_metadata"] = customMetadata
+	} else {
+		data["custom_metadata"] = make(map[string]interface{})
+	}
 
 	_, err = client.Logical().Write(path, data)
 
@@ -138,7 +154,7 @@ func identityEntityAliasRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	d.SetId(resp.Data["id"].(string))
-	for _, k := range []string{"name", "mount_accessor", "canonical_id"} {
+	for _, k := range []string{"name", "mount_accessor", "canonical_id", "custom_metadata"} {
 		if err := d.Set(k, resp.Data[k]); err != nil {
 			return fmt.Errorf("error setting state key \"%s\" on IdentityEntityAlias %q: %s", k, id, err)
 		}

diff --git a/vault/resource_identity_entity_alias_test.go b/vault/resource_identity_entity_alias_test.go
@@ -91,6 +91,44 @@ func testAccCheckIdentityEntityAliasDestroy(s *terraform.State) error {
 	return nil
 }
 
+func TestAccIdentityEntityAlias_Metadata(t *testing.T) {
+	entity := acctest.RandomWithPrefix("my-entity")
+
+	nameEntityA := "vault_identity_entity.entityA"
+	nameEntityB := "vault_identity_entity.entityB"
+	nameEntityAlias := "vault_identity_entity_alias.entity-alias"
+	nameGithubA := "vault_auth_backend.githubA"
+	nameGithubB := "vault_auth_backend.githubB"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testProviders,
+		CheckDestroy: testAccCheckIdentityEntityAliasDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityEntityAliasMetadataConfig(entity, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityA, "name"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityA, "id"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubA, "accessor"),
+					resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "1"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityA, "metadata.version"),
+				),
+			},
+			{
+				Config: testAccIdentityEntityAliasMetadataConfig(entity, true),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "name", nameEntityB, "name"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "canonical_id", nameEntityB, "id"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "mount_accessor", nameGithubB, "accessor"),
+					resource.TestCheckResourceAttr(nameEntityAlias, "custom_metadata.%", "1"),
+					resource.TestCheckResourceAttrPair(nameEntityAlias, "custom_metadata.version", nameEntityB, "metadata.version"),
+				),
+			},
+		},
+	})
+}
+
 func testAccIdentityEntityAliasConfig(entityName string, dupeAlias bool, altTarget bool) string {
 	entityId := "A"
 	if altTarget {
@@ -139,3 +177,48 @@ resource "vault_identity_entity_alias" "entity-alias-dupe" {
 
 	return ret
 }
+
+func testAccIdentityEntityAliasMetadataConfig(entityName string, altTarget bool) string {
+	entityId := "A"
+	if altTarget {
+		entityId = "B"
+	}
+
+	ret := fmt.Sprintf(`
+	resource "vault_identity_entity" "entityA" {
+		name = "%s-A"
+		policies = ["test"]
+		metadata = {
+			version = "1"
+		  }
+	  }
+
+	  resource "vault_identity_entity" "entityB" {
+		name = "%s-B"
+		policies = ["test"]
+		metadata = {
+			version = "2"
+		  }
+	  }
+
+	  resource "vault_auth_backend" "githubA" {
+		type = "github"
+		path = "githubA-%s"
+	  }
+
+	  resource "vault_auth_backend" "githubB" {
+		type = "github"
+		path = "githubB-%s"
+	  }
+
+	  resource "vault_identity_entity_alias" "entity-alias" {
+		name = vault_identity_entity.entity%s.name
+		mount_accessor = vault_auth_backend.github%s.accessor
+		canonical_id = vault_identity_entity.entity%s.id
+		custom_metadata = vault_identity_entity.entity%s.metadata
+	  }
+
+`, entityName, entityName, entityName, entityName, entityId, entityId, entityId, entityId)
+
+	return ret
+}