add not_before_duration to ssh_secret_backend_role

[mju]

add not_before_duration to ssh_secret_backend_role

Description

https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/ssh_secret_backend_role currently don't have
https://developer.hashicorp.com/vault/api-docs/v1.12.x/secret/ssh#not_before_duration. I can make a good use of it
and thought it'd be a good idea to add it to this repo so many more people can benefit from it.

To comment on why we don't just use generic_endpoint everywhere,
we found that with generic_endpoint, the terraform plan returns way less information.

I ran the unit tests.

~/terraform-provider-vault$ make test
...
ok   github.com/hashicorp/terraform-provider-vault/vault 0.326s

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

To run the acceptance tests, run vault server -dev-tls first to up a vault server with
https/tls enabled. Then do the following on the other terminal.

export VAULT_ADDR='https://127.0.0.1:8200'
export VAULT_CACERT='/tmp/vault-tls.../vault-ca.pem'
export VAULT_TOKEN='xxx'

TESTARGS="--run TestAccSSHSecretBackendRole -v" make testacc

The output looks like

$ TESTARGS="--run TestAccSSHSecretBackendRole -v" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test --run TestAccSSHSecretBackendRole -v -timeout 30m ./...
?   	github.com/hashicorp/terraform-provider-vault	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/generate	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/codegen	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/generated	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/consts	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/helper	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/mfa	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/group	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/pki	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/internal/identity/entity	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/schema	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/internal/provider	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/testutil	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/util	(cached) [no tests to run]
2023/09/18 11:12:14 [INFO] Using Vault token with the following policies: root
=== RUN   TestAccSSHSecretBackendRole
=== RUN   TestAccSSHSecretBackendRole/vault-1.11-and-below
    resource_ssh_secret_backend_role_test.go:150: Vault server version "1.12.0"
    resource_ssh_secret_backend_role_test.go:150: Vault version >= "1.12.0"
=== RUN   TestAccSSHSecretBackendRole/vault-1.12-and-up
    resource_ssh_secret_backend_role_test.go:162: Vault server version "1.12.0"
--- PASS: TestAccSSHSecretBackendRole (2.75s)
    --- SKIP: TestAccSSHSecretBackendRole/vault-1.11-and-below (0.00s)
    --- PASS: TestAccSSHSecretBackendRole/vault-1.12-and-up (2.75s)
=== RUN   TestAccSSHSecretBackendRoleOTP_basic
--- PASS: TestAccSSHSecretBackendRoleOTP_basic (0.95s)
=== RUN   TestAccSSHSecretBackendRole_template
    resource_ssh_secret_backend_role_test.go:203: Vault server version "1.12.0"
--- PASS: TestAccSSHSecretBackendRole_template (1.26s)
PASS
ok  	github.com/hashicorp/terraform-provider-vault/vault	4.981s

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

[fairclothjm]

@mju Thanks for the contribution! Could we please add a changelog entry and documentation for the new field? Here: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/ssh_secret_backend_role.html.md

[mju]

@mju Thanks for the contribution! Could we please add a changelog entry and documentation for the new field? Here: https://github.com/hashicorp/terraform-provider-vault/blob/main/website/docs/r/ssh_secret_backend_role.html.md

Done. I have two questions.

1. Are we expected to run acceptance tests? I commented on the PR summary why I wasn't able to do so. Would it be something that you have a CI pipeline for? Or would you be able to run it for me?
2. After the merger of this PR, roughly when would this feature be released?

[fairclothjm]

LGTM! Thanks!

[fairclothjm]

@mju Hello, looks like there is an error in the tests:

=== RUN   TestAccSSHSecretBackendRole/vault-1.12-and-up
    resource_ssh_secret_backend_role_test.go:162: Vault server version "1.13.3+ent"
    resource_ssh_secret_backend_role_test.go:158: Step 1/5 error: Check failed: 1 error occurred:
        	* Check 22/23 error: vault_ssh_secret_backend_role.test_role: Attribute 'not_before_duration' expected "0", got "30"
        
--- FAIL: TestAccSSHSecretBackendRole (0.45s)
    --- SKIP: TestAccSSHSecretBackendRole/vault-1.11-and-below (0.00s)
    --- FAIL: TestAccSSHSecretBackendRole/vault-1.12-and-up (0.45s)

You can run tests with a command like:

TESTARGS="--run TestAccSSHSecretBackendRole -v" make testacc

[mju]

@mju Hello, looks like there is an error in the tests:

=== RUN   TestAccSSHSecretBackendRole/vault-1.12-and-up
    resource_ssh_secret_backend_role_test.go:162: Vault server version "1.13.3+ent"
    resource_ssh_secret_backend_role_test.go:158: Step 1/5 error: Check failed: 1 error occurred:
        	* Check 22/23 error: vault_ssh_secret_backend_role.test_role: Attribute 'not_before_duration' expected "0", got "30"
        
--- FAIL: TestAccSSHSecretBackendRole (0.45s)
    --- SKIP: TestAccSSHSecretBackendRole/vault-1.11-and-below (0.00s)
    --- FAIL: TestAccSSHSecretBackendRole/vault-1.12-and-up (0.45s)

You can run tests with a command like:

TESTARGS="--run TestAccSSHSecretBackendRole -v" make testacc

vault's default value for this attribute is 30. I'll see how I can make it work.

About the Acceptance test, I don't have a https-enabled local vault to use. With vault server -dev, I will get

panic: failed to lookup token, err=Get "https://127.0.0.1:8201/v1/auth/token/lookup-self": remote error: tls: internal error

So I think for now I need to rely on the CI tests.

[fairclothjm]

Since the default is 30, I think you will need to update this to 30: https://github.com/hashicorp/terraform-provider-vault/pull/2019/files#diff-de680eba573f1d8768d49ad251da1d8c74870de89e5e4a4cef27a999c12f226bR51

Maybe we could change this to something other than 30: https://github.com/hashicorp/terraform-provider-vault/pull/2019/files#diff-de680eba573f1d8768d49ad251da1d8c74870de89e5e4a4cef27a999c12f226bR311 to check that the update changes from 30 => NEW_VALUE?

[mju]

Since the default is 30, I think you will need to update this to 30: https://github.com/hashicorp/terraform-provider-vault/pull/2019/files#diff-de680eba573f1d8768d49ad251da1d8c74870de89e5e4a4cef27a999c12f226bR51

Weird. I initially used 30s or 30m to start with and a unit test (make test) failed. Then I switched to 0.
I tried a moment ago to make a unit test fail and couldn't.

Maybe we could change this to something other than 30: https://github.com/hashicorp/terraform-provider-vault/pull/2019/files#diff-de680eba573f1d8768d49ad251da1d8c74870de89e5e4a4cef27a999c12f226bR311 to check that the update changes from 30 => NEW_VALUE?

Note that it's 30m here. The default is 30s. I'll make a change to make it clear though. I think I might have gotten 30m instead of 30s by luck.

[mju]

@fairclothjm I figured out how to run acceptance tests locally. It really should be fixed now. It seems CI tests are not triggered automatically?

[fairclothjm]

Are we expected to run acceptance tests? I commented on the PR summary why I wasn't able to do so. Would it be something that you have a CI pipeline for? Or would you be able to run it for me?

CI does not run for PRs from forks. Thanks for testing them locally!

After the merger of this PR, roughly when would this feature be released?

We do a release roughly once a month. We just did a release last week so approximately a month from now.

[fairclothjm]

Thanks @mju !