hashicorp · vinay-gopalan · Oct 31, 2023 · Oct 30, 2023 · Oct 31, 2023 · Oct 31, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 FEATURES:
 * Add support for `custom_metadata` on `vault_namespace`: ([#2033](https://github.com/hashicorp/terraform-provider-vault/pull/2033))
 * Add support for `OCSP*` role fields for the cert auth resource: ([#2056](https://github.com/hashicorp/terraform-provider-vault/pull/2056))
+* Add field `set_namespace_from_token` to Provider configuration ([#2070](https://github.com/hashicorp/terraform-provider-vault/pull/2070))
 
 BUGS:
 * Fix panic when readnig client_secret from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))

diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -363,6 +363,7 @@ const (
 	FieldServiceAccountJWT             = "service_account_jwt"
 	FieldDisableISSValidation          = "disable_iss_validation"
 	FieldPEMKeys                       = "pem_keys"
+	FieldSetNamespaceFromToken         = "set_namespace_from_token"
 	/*
 		common environment variables
 	*/

diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -314,8 +314,10 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 		namespace = tokenNamespace
 		// set the namespace on the provider to ensure that all child
 		// namespace paths are properly honoured.
-		if err := d.Set(consts.FieldNamespace, namespace); err != nil {
-			return nil, err
+		if v, ok := d.Get(consts.FieldSetNamespaceFromToken).(bool); ok && v {
+			if err := d.Set(consts.FieldNamespace, namespace); err != nil {
+				return nil, err
+			}
 		}
 	}
 

diff --git a/internal/provider/meta_test.go b/internal/provider/meta_test.go
@@ -553,13 +553,15 @@ func TestNewProviderMeta(t *testing.T) {
 	}
 
 	tests := []struct {
-		name               string
-		d                  *schema.ResourceData
-		data               map[string]interface{}
-		wantNamespace      string
-		tokenNamespace     string
-		authLoginNamespace string
-		wantErr            bool
+		name                      string
+		d                         *schema.ResourceData
+		data                      map[string]interface{}
+		wantNamespace             string
+		tokenNamespace            string
+		authLoginNamespace        string
+		wantErr                   bool
+		checkSetSetTokenNamespace bool
+		wantNamespaceFromToken    string
 	}{
 		{
 			name:    "invalid-nil-ResourceData",
@@ -627,22 +629,60 @@ func TestNewProviderMeta(t *testing.T) {
 			name: "with-provider-ns-and-auth-login-with-ns",
 			d:    pr.TestResourceData(),
 			data: map[string]interface{}{
-				consts.FieldNamespace:           nsPrefix + "prov-ns-auth-ns",
+				consts.FieldNamespace:           nsPrefix + "prov-ns-prov-ns",
 				consts.FieldSkipGetVaultVersion: true,
 				consts.FieldSkipChildToken:      true,
 				consts.FieldAuthLoginUserpass: []map[string]interface{}{
 					{
-						consts.FieldNamespace: nsPrefix + "auth-ns-prov-ns",
+						consts.FieldNamespace: nsPrefix + "auth-ns-auth-ns",
 						consts.FieldMount:     consts.MountTypeUserpass,
 						consts.FieldUsername:  defaultUser,
 						consts.FieldPassword:  defaultPassword,
 					},
 				},
 			},
-			authLoginNamespace: nsPrefix + "auth-ns-prov-ns",
-			wantNamespace:      nsPrefix + "prov-ns-auth-ns",
+			authLoginNamespace: nsPrefix + "auth-ns-auth-ns",
+			wantNamespace:      nsPrefix + "prov-ns-prov-ns",
 			wantErr:            false,
 		},
+		{
+			// expect token based namespace to be ignored.
+			name: "set-namespace-from-token-false",
+			d:    pr.TestResourceData(),
+			data: map[string]interface{}{
+				consts.FieldSkipGetVaultVersion:   true,
+				consts.FieldSetNamespaceFromToken: false,
+				consts.FieldSkipChildToken:        true,
+			},
+			tokenNamespace:            nsPrefix + "set-ns-from-token-auth-false-ignored",
+			wantNamespace:             nsPrefix + "set-ns-from-token-auth-false-ignored",
+			checkSetSetTokenNamespace: true,
+			wantNamespaceFromToken:    "",
+			wantErr:                   false,
+		},
+		{
+			// expect token based namespace to be ignored.
+			name: "set-namespace-from-token-true",
+			d:    pr.TestResourceData(),
+			data: map[string]interface{}{
+				consts.FieldSkipGetVaultVersion:   true,
+				consts.FieldSetNamespaceFromToken: true,
+				consts.FieldSkipChildToken:        true,
+				consts.FieldAuthLoginUserpass: []map[string]interface{}{
+					{
+						consts.FieldNamespace: nsPrefix + "set-ns-from-token-auth-true",
+						consts.FieldMount:     consts.MountTypeUserpass,
+						consts.FieldUsername:  defaultUser,
+						consts.FieldPassword:  defaultPassword,
+					},
+				},
+			},
+			authLoginNamespace:        nsPrefix + "set-ns-from-token-auth-true",
+			wantNamespace:             nsPrefix + "set-ns-from-token-auth-true",
+			checkSetSetTokenNamespace: true,
+			wantNamespaceFromToken:    nsPrefix + "set-ns-from-token-auth-true",
+			wantErr:                   false,
+		},
 	}
 
 	createNamespace := func(t *testing.T, client *api.Client, ns string) {
@@ -748,7 +788,11 @@ func TestNewProviderMeta(t *testing.T) {
 			}
 
 			if !reflect.DeepEqual(p.client.Namespace(), tt.wantNamespace) {
-				t.Errorf("NewProviderMeta() got ns = %v, want ns %v", p.client.Namespace(), tt.wantNamespace)
+				t.Errorf("NewProviderMeta() got ns = %q, want ns %q", p.client.Namespace(), tt.wantNamespace)
+			}
+
+			if tt.checkSetSetTokenNamespace && tt.wantNamespaceFromToken != tt.d.Get(consts.FieldNamespace).(string) {
+				t.Errorf("NewProviderMeta() got ns = %q, want ns %q", tt.d.Get(consts.FieldNamespace).(string), tt.wantNamespaceFromToken)
 			}
 
 			if client.Token() == "" {

diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -175,6 +175,14 @@ func NewProvider(
 				DefaultFunc: schema.EnvDefaultFunc("VAULT_NAMESPACE", ""),
 				Description: "The namespace to use. Available only for Vault Enterprise.",
 			},
+			consts.FieldSetNamespaceFromToken: {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+				Description: "In the case where the Vault token is for a specific namespace " +
+					"and the provider namespace is not configured, use the token namespace " +
+					"as the root namespace for all resources.",
+			},
 			"headers": {
 				Type:        schema.TypeList,
 				Optional:    true,

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -214,6 +214,10 @@ variables in order to keep credential information out of the configuration.
 
 * `use_root_namespace` - (Optional) Authenticate to the root Vault namespace. Conflicts with `namespace`.
 
+* `set_namespace_from_token` -(Optional) Defaults to `true`. In the case where the Vault token is
+  for a specific namespace and the provider namespace is not configured, use the token namespace
+  as the root namespace for all resources.
+
 * `skip_get_vault_version` - (Optional) Skip the dynamic fetching of the Vault server version. 
   Set to `true` when the */sys/seal-status* API endpoint is not available. See [vault_version_override](#vault_version_override)
   for related info