Update Sync Association resource to include sync metadata for all subkeys

CHANGELOG.md

@@ -1,8 +1,12 @@
 ## Unreleased
 
 FEATURES:
+* Add `granularity` to Secrets Sync destination resources. Requires Vault 1.16+. ([#2202](https://github.com/hashicorp/terraform-provider-vault/pull/2202))
+
+IMPROVEMENTS:
 * Add support for `allowed_kubernetes_namespace_selector` in `vault_kubernetes_secret_backend_role` ([#2180](https://github.com/hashicorp/terraform-provider-vault/pull/2180)).
 * Add new data source `vault_namespace`. Requires Vault Enterprise: ([#2208](https://github.com/hashicorp/terraform-provider-vault/pull/2208)).
+* Enable Secrets Sync Association resource to track sync status across all subkeys of a secret ([#2202](https://github.com/hashicorp/terraform-provider-vault/pull/2202))
 
 BUGS:
 * fix `vault_approle_auth_backend_role_secret_id` regression to handle 404 errors ([#2204](https://github.com/hashicorp/terraform-provider-vault/pull/2204))

internal/consts/consts.go

@@ -413,6 +413,8 @@ const (
 	FieldStartTime                     = "start_time"
 	FieldEndTime                       = "end_time"
 	FieldLink                          = "link"
+	FieldGranularity                   = "granularity"
+	FieldGranularityLevel              = "granularity_level"
 
 	/*
 		common environment variables

internal/provider/schema_util.go

@@ -80,6 +80,12 @@ func MustAddSecretsSyncCommonSchema(r *schema.Resource) *schema.Resource {
 			Computed:    true,
 			Description: "Template describing how to generate external secret names.",
 		},
+		consts.FieldGranularity: {
+			Type:     schema.TypeString,
+			Optional: true,
+			Description: "Determines what level of information is synced as a distinct resource at the destination. " +
+				"Can be 'secret-path' or 'secret-key'",
+		},
 	})
 
 	return r

internal/sync/secrets_sync.go

@@ -27,7 +27,7 @@ func SyncDestinationCreateUpdate(ctx context.Context, d *schema.ResourceData, me
 	}
 
 	name := d.Get(consts.FieldName).(string)
-	path := secretsSyncDestinationPath(name, typ)
+	path := SecretsSyncDestinationPath(name, typ)
 
 	data := map[string]interface{}{}
 
@@ -48,16 +48,16 @@ func SyncDestinationCreateUpdate(ctx context.Context, d *schema.ResourceData, me
 		d.SetId(name)
 	}
 
-	return SyncDestinationRead(ctx, d, meta, typ, readFields)
+	return SyncDestinationRead(ctx, d, meta, typ, readFields, nil)
 }
 
-func SyncDestinationRead(ctx context.Context, d *schema.ResourceData, meta interface{}, typ string, fields []string) diag.Diagnostics {
+func SyncDestinationRead(ctx context.Context, d *schema.ResourceData, meta interface{}, typ string, fields []string, vaultSchemaMap map[string]string) diag.Diagnostics {
 	client, e := provider.GetClient(d, meta)
 	if e != nil {
 		return diag.FromErr(e)
 	}
 	name := d.Id()
-	path := secretsSyncDestinationPath(name, typ)
+	path := SecretsSyncDestinationPath(name, typ)
 
 	log.Printf("[DEBUG] Reading sync destination")
 	resp, err := client.Logical().ReadWithContext(ctx, path)
@@ -76,24 +76,34 @@ func SyncDestinationRead(ctx context.Context, d *schema.ResourceData, meta inter
 		return diag.FromErr(err)
 	}
 
-	// implicitly set type so it can be passed down to association resource for ease-of-use
+	// implicitly set type, so it can be passed down to association resource for ease-of-use
 	if err := d.Set(consts.FieldType, typ); err != nil {
 		return diag.FromErr(err)
 	}
 
 	connectionDetails := resp.Data[fieldConnectionDetails]
 	options := resp.Data[fieldOptions]
 	for _, k := range fields {
+		// field that Vault returns in response
+		vaultKey := k
+
+		if vaultSchemaMap != nil {
+			if v, ok := vaultSchemaMap[k]; ok {
+				// Vault uses a different key than the one in TF schema
+				vaultKey = v
+			}
+		}
+
 		if connectionMap, ok := connectionDetails.(map[string]interface{}); ok {
-			if v, ok := connectionMap[k]; ok {
+			if v, ok := connectionMap[vaultKey]; ok {
 				if err := d.Set(k, v); err != nil {
 					return diag.Errorf("error setting state key %q: err=%s", k, err)
 				}
 			}
 		}
 
 		if optionsMap, ok := options.(map[string]interface{}); ok {
-			if v, ok := optionsMap[k]; ok {
+			if v, ok := optionsMap[vaultKey]; ok {
 				if err := d.Set(k, v); err != nil {
 					return diag.Errorf("error setting state key %q: err=%s", k, err)
 				}
@@ -110,7 +120,7 @@ func SyncDestinationDelete(ctx context.Context, d *schema.ResourceData, meta int
 		return diag.FromErr(e)
 	}
 
-	path := secretsSyncDestinationPath(d.Id(), typ)
+	path := SecretsSyncDestinationPath(d.Id(), typ)
 
 	log.Printf("[DEBUG] Deleting sync destination at %q", path)
 	_, err := client.Logical().DeleteWithContext(ctx, path)
@@ -122,6 +132,6 @@ func SyncDestinationDelete(ctx context.Context, d *schema.ResourceData, meta int
 	return nil
 }
 
-func secretsSyncDestinationPath(name, typ string) string {
+func SecretsSyncDestinationPath(name, typ string) string {
 	return fmt.Sprintf("sys/sync/destinations/%s/%s", typ, name)
 }

vault/resource_aws_secret_backend_test.go

@@ -83,7 +83,7 @@ func TestAccAWSSecretBackend_wif(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		ProviderFactories: providerFactories,
 		PreCheck: func() {
-			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
 			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
 		},
 		CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeAWS, consts.FieldPath),

vault/resource_config_ui_custom_message_test.go

@@ -52,7 +52,7 @@ func TestAccConfigUICustomMessage(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		ProviderFactories: providerFactories,
 		PreCheck: func() {
-			testutil.TestAccPreCheck(t)
+			testutil.TestEntPreCheck(t)
 			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion116)
 		},
 		Steps: []resource.TestStep{
@@ -88,5 +88,4 @@ func TestAccConfigUICustomMessage(t *testing.T) {
 			},
 		},
 	})
-
 }