From 5d31b24f7828105339671fe097d77015d3190883 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Fri, 15 Nov 2024 12:42:09 -0800 Subject: [PATCH 01/11] add external_id to aws_auth_backend_sts_role resource --- vault/resource_aws_auth_backend_sts_role.go | 32 +++++++++++++++++---- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go index b79bf35f89..518c9f95e4 100644 --- a/vault/resource_aws_auth_backend_sts_role.go +++ b/vault/resource_aws_auth_backend_sts_role.go @@ -11,6 +11,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-provider-vault/internal/provider" ) @@ -52,6 +53,11 @@ func awsAuthBackendSTSRoleResource() *schema.Resource { return strings.Trim(v.(string), "/") }, }, + consts.FieldExternalID: { + Type: schema.TypeString, + Optional: true, + Description: "External ID expected by the STS role.", + }, }, } } @@ -65,13 +71,17 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error backend := d.Get("backend").(string) accountID := d.Get("account_id").(string) stsRole := d.Get("sts_role").(string) + externalID := d.Get(consts.FieldExternalID).(string) path := awsAuthBackendSTSRolePath(backend, accountID) + data := map[string]interface{}{ + "sts_role": stsRole, + consts.FieldExternalID: externalID, + } + log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path) - _, err := client.Logical().Write(path, map[string]interface{}{ - "sts_role": stsRole, - }) + _, err := client.Logical().Write(path, data) d.SetId(path) 
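Review bot: The `consts.FieldExternalID` schema entry in the `awsAuthBackendSTSRoleResource` hunk describes the value only as "expected by the STS role", which leaves out the property an operator needs to know: the provider and Vault only forward this value on AssumeRole, so it protects the role against confused-deputy use only if the IAM role's trust policy carries an `sts:ExternalId` condition (the resource docs later in this series say as much, the schema does not). A later commit in the series also makes the field a no-op below Vault 1.17, which the schema text should state since `terraform plan` is where most people read it. Suggested text: `Description: "External ID Vault passes on AssumeRole for this STS role. The IAM role's trust policy must require it via an sts:ExternalId condition, otherwise it adds no protection. Requires Vault 1.17+."`. The resource function's header is above this hunk.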
@@ -117,6 +127,11 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error { d.Set("backend", backend) d.Set("account_id", accountID) d.Set("sts_role", resp.Data["sts_role"]) + + if v, ok := resp.Data[consts.FieldExternalID]; ok { + d.Set(consts.FieldExternalID, v) + } + return nil } @@ -127,12 +142,17 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error } stsRole := d.Get("sts_role").(string) + externalID := d.Get(consts.FieldExternalID).(string) + path := d.Id() + data := map[string]interface{}{ + "sts_role": stsRole, + consts.FieldExternalID: externalID, + } + log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path) - _, err := client.Logical().Write(path, map[string]interface{}{ - "sts_role": stsRole, - }) + _, err := client.Logical().Write(path, data) if err != nil { return fmt.Errorf("error updating STS role %q in AWS auth backend", path) } From 015f6b363edb6577ad01fbd3a3f9381402054281 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Fri, 15 Nov 2024 12:46:45 -0800 Subject: [PATCH 02/11] update docs for aws_auth_backend_sts_role resource --- website/docs/r/aws_auth_backend_sts_role.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/docs/r/aws_auth_backend_sts_role.html.md b/website/docs/r/aws_auth_backend_sts_role.html.md index 20535a6160..76d4ed6ee9 100644 --- a/website/docs/r/aws_auth_backend_sts_role.html.md +++ b/website/docs/r/aws_auth_backend_sts_role.html.md @@ -51,6 +51,8 @@ The following arguments are supported: * `backend` - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to `aws`. +* `external_id` - (Optional) External ID expected by the STS role. The associated STS role must be configured to require the external ID. + ## Attributes Reference No additional attributes are exported by this resource. From da6892bf1c0e0f283643685ba8b382e7aa64f118 Mon Sep 17 00:00:00 2001 
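Review bot: The Update hunk keeps `return fmt.Errorf("error updating STS role %q in AWS auth backend", path)` directly under the rewritten `client.Logical().Write(path, data)`, so the error returned by Vault is discarded. With `external_id` now in the payload that matters more than before: a server that rejects or does not know the field would surface only the generic message, and the operator could not tell that the new field caused the failed write. Wrap the cause: `return fmt.Errorf("error updating STS role %q in AWS auth backend: %w", path, err)`. awsAuthBackendSTSRoleUpdate continues past the end of the hunk.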
From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Fri, 15 Nov 2024 17:11:33 -0800 Subject: [PATCH 03/11] update acceptance tests --- ...resource_aws_auth_backend_sts_role_test.go | 54 ++++++++++++++----- 1 file changed, 42 insertions(+), 12 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index b331594b6b..9ae552a544 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go @@ -12,6 +12,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/testutil" ) @@ -20,13 +21,14 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { backend := acctest.RandomWithPrefix("aws") accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") + externalID := "external-id" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn), + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { 
@@ -43,17 +45,30 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") updatedArn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") + externalID := "external-id" + updatedExternalID := "external-id-updated" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn), + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn), + // Add external ID. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), + }, + { + // Update ARN and external ID. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), + }, + { + // Remove external ID. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, }, @@ -115,7 +130,8 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } attrs := map[string]string{ - "sts_role": "sts_role", + "sts_role": "sts_role", + consts.FieldExternalID: consts.FieldExternalID, } for stateAttr, apiAttr := range attrs { if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" { 
@@ -129,17 +145,31 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } } -func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole string) string { +func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string { + roleResource := fmt.Sprintf(` +resource "vault_aws_auth_backend_sts_role" "role" { + backend = vault_auth_backend.aws.path + account_id = "%s" + sts_role = "%s" +} +`, accountID, stsRole) + + if externalID != "" { + roleResource = fmt.Sprintf(` +resource "vault_aws_auth_backend_sts_role" "role" { + backend = vault_auth_backend.aws.path + account_id = "%s" + sts_role = "%s" + external_id = "%s" +} +`, accountID, stsRole, externalID) + } + return fmt.Sprintf(` resource "vault_auth_backend" "aws" { type = "aws" path = "%s" } - -resource "vault_aws_auth_backend_sts_role" "role" { - backend = vault_auth_backend.aws.path - account_id = "%s" - sts_role = "%s" -} -`, backend, accountID, stsRole) +%s +`, backend, roleResource) } From 2c48a300457fbc563959b942a7ba21f6c383e973 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Tue, 19 Nov 2024 16:45:28 -0800 Subject: [PATCH 04/11] only support external_id on vault versions >= 1.17 external_id support for aws auth sts configuration added in 1.17.0: https://github.com/hashicorp/vault/pull/26628 --- vault/resource_aws_auth_backend_sts_role.go | 20 +++-- ...resource_aws_auth_backend_sts_role_test.go | 73 ++++++++++++------- 2 files changed, 59 insertions(+), 34 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go index 518c9f95e4..0979259afd 100644 --- a/vault/resource_aws_auth_backend_sts_role.go +++ b/vault/resource_aws_auth_backend_sts_role.go 
@@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error path := awsAuthBackendSTSRolePath(backend, accountID) data := map[string]interface{}{ - "sts_role": stsRole, - consts.FieldExternalID: externalID, + "sts_role": stsRole, + } + + if provider.IsAPISupported(meta, provider.VaultVersion117) { + data[consts.FieldExternalID] = externalID } log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path) @@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error { d.Set("account_id", accountID) d.Set("sts_role", resp.Data["sts_role"]) - if v, ok := resp.Data[consts.FieldExternalID]; ok { - d.Set(consts.FieldExternalID, v) + if provider.IsAPISupported(meta, provider.VaultVersion117) { + if v, ok := resp.Data[consts.FieldExternalID]; ok { + d.Set(consts.FieldExternalID, v) + } } return nil @@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error path := d.Id() data := map[string]interface{}{ - "sts_role": stsRole, - consts.FieldExternalID: externalID, + "sts_role": stsRole, + } + + if provider.IsAPISupported(meta, provider.VaultVersion117) { + data[consts.FieldExternalID] = externalID } log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index 9ae552a544..b286b9b599 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go @@ -6,6 +6,7 @@ package vault import ( "fmt" "strconv" + "strings" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" 
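Review bot: In the `awsAuthBackendSTSRoleCreate` hunk a configured `external_id` is silently left out of `data` when `provider.IsAPISupported(meta, provider.VaultVersion117)` is false, and because the Read hunk below also skips the field on older servers the value configured by the operator stays in state, so the plan reports the external ID as applied while Vault never received it. That is a silent loss of a security control: someone who added `external_id` as confused-deputy protection gets no signal that the server ignored it, and if the IAM trust policy requires it the only symptom is a later AssumeRole failure at login time that looks unrelated. Fail explicitly before building `data`: `if externalID != "" && !provider.IsAPISupported(meta, provider.VaultVersion117) { return fmt.Errorf("external_id requires Vault 1.17 or later") }`, and mirror the same check in the Update hunk, which has the identical gate. Both functions extend beyond their hunks.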
@@ -22,8 +23,17 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") externalID := "external-id" + + importStateVerifyIgnore := make([]string, 0) + // Ignore external_id if Vault version is < 1.17.0. + if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { + importStateVerifyIgnore = append(importStateVerifyIgnore, consts.FieldExternalID) + } + resource.Test(t, resource.TestCase{ - PreCheck: func() { testutil.TestAccPreCheck(t) }, + PreCheck: func() { + testutil.TestAccPreCheck(t) + }, ProviderFactories: providerFactories, CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ @@ -32,9 +42,10 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { - ResourceName: "vault_aws_auth_backend_sts_role.role", - ImportState: true, - ImportStateVerify: true, + ResourceName: "vault_aws_auth_backend_sts_role.role", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: importStateVerifyIgnore, }, }, }) 
@@ -56,13 +67,18 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, + { + // Update ARN. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), + }, { // Add external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, { - // Update ARN and external ID. + // Update external ID. Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, @@ -130,9 +146,13 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } attrs := map[string]string{ - "sts_role": "sts_role", - consts.FieldExternalID: consts.FieldExternalID, + "sts_role": "sts_role", + } + // Only check external_id if Vault version is >= 1.17.0 + if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { + attrs[consts.FieldExternalID] = consts.FieldExternalID } + for stateAttr, apiAttr := range attrs { if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" { continue 
@@ -146,30 +166,27 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string { - roleResource := fmt.Sprintf(` -resource "vault_aws_auth_backend_sts_role" "role" { - backend = vault_auth_backend.aws.path - account_id = "%s" - sts_role = "%s" -} -`, accountID, stsRole) + backendResource := fmt.Sprintf(` +resource "vault_auth_backend" "aws" { + type = "aws" + path = "%s" +}`, backend) + roleResourceOptionalFields := "" if externalID != "" { - roleResource = fmt.Sprintf(` + roleResourceOptionalFields += fmt.Sprintf(` + external_id = "%s"`, externalID) + } + + roleResource := fmt.Sprintf(` resource "vault_aws_auth_backend_sts_role" "role" { backend = vault_auth_backend.aws.path account_id = "%s" - sts_role = "%s" - external_id = "%s" + sts_role = "%s"%s } -`, accountID, stsRole, externalID) - } +`, accountID, stsRole, roleResourceOptionalFields) - return fmt.Sprintf(` -resource "vault_auth_backend" "aws" { - type = "aws" - path = "%s" -} -%s -`, backend, roleResource) + resources := []string{backendResource, roleResource} + + return strings.Join(resources, "\n") } From 670162b923df30e92d0888e2ca250d37e44fff0c Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:19:26 -0800 Subject: [PATCH 05/11] separate import test for external_id case --- ...resource_aws_auth_backend_sts_role_test.go | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index b286b9b599..afb00e9240 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go 
@@ -22,17 +22,35 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { backend := acctest.RandomWithPrefix("aws") accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") - externalID := "external-id" - importStateVerifyIgnore := make([]string, 0) - // Ignore external_id if Vault version is < 1.17.0. - if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { - importStateVerifyIgnore = append(importStateVerifyIgnore, consts.FieldExternalID) - } + resource.Test(t, resource.TestCase{ + PreCheck: func() { testutil.TestAccPreCheck(t) }, + ProviderFactories: providerFactories, + CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), + Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), + }, + { + ResourceName: "vault_aws_auth_backend_sts_role.role", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSAuthBackendSTSRole_importWithExternalID(t *testing.T) { + backend := acctest.RandomWithPrefix("aws") + accountID := strconv.Itoa(acctest.RandInt()) + arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") + externalID := "external-id" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) + SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117) }, ProviderFactories: providerFactories, CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, 
@@ -42,10 +60,9 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { - ResourceName: "vault_aws_auth_backend_sts_role.role", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: importStateVerifyIgnore, + ResourceName: "vault_aws_auth_backend_sts_role.role", + ImportState: true, + ImportStateVerify: true, }, }, }) From 96c64f52a47ed7b4ecd3c4123b53d6a6e5311954 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:21:24 -0800 Subject: [PATCH 06/11] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb789b06fb..7cf55e52d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ FEATURES: * Add support for `connection_timeout` field for the `vault_ldap_auth_backend` resource ([#2358](https://github.com/hashicorp/terraform-provider-vault/pull/2358)) * Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341)) * Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2226](https://github.com/hashicorp/terraform-provider-vault/pull/2226)) +* Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370)) BUGS: From 1c2452e76cd525ef6c20206a8e05bc6269eb86d4 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Thu, 21 Nov 2024 11:14:43 -0800 Subject: [PATCH 07/11] fix changelog: move change under unreleased --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7cf55e52d2..a804398ca0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,9 @@ ## Unreleased +FEATURES: + +* Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370)) + ## 4.5.0 (Nov 19, 2024) FEATURES: @@ -12,7 +16,6 @@ FEATURES: * Add support for `connection_timeout` field for the `vault_ldap_auth_backend` resource ([#2358](https://github.com/hashicorp/terraform-provider-vault/pull/2358)) * Add support for Rootless Configuration for Static Roles to Postgres DB ([#2341](https://github.com/hashicorp/terraform-provider-vault/pull/2341)) * Add support for `use_annotations_as_alias_metadata` field for the `vault_kubernetes_auth_backend_config` resource ([#2226](https://github.com/hashicorp/terraform-provider-vault/pull/2226)) -* Add support for `external_id` field for the `vault_aws_auth_backend_sts_role` resource ([#2370](https://github.com/hashicorp/terraform-provider-vault/pull/2370)) BUGS: From 67bb7aa2f0b849048741f005c85d535181bfcbf6 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Thu, 21 Nov 2024 11:48:44 -0800 Subject: [PATCH 08/11] add import test steps and remove separate import tests, add separate withExternalID test --- ...resource_aws_auth_backend_sts_role_test.go | 69 +++++++------------ 1 file changed, 23 insertions(+), 46 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index afb00e9240..0f0347e331 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go 
@@ -18,34 +18,13 @@ import ( "github.com/hashicorp/terraform-provider-vault/testutil" ) -func TestAccAWSAuthBackendSTSRole_import(t *testing.T) { - backend := acctest.RandomWithPrefix("aws") - accountID := strconv.Itoa(acctest.RandInt()) - arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testutil.TestAccPreCheck(t) }, - ProviderFactories: providerFactories, - CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, - Steps: []resource.TestStep{ - { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), - }, - { - ResourceName: "vault_aws_auth_backend_sts_role.role", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccAWSAuthBackendSTSRole_importWithExternalID(t *testing.T) { +func TestAccAWSAuthBackendSTSRole_withExternalID(t *testing.T) { backend := acctest.RandomWithPrefix("aws") accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") externalID := "external-id" + updatedExternalID := "external-id-updated" + resourceName := "vault_aws_auth_backend_sts_role.role" resource.Test(t, resource.TestCase{ PreCheck: func() { 
@@ -57,10 +36,25 @@ func TestAccAWSAuthBackendSTSRole_importWithExternalID(t *testing.T) { Steps: []resource.TestStep{ { Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "backend", backend), + resource.TestCheckResourceAttr(resourceName, "account_id", accountID), + resource.TestCheckResourceAttr(resourceName, "sts_role", arn), + resource.TestCheckResourceAttr(resourceName, consts.FieldExternalID, externalID), + ), }, { - ResourceName: "vault_aws_auth_backend_sts_role.role", + // Update external ID. + Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, updatedExternalID), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "backend", backend), + resource.TestCheckResourceAttr(resourceName, "account_id", accountID), + resource.TestCheckResourceAttr(resourceName, "sts_role", arn), + resource.TestCheckResourceAttr(resourceName, consts.FieldExternalID, updatedExternalID), + ), + }, + { + ResourceName: resourceName, ImportState: true, ImportStateVerify: true, }, @@ -73,8 +67,6 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { accountID := strconv.Itoa(acctest.RandInt()) arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") updatedArn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role") - externalID := "external-id" - updatedExternalID := "external-id-updated" resource.Test(t, resource.TestCase{ PreCheck: func() { testutil.TestAccPreCheck(t) }, ProviderFactories: providerFactories, 
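Review bot: `TestAccAWSAuthBackendSTSRole_withExternalID` in this hunk covers setting and changing `external_id` but never removes it, and the later hunk in this commit deletes the "Remove external ID" step from `_basic`, so the path where Update writes an empty `external_id` to clear a previously required value is no longer exercised by any step. Clearing the external ID loosens what the role will accept, so that transition is the one most worth a regression check. Add a config step before the import step with `Config: testAccAWSAuthBackendSTSRoleConfig(backend, accountID, arn, "")` and `resource.TestCheckResourceAttr(resourceName, consts.FieldExternalID, "")`, ideally also reading the role back from Vault as `testAccAWSAuthBackendSTSRoleCheck_attrs` does so the server-side value is confirmed empty rather than only the state.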
@@ -90,19 +82,9 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, { - // Add external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), - }, - { - // Update external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), - }, - { - // Remove external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""), - Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), + ResourceName: "vault_aws_auth_backend_sts_role.role", + ImportState: true, + ImportStateVerify: true, }, }, }) @@ -165,11 +147,6 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) attrs := map[string]string{ "sts_role": "sts_role", } - // Only check external_id if Vault version is >= 1.17.0 - if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) { - attrs[consts.FieldExternalID] = consts.FieldExternalID - } - for stateAttr, apiAttr := range attrs { if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" { continue From 894d67a795fafbf0898e7feb0c723a87195b28f5 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Thu, 21 Nov 2024 11:59:36 -0800 Subject: [PATCH 09/11] handle error on d.Set --- vault/resource_aws_auth_backend_sts_role.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go index 0979259afd..96e481eb5e 100644 --- a/vault/resource_aws_auth_backend_sts_role.go +++ b/vault/resource_aws_auth_backend_sts_role.go 
@@ -133,7 +133,9 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error { if provider.IsAPISupported(meta, provider.VaultVersion117) { if v, ok := resp.Data[consts.FieldExternalID]; ok { - d.Set(consts.FieldExternalID, v) + if err := d.Set(consts.FieldExternalID, v); err != nil { + return err + } } } From 042024d8927974896ae110c1b20a101e8062b1e8 Mon Sep 17 00:00:00 2001 From: Helen Fu <25168806+helenfufu@users.noreply.github.com> Date: Thu, 21 Nov 2024 12:06:03 -0800 Subject: [PATCH 10/11] rename testAccAWSAuthBackendSTSRoleConfig_basic to more general testAccAWSAuthBackendSTSRoleConfig --- vault/resource_aws_auth_backend_sts_role_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go index 0f0347e331..80d241426c 100644 --- a/vault/resource_aws_auth_backend_sts_role_test.go +++ b/vault/resource_aws_auth_backend_sts_role_test.go @@ -35,7 +35,7 @@ func TestAccAWSAuthBackendSTSRole_withExternalID(t *testing.T) { CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID), + Config: testAccAWSAuthBackendSTSRoleConfig(backend, accountID, arn, externalID), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "backend", backend), resource.TestCheckResourceAttr(resourceName, "account_id", accountID), @@ -45,7 +45,7 @@ func TestAccAWSAuthBackendSTSRole_withExternalID(t *testing.T) { }, { // Update external ID. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, updatedExternalID), + Config: testAccAWSAuthBackendSTSRoleConfig(backend, accountID, arn, updatedExternalID), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "backend", backend), resource.TestCheckResourceAttr(resourceName, "account_id", accountID), 
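Review bot: The guarded `if v, ok := resp.Data[consts.FieldExternalID]; ok` in the `awsAuthBackendSTSRoleRead` hunk writes state only when Vault returns the key, so if the key is ever absent from the response (for instance after the external ID is cleared outside Terraform, should the server omit empty fields) the value from the previous apply is retained and no drift is shown for a security-relevant setting. I cannot confirm from the hunk whether Vault 1.17 always returns the key; if it does not, set the field unconditionally on supported versions, `if err := d.Set(consts.FieldExternalID, resp.Data[consts.FieldExternalID]); err != nil { return err }`, which the SDK stores as the zero value when the key is missing and therefore surfaces an out-of-band removal as a diff. awsAuthBackendSTSRoleRead starts above the hunk.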
@@ -73,12 +73,12 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) { CheckDestroy: testAccCheckAWSAuthBackendSTSRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""), + Config: testAccAWSAuthBackendSTSRoleConfig(backend, accountID, arn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn), }, { // Update ARN. - Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""), + Config: testAccAWSAuthBackendSTSRoleConfig(backend, accountID, updatedArn, ""), Check: testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn), }, { @@ -159,7 +159,7 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string) } } -func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string { +func testAccAWSAuthBackendSTSRoleConfig(backend, accountID, stsRole, externalID string) string { backendResource := fmt.Sprintf(` resource "vault_auth_backend" "aws" { type = "aws" From 6ce3f6c4869c2b5a57733bf3c309c1a571b8dd7b Mon Sep 17 00:00:00 2001 From: helenfufu <25168806+helenfufu@users.noreply.github.com> Date: Fri, 22 Nov 2024 11:43:09 -0800 Subject: [PATCH 11/11] note 1.17 version requirement in doc Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> --- website/docs/r/aws_auth_backend_sts_role.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/aws_auth_backend_sts_role.html.md b/website/docs/r/aws_auth_backend_sts_role.html.md index 76d4ed6ee9..98ac51c09b 100644 --- a/website/docs/r/aws_auth_backend_sts_role.html.md +++ b/website/docs/r/aws_auth_backend_sts_role.html.md 
@@ -51,7 +51,7 @@ The following arguments are supported: * `backend` - (Optional) The path the AWS auth backend being configured was mounted at. Defaults to `aws`. -* `external_id` - (Optional) External ID expected by the STS role. The associated STS role must be configured to require the external ID. +* `external_id` - (Optional) External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+. ## Attributes Reference