Extra config options for auth_backend

vault/resource_auth_backend.go

@@ -55,6 +55,38 @@ func authBackendResource() *schema.Resource {
 				Description: "The description of the auth backend",
 			},
 
+			"default_lease_ttl_seconds": {
+				Type:        schema.TypeInt,
+				Required:    false,
+				Optional:    true,
+				Computed:    true,
+				ForceNew:    true,
+				Description: "Default lease duration in seconds",
+			},
+
+			"max_lease_ttl_seconds": {
+				Type:        schema.TypeInt,
+				Required:    false,
+				Optional:    true,
+				Computed:    true,
+				ForceNew:    true,
+				Description: "Maximum possible lease duration in seconds",
+			},
+
+			"listing_visibility": {
+				Type:        schema.TypeString,
+				ForceNew:    true,
+				Optional:    true,
+				Description: "Speficies whether to show this mount in the UI-specific listing endpoint",
+			},
+
+			"local": {
+				Type:        schema.TypeBool,
+				ForceNew:    true,
+				Optional:    true,
+				Description: "Specifies if the auth method is local only",
+			},
+
 			"accessor": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -67,19 +99,27 @@ func authBackendResource() *schema.Resource {
 func authBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
-	name := d.Get("type").(string)
-	desc := d.Get("description").(string)
+	mountType := d.Get("type").(string)
 	path := d.Get("path").(string)
 
+	options := &api.EnableAuthOptions{
+		Type:        mountType,
+		Description: d.Get("description").(string),
+		Config: api.AuthConfigInput{
+			DefaultLeaseTTL:   fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
+			MaxLeaseTTL:       fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
+			ListingVisibility: d.Get("listing_visibility").(string),
+		},
+		Local: d.Get("local").(bool),
+	}
+
 	if path == "" {
-		path = name
+		path = mountType
 	}
 
 	log.Printf("[DEBUG] Writing auth %q to Vault", path)
 
-	err := client.Sys().EnableAuth(path, name, desc)
-
-	if err != nil {
+	if err := client.Sys().EnableAuthWithOptions(path, options); err != nil {
 		return fmt.Errorf("error writing to Vault: %s", err)
 	}
 
@@ -95,9 +135,7 @@ func authBackendDelete(d *schema.ResourceData, meta interface{}) error {
 
 	log.Printf("[DEBUG] Deleting auth %s from Vault", path)
 
-	err := client.Sys().DisableAuth(path)
-
-	if err != nil {
+	if err := client.Sys().DisableAuth(path); err != nil {
 		return fmt.Errorf("error disabling auth from Vault: %s", err)
 	}
 
@@ -120,6 +158,10 @@ func authBackendRead(d *schema.ResourceData, meta interface{}) error {
 			d.Set("type", auth.Type)
 			d.Set("path", path)
 			d.Set("description", auth.Description)
+			d.Set("default_lease_ttl_seconds", auth.Config.DefaultLeaseTTL)
+			d.Set("max_lease_ttl_seconds", auth.Config.MaxLeaseTTL)
+			d.Set("listing_visibility", auth.Config.ListingVisibility)
+			d.Set("local", auth.Local)
 			d.Set("accessor", auth.Accessor)
 			return nil
 		}

vault/resource_auth_backend_test.go

@@ -57,6 +57,10 @@ resource "vault_auth_backend" "test" {
 	type = "github"
 	path = "%s"
 	description = "Test auth backend"
+	default_lease_ttl_seconds = 3600
+	max_lease_ttl_seconds = 86400
+	listing_visibility = "unauth"
+	local = true
 }`, path)
 }
 
@@ -82,6 +86,30 @@ func testResourceAuth_initialCheck(expectedPath string) resource.TestCheckFunc {
 			return fmt.Errorf("unexpected auth path %q, expected %q", path, expectedPath)
 		}
 
+		if instanceState.Attributes["type"] != "github" {
+			return fmt.Errorf("unexpected auth type")
+		}
+
+		if instanceState.Attributes["description"] != "Test auth backend" {
+			return fmt.Errorf("unexpected auth description")
+		}
+
+		if instanceState.Attributes["default_lease_ttl_seconds"] != "3600" {
+			return fmt.Errorf("unexpected auth default_lease_ttl_seconds")
+		}
+
+		if instanceState.Attributes["max_lease_ttl_seconds"] != "86400" {
+			return fmt.Errorf("unexpected auth max_lease_ttl_seconds")
+		}
+
+		if instanceState.Attributes["listing_visibility"] != "unauth" {
+			return fmt.Errorf("unexpected auth listing_visibility")
+		}
+
+		if instanceState.Attributes["local"] != "true" {
+			return fmt.Errorf("unexpected auth local")
+		}
+
 		client := testProvider.Meta().(*api.Client)
 		auths, err := client.Sys().ListAuth()
 
@@ -90,9 +118,27 @@ func testResourceAuth_initialCheck(expectedPath string) resource.TestCheckFunc {
 		}
 
 		found := false
-		for serverPath := range auths {
+		for serverPath, serverAuth := range auths {
 			if serverPath == expectedPath+"/" {
 				found = true
+				if serverAuth.Type != "github" {
+					return fmt.Errorf("unexpected auth type")
+				}
+				if serverAuth.Description != "Test auth backend" {
+					return fmt.Errorf("unexpected auth description")
+				}
+				if serverAuth.Config.DefaultLeaseTTL != 3600 {
+					return fmt.Errorf("unexpected auth default_lease_ttl_seconds")
+				}
+				if serverAuth.Config.MaxLeaseTTL != 86400 {
+					return fmt.Errorf("unexpected auth max_lease_ttl_seconds")
+				}
+				if serverAuth.Config.ListingVisibility != "unauth" {
+					return fmt.Errorf("unexpected auth listing_visibility")
+				}
+				if serverAuth.Local != true {
+					return fmt.Errorf("unexpected auth local")
+				}
 				break
 			}
 		}

website/docs/r/auth_backend.html.md

@@ -27,6 +27,14 @@ The following arguments are supported:
 
 * `description` - (Optional) A description of the auth backend
 
+* `default_lease_ttl_seconds` - (Optional) The default lease duration in seconds.
+
+* `max_lease_ttl_seconds` - (Optional) The maximum lease duration in seconds.
+
+* `listing_visibility` - (Optional) Speficies whether to show this mount in the UI-specific listing endpoint.
+
+* `local` - (Optional) Specifies if the auth method is local only.
+
 ## Attributes Reference
 
 In addition to the fields above, the following attributes are exported: