From b86c60ced41280003aac8e8d21063dab15c2e25a Mon Sep 17 00:00:00 2001
From: Matthew Bamber
Date: Thu, 28 Feb 2019 11:44:39 +0000
Subject: [PATCH 1/3] Add cidr block
---
 vault/resource_ssh_secret_backend_role.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/vault/resource_ssh_secret_backend_role.go b/vault/resource_ssh_secret_backend_role.go
index a07faa777..8968eafa1 100644
--- a/vault/resource_ssh_secret_backend_role.go
+++ b/vault/resource_ssh_secret_backend_role.go
@@ -71,6 +71,10 @@ func sshSecretBackendRoleResource() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 },
+ "cidr_list": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
 "allowed_extensions": {
 Type: schema.TypeString,
 Optional: true,
@@ -138,6 +142,10 @@ func sshSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 data["allowed_domains"] = v.(string)
 }
+ if v, ok := d.GetOk("cidr_list"); ok {
+ data["cidr_list"] = v.(string)
+ }
+
 if v, ok := d.GetOk("allowed_extensions"); ok {
 data["allowed_extensions"] = v.(string)
 }
@@ -221,6 +229,7 @@ func sshSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("allow_user_key_ids", role.Data["allow_user_key_ids"])
 d.Set("allowed_critical_options", role.Data["allowed_critical_options"])
 d.Set("allowed_domains", role.Data["allowed_domains"])
+ d.Set("cidr_list", role.Data["cidr_list"])
 d.Set("allowed_extensions", role.Data["allowed_extensions"])
 d.Set("default_extensions", role.Data["default_extensions"])
 d.Set("default_critical_options", role.Data["default_critical_options"])
From fc2e55f57f9d18f766186a142d590bd1e79020b9 Mon Sep 17 00:00:00 2001
From: Matthew Bamber
Date: Thu, 28 Feb 2019 11:45:16 +0000
Subject: [PATCH 2/3] Add tests
---
 .../resource_ssh_secret_backend_role_test.go | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/vault/resource_ssh_secret_backend_role_test.go b/vault/resource_ssh_secret_backend_role_test.go
index b37aafb67..fc7982f4b 100644
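Review bot: The new `"cidr_list"` entry in the `sshSecretBackendRoleResource` hunk carries no `Description`, so provider schema output and generated docs give no hint that the value is a comma-separated list of CIDR blocks acting as a source-address allow-list for the role; add `Description: "Comma-separated list of CIDR blocks for which the role is applicable.",` beside `Optional: true`. Because the field is a bare `TypeString`, a mistyped block is only rejected when Vault processes the write, so a `ValidateFunc` that splits on commas and runs each element through `net.ParseCIDR` would surface the error at plan time; whether this provider prefers to leave such validation to the server is not visible in the hunk. The `sshSecretBackendRoleRead` hunk ignores the `d.Set` return exactly like its neighbours, so that is existing style rather than a regression. All three enclosing functions start and end outside their hunks.
```go
"cidr_list": {
	Type:        schema.TypeString,
	Optional:    true,
	Description: "Comma-separated list of CIDR blocks for which the role is applicable.",
	ValidateFunc: func(v interface{}, k string) (ws []string, es []error) {
		raw := v.(string)
		if raw == "" {
			// empty is treated as unset by the write path's GetOk
			return
		}
		for _, block := range strings.Split(raw, ",") {
			if _, _, err := net.ParseCIDR(strings.TrimSpace(block)); err != nil {
				es = append(es, fmt.Errorf("%s: %q is not a valid CIDR block: %s", k, block, err))
			}
		}
		return
	},
},
// … unchanged: "allowed_extensions" and following schema entries …
```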
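Review bot: In the `sshSecretBackendRoleWrite` hunk, `d.GetOk("cidr_list")` treats an empty string as unset, so a configuration that later removes or blanks `cidr_list` sends no `cidr_list` key at all, and whether Vault then resets the earlier address restriction or retains it depends on the server's role-write semantics, which the hunk does not show. This mirrors the neighbouring `allowed_domains` handling, so it is an existing pattern rather than something this commit introduces, but for an allow-list field it is worth confirming with an acceptance step that drops `cidr_list` and re-reads the role. The enclosing function starts and ends outside the hunk.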
--- a/vault/resource_ssh_secret_backend_role_test.go
+++ b/vault/resource_ssh_secret_backend_role_test.go
@@ -68,6 +68,28 @@ func TestAccSSHSecretBackendRole_basic(t *testing.T) {
 })
 }
+func TestAccSSHSecretBackendRoleOTP_basic(t *testing.T) {
+ backend := acctest.RandomWithPrefix("tf-test/ssh")
+ name := acctest.RandomWithPrefix("tf-test-role")
+ resource.Test(t, resource.TestCase{
+ Providers: testProviders,
+ PreCheck: func() { testAccPreCheck(t) },
+ CheckDestroy: testAccSSHSecretBackendRoleCheckDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccSSHSecretBackendRoleOTPConfig_basic(name, backend),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "name", name),
+ resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "backend", backend),
+ resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "allowed_users", "usr1,usr2"),
+ resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "default_user", "usr"),
+ resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "cidr_list", "0.0.0.0/0"),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccSSHSecretBackendRole_import(t *testing.T) {
 backend := acctest.RandomWithPrefix("tf-test/ssh")
 name := acctest.RandomWithPrefix("tf-test-role")
@@ -172,3 +194,21 @@ resource "vault_ssh_secret_backend_role" "test_role" {
 }
 `, path, name)
 }
+
+func testAccSSHSecretBackendRoleOTPConfig_basic(name, path string) string {
+ return fmt.Sprintf(`
+resource "vault_mount" "example" {
+ path = "%s"
+ type = "ssh"
+}
+
+resource "vault_ssh_secret_backend_role" "test_role" {
+ name = "%s"
+ backend = "${vault_mount.example.path}"
+ allowed_users = "usr1,usr2"
+ default_user = "usr"
+ key_type = "otp"
+ cidr_list = "0.0.0.0/0"
+}
+`, path, name)
+}
From 1b86e25e84a7d834779893b66d989e0fefcc1a59 Mon Sep 17 00:00:00 2001
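Review bot: `TestAccSSHSecretBackendRoleOTP_basic` pins `cidr_list` to `0.0.0.0/0`, the block that matches every source address, so if Vault reports that value for a role whose `cidr_list` was never set (not visible here) the check passes whether or not the provider actually wrote the field; a narrower constructed block such as `"10.0.0.0/8"` in `testAccSSHSecretBackendRoleOTPConfig_basic` in the second hunk, with the matching `TestCheckResourceAttr`, would prove the round trip. The check list also never asserts `key_type`, so the test does not establish that the role was created as an OTP role; `resource.TestCheckResourceAttr("vault_ssh_secret_backend_role.test_role", "key_type", "otp"),` would close that gap. The config helper in the second hunk is self-contained, while `TestAccSSHSecretBackendRole_import`, whose opening lines the first hunk shows as context, ends outside it.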
From: Matthew Bamber
Date: Thu, 28 Feb 2019 11:49:40 +0000
Subject: [PATCH 3/3] Update website
---
 website/docs/r/ssh_secret_backend_role.html.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/website/docs/r/ssh_secret_backend_role.html.md b/website/docs/r/ssh_secret_backend_role.html.md
index fd90522e5..668f26b4a 100644
--- a/website/docs/r/ssh_secret_backend_role.html.md
+++ b/website/docs/r/ssh_secret_backend_role.html.md
@@ -24,6 +24,15 @@ resource "vault_ssh_secret_backend_role" "foo" {
 key_type = "ca"
 allow_user_certificates = true
 }
+
+resource "vault_ssh_secret_backend_role" "bar" {
+ name = "otp-role"
+ backend = "${vault_mount.example.path}"
+ key_type = "otp"
+ default_user = "default"
+ allowed_users = "default,baz"
+ cidr_list = "0.0.0.0/0"
+}
 ```
 ## Argument Reference
@@ -50,6 +59,8 @@ The following arguments are supported:
 * `allowed_domains` - (Optional) The list of domains for which a client can request a host certificate.
+* `cidr_list` - (Optional) The comma-separated string of CIDR blocks for which this role is applicable.
+
 * `allowed_extensions` - (Optional) Specifies a comma-separated list of extensions that certificates can have when signed.
 * `default_extensions` - (Optional) Specifies a map of extensions that certificates have when signed.