From 7207d4300248dc081927283c073700505b25f927 Mon Sep 17 00:00:00 2001
From: Anatole Beuzon
Date: Fri, 3 May 2019 16:38:34 -0400
Subject: [PATCH 1/5] aws_secret_backend_role: add role_arns argument

---
 vault/resource_aws_secret_backend_role.go | 32 ++++++++++++++++++-----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go
index 659accbc0..01b69ff3e 100644
--- a/vault/resource_aws_secret_backend_role.go
+++ b/vault/resource_aws_secret_backend_role.go
@@ -37,7 +37,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 "policy_arns": {
 Type: schema.TypeList,
 Optional: true,
- ConflictsWith: []string{"policy", "policy_arn"},
+ ConflictsWith: []string{"policy", "policy_arn", "role_arns"},
 Description: "ARN for an existing IAM policy the role should use.",
 Elem: &schema.Schema{
 Type: schema.TypeString,
@@ -46,21 +46,21 @@ func awsSecretBackendRoleResource() *schema.Resource {
 "policy_arn": {
 Type: schema.TypeString,
 Optional: true,
- ConflictsWith: []string{"policy_document", "policy", "policy_arns"},
+ ConflictsWith: []string{"policy_document", "policy", "policy_arns", "role_arns"},
 Description: "ARN for an existing IAM policy the role should use.",
 Deprecated: `Use "policy_arns".`,
 },
 "policy_document": {
 Type: schema.TypeString,
 Optional: true,
- ConflictsWith: []string{"policy_arn", "policy"},
+ ConflictsWith: []string{"policy_arn", "policy", "role_arns"},
 Description: "IAM policy the role should use in JSON format.",
 DiffSuppressFunc: util.JsonDiffSuppress,
 },
 "policy": {
 Type: schema.TypeString,
 Optional: true,
- ConflictsWith: []string{"policy_arns", "policy_arn", "policy_document"},
+ ConflictsWith: []string{"policy_arns", "policy_arn", "policy_document", "role_arns"},
 Description: "IAM policy the role should use in JSON format.",
 DiffSuppressFunc: util.JsonDiffSuppress,
 Deprecated: `Use "policy_document".`,
@@ -70,6 +70,16 @@ func awsSecretBackendRoleResource() *schema.Resource {
 Required: true,
 Description: "Role credential type.",
 },
+ "role_arns": {
+ Type: schema.TypeList,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ Optional: true,
+ ForceNew: true,
+ ConflictsWith: []string{"policy", "policy_arn", "policy_arns", "policy_document"},
+ Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'",
+ },
 },
 }
 }
@@ -97,8 +107,14 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 policy = d.Get("policy")
 }
 
- if policy == "" && len(policyARNs) == 0 {
- return fmt.Errorf("either policy or policy_arn must be set.")
+ var roleARNs []string
+ roleARNsIfc := d.Get("role_arns")
+ for _, roleIfc := range roleARNsIfc.([]interface{}) {
+ roleARNs = append(roleARNs, roleIfc.(string))
+ }
+
+ if policy == "" && len(policyARNs) == 0 && len(roleARNs) == 0 {
+ return fmt.Errorf("either policy, policy_arns, or role_arns must be set")
 }
 
 data := map[string]interface{}{
@@ -110,6 +126,9 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 if len(policyARNs) != 0 {
 data["policy_arns"] = policyARNs
 }
+ if len(roleARNs) != 0 {
+ data["role_arns"] = roleARNs
+ }
 
 log.Printf("[DEBUG] Creating role %q on AWS backend %q", name, backend)
 _, err := client.Logical().Write(backend+"/roles/"+name, data)
@@ -160,6 +179,7 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 }
 
 d.Set("credential_type", secret.Data["credential_type"])
+ d.Set("role_arns", secret.Data["role_arns"])
 d.Set("backend", strings.Join(pathPieces[:len(pathPieces)-2], "/"))
 d.Set("name", pathPieces[len(pathPieces)-1])
 return nil
From 0ca3c8698f046b107c4e69b6cf383a3fc6365ab4 Mon Sep 17 00:00:00 2001
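Review bot: `ForceNew: true` on the new `role_arns` field makes every change to the list destroy and recreate the Vault role, while none of the sibling policy fields visible in this file's hunks carry ForceNew, and the write hunk below sends `role_arns` through the same `client.Logical().Write(backend+"/roles/"+name, data)` call as the other fields. Unless the backend refuses to update role_arns in place (not shown here), dropping ForceNew would apply an ARN change as an overwrite rather than a delete-then-create, avoiding a window in which the role does not exist. If ForceNew is deliberate, a short comment on the field, e.g. `// ForceNew: <reason role_arns cannot be updated in place>`, would save the next reader the question.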
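Review bot: The new `role_arns` list is never checked against `credential_type` in awsSecretBackendRoleWrite, even though the field's Description in the schema hunk above says it is only valid for `assumed_role` and the docs added in patch 3 say it is prohibited otherwise; a config with `credential_type = "iam_user"` plus `role_arns` passes plan and this hunk's check and is only rejected, if at all, by Vault at apply time. A local check right after the list is built would report the mismatch with a clearer message, e.g. `if len(roleARNs) != 0 && d.Get("credential_type").(string) != "assumed_role" { return fmt.Errorf("role_arns is only valid when credential_type is %q", "assumed_role") }` (this assumes credential_type is a TypeString; its Type line is outside the hunk). The unchecked assertions `roleARNsIfc.([]interface{})` and `roleIfc.(string)` are fine for a TypeList of TypeString populated by the SDK, but a one-line comment saying so would help. awsSecretBackendRoleWrite begins before this hunk.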
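Review bot: The error returned by the new `d.Set("role_arns", secret.Data["role_arns"])` in awsSecretBackendRoleRead is discarded, matching the neighbouring `d.Set` calls; for a list field a type mismatch in what Vault returns would then fail silently and surface only as a perpetual diff on `role_arns`. Checking the new call costs one line, `if err := d.Set("role_arns", secret.Data["role_arns"]); err != nil { return err }`, and leaves the existing calls as the file has them. awsSecretBackendRoleRead begins before this hunk.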
From: Anatole Beuzon
Date: Fri, 3 May 2019 16:39:09 -0400
Subject: [PATCH 2/5] aws_secret_backend_role: use role_arns in tests

---
 .../resource_aws_secret_backend_role_test.go | 40 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/vault/resource_aws_secret_backend_role_test.go b/vault/resource_aws_secret_backend_role_test.go
index 0a7eec342..593055b27 100644
--- a/vault/resource_aws_secret_backend_role_test.go
+++ b/vault/resource_aws_secret_backend_role_test.go
@@ -15,6 +15,8 @@ const testAccAWSSecretBackendRolePolicyInline_basic = `{"Version": "2012-10-17",
 const testAccAWSSecretBackendRolePolicyInline_updated = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "ec2:*","Resource": "*"}]}`
 const testAccAWSSecretBackendRolePolicyArn_basic = "arn:aws:iam::123456789123:policy/foo"
 const testAccAWSSecretBackendRolePolicyArn_updated = "arn:aws:iam::123456789123:policy/bar"
+const testAccAWSSecretBackendRoleRoleArn_basic = "arn:aws:iam::123456789123:role/foo"
+const testAccAWSSecretBackendRoleRoleArn_updated = "arn:aws:iam::123456789123:role/bar"
 
 func TestAccAWSSecretBackendRole_basic(t *testing.T) {
 backend := acctest.RandomWithPrefix("tf-test-aws")
@@ -38,6 +40,9 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
 util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic),
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic),
 ),
 },
 {
@@ -53,6 +58,9 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) {
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
 util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_updated),
 ),
 },
 },
@@ -81,6 +89,9 @@ func TestAccAWSSecretBackendRole_import(t *testing.T) {
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
 util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic),
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic),
 ),
 },
 {
@@ -98,6 +109,11 @@ func TestAccAWSSecretBackendRole_import(t *testing.T) {
 ImportState: true,
 ImportStateVerify: true,
 },
+ {
+ ResourceName: "vault_aws_secret_backend_role.test_role_arns",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
 },
 })
 }
@@ -124,6 +140,9 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) {
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
 util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic),
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_basic),
 ),
 },
 {
@@ -139,6 +158,9 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) {
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
 util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
 resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
+ resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.0", testAccAWSSecretBackendRoleRoleArn_updated),
 ),
 },
 },
@@ -192,7 +214,14 @@ resource "vault_aws_secret_backend_role" "test_policy_inline_and_arns" {
 credential_type = "iam_user"
 backend = "${vault_aws_secret_backend.test.path}"
 }
-`, path, accessKey, secretKey, name, testAccAWSSecretBackendRolePolicyInline_basic, name, testAccAWSSecretBackendRolePolicyArn_basic, name, testAccAWSSecretBackendRolePolicyInline_basic, testAccAWSSecretBackendRolePolicyArn_basic)
+
+resource "vault_aws_secret_backend_role" "test_role_arns" {
+ name = "%s-role-arns"
+ role_arns = ["%s"]
+ credential_type = "assumed_role"
+ backend = "${vault_aws_secret_backend.test.path}"
+}
+`, path, accessKey, secretKey, name, testAccAWSSecretBackendRolePolicyInline_basic, name, testAccAWSSecretBackendRolePolicyArn_basic, name, testAccAWSSecretBackendRolePolicyInline_basic, testAccAWSSecretBackendRolePolicyArn_basic, name, testAccAWSSecretBackendRoleRoleArn_basic)
 }
 
 func testAccAWSSecretBackendRoleConfig_updated(name, path, accessKey, secretKey string) string {
@@ -224,5 +253,12 @@ resource "vault_aws_secret_backend_role" "test_policy_inline_and_arns" {
 credential_type = "iam_user"
 backend = "${vault_aws_secret_backend.test.path}"
 }
-`, path, accessKey, secretKey, name, testAccAWSSecretBackendRolePolicyInline_updated, name, testAccAWSSecretBackendRolePolicyArn_updated, name, testAccAWSSecretBackendRolePolicyInline_updated, testAccAWSSecretBackendRolePolicyArn_updated)
+
+resource "vault_aws_secret_backend_role" "test_role_arns" {
+ name = "%s-role-arns"
+ role_arns = ["%s"]
+ credential_type = "assumed_role"
+ backend = "${vault_aws_secret_backend.test.path}"
+}
+`, path, accessKey, secretKey, name, testAccAWSSecretBackendRolePolicyInline_updated, name, testAccAWSSecretBackendRolePolicyArn_updated, name, testAccAWSSecretBackendRolePolicyInline_updated, testAccAWSSecretBackendRolePolicyArn_updated, name, testAccAWSSecretBackendRoleRoleArn_updated)
 }
From 5176afbea18bd8eeb81f0719d913dabae2ee01c8 Mon Sep 17 00:00:00 2001
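Review bot: The new `test_role_arns` resource block exercises only the `role_arns` + `credential_type = "assumed_role"` happy path; nothing in the test hunks pins the error path added in patch 1 (`either policy, policy_arns, or role_arns must be set`) or the `role_arns` + `policy_document` combination that patches 4 and 5 go on to allow. A second config block that sets both `policy_document` and `role_arns`, plus an `ExpectError` step with none of the three, would lock those behaviours in before a later schema change can silently reverse them. The same gap applies to the `_updated` config in the second hunk on this line. The enclosing config function begins before the first hunk.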
From: Anatole Beuzon
Date: Fri, 3 May 2019 16:39:17 -0400
Subject: [PATCH 3/5] aws_secret_backend_role: add role_arns to docs

---
 website/docs/r/aws_secret_backend_role.html.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/website/docs/r/aws_secret_backend_role.html.md b/website/docs/r/aws_secret_backend_role.html.md
index 2e607e610..7555556a2 100644
--- a/website/docs/r/aws_secret_backend_role.html.md
+++ b/website/docs/r/aws_secret_backend_role.html.md
@@ -62,6 +62,10 @@ role. Either `policy_document` or `policy_arns` must be specified.
 * `policy_arns` - (Optional) The ARN for a pre-existing policy to associate with this role. Either `policy_document` or `policy_arns` must be specified.
+* `role_arns` - (Optional) Specifies the ARNs of the AWS roles this Vault role
+is allowed to assume. Required when `credential_type` is `assumed_role` and
+prohibited otherwise.
+
 * `credential_type` - (Required) Specifies the type of credential to be used when retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or `federation_token`.
From 88ff54571dd665cb985b432429e9f53abd589cc0 Mon Sep 17 00:00:00 2001
From: Anatole Beuzon
Date: Wed, 8 May 2019 11:06:55 -0400
Subject: [PATCH 4/5] Remove ConflictsWith clause for policy_document

---
 vault/resource_aws_secret_backend_role.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go
index 01b69ff3e..6e16c38e3 100644
--- a/vault/resource_aws_secret_backend_role.go
+++ b/vault/resource_aws_secret_backend_role.go
@@ -53,7 +53,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 "policy_document": {
 Type: schema.TypeString,
 Optional: true,
- ConflictsWith: []string{"policy_arn", "policy", "role_arns"},
+ ConflictsWith: []string{"policy_arn", "policy"},
 Description: "IAM policy the role should use in JSON format.",
 DiffSuppressFunc: util.JsonDiffSuppress,
 },
From dc957f6805d8c74e964160911d6095a34e248893 Mon Sep 17 00:00:00 2001
From: Anatole Beuzon
Date: Wed, 8 May 2019 11:08:39 -0400
Subject: [PATCH 5/5] Remove ConflictsWith clause with policy_document for role_arns

---
 vault/resource_aws_secret_backend_role.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go
index 6e16c38e3..1fab5d690 100644
--- a/vault/resource_aws_secret_backend_role.go
+++ b/vault/resource_aws_secret_backend_role.go
@@ -77,7 +77,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 },
 Optional: true,
 ForceNew: true,
- ConflictsWith: []string{"policy", "policy_arn", "policy_arns", "policy_document"},
+ ConflictsWith: []string{"policy", "policy_arn", "policy_arns"},
 Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'",
 },
 },
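Review bot: After this change `role_arns` may be set together with `policy_document` (patch 4 dropped the reverse conflict), but the field's Description on the context line below still reads `ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'` and the `role_arns` bullet added to website/docs/r/aws_secret_backend_role.html.md in patch 3 says nothing about a policy document, so neither tells a user that the two can be combined. Suggest extending the Description, e.g. `ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'. May be combined with policy_document.`, and adding the matching sentence to the docs bullet. The conflict with `policy_arns` is kept while the one with `policy_document` is removed, so a one-line comment on the ConflictsWith entry explaining that asymmetry would stop a later cleanup from "fixing" it back. The enclosing awsSecretBackendRoleResource schema begins before this hunk.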