Support token_type and allowed_response_headers in github_auth_backend and jwt_auth_backend

vault/auth_mount.go

@@ -55,6 +55,18 @@ func authMountTuneSchema() *schema.Schema {
 					Description: "List of headers to whitelist and pass from the request to the backend.",
 					Elem:        &schema.Schema{Type: schema.TypeString},
 				},
+				"allowed_response_headers": {
+					Type:        schema.TypeList,
+					Optional:    true,
+					Description: "List of headers to whitelist and allowing a plugin to include them in the response.",
+					Elem:        &schema.Schema{Type: schema.TypeString},
+				},
+				"token_type": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Specifies the type of tokens that should be returned by the mount.",
+					ValidateFunc: validation.StringInSlice([]string{"default-service", "default-batch", "service", "batch"}, false),
+				},
 			},
 		},
 	}

vault/resource_github_auth_backend_test.go

@@ -64,18 +64,22 @@ func TestAccGithubAuthBackend_tuning(t *testing.T) {
 					testAccCheckAuthMountExists(resName, &resAuth),
 					resource.TestCheckResourceAttr(resName, "id", backend),
 					resource.TestCheckResourceAttr(resName, "path", backend),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.default_lease_ttl", "10m"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.max_lease_ttl", "20m"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.listing_visibility", "hidden"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_request_keys.#", "2"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_request_keys.0", "key1"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_request_keys.1", "key2"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_response_keys.#", "2"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_response_keys.0", "key3"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.audit_non_hmac_response_keys.1", "key4"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.passthrough_request_headers.#", "2"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.passthrough_request_headers.0", "X-Custom-Header"),
-					resource.TestCheckResourceAttr(resName, "tune.2905546040.passthrough_request_headers.1", "X-Forwarded-To"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.default_lease_ttl", "10m"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.max_lease_ttl", "20m"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.listing_visibility", "hidden"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_request_keys.#", "2"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_request_keys.0", "key1"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_request_keys.1", "key2"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_response_keys.#", "2"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_response_keys.0", "key3"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.audit_non_hmac_response_keys.1", "key4"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.passthrough_request_headers.#", "2"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.passthrough_request_headers.0", "X-Custom-Header"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.passthrough_request_headers.1", "X-Forwarded-To"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.allowed_response_headers.#", "2"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.allowed_response_headers.0", "X-Custom-Response-Header"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.allowed_response_headers.1", "X-Forwarded-Response-To"),
+					resource.TestCheckResourceAttr(resName, "tune.316901839.token_type", "batch"),
 				),
 			},
 			{
@@ -84,16 +88,21 @@ func TestAccGithubAuthBackend_tuning(t *testing.T) {
 					testAccCheckAuthMountExists(resName, &resAuth),
 					resource.TestCheckResourceAttr(resName, "id", backend),
 					resource.TestCheckResourceAttr(resName, "path", backend),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.default_lease_ttl", "50m"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.max_lease_ttl", "1h10m"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.listing_visibility", "unauth"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.audit_non_hmac_request_keys.#", "1"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.audit_non_hmac_request_keys.0", "key1"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.audit_non_hmac_response_keys.#", "0"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.passthrough_request_headers.#", "3"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.passthrough_request_headers.0", "X-Custom-Header"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.passthrough_request_headers.1", "X-Forwarded-To"),
-					resource.TestCheckResourceAttr(resName, "tune.2753290056.passthrough_request_headers.2", "X-Mas"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.default_lease_ttl", "50m"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.max_lease_ttl", "1h10m"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.listing_visibility", "unauth"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.audit_non_hmac_request_keys.#", "1"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.audit_non_hmac_request_keys.0", "key1"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.audit_non_hmac_response_keys.#", "0"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.passthrough_request_headers.#", "3"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.passthrough_request_headers.0", "X-Custom-Header"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.passthrough_request_headers.1", "X-Forwarded-To"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.passthrough_request_headers.2", "X-Mas"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.allowed_response_headers.#", "3"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.allowed_response_headers.0", "X-Custom-Response-Header"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.allowed_response_headers.1", "X-Forwarded-Response-To"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.allowed_response_headers.2", "X-Mas-Response"),
+					resource.TestCheckResourceAttr(resName, "tune.2811438229.token_type", "default-batch"),
 				),
 			},
 		},
@@ -246,6 +255,8 @@ resource "vault_github_auth_backend" "gh" {
 		audit_non_hmac_request_keys = ["key1", "key2"]
 		audit_non_hmac_response_keys = ["key3", "key4"]
 		passthrough_request_headers = ["X-Custom-Header", "X-Forwarded-To"]
+		allowed_response_headers = ["X-Custom-Response-Header", "X-Forwarded-Response-To"]
+		token_type = "batch"
 	}
 }
 `, backend)
@@ -263,6 +274,8 @@ resource "vault_github_auth_backend" "gh" {
 		audit_non_hmac_request_keys = ["key1"]
 		listing_visibility = "unauth"
 		passthrough_request_headers = ["X-Custom-Header", "X-Forwarded-To", "X-Mas"]
+		allowed_response_headers = ["X-Custom-Response-Header", "X-Forwarded-Response-To", "X-Mas-Response"]
+		token_type = "default-batch"
 	}
 }
 `, backend)

vault/structures.go

@@ -35,6 +35,12 @@ func expandAuthMethodTune(rawL []interface{}) api.MountConfigInput {
 	if v, ok := raw["passthrough_request_headers"]; ok {
 		data.PassthroughRequestHeaders = expandStringSliceWithEmpty(v.([]interface{}), true)
 	}
+	if v, ok := raw["allowed_response_headers"]; ok {
+		data.AllowedResponseHeaders = expandStringSliceWithEmpty(v.([]interface{}), true)
+	}
+	if v, ok := raw["token_type"]; ok {
+		data.TokenType = v.(string)
+	}
 	return data
 }
 
@@ -53,6 +59,10 @@ func flattenAuthMethodTune(dt *api.MountConfigOutput) map[string]interface{} {
 	if len(dt.PassthroughRequestHeaders) > 0 && dt.PassthroughRequestHeaders[0] != "" {
 		m["passthrough_request_headers"] = flattenStringSlice(dt.PassthroughRequestHeaders)
 	}
+	if len(dt.AllowedResponseHeaders) > 0 && dt.AllowedResponseHeaders[0] != "" {
+		m["allowed_response_headers"] = flattenStringSlice(dt.AllowedResponseHeaders)
+	}
+	m["token_type"] = dt.TokenType
 	return m
 }
 

vault/structures_test.go

@@ -15,6 +15,8 @@ func TestExpandAuthMethodTune(t *testing.T) {
 			"audit_non_hmac_request_keys": []interface{}{"foo", "bar"},
 			"listing_visibility":          "unauth",
 			"passthrough_request_headers": []interface{}{"X-Custom", "X-Mas"},
+			"allowed_response_headers":    []interface{}{"X-Response-Custom", "X-Response-Mas"},
+			"token_type":                  "default-batch",
 		},
 	}
 	actual := expandAuthMethodTune(flattened)
@@ -25,6 +27,8 @@ func TestExpandAuthMethodTune(t *testing.T) {
 		AuditNonHMACResponseKeys:  nil,
 		ListingVisibility:         "unauth",
 		PassthroughRequestHeaders: []string{"X-Custom", "X-Mas"},
+		AllowedResponseHeaders:    []string{"X-Response-Custom", "X-Response-Mas"},
+		TokenType:                 "default-batch",
 	}
 
 	if !reflect.DeepEqual(actual, expected) {
@@ -42,6 +46,8 @@ func TestFlattenAuthMethodTune(t *testing.T) {
 		AuditNonHMACRequestKeys:   []string{"foo", "bar"},
 		ListingVisibility:         "",
 		PassthroughRequestHeaders: []string{"X-Custom", "X-Mas"},
+		AllowedResponseHeaders:    []string{"X-Response-Custom", "X-Response-Mas"},
+		TokenType:                 "default-service",
 	}
 
 	expected := map[string]interface{}{
@@ -50,6 +56,8 @@ func TestFlattenAuthMethodTune(t *testing.T) {
 		"audit_non_hmac_request_keys": []interface{}{"foo", "bar"},
 		"passthrough_request_headers": []interface{}{"X-Custom", "X-Mas"},
 		"listing_visibility":          "",
+		"allowed_response_headers":    []interface{}{"X-Response-Custom", "X-Response-Mas"},
+		"token_type":                  "default-service",
 	}
 
 	actual := flattenAuthMethodTune(expanded)

website/docs/r/github_auth_backend.html.md

@@ -8,7 +8,7 @@ description: |-
 
 # vault\_github\_auth\_backend
 
-Manages a Github Auth mount in a Vault server. See the [Vault 
+Manages a Github Auth mount in a Vault server. See the [Vault
 documentation](https://www.vaultproject.io/docs/auth/github.html) for more
 information.
 
@@ -24,39 +24,45 @@ resource "vault_github_auth_backend" "example" {
 
 The following arguments are supported:
 
-* `path` - (Optional) Path where the auth backend is mounted. Defaults to `auth/github` 
+* `path` - (Optional) Path where the auth backend is mounted. Defaults to `auth/github`
   if not specified.
 
 * `organization` - (Required) The organization configured users must be part of.
 
-* `base_url` - (Optional) The API endpoint to use. Useful if you 
+* `base_url` - (Optional) The API endpoint to use. Useful if you
   are running GitHub Enterprise or an API-compatible authentication server.
 
-* `description` - (Optional) Specifies the description of the mount. 
+* `description` - (Optional) Specifies the description of the mount.
   This overrides the current stored value, if any.
 
 The `tune` block is used to tune the auth backend:
 
-* `default_lease_ttl` - (Optional) Specifies the default time-to-live. 
-  If set, this overrides the global default. 
+* `default_lease_ttl` - (Optional) Specifies the default time-to-live.
+  If set, this overrides the global default.
   Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
 
-* `max_lease_ttl` - (Optional) Specifies the maximum time-to-live. 
+* `max_lease_ttl` - (Optional) Specifies the maximum time-to-live.
   If set, this overrides the global default.
   Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
 
-* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will 
+* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will
   not be HMAC'd by audit devices in the response data object.
 
-* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will 
+* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will
   not be HMAC'd by audit devices in the request data object.
 
-* `listing_visibility` - (Optional) Specifies whether to show this mount in 
+* `listing_visibility` - (Optional) Specifies whether to show this mount in
   the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
 
-* `passthrough_request_headers` - (Optional) List of headers to whitelist and 
+* `passthrough_request_headers` - (Optional) List of headers to whitelist and
   pass from the request to the backend.
 
+* `allowed_response_headers` - (Optional) List of headers to whitelist and allowing
+  a plugin to include them in the response.
+
+* `token_type` - (Optional) Specifies the type of tokens that should be returned by
+  the mount. Valid values are "default-service", "default-batch", "service", "batch".
+
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:

website/docs/r/jwt_auth_backend.html.md

@@ -14,7 +14,7 @@ Provides a resource for managing an
 ## Example Usage
 
 Manage JWT auth backend:
- 
+
 ```hcl
 resource "vault_jwt_auth_backend" "example" {
     description  = "Demonstration of the Terraform JWT auth backend"
@@ -25,7 +25,7 @@ resource "vault_jwt_auth_backend" "example" {
 ```
 
 Manage OIDC auth backend:
- 
+
 ```hcl
 resource "vault_jwt_auth_backend" "example" {
     description  = "Demonstration of the Terraform JWT auth backend"
@@ -73,26 +73,32 @@ The following arguments are supported:
 
 The `tune` block is used to tune the auth backend:
 
-* `default_lease_ttl` - (Optional) Specifies the default time-to-live. 
-  If set, this overrides the global default. 
+* `default_lease_ttl` - (Optional) Specifies the default time-to-live.
+  If set, this overrides the global default.
   Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
 
-* `max_lease_ttl` - (Optional) Specifies the maximum time-to-live. 
+* `max_lease_ttl` - (Optional) Specifies the maximum time-to-live.
   If set, this overrides the global default.
   Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
 
-* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will 
+* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will
   not be HMAC'd by audit devices in the response data object.
 
-* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will 
+* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will
   not be HMAC'd by audit devices in the request data object.
 
-* `listing_visibility` - (Optional) Specifies whether to show this mount in 
+* `listing_visibility` - (Optional) Specifies whether to show this mount in
   the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
 
-* `passthrough_request_headers` - (Optional) List of headers to whitelist and 
+* `passthrough_request_headers` - (Optional) List of headers to whitelist and
   pass from the request to the backend.
 
+* `allowed_response_headers` - (Optional) List of headers to whitelist and allowing
+  a plugin to include them in the response.
+
+* `token_type` - (Optional) Specifies the type of tokens that should be returned by
+  the mount. Valid values are "default-service", "default-batch", "service", "batch".
+
 ## Attributes Reference
 
 No additional attributes are exposed by this resource.