Add iam_groups to vault_aws_secret_backend_role #826

Merged
merged 4 commits into from
Aug 19, 2020
19 changes: 19 additions & 0 deletions vault/resource_aws_secret_backend_role.go
Expand Up @@ -81,6 +81,14 @@ func awsSecretBackendRoleResource() *schema.Resource {
ConflictsWith: []string{"policy", "policy_arn"},
Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'",
},
"iam_groups": {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Description: "A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.",
},
"default_sts_ttl": {
Type: schema.TypeInt,
Optional: true,
Expand Down Expand Up @@ -127,6 +135,11 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {

credentialType := d.Get("credential_type").(string)

var iamGroups []interface{}
if v, ok := d.GetOk("iam_groups"); ok {
iamGroups = v.(*schema.Set).List()
}

data := map[string]interface{}{
"credential_type": credentialType,
}
Expand All @@ -139,6 +152,9 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
if len(roleARNs) != 0 {
data["role_arns"] = roleARNs
}
if len(iamGroups) != 0 {
data["iam_groups"] = iamGroups
}

defaultStsTTL, defaultStsTTLOk := d.GetOk("default_sts_ttl")
maxStsTTL, maxStsTTLOk := d.GetOk("max_sts_ttl")
Expand Down Expand Up @@ -214,6 +230,9 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
if v, ok := secret.Data["max_sts_ttl"]; ok {
d.Set("max_sts_ttl", v)
}
if v, ok := secret.Data["iam_groups"]; ok {
d.Set("iam_groups", v)
}
d.Set("backend", strings.Join(pathPieces[:len(pathPieces)-2], "/"))
d.Set("name", pathPieces[len(pathPieces)-1])
return nil
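Review bot: The `len(iamGroups) != 0` guard around `data["iam_groups"] = iamGroups` in awsSecretBackendRoleWrite means a configuration that drops every group sends nothing for that field, so if the Vault role endpoint updates only the fields present in the request (the identical guard on role_arns just above suggests it does, but this page cannot confirm it) the groups stay attached on the server while the new read branch keeps pulling them back into state as a perpetual diff. Because group membership widens what the generated IAM users are allowed to do, a removal that silently does not take effect is worth closing rather than leaving to the operator to notice: declare `iamGroups := make([]interface{}, 0)` and set `data["iam_groups"] = iamGroups` unconditionally so an emptied set is sent as an empty list. If an unconditional write is undesirable for roles created before this field existed, gating it on `d.HasChange("iam_groups")` is the narrower alternative. The schema description also calls the field "a list" while it is a TypeSet, so ordering and duplicates are not preserved; saying "set" there would match the type. awsSecretBackendRoleWrite begins and ends outside this hunk.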
16 changes: 14 additions & 2 deletions vault/resource_aws_secret_backend_role_test.go
Expand Up @@ -53,16 +53,20 @@ func TestAccAWSSecretBackendRole_basic(t *testing.T) {
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "max_sts_ttl", "21600"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "backend", backend),
util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "2"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.1770433549", testAccAWSSecretBackendRolePolicyArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "iam_groups.#", "2"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.1770433549", testAccAWSSecretBackendRolePolicyArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "iam_groups.#", "2"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.2518714066", testAccAWSSecretBackendRoleRoleArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "iam_groups.#", "2"),
),
},
},
Expand Down Expand Up @@ -154,17 +158,21 @@ func TestAccAWSSecretBackendRole_nested(t *testing.T) {
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "backend", backend),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "default_sts_ttl", "3600"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "max_sts_ttl", "21600"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "2"),
util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.1770433549", testAccAWSSecretBackendRolePolicyArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "iam_groups.#", "2"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "name", fmt.Sprintf("%s-policy-inline-and-arns", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "backend", backend),
util.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_document", testAccAWSSecretBackendRolePolicyInline_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "policy_arns.1770433549", testAccAWSSecretBackendRolePolicyArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline_and_arns", "iam_groups.#", "2"),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "name", fmt.Sprintf("%s-role-arns", name)),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "backend", backend),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "role_arns.2518714066", testAccAWSSecretBackendRoleRoleArn_updated),
resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_role_arns", "iam_groups.#", "2"),
),
},
},
Expand Down Expand Up @@ -243,12 +251,14 @@ resource "vault_aws_secret_backend_role" "test_policy_inline" {
backend = "${vault_aws_secret_backend.test.path}"
default_sts_ttl = 3600
max_sts_ttl = 21600
iam_groups = ["group1", "group2"]
}

resource "vault_aws_secret_backend_role" "test_policy_arns" {
name = "%s-policy-arn"
policy_arns = ["%s"]
credential_type = "iam_user"
credential_type = "iam_user"
iam_groups = ["group1", "group2"]
backend = "${vault_aws_secret_backend.test.path}"
}

Expand All @@ -257,13 +267,15 @@ resource "vault_aws_secret_backend_role" "test_policy_inline_and_arns" {
policy_document = %q
policy_arns = ["%s"]
credential_type = "iam_user"
backend = "${vault_aws_secret_backend.test.path}"
iam_groups = ["group1", "group2"]
backend = "${vault_aws_secret_backend.test.path}"
}

resource "vault_aws_secret_backend_role" "test_role_arns" {
name = "%s-role-arns"
role_arns = ["%s"]
credential_type = "assumed_role"
iam_groups = ["group1", "group2"]
backend = "${vault_aws_secret_backend.test.path}"
}
`, path, accessKey, secretKey, name, testAccAWSSecretBackendRolePolicyInline_updated, name, testAccAWSSecretBackendRolePolicyArn_updated, name, testAccAWSSecretBackendRolePolicyInline_updated, testAccAWSSecretBackendRolePolicyArn_updated, name, testAccAWSSecretBackendRoleRoleArn_updated)
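Review bot: The new assertions only check that `iam_groups.#` is `2` on each resource; no step verifies the element values, and none exercises removing the groups, so a regression in which the provider stops sending an emptied set to Vault would still pass. Since stale group membership is the failure mode with the widest blast radius here, consider a follow-up step whose configuration omits `iam_groups` and asserts that `iam_groups.#` reads back as `0`, plus one `TestCheckTypeSetElemAttr`-style or index-based check that "group1" and "group2" round-trip by value and not just by count. The test functions and the configuration string both start and end outside these hunks.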
39 changes: 23 additions & 16 deletions website/docs/r/aws_secret_backend_role.html.md
Expand Up @@ -51,32 +51,39 @@ EOT
The following arguments are supported:

* `backend` - (Required) The path the AWS secret backend is mounted at,
with no leading or trailing `/`s.
with no leading or trailing `/`s.

* `name` - (Required) The name to identify this role within the backend.
Must be unique within the backend.
Must be unique within the backend.

* `credential_type` - (Required) Specifies the type of credential to be used when
retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or
`federation_token`.
retrieving credentials from the role. Must be one of `iam_user`, `assumed_role`, or
`federation_token`.

* `role_arns` - (Optional) Specifies the ARNs of the AWS roles this Vault role
is allowed to assume. Required when `credential_type` is `assumed_role` and
prohibited otherwise.
is allowed to assume. Required when `credential_type` is `assumed_role` and
prohibited otherwise.

* `policy_arns` - (Optional) Specifies a list of AWS managed policy ARNs. The
behavior depends on the credential type. With `iam_user`, the policies will be
attached to IAM users when they are requested. With `assumed_role` and
`federation_token`, the policy ARNs will act as a filter on what the credentials
can do, similar to `policy_document`. When `credential_type` is `iam_user` or
`federation_token`, at least one of `policy_document` or `policy_arns` must
be specified.
behavior depends on the credential type. With `iam_user`, the policies will be
attached to IAM users when they are requested. With `assumed_role` and
`federation_token`, the policy ARNs will act as a filter on what the credentials
can do, similar to `policy_document`. When `credential_type` is `iam_user` or
`federation_token`, at least one of `policy_document` or `policy_arns` must
be specified.

* `policy_document` - (Optional) The IAM policy document for the role. The
behavior depends on the credential type. With `iam_user`, the policy document
will be attached to the IAM user generated and augment the permissions the IAM
user has. With `assumed_role` and `federation_token`, the policy document will
act as a filter on what the credentials can do, similar to `policy_arns`.
behavior depends on the credential type. With `iam_user`, the policy document
will be attached to the IAM user generated and augment the permissions the IAM
user has. With `assumed_role` and `federation_token`, the policy document will
act as a filter on what the credentials can do, similar to `policy_arns`.

* `iam_groups` (Optional) - A list of IAM group names. IAM users generated
against this vault role will be added to these IAM Groups. For a credential
type of `assumed_role` or `federation_token`, the policies sent to the
corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
policies from each group in `iam_groups` combined with the `policy_document`
and `policy_arns` parameters.

* `default_sts_ttl` - (Optional) The default TTL in seconds for STS credentials.
When a TTL is not specified when STS credentials are requested,