Pull latest

CHANGELOG.md

@@ -1,4 +1,15 @@
-## 2.0.1 (Unreleased)
+## 2.1.0 (July 05, 2019)
+
+IMPROVEMENTS:
+
+* For `aws_secret_backend_role`, adds support for `default_sts_ttl` and `max_sts_ttl` ([#444](https://github.com/terraform-providers/terraform-provider-vault/pull/444)).
+
+BUG FIXES:
+
+* Fixes ordering issues with `aws_auth_backend_role` and `aws_auth_backend_role_tags` ([#439](https://github.com/terraform-providers/terraform-provider-vault/pull/439)).
+* Supports providing lists for `bound_claims` ([#455](https://github.com/terraform-providers/terraform-provider-vault/pull/455)).
+* Resolves issue with persistent diffs on `vault_generic_secret` ([#456](https://github.com/terraform-providers/terraform-provider-vault/pull/456)).
+
 ## 2.0.0 (June 19, 2019)
 
 FEATURES:

vault/resource_aws_auth_backend_role.go

@@ -48,7 +48,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_ami_ids" as a list.`,
 			},
 			"bound_ami_ids": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances using this AMI ID will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -62,7 +62,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_account_ids" as a list.`,
 			},
 			"bound_account_ids": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances with this account ID in their identity document will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -76,7 +76,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_regions" as a list.`,
 			},
 			"bound_regions": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances in this region will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -91,7 +91,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				ConflictsWith: []string{"bound_vpc_ids"},
 			},
 			"bound_vpc_ids": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances associated with this VPC ID will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -105,7 +105,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_subnet_ids" as a list.`,
 			},
 			"bound_subnet_ids": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances associated with this subnet ID will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -119,7 +119,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_iam_role_arns" as a list.`,
 			},
 			"bound_iam_role_arns": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances that match this IAM role ARN will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -133,15 +133,15 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_iam_instance_profile_arns" as a list.`,
 			},
 			"bound_iam_instance_profile_arns": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in.",
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 				},
 			},
 			"bound_ec2_instance_id": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances that match this instance ID will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -150,7 +150,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed: `Use "bound_ec2_instance_ids".`,
 			},
 			"bound_ec2_instance_ids": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Only EC2 instances that match this instance ID will be permitted to log in.",
 				Elem: &schema.Schema{
@@ -169,7 +169,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Removed:     `Use "bound_iam_principal_arns" as a list.`,
 			},
 			"bound_iam_principal_arns": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "The IAM principal that must be authenticated using the iam auth method.",
 				Elem: &schema.Schema{
@@ -208,7 +208,7 @@ func awsAuthBackendRoleResource() *schema.Resource {
 				Description: "If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. The maximum allowed lifetime of token issued using this role. Specified as a number of seconds.",
 			},
 			"policies": {
-				Type:     schema.TypeList,
+				Type:     schema.TypeSet,
 				Optional: true,
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
@@ -258,7 +258,7 @@ func resourceVaultAwsAuthBackendRoleCustomizeDiff(diff *schema.ResourceDiff, v i
 
 func setSlice(d *schema.ResourceData, tfFieldName, vaultFieldName string, data map[string]interface{}) {
 	if ifcValue, ok := d.GetOk(tfFieldName); ok {
-		ifcValues := ifcValue.([]interface{})
+		ifcValues := ifcValue.(*schema.Set).List()
 		strVals := make([]string, len(ifcValues))
 		for i, ifcVal := range ifcValues {
 			strVals[i] = ifcVal.(string)
@@ -276,11 +276,7 @@ func awsAuthBackendRoleCreate(d *schema.ResourceData, meta interface{}) error {
 	path := awsAuthBackendRolePath(backend, role)
 
 	log.Printf("[DEBUG] Writing AWS auth backend role %q", path)
-	iPolicies := d.Get("policies").([]interface{})
-	policies := make([]string, len(iPolicies))
-	for i, iPolicy := range iPolicies {
-		policies[i] = iPolicy.(string)
-	}
+	policies := d.Get("policies").(*schema.Set).List()
 
 	authType := d.Get("auth_type").(string)
 	inferred := d.Get("inferred_entity_type").(string)
@@ -513,11 +509,7 @@ func awsAuthBackendRoleUpdate(d *schema.ResourceData, meta interface{}) error {
 	path := d.Id()
 
 	log.Printf("[DEBUG] Updating AWS auth backend role %q", path)
-	iPolicies := d.Get("policies").([]interface{})
-	policies := make([]string, len(iPolicies))
-	for i, iPolicy := range iPolicies {
-		policies[i] = iPolicy.(string)
-	}
+	policies := d.Get("policies").(*schema.Set).List()
 
 	authType := d.Get("auth_type").(string)
 	inferred := d.Get("inferred_entity_type").(string)

vault/resource_aws_auth_backend_role_tag.go

@@ -31,7 +31,7 @@ func awsAuthBackendRoleTagResource() *schema.Resource {
 				ForceNew:    true,
 			},
 			"policies": {
-				Type:        schema.TypeList,
+				Type:        schema.TypeSet,
 				Optional:    true,
 				Description: "Policies to be associated with the tag.",
 				Elem: &schema.Schema{
@@ -85,7 +85,7 @@ func awsAuthBackendRoleTagResourceCreate(d *schema.ResourceData, meta interface{
 	data := map[string]interface{}{}
 
 	if v, ok := d.GetOk("policies"); ok {
-		data["policies"] = v
+		data["policies"] = v.(*schema.Set).List()
 	}
 	if v, ok := d.GetOk("max_ttl"); ok {
 		data["max_ttl"] = v

vault/resource_aws_auth_backend_role_test.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform/helper/acctest"
@@ -168,17 +169,17 @@ func TestAccAWSAuthBackendRole_iamUpdate(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
 						"bound_iam_principal_arns.#", "1"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
-						"bound_iam_principal_arns.0", "arn:aws:iam::123456789012:role/MyRole/*"),
+						"bound_iam_principal_arns.3878455414", "arn:aws:iam::123456789012:role/MyRole/*"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
 						"ttl", "30"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
 						"max_ttl", "60"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
 						"policies.#", "2"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
-						"policies.0", "default"),
+						"policies.1971754988", "default"),
 					resource.TestCheckResourceAttr("vault_aws_auth_backend_role.role",
-						"policies.1", "dev"),
+						"policies.326271447", "dev"),
 				),
 			},
 			{
@@ -267,9 +268,9 @@ func testAccAWSAuthBackendRoleCheck_attrs(backend, role string) resource.TestChe
 			} else if _, ok := instanceState.Attributes[attr.PreviousNameInProvider]; ok {
 				providerValIsArray = false
 				stateAttr = attr.PreviousNameInProvider
-			} else if _, ok := instanceState.Attributes[attr.NameInProvider+".0"]; ok {
+			} else if _, ok := instanceState.Attributes[attr.NameInProvider+".#"]; ok {
 				stateAttr = attr.NameInProvider
-			} else if _, ok := instanceState.Attributes[attr.PreviousNameInProvider+".0"]; ok {
+			} else if _, ok := instanceState.Attributes[attr.PreviousNameInProvider+".#"]; ok {
 				stateAttr = attr.PreviousNameInProvider
 			}
 			stateAttrVal := instanceState.Attributes[stateAttr]
@@ -323,9 +324,17 @@ func testAccAWSAuthBackendRoleCheck_attrs(backend, role string) resource.TestChe
 						return fmt.Errorf("expected %s to have %d entries in state, has %d", stateAttr, len(vaultRespVal), count)
 					}
 					for i := 0; i < count; i++ {
-						stateData := instanceState.Attributes[stateAttr+"."+strconv.Itoa(i)]
-						if stateData != vaultRespVal[i] {
-							return fmt.Errorf("expected item %d of %s (%s in state) of %q to be %q, got %q", i, attr.NameInVault, stateAttr, endpoint, stateData, vaultRespVal[i])
+						found := false
+						for stateKey, stateValue := range instanceState.Attributes {
+							if strings.HasPrefix(stateKey, stateAttr) {
+								if vaultRespVal[i] == stateValue {
+									found = true
+									break
+								}
+							}
+						}
+						if !found {
+							return fmt.Errorf("Expected item %d of %s (%s in state) of %q to be in state but wasn't", i, attr.NameInVault, stateAttr, vaultRespVal[i])
 						}
 					}
 					match = true

vault/resource_aws_secret_backend_role.go

@@ -3,6 +3,7 @@ package vault
 import (
 	"fmt"
 	"log"
+	"strconv"
 	"strings"
 
 	"github.com/hashicorp/terraform/helper/schema"
@@ -35,7 +36,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 				Description: "The path of the AWS Secret Backend the role belongs to.",
 			},
 			"policy_arns": {
-				Type:          schema.TypeList,
+				Type:          schema.TypeSet,
 				Optional:      true,
 				ConflictsWith: []string{"policy", "policy_arn", "role_arns"},
 				Description:   "ARN for an existing IAM policy the role should use.",
@@ -71,7 +72,7 @@ func awsSecretBackendRoleResource() *schema.Resource {
 				Description: "Role credential type.",
 			},
 			"role_arns": {
-				Type: schema.TypeList,
+				Type: schema.TypeSet,
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 				},
@@ -80,6 +81,18 @@ func awsSecretBackendRoleResource() *schema.Resource {
 				ConflictsWith: []string{"policy", "policy_arn", "policy_arns"},
 				Description:   "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role'",
 			},
+			"default_sts_ttl": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Computed:    true,
+				Description: "The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token.",
+			},
+			"max_sts_ttl": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Computed:    true,
+				Description: "The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.",
+			},
 		},
 	}
 }
@@ -91,34 +104,31 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 	name := d.Get("name").(string)
 
 	policyARNsIfc, ok := d.GetOk("policy_arns")
-	var policyARNs []string
+	var policyARNs []interface{}
 	if !ok {
-		policyARN := d.Get("policy_arn").(string)
+		policyARN := d.Get("policy_arn")
 		if policyARN != "" {
 			policyARNs = append(policyARNs, policyARN)
 		}
-	}
-	for _, arnIfc := range policyARNsIfc.([]interface{}) {
-		policyARNs = append(policyARNs, arnIfc.(string))
+	} else {
+		policyARNs = policyARNsIfc.(*schema.Set).List()
 	}
 
 	policy, ok := d.GetOk("policy_document")
 	if !ok {
 		policy = d.Get("policy")
 	}
 
-	var roleARNs []string
-	roleARNsIfc := d.Get("role_arns")
-	for _, roleIfc := range roleARNsIfc.([]interface{}) {
-		roleARNs = append(roleARNs, roleIfc.(string))
-	}
+	roleARNs := d.Get("role_arns").(*schema.Set).List()
 
 	if policy == "" && len(policyARNs) == 0 && len(roleARNs) == 0 {
 		return fmt.Errorf("either policy, policy_arns, or role_arns must be set")
 	}
 
+	credentialType := d.Get("credential_type").(string)
+
 	data := map[string]interface{}{
-		"credential_type": d.Get("credential_type").(string),
+		"credential_type": credentialType,
 	}
 	if policy != "" {
 		data["policy_document"] = policy
@@ -130,6 +140,24 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 		data["role_arns"] = roleARNs
 	}
 
+	defaultStsTTL, defaultStsTTLOk := d.GetOk("default_sts_ttl")
+	maxStsTTL, maxStsTTLOk := d.GetOk("max_sts_ttl")
+	if credentialType == "assumed_role" || credentialType == "federation_token" {
+		if defaultStsTTLOk {
+			data["default_sts_ttl"] = strconv.Itoa(defaultStsTTL.(int))
+		}
+		if maxStsTTLOk {
+			data["max_sts_ttl"] = strconv.Itoa(maxStsTTL.(int))
+		}
+	} else {
+		if defaultStsTTLOk {
+			return fmt.Errorf("default_sts_ttl is only valid when credential_type is assumed_role or federation_token")
+		}
+		if maxStsTTLOk {
+			return fmt.Errorf("max_sts_ttl is only valid when credential_type is assumed_role or federation_token")
+		}
+	}
+
 	log.Printf("[DEBUG] Creating role %q on AWS backend %q", name, backend)
 	_, err := client.Logical().Write(backend+"/roles/"+name, data)
 	if err != nil {
@@ -180,6 +208,12 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("credential_type", secret.Data["credential_type"])
 	d.Set("role_arns", secret.Data["role_arns"])
+	if v, ok := secret.Data["default_sts_ttl"]; ok {
+		d.Set("default_sts_ttl", v)
+	}
+	if v, ok := secret.Data["max_sts_ttl"]; ok {
+		d.Set("max_sts_ttl", v)
+	}
 	d.Set("backend", strings.Join(pathPieces[:len(pathPieces)-2], "/"))
 	d.Set("name", pathPieces[len(pathPieces)-1])
 	return nil