From efac989b319f1cac1cb9f2e7f3bb03e9129b833c Mon Sep 17 00:00:00 2001 From: catsby Date: Thu, 7 May 2020 15:05:04 -0500 Subject: [PATCH 1/2] add regression test for #533 --- ...resource_approle_auth_backend_role_test.go | 87 ++++++++++++++++++- 1 file changed, 85 insertions(+), 2 deletions(-) diff --git a/vault/resource_approle_auth_backend_role_test.go b/vault/resource_approle_auth_backend_role_test.go index 4b942c68c..500a9c584 100644 --- a/vault/resource_approle_auth_backend_role_test.go +++ b/vault/resource_approle_auth_backend_role_test.go @@ -348,7 +348,7 @@ func TestAccAppRoleAuthBackendRole_deprecatedFullUpdate(t *testing.T) { resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "secret_id_num_uses", "5"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", - "period", "0"), + "token_period", "0"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "bind_secret_id", "false"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", @@ -377,7 +377,7 @@ func TestAccAppRoleAuthBackendRole_deprecatedFullUpdate(t *testing.T) { resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "secret_id_num_uses", "10"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", - "period", "0"), + "token_period", "0"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "bind_secret_id", "true"), resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", @@ -520,3 +520,86 @@ resource "vault_approle_auth_backend_role" "role" { token_max_ttl = 10800 }`, backend, role, roleID) } + +// TestAccAppRoleAuthBackendRole_token_policy_update is a regression test for +// https://github.com/terraform-providers/terraform-provider-vault/issues/533 +func TestAccAppRoleAuthBackendRole_token_policy_update(t *testing.T) { + backend := acctest.RandomWithPrefix("approle") + role := acctest.RandomWithPrefix("test-role") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testProviders, + CheckDestroy: testAccCheckAppRoleAuthBackendRoleDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAppRoleAuthBackendRole_policy(backend, role), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "backend", backend), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "role_name", role), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "policies.#", "3"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "period", "86400"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_policies.#", "0"), + resource.TestCheckResourceAttrSet("vault_approle_auth_backend_role.role", + "role_id"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_period", "0"), + ), + }, + { + Config: testAccAppRoleAuthBackendRole_token_policy(backend, role), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "backend", backend), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "role_name", role), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "policies.#", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "period", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_policies.#", "3"), + resource.TestCheckResourceAttrSet("vault_approle_auth_backend_role.role", + "role_id"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_period", "86400"), + ), + }, + }, + }) +} + +func testAccAppRoleAuthBackendRole_policy(backend, role string) string { + return fmt.Sprintf(` +resource "vault_auth_backend" "approle" { + type = "approle" + path = "%s" +} + +resource "vault_approle_auth_backend_role" "role" { + backend = "${vault_auth_backend.approle.path}" + role_name = "%s" + policies = ["default", "dev", "prod"] + period = 86400 +}`, backend, role) +} + +func testAccAppRoleAuthBackendRole_token_policy(backend, role string) string { + return fmt.Sprintf(` +resource "vault_auth_backend" "approle" { + type = "approle" + path = "%s" +} + +resource "vault_approle_auth_backend_role" "role" { + backend = "${vault_auth_backend.approle.path}" + role_name = "%s" + token_policies = ["default", "dev", "prod"] + token_period = 86400 +}`, backend, role) +} From 203171e40bc5ec4ac0ff7e1d77c9cf6db53987b3 Mon Sep 17 00:00:00 2001 From: catsby Date: Thu, 7 May 2020 15:17:13 -0500 Subject: [PATCH 2/2] conditionally set policies and period --- vault/resource_approle_auth_backend_role.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/vault/resource_approle_auth_backend_role.go b/vault/resource_approle_auth_backend_role.go index 78d56cfe5..370c5d413 100644 --- a/vault/resource_approle_auth_backend_role.go +++ b/vault/resource_approle_auth_backend_role.go @@ -264,6 +264,9 @@ func approleAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error if _, ok := d.GetOk("token_policies"); ok { d.Set("token_policies", nil) } + if v, ok := resp.Data["policies"]; ok { + d.Set("policies", v) + } } // Check if the user is using the deprecated `period` @@ -273,9 +276,12 @@ func approleAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error if _, ok := d.GetOk("token_period"); ok { d.Set("token_period", nil) } + if v, ok := resp.Data["period"]; ok { + d.Set("period", v) + } } - for _, k := range []string{"bind_secret_id", "secret_id_num_uses", "secret_id_ttl", "policies", "period"} { + for _, k := range []string{"bind_secret_id", "secret_id_num_uses", "secret_id_ttl"} { if err := d.Set(k, resp.Data[k]); err != nil { return fmt.Errorf("error setting state key \"%s\": %s", k, err) }