Add the ability to generate tokens from AWS auth backend. #28
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add the vault_aws_auth_backend_login resource, which manages a "login",
basically a token session. Ideally, this would be a data source that
would generate a token on every read, and that's how the implementation
started. However, because the EC2 instance auth method only allows a
single authentication per host for a set amount of time, the refresh
cycle made this useless as a data source--an API error would be thrown
on every subsequent plan until the instance's identity was removed from
the whitelist. Which isn't ideal.
So instead this became a resource, so it could manage the requisite
state (namely, the nonce) that is needed to reissue tokens to an
instance that is already present in the whitelist. I opted to use the
Read method to do the actual token creation, rather than in the Create
function, to make this work essentially like a data source, issuing a
new token on every call. The plus side of this is that the resource
"just works". This could also be managed more like a typical resource,
with the Create function creating the token, but due to limitations in
the API, we can't read all the information about a token back, so the
usefulness of that approach is more limited.
Testing of this is weird, largely because Vault requires an EC2 instance
be actually running to issue tokens on its auth info. And access to
EC2's metadata server is needed, as well. Rather than trying to stand up
EC2 instances and SSH into them as part of the tests, the tests that
require the metadata server are skipped if the metadata server is
unavailable.