Add support for standard auth mount tune configuration to vault_auth_backend resource #650
Hi! Thanks for working on this, it's much appreciated.
I have a general question regarding this PR - is it fully backwards compatible? So, would folks who are presently using this need to make any changes to their configs?
@tyrannosaurus-becks thank you for the review! To answer your questions:
Yes!
Current users will not need to make any changes, and users currently using the existing attributes will be able to move from the now deprecated attributes to the new/standard tune block attributes safely without generating a new resource. I think this test case exercises a scenario where the user has just the configuration that exists today (the first step) as well as what happens when a user edits the configuration to use the same ttl attributes that are now in the tune block, in the second step of the test:
Fantastic! Thank you! I circled back to this and tested it all out and it looks great. Much appreciated.
@tyrannosaurus-becks thank you so much!
@tyrannosaurus-becks can we add this PR to the Changelog? 🙏 it seems to be missing
@Ninir, whoops, oversight on my part! Just added, thanks for bringing this to my attention.
I think you need to update the documentation as well: mark old parameters as deprecated and provide the example.
Agreed, this new
@Andor @threemachines I've opened #697 to update the documentation to match these changes, sorry about that.
Community Note
Description
Currently, updates to `default_lease_ttl_seconds`, `max_lease_ttl_seconds` or `listing_visibility` attributes of the `vault_auth_backend` resource force creation of a new resource, which invalidates existing tokens previously issued by the backend, and can result in roles under that backend no longer existing/not being recreated, leading to outages for users depending on that backend to log in.

This PR follows up on the PR @leominov opened in #557, but implemented using the suggestion by @shwuandwing in this comment: #557 (comment)
It does not strictly speaking resolve #315, in that the existing parameters will still force a new resource, but it addresses the root issue by deprecating those existing parameters and introducing a `tune` configuration block consistent with what has been done in the `vault_github_auth_backend` and `vault_jwt_auth_backend`.

The common tune schema and implementation does allow for updating those values without forcing a new resource.
Relates #269
Relates #315
Relates #557
Release note for CHANGELOG:
Output from acceptance testing:
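
The following is an added example, not part of this PR, its test output, or the provider's code: a pre-apply check that reads a plan in the `terraform show -json` format and blocks any change that would destroy or replace a `vault_auth_backend`, the outage scenario the description lays out. The sample plan, resource addresses and the `GUARDED_TYPES` set are constructed for illustration; `replace_paths` is only present in plans from newer Terraform versions, so the check treats it as optional.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "vault_auth_backend.github", "type": "vault_auth_backend",
         "change": {"actions": ["delete", "create"],
                    "replace_paths": [["max_lease_ttl_seconds"]]}},
        {"address": "vault_auth_backend.jwt", "type": "vault_auth_backend",
         "change": {"actions": ["update"]}},  # in-place tune update: allowed
        {"address": "vault_policy.ops", "type": "vault_policy",
         "change": {"actions": ["create", "delete"]}},  # not a guarded type
    ]
})

# Assumption: resource types whose destruction invalidates issued tokens.
GUARDED_TYPES = {"vault_auth_backend"}


def find_forced_replacements(plan_json, guarded=GUARDED_TYPES):
    """Return (address, triggering attribute paths) for guarded resources
    that the plan would destroy, whether as a replacement or a bare delete."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in guarded:
            continue
        change = rc.get("change", {})
        # Replacement shows up as delete+create in either order.
        if "delete" in set(change.get("actions", [])):
            paths = [".".join(str(p) for p in path)
                     for path in change.get("replace_paths") or []]
            hits.append((rc["address"], paths))
    return hits


def main(argv):
    """Exit status 1 if any guarded resource would be destroyed."""
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    hits = find_forced_replacements(data)
    for address, paths in hits:
        why = ", ".join(paths) or "not reported by this plan"
        print(f"BLOCK: {address} would be destroyed; attributes: {why}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI against the JSON rendering of a saved plan and fail the pipeline on a non-zero exit, so a change to a force-new attribute is caught before apply.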