use GET instead of LIST for auth mount fetching

hashicorp · Feb 22, 2024 · 3037b0c · 3037b0c
1 parent 4850af0
commit 3037b0c
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 71 deletions.
diff --git a/util/mountutil/mountutil.go b/util/mountutil/mountutil.go
@@ -37,6 +37,20 @@ func GetMount(ctx context.Context, client *api.Client, path string) (*api.MountO
 	return mount, nil
 }
 
+// GetAuthMount will fetch the auth mount at the given path.
+func GetAuthMount(ctx context.Context, client *api.Client, path string) (*api.MountOutput, error) {
+	mount, err := client.Sys().GetAuthWithContext(ctx, path)
+	// Hardcoding the error string check is not ideal, but Vault does not
+	// return 404 in this case
+	if err != nil && strings.Contains(err.Error(), ErrVaultAuthMountNotFound) || mount == nil {
+		return nil, fmt.Errorf("%w: %s", ErrMountNotFound, err)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error reading from Vault: %s", err)
+	}
+	return mount, nil
+}
+
 // NormalizeMountPath to be in a form valid for accessing values from api.MountOutput
 func NormalizeMountPath(path string) string {
 	return TrimSlashes(path) + consts.PathDelim

diff --git a/vault/auth_mount.go b/vault/auth_mount.go
@@ -6,7 +6,6 @@ package vault
 import (
 	"fmt"
 	"log"
-	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -77,19 +76,6 @@ func authMountTuneSchema() *schema.Schema {
 	}
 }
 
-func authMountInfoGet(client *api.Client, path string) (*api.AuthMount, error) {
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		return nil, fmt.Errorf("error reading from auth mounts: %s", err)
-	}
-
-	authMount := auths[strings.Trim(path, "/")+"/"]
-	if authMount == nil {
-		return nil, fmt.Errorf("auth mount %s not present", path)
-	}
-	return authMount, nil
-}
-
 func authMountTune(client *api.Client, path string, configured interface{}) error {
 	input := expandAuthMethodTune(configured.(*schema.Set).List())
 

diff --git a/vault/data_source_auth_backend.go b/vault/data_source_auth_backend.go
@@ -4,12 +4,14 @@
 package vault
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
+	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
 )
 
 func authBackendDataSource() *schema.Resource {
@@ -66,28 +68,23 @@ func authBackendDataSourceRead(d *schema.ResourceData, meta interface{}) error {
 		return e
 	}
 
-	targetPath := d.Get("path").(string)
+	path := d.Get("path").(string)
 
-	auths, err := client.Sys().ListAuth()
+	auth, err := mountutil.GetAuthMount(context.Background(), client, path)
 	if err != nil {
 		return fmt.Errorf("error reading from Vault: %s", err)
 	}
 
-	for path, auth := range auths {
-		path = strings.TrimSuffix(path, "/")
-		if path == targetPath {
-			// Compatibility with resource_auth_backend id
-			d.SetId(path)
-			d.Set("type", auth.Type)
-			d.Set("description", auth.Description)
-			d.Set("accessor", auth.Accessor)
-			d.Set("default_lease_ttl_seconds", auth.Config.DefaultLeaseTTL)
-			d.Set("max_lease_ttl_seconds", auth.Config.MaxLeaseTTL)
-			d.Set("listing_visibility", auth.Config.ListingVisibility)
-			d.Set("local", auth.Local)
-			return nil
-		}
-	}
+	path = strings.TrimSuffix(path, "/")
+	d.SetId(path)
+	d.Set("type", auth.Type)
+	d.Set("description", auth.Description)
+	d.Set("accessor", auth.Accessor)
+	d.Set("default_lease_ttl_seconds", auth.Config.DefaultLeaseTTL)
+	d.Set("max_lease_ttl_seconds", auth.Config.MaxLeaseTTL)
+	d.Set("listing_visibility", auth.Config.ListingVisibility)
+	d.Set("local", auth.Local)
+	return nil
 
 	// If we fell out here then we didn't find our Auth in the list.
 	return nil

diff --git a/vault/okta.go b/vault/okta.go
@@ -50,7 +50,6 @@ func listOktaUsers(client *api.Client, path string) ([]string, error) {
 
 func readOktaUser(client *api.Client, path string, username string) (*oktaUser, error) {
 	secret, err := client.Logical().Read(oktaUserEndpoint(path, username))
-
 	if err != nil {
 		return nil, err
 	}
@@ -76,24 +75,6 @@ func deleteOktaUser(client *api.Client, path, username string) error {
 	return err
 }
 
-func isOktaAuthBackendPresent(client *api.Client, path string) (bool, error) {
-	auths, err := client.Sys().ListAuth()
-	if err != nil {
-		return false, fmt.Errorf("error reading from Vault: %s", err)
-	}
-
-	configuredPath := path + "/"
-
-	for authBackendPath, auth := range auths {
-
-		if auth.Type == "okta" && authBackendPath == configuredPath {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}
-
 func isOktaGroupPresent(client *api.Client, path, name string) (bool, error) {
 	secret, err := client.Logical().Read(oktaGroupEndpoint(path, name))
 	if err != nil {
@@ -122,7 +103,6 @@ func listOktaGroups(client *api.Client, path string) ([]string, error) {
 
 func readOktaGroup(client *api.Client, path string, name string) (*oktaGroup, error) {
 	secret, err := client.Logical().Read(oktaGroupEndpoint(path, name))
-
 	if err != nil {
 		return nil, err
 	}

diff --git a/vault/resource_github_auth_backend.go b/vault/resource_github_auth_backend.go
@@ -4,6 +4,8 @@
 package vault
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"log"
 	"strings"
@@ -14,6 +16,7 @@ import (
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
 )
 
 func githubAuthBackendResource() *schema.Resource {
@@ -180,10 +183,17 @@ func githubAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	configPath := path + "/config"
 
 	log.Printf("[DEBUG] Reading github auth mount from '%q'", path)
-	mount, err := authMountInfoGet(client, d.Id())
+	mount, err := mountutil.GetAuthMount(context.Background(), client, path)
+	if errors.Is(err, mountutil.ErrMountNotFound) {
+		log.Printf("[WARN] Mount %q not found, removing from state.", path)
+		d.SetId("")
+		return nil
+	}
+
 	if err != nil {
-		return fmt.Errorf("error reading github auth mount from '%q': %w", path, err)
+		return fmt.Errorf("error reading from Vault: %s", err)
 	}
+
 	log.Printf("[INFO] Read github auth mount from '%q'", path)
 
 	log.Printf("[DEBUG] Reading github auth config from '%q'", configPath)

diff --git a/vault/resource_ldap_auth_backend.go b/vault/resource_ldap_auth_backend.go
@@ -5,6 +5,7 @@ package vault
 
 import (
 	"context"
+	"errors"
 	"log"
 	"strings"
 
@@ -16,6 +17,7 @@ import (
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
 )
 
 const ldapAuthType string = "ldap"
@@ -355,18 +357,19 @@ func ldapAuthBackendRead(_ context.Context, d *schema.ResourceData, meta interfa
 	}
 
 	path := d.Id()
-	auths, err := client.Sys().ListAuth()
+
+	authMount, err := mountutil.GetAuthMount(context.Background(), client, path)
+	if errors.Is(err, mountutil.ErrMountNotFound) {
+		log.Printf("[WARN] Mount %q not found, removing from state.", path)
+		d.SetId("")
+		return nil
+	}
+
 	if err != nil {
 		return diag.Errorf("error reading from Vault: %s", err)
 	}
 
 	d.Set("path", path)
-
-	authMount := auths[strings.Trim(path, "/")+"/"]
-	if authMount == nil {
-		return diag.Errorf("auth mount %s not present", path)
-	}
-
 	d.Set("description", authMount.Description)
 	d.Set("accessor", authMount.Accessor)
 	d.Set("local", authMount.Local)

diff --git a/vault/resource_okta_auth_backend.go b/vault/resource_okta_auth_backend.go
@@ -4,6 +4,7 @@
 package vault
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"log"
@@ -18,6 +19,7 @@ import (
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
+	"github.com/hashicorp/terraform-provider-vault/util/mountutil"
 )
 
 var oktaAuthType = "okta"
@@ -298,24 +300,19 @@ func oktaAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	path := d.Id()
 	log.Printf("[DEBUG] Reading auth %s from Vault", path)
 
-	present, err := isOktaAuthBackendPresent(client, path)
-	if err != nil {
-		return fmt.Errorf("unable to check auth backends in Vault for path %s: %s", path, err)
-	}
-
-	if !present {
-		// If we fell out here then we didn't find our Auth in the list.
+	mount, err := mountutil.GetAuthMount(context.Background(), client, path)
+	if errors.Is(err, mountutil.ErrMountNotFound) {
+		log.Printf("[WARN] Mount %q not found, removing from state.", path)
 		d.SetId("")
 		return nil
 	}
 
-	if err := d.Set(consts.FieldPath, path); err != nil {
+	if err != nil {
 		return err
 	}
 
-	mount, err := authMountInfoGet(client, path)
-	if err != nil {
-		return fmt.Errorf("error reading okta oth mount from '%q': %s", path, err)
+	if err := d.Set(consts.FieldPath, path); err != nil {
+		return err
 	}
 
 	if err := d.Set("accessor", mount.Accessor); err != nil {