Merge pull request #308 from lawliet89/add-gcp-auth-role

Add fields to `vault_gcp_auth_backend_role`
hashicorp · Feb 20, 2019 · 5b2c7da · 5b2c7da
2 parents 7915959 + 242a877
commit 5b2c7da
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 111 deletions.
diff --git a/vault/resource_gcp_auth_backend_role.go b/vault/resource_gcp_auth_backend_role.go
@@ -69,6 +69,20 @@ func gcpAuthBackendRoleResource() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"add_group_aliases": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+			"max_jwt_exp": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+			"allow_gce_inference": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
 			"bound_service_accounts": {
 				Type: schema.TypeSet,
 				Elem: &schema.Schema{
@@ -126,28 +140,11 @@ func gcpRoleResourcePath(backend, role string) string {
 	return "auth/" + strings.Trim(backend, "/") + "/role/" + strings.Trim(role, "/")
 }
 
-func gcpAuthResourceCreate(d *schema.ResourceData, meta interface{}) error {
-	client := meta.(*api.Client)
-
-	backend := d.Get("backend").(string)
-	role := d.Get("role").(string)
-
-	path := gcpRoleResourcePath(backend, role)
-
-	data := map[string]interface{}{}
-
+func gcpRoleUpdateFields(d *schema.ResourceData, data map[string]interface{}) {
 	if v, ok := d.GetOk("type"); ok {
 		data["type"] = v.(string)
 	}
 
-	if v, ok := d.GetOk("project_id"); ok {
-		data["project_id"] = v.(string)
-	}
-
-	if v, ok := d.GetOk("bound_projects"); ok {
-		data["bound_projects"] = v.(*schema.Set).List()
-	}
-
 	if v, ok := d.GetOk("ttl"); ok {
 		data["ttl"] = v.(string)
 	}
@@ -168,6 +165,18 @@ func gcpAuthResourceCreate(d *schema.ResourceData, meta interface{}) error {
 		data["bound_service_accounts"] = v.(*schema.Set).List()
 	}
 
+	if v, ok := d.GetOk("add_group_aliases"); ok {
+		data["add_group_aliases"] = v.(bool)
+	}
+
+	if v, ok := d.GetOk("max_jwt_exp"); ok {
+		data["max_jwt_exp"] = v.(string)
+	}
+
+	if v, ok := d.GetOk("allow_gce_inference"); ok {
+		data["allow_gce_inference"] = v.(bool)
+	}
+
 	if v, ok := d.GetOk("bound_zones"); ok {
 		data["bound_zones"] = v.(*schema.Set).List()
 	}
@@ -183,6 +192,18 @@ func gcpAuthResourceCreate(d *schema.ResourceData, meta interface{}) error {
 	if v, ok := d.GetOk("bound_instance_labels"); ok {
 		data["bound_instance_labels"] = v.(*schema.Set).List()
 	}
+}
+
+func gcpAuthResourceCreate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*api.Client)
+
+	backend := d.Get("backend").(string)
+	role := d.Get("role").(string)
+
+	path := gcpRoleResourcePath(backend, role)
+
+	data := map[string]interface{}{}
+	gcpRoleUpdateFields(d, data)
 
 	log.Printf("[DEBUG] Writing role %q to GCP auth backend", path)
 	d.SetId(path)
@@ -201,50 +222,7 @@ func gcpAuthResourceUpdate(d *schema.ResourceData, meta interface{}) error {
 	path := d.Id()
 
 	data := map[string]interface{}{}
-
-	if v, ok := d.GetOk("ttl"); ok {
-		data["ttl"] = v.(string)
-	}
-
-	if v, ok := d.GetOk("max_ttl"); ok {
-		data["max_ttl"] = v.(string)
-	}
-
-	if v, ok := d.GetOk("period"); ok {
-		data["period"] = v.(string)
-	}
-
-	if v, ok := d.GetOk("policies"); ok {
-		data["policies"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("bound_service_accounts"); ok {
-		data["bound_service_accounts"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("bound_zones"); ok {
-		data["bound_zones"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("bound_regions"); ok {
-		data["bound_regions"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("bound_instance_groups"); ok {
-		data["bound_instance_groups"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("bound_labels"); ok {
-		data["bound_labels"] = v.(*schema.Set).List()
-	}
-
-	if v, ok := d.GetOk("project_id"); ok {
-		data["project_id"] = v.(string)
-	}
-
-	if v, ok := d.GetOk("bound_projects"); ok {
-		data["bound_projects"] = v.(*schema.Set).List()
-	}
+	gcpRoleUpdateFields(d, data)
 
 	log.Printf("[DEBUG] Updating role %q in GCP auth backend", path)
 	_, err := client.Logical().Write(path, data)
@@ -273,18 +251,12 @@ func gcpAuthResourceRead(d *schema.ResourceData, meta interface{}) error {
 		return nil
 	}
 
-	d.Set("ttl", resp.Data["ttl"])
-	d.Set("max_ttl", resp.Data["max_ttl"])
-
-	if v, ok := d.GetOk("project_id"); ok {
-		d.Set("project_id", v)
-	}
-	if v, ok := d.GetOk("bound_projects"); ok {
-		d.Set("bound_projects", v)
+	for _, k := range []string{"ttl", "max_ttl", "project_id", "bound_projects", "period", "policies", "add_group_aliases", "max_jwt_exp", "bound_service_accounts", "bound_zones", "bound_regions", "bound_instance_groups", "bound_labels"} {
+		if v, ok := resp.Data[k]; ok {
+			d.Set(k, v)
+		}
 	}
 
-	d.Set("period", resp.Data["period"])
-
 	// These checks are done for backwards compatibility. The 'type' key used to be
 	// 'role_type' and was changed to 'role' errorneously before being corrected
 	if v, ok := resp.Data["type"]; ok {
@@ -295,38 +267,6 @@ func gcpAuthResourceRead(d *schema.ResourceData, meta interface{}) error {
 		d.Set("type", v)
 	}
 
-	d.Set("policies",
-		schema.NewSet(
-			schema.HashString, resp.Data["policies"].([]interface{})))
-
-	if accounts, ok := resp.Data["bound_service_accounts"]; ok {
-		d.Set("bound_service_accounts",
-			schema.NewSet(
-				schema.HashString, accounts.([]interface{})))
-	}
-
-	if zones, ok := resp.Data["bound_zones"]; ok {
-		d.Set("bound_zones", schema.NewSet(schema.HashString, zones.([]interface{})))
-	}
-
-	if regions, ok := resp.Data["bound_regions"]; ok {
-		d.Set("bound_regions",
-			schema.NewSet(
-				schema.HashString, regions.([]interface{})))
-	}
-
-	if groups, ok := resp.Data["bound_instance_groups"]; ok {
-		d.Set("bound_instance_groups",
-			schema.NewSet(
-				schema.HashString, groups.([]interface{})))
-	}
-
-	if labels, ok := resp.Data["bound_labels"]; ok {
-		d.Set("bound_labels",
-			schema.NewSet(
-				schema.HashString, labels.([]interface{})))
-	}
-
 	return nil
 }
 

diff --git a/vault/resource_gcp_auth_backend_role_test.go b/vault/resource_gcp_auth_backend_role_test.go
@@ -116,6 +116,7 @@ func testGCPAuthBackendRoleCheck_attrs(backend, name string) resource.TestCheckF
 			"bound_regions":          "bound_regions",
 			"bound_zones":            "bound_zones",
 			"bound_labels":           "bound_labels",
+			"add_group_aliases":      "add_group_aliases",
 		}
 
 		for stateAttr, apiAttr := range attrs {
@@ -209,6 +210,7 @@ resource "vault_gcp_auth_backend_role" "test" {
     ttl                    = 300
     max_ttl                = 600
     policies               = ["policy_a", "policy_b"]
+    add_group_aliases      = true
 }
 `, backend, name, serviceAccount, projectId)
 
@@ -230,10 +232,10 @@ resource "vault_gcp_auth_backend_role" "test" {
     project_id             = "%s"
     ttl                    = 300
     max_ttl                = 600
-		policies               = ["policy_a", "policy_b"]
-		bound_regions					 = ["eu-west2"]
-		bound_zones  					 = ["europe-west2-c"]
-		bound_labels					 = ["foo"]
+    policies               = ["policy_a", "policy_b"]
+    bound_regions          = ["eu-west2"]
+    bound_zones            = ["europe-west2-c"]
+    bound_labels           = ["foo"]
 }
 `, backend, name, projectId)
 

diff --git a/website/docs/r/gcp_auth_backend_role.html.md b/website/docs/r/gcp_auth_backend_role.html.md
@@ -35,7 +35,9 @@ The following arguments are supported:
 
 * `type` - (Required) Type of GCP authentication role (either `gce` or `iam`)
 
-* `project_id` - (Optional, Deprecated) GCP Project that the role exists within
+* `project_id` - (Optional; Deprecated, use `bound_projects` instead) GCP Project that the role exists within
+
+* `bound_projects` - (Optional) An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
 
 * `ttl` - (Optional) Default TTL of tokens issued by the backend
 
@@ -47,9 +49,15 @@ The following arguments are supported:
 
 * `backend` - (Optional) Path to the mounted GCP auth backend
 
-* `bound_service_accounts` - (Optional) GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`We)
+* `bound_service_accounts` - (Optional) GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
+
+### `iam`-only Parameters
+
+* `max_jwt_exp` - (Optional) The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
+
+* `allow_gce_inference` - (Optional) A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
 
-### gce-only Parameters
+### `gce`-only Parameters
 
 The following parameters are only valid when the role is of type `"gce"`: