Add back support for deriving the provider namespace from the Vault t…

…oken's
hashicorp · May 4, 2023 · 96f4c39 · 96f4c39
1 parent 32398d9
commit 96f4c39
Showing 1 changed file with 31 additions and 10 deletions.
diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -227,13 +227,15 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 
 	var token string
 	if authLogin != nil {
+		// the clone is only used to auth to Vault
 		clone, err := client.Clone()
 		if err != nil {
 			return nil, err
 		}
 
 		if authLogin.Namespace() != "" {
 			// the namespace configured on the auth_login takes precedence over the provider's
+			// for authentication only.
 			clone.SetNamespace(authLogin.Namespace())
 		} else if namespace != "" {
 			// authenticate to the engine in the provider's namespace
@@ -257,21 +259,22 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 	if token != "" {
 		client.SetToken(token)
 	}
+
 	if client.Token() == "" {
 		return nil, errors.New("no vault token set on Client")
 	}
 
-	if !d.Get(consts.FieldSkipChildToken).(bool) {
-		tokenInfo, err := client.Auth().Token().LookupSelf()
-		if err != nil {
-			return nil, fmt.Errorf("failed to lookup token, err=%w", err)
-		}
+	tokenInfo, err := client.Auth().Token().LookupSelf()
+	if err != nil {
+		return nil, fmt.Errorf("failed to lookup token, err=%w", err)
+	}
 
-		var tokenNamespace string
-		if tokenNamespaceRaw, ok := tokenInfo.Data[consts.FieldNamespacePath]; ok {
-			tokenNamespace = strings.Trim(tokenNamespaceRaw.(string), "/")
-		}
+	var tokenNamespace string
+	if v, ok := tokenInfo.Data[consts.FieldNamespacePath]; ok {
+		tokenNamespace = strings.Trim(v.(string), "/")
+	}
 
+	if !d.Get(consts.FieldSkipChildToken).(bool) {
 		// a child token is always created in the namespace of the parent token.
 		token, err = createChildToken(d, client, tokenNamespace)
 		if err != nil {
@@ -281,8 +284,25 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 		client.SetToken(token)
 	}
 
+	if namespace == "" && tokenNamespace != "" {
+		// set the provider namespace to token's namespace
+		// this is here to ensure that do not break any configurations that are relying on the
+		// token's namespace being used for resource provisioning.
+		// In the future we should drop support for this behaviour.
+		log.Printf("[WARN] The provider namespace should be set when using namespaced auth tokens. "+
+			"Please update your provider configuration's namespace to be %q. "+
+			"Future releases may not support this type of configuration.", tokenNamespace)
+
+		namespace = tokenNamespace
+		// set the namespace on the provider to ensure that all child
+		// namespace paths are properly honoured.
+		if err := d.Set(consts.FieldNamespace, namespace); err != nil {
+			return nil, err
+		}
+	}
+
 	if namespace != "" {
-		// set the namespace on the parent
+		// set the namespace on the parent client
 		client.SetNamespace(namespace)
 	}
 
@@ -423,6 +443,7 @@ func createChildToken(d *schema.ResourceData, c *api.Client, namespace string) (
 		tokenName = "terraform"
 	}
 
+	// the clone is only used to auth to Vault
 	clone, err := c.Clone()
 	if err != nil {
 		return "", err