Add audit non HMAC'd request / response keys to mount resource

[npurdy-tyro]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #667

Release note for CHANGELOG:

`resource/vault_mount`: Added support for `audit_non_hmac_request_keys` and `audit_non_hmac_response_keys` when mounting secret backends ([#667](https://github.com/hashicorp/terraform-provider-vault/issues/667))

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestResourceMount'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./...) -v -run=TestResourceMount -timeout 20m
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/generated [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role        (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template    (cached) [no tests to run]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation      (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
testing: warning: no tests to run
PASS
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
=== RUN   TestResourceMount
--- PASS: TestResourceMount (1.57s)
=== RUN   TestResourceMount_Local
--- PASS: TestResourceMount_Local (1.61s)
=== RUN   TestResourceMount_SealWrap
--- PASS: TestResourceMount_SealWrap (1.68s)
=== RUN   TestResourceMount_AuditNonHMACRequestKeys
--- PASS: TestResourceMount_AuditNonHMACRequestKeys (1.59s)
=== RUN   TestResourceMount_KVV2
--- PASS: TestResourceMount_KVV2 (1.66s)
=== RUN   TestResourceMount_ExternalEntropyAccess
--- PASS: TestResourceMount_ExternalEntropyAccess (3.51s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     (cached)

[hashicorp-cla]

All committers have signed the CLA.

[dovys]

Hey, thanks for the contribution! Would really love to see this merged as we're blocked by this at @monzo too

[benashz]

Looking good. I made some suggestions for the tests. There was some code duplication in the tests, we also want to verify the state matches.

[benashz]

Use testResourceMount_CheckAuditNonHMACRequestKeys() instead

Suggested change

	func testResourceMount_UpdateAuditNonHMACRequestKeys(s *terraform.State) error {
	resourceState := s.Modules[0].Resources["vault_mount.test"]
	instanceState := resourceState.Primary
	path := instanceState.ID
	if path != instanceState.Attributes["path"] {
	return fmt.Errorf("id doesn't match path")
	}
	if path != "remountingExample" {
	return fmt.Errorf("unexpected path value")
	}
	mount, err := findMount(path)
	if err != nil {
	return fmt.Errorf("error reading back mount: %s", err)
	}
	if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test3request" || mount.Config.AuditNonHMACRequestKeys[1] != "test4request" {
	return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test3request\", \"test4request\"]", mount.Config.AuditNonHMACRequestKeys)
	}
	if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test3response" || mount.Config.AuditNonHMACResponseKeys[1] != "test4response" {
	return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test3response\", \"test4response\"]", mount.Config.AuditNonHMACRequestKeys)
	}
	return nil
	}

[benashz]

Suggested change

	func testResourceMount_InitialCheckAuditNonHMACRequestKeys(expectedPath string) resource.TestCheckFunc {
	func testResourceMount_CheckAuditNonHMACRequestKeys(expectedPath string, expectedReqKeys, expectedRespKeys []string) resource.TestCheckFunc {

[benashz]

Suggest checking the state attributes as well.

Suggested change

	Check: testResourceMount_InitialCheckAuditNonHMACRequestKeys(path),
	Check: resource.ComposeTestCheckFunc(
	resource.TestCheckResourceAttr("vault_mount.test", "path", path),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.#", "2"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.0", "test1request"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.1", "test2request"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.#", "2"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.0", "test1response"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.1", "test2response"),
	testResourceMount_CheckAuditNonHMACRequestKeys(
	path,
	[]string{"test1request", "test2request"},
	[]string{"test1response", "test2response"}),
	),

[benashz]

Suggested change

	Check: testResourceMount_UpdateAuditNonHMACRequestKeys,
	Check: resource.ComposeTestCheckFunc(
	resource.TestCheckResourceAttr("vault_mount.test", "path", "remountingExample"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.#", "2"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.0", "test3request"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.1", "test4request"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.#", "2"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.0", "test3response"),
	resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.1", "test4response"),
	testResourceMount_CheckAuditNonHMACRequestKeys(
	"remountingExample",
	[]string{"test3request", "test4request"},
	[]string{"test3response", "test4response"}),
	),

[benashz]

testAccPreCheck() was just replaced by testutil.TestAccPreCheck() in 5660a05, you'll want to rebase.

Suggested change

	PreCheck: func() { testAccPreCheck(t) },
	PreCheck: func() { testutil.TestAccPreCheck(t) },

[benashz]

Suggested change

	if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test1request" || mount.Config.AuditNonHMACRequestKeys[1] != "test2request" {
	return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test1request\", \"test2request\"]", mount.Config.AuditNonHMACRequestKeys)
	}
	if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test1response" || mount.Config.AuditNonHMACResponseKeys[1] != "test2response" {
	return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test1response\", \"test2response\"]", mount.Config.AuditNonHMACRequestKeys)
	if !reflect.DeepEqual(expectedReqKeys, mount.Config.AuditNonHMACRequestKeys) {
	return fmt.Errorf("expected audit_non_hmac_request_keys %#v, actual %#v",
	expectedReqKeys,
	mount.Config.AuditNonHMACRequestKeys)
	}
	if !reflect.DeepEqual(expectedRespKeys, mount.Config.AuditNonHMACResponseKeys) {
	return fmt.Errorf("expected audit_non_hmac_response_keys %#v, actual %#v",
	expectedRespKeys,
	mount.Config.AuditNonHMACResponseKeys)

[benashz]

Moving this work to #1297.

Thank you @npurdy-tyro for your contribution. We will make sure you recognized as a co-author!