diff --git a/vault/provider.go b/vault/provider.go index bd404cfe8..3ca73ea7c 100644 --- a/vault/provider.go +++ b/vault/provider.go @@ -595,10 +595,6 @@ var ( Resource: passwordPolicyResource(), PathInventory: []string{"/sys/policy/password/{name}"}, }, - "vault_pki_secret_backend": { - Resource: pkiSecretBackendResource(), - PathInventory: []string{UnknownPath}, - }, "vault_pki_secret_backend_cert": { Resource: pkiSecretBackendCertResource(), PathInventory: []string{"/pki/issue/{role}"}, diff --git a/vault/resource_ad_secret_backend.go b/vault/resource_ad_secret_backend.go index c1190a577..cfe80511e 100644 --- a/vault/resource_ad_secret_backend.go +++ b/vault/resource_ad_secret_backend.go @@ -2,10 +2,11 @@ package vault import ( "fmt" - "github.com/hashicorp/terraform-provider-vault/util" "log" "strings" + "github.com/hashicorp/terraform-provider-vault/util" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/vault/api" ) @@ -81,13 +82,6 @@ func adSecretBackendResource() *schema.Resource { Optional: true, Description: `Use anonymous bind to discover the bind DN of a user.`, }, - "formatter": { - Type: schema.TypeString, - Optional: true, - Computed: true, - Deprecated: `Formatter is deprecated and password_policy should be used with Vault >= 1.5.`, - Description: `Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix".`, - }, "groupattr": { Type: schema.TypeString, Optional: true, @@ -114,13 +108,6 @@ func adSecretBackendResource() *schema.Resource { Computed: true, Description: `The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band.`, }, - "length": { - Type: schema.TypeInt, - Optional: true, - Computed: true, - Deprecated: `Length is deprecated and password_policy should be used with Vault >= 1.5.`, - Description: `The desired length of passwords that Vault generates.`, - }, "local": { Type: schema.TypeBool, Required: false, 
@@ -271,9 +258,6 @@ func createConfigResource(d *schema.ResourceData, meta interface{}) error { if v, ok := d.GetOkExists("discoverdn"); ok { data["discoverdn"] = v } - if v, ok := d.GetOkExists("formatter"); ok { - data["formatter"] = v - } if v, ok := d.GetOkExists("groupattr"); ok { data["groupattr"] = v } @@ -289,9 +273,6 @@ func createConfigResource(d *schema.ResourceData, meta interface{}) error { if v, ok := d.GetOkExists("last_rotation_tolerance"); ok { data["last_rotation_tolerance"] = v } - if v, ok := d.GetOkExists("length"); ok { - data["length"] = v - } if v, ok := d.GetOkExists("max_ttl"); ok { data["max_ttl"] = v } @@ -410,11 +391,6 @@ func readConfigResource(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("error setting state key 'discoverdn': %s", err) } } - if val, ok := resp.Data["formatter"]; ok { - if err := d.Set("formatter", val); err != nil { - return fmt.Errorf("error setting state key 'formatter': %s", err) - } - } if val, ok := resp.Data["groupattr"]; ok { if err := d.Set("groupattr", val); err != nil { return fmt.Errorf("error setting state key 'groupattr': %s", err) @@ -440,11 +416,6 @@ func readConfigResource(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("error setting state key 'last_rotation_tolerance': %s", err) } } - if val, ok := resp.Data["length"]; ok { - if err := d.Set("length", val); err != nil { - return fmt.Errorf("error setting state key 'length': %s", err) - } - } if val, ok := resp.Data["max_ttl"]; ok { if err := d.Set("max_ttl", val); err != nil { return fmt.Errorf("error setting state key 'max_ttl': %s", err) @@ -569,9 +540,6 @@ func updateConfigResource(d *schema.ResourceData, meta interface{}) error { if raw, ok := d.GetOk("discoverdn"); ok { data["discoverdn"] = raw } - if raw, ok := d.GetOk("formatter"); ok { - data["formatter"] = raw - } if raw, ok := d.GetOk("groupattr"); ok { data["groupattr"] = raw } 
@@ -587,9 +555,6 @@ func updateConfigResource(d *schema.ResourceData, meta interface{}) error {
 if raw, ok := d.GetOk("last_rotation_tolerance"); ok {
 data["last_rotation_tolerance"] = raw
 }
- if raw, ok := d.GetOk("length"); ok {
- data["length"] = raw
- }
 if raw, ok := d.GetOk("max_ttl"); ok {
 data["max_ttl"] = raw
 }
diff --git a/vault/resource_azure_auth_backend_role.go b/vault/resource_azure_auth_backend_role.go
index 011ec6aaa..e188d75df 100644
--- a/vault/resource_azure_auth_backend_role.go
+++ b/vault/resource_azure_auth_backend_role.go
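Review bot: Dropping `length` from the update payload in updateConfigResource changes what an apply sends to Vault for users who had pinned the generated-password length, and nothing in the hunk takes its place. If the AD engine treats a write to its `config` path as a full replacement, omitting `length` would revert a previously-configured length to the engine default on the next update; if it merges, the old value simply persists unmanaged and never surfaces in plan. Which of the two applies depends on the engine version the provider targets and is not visible here, so it is worth confirming and recording the outcome in a comment where the remaining fields are assembled, e.g. `// length/formatter are no longer sent; password strength is governed by password_policy on Vault >= 1.5`, and mirroring that in the upgrade guide next to the password_policy guidance. updateConfigResource starts and ends outside this hunk.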
@@ -204,60 +204,6 @@ func azureAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error { readTokenFields(d, resp) - // Check if the user is using the deprecated `policies` - if _, deprecated := d.GetOk("policies"); deprecated { - // Then we see if `token_policies` was set and unset it - // Vault will still return `policies` - if _, ok := d.GetOk("token_policies"); ok { - d.Set("token_policies", nil) - } - - if v, ok := resp.Data["policies"]; ok { - d.Set("policies", v) - } - - } - - // Check if the user is using the deprecated `period` - if _, deprecated := d.GetOk("period"); deprecated { - // Then we see if `token_period` was set and unset it - // Vault will still return `period` - if _, ok := d.GetOk("token_period"); ok { - d.Set("token_period", nil) - } - - if v, ok := resp.Data["period"]; ok { - d.Set("period", v) - } - } - - // Check if the user is using the deprecated `ttl` - if _, deprecated := d.GetOk("ttl"); deprecated { - // Then we see if `token_ttl` was set and unset it - // Vault will still return `ttl` - if _, ok := d.GetOk("token_ttl"); ok { - d.Set("token_ttl", nil) - } - - if v, ok := resp.Data["ttl"]; ok { - d.Set("ttl", v) - } - - } - - // Check if the user is using the deprecated `max_ttl` - if _, deprecated := d.GetOk("max_ttl"); deprecated { - // Then we see if `token_max_ttl` was set and unset it - // Vault will still return `max_ttl` - if _, ok := d.GetOk("token_max_ttl"); ok { - d.Set("token_max_ttl", nil) - } - - if v, ok := resp.Data["max_ttl"]; ok { - d.Set("max_ttl", v) - } - } - d.Set("backend", backend) d.Set("role", role) diff --git a/vault/resource_github_auth_backend.go b/vault/resource_github_auth_backend.go index fe13b0bdf..2638495f7 100644 --- a/vault/resource_github_auth_backend.go +++ b/vault/resource_github_auth_backend.go 
@@ -74,7 +74,6 @@ func githubAuthBackendCreate(d *schema.ResourceData, meta interface{}) error { Type: "github", Description: description, }) - if err != nil { return fmt.Errorf("error enabling github auth backend at '%s': %s", path, err) } @@ -105,7 +104,6 @@ func githubAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error { log.Printf("[DEBUG] Writing github auth config to '%q'", configPath) _, err := client.Logical().Write(configPath, data) - if err != nil { d.SetId("") return fmt.Errorf("error writing github config to '%q': %s", configPath, err) @@ -176,33 +174,8 @@ func githubAuthBackendRead(d *schema.ResourceData, meta interface{}) error { return err } - ttlS := flattenVaultDuration(dt.Data["ttl"]) - maxTtlS := flattenVaultDuration(dt.Data["max_ttl"]) - readTokenFields(d, dt) - // Check if the user is using the deprecated `ttl` - if _, deprecated := d.GetOk("ttl"); deprecated { - // Then we see if `token_ttl` was set and unset it - // Vault will still return `ttl` - if _, ok := d.GetOk("token_ttl"); ok { - d.Set("token_ttl", nil) - } - - d.Set("ttl", ttlS) - } - - // Check if the user is using the deprecated `max_ttl` - if _, deprecated := d.GetOk("max_ttl"); deprecated { - // Then we see if `token_max_ttl` was set and unset it - // Vault will still return `max_ttl` - if _, ok := d.GetOk("token_max_ttl"); ok { - d.Set("token_max_ttl", nil) - } - - d.Set("max_ttl", maxTtlS) - } - d.Set("path", d.Id()) d.Set("organization", dt.Data["organization"]) d.Set("base_url", dt.Data["base_url"]) diff --git a/vault/resource_pki_secret_backend.go b/vault/resource_pki_secret_backend.go deleted file mode 100644 index 0fda20cfc..000000000 --- a/vault/resource_pki_secret_backend.go +++ /dev/null 
@@ -1,177 +0,0 @@ -package vault - -import ( - "fmt" - "log" - - "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" - "github.com/hashicorp/vault/api" - "strings" -) - -func pkiSecretBackendResource() *schema.Resource { - return &schema.Resource{ - DeprecationMessage: `This resource duplicates "vault_mount" and will be removed in the next major release.`, - Create: pkiSecretBackendCreate, - Read: pkiSecretBackendRead, - Update: pkiSecretBackendUpdate, - Delete: pkiSecretBackendDelete, - Exists: pkiSecretBackendExists, - Importer: &schema.ResourceImporter{ - State: schema.ImportStatePassthrough, - }, - - Schema: map[string]*schema.Schema{ - "path": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - Description: "Path to mount the backend at.", - ValidateFunc: func(v interface{}, k string) (ws []string, errs []error) { - value := v.(string) - if strings.HasSuffix(value, "/") { - errs = append(errs, fmt.Errorf("path cannot end in '/'")) - } - return - }, - DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { - return old+"/" == new || new+"/" == old - }, - }, - "description": { - Type: schema.TypeString, - Required: false, - Optional: true, - ForceNew: true, - Description: "Human-friendly description of the mount for the backend.", - }, - "default_lease_ttl_seconds": { - Type: schema.TypeInt, - Required: false, - Optional: true, - Computed: true, - ForceNew: false, - Description: "Default lease duration for tokens and secrets in seconds", - }, - "max_lease_ttl_seconds": { - Type: schema.TypeInt, - Required: false, - Optional: true, - Computed: true, - ForceNew: false, - Description: "Maximum possible lease duration for tokens and secrets in seconds", - }, - }, - } -} - -func pkiSecretBackendCreate(d *schema.ResourceData, meta interface{}) error { - client := meta.(*api.Client) - - path := d.Get("path").(string) - description := d.Get("description").(string) - defaultTTL := d.Get("default_lease_ttl_seconds").(int) - maxTTL 
:= d.Get("max_lease_ttl_seconds").(int) - - d.Partial(true) - log.Printf("[DEBUG] Mounting PKI backend at %q", path) - err := client.Sys().Mount(path, &api.MountInput{ - Type: "pki", - Description: description, - Config: api.MountConfigInput{ - DefaultLeaseTTL: fmt.Sprintf("%ds", defaultTTL), - MaxLeaseTTL: fmt.Sprintf("%ds", maxTTL), - }, - }) - if err != nil { - return fmt.Errorf("error mounting to %q: %s", path, err) - } - log.Printf("[DEBUG] Mounted PKI backend at %q", path) - d.SetId(path) - - d.Partial(false) - - return pkiSecretBackendRead(d, meta) -} - -func pkiSecretBackendRead(d *schema.ResourceData, meta interface{}) error { - client := meta.(*api.Client) - - path := d.Id() - - log.Printf("[DEBUG] Reading PKI backend mount %q from Vault", path) - mounts, err := client.Sys().ListMounts() - if err != nil { - return fmt.Errorf("error reading mount %q: %s", path, err) - } - log.Printf("[DEBUG] Read PKI backend mount %q from Vault", path) - - // the API always returns the path with a trailing slash, so let's make - // sure we always specify it as a trailing slash. 
- mount, ok := mounts[strings.Trim(path, "/")+"/"] - if !ok { - log.Printf("[WARN] Mount %q not found, removing backend from state.", path) - d.SetId("") - return nil - } - - d.Set("path", path) - d.Set("description", mount.Description) - d.Set("default_lease_ttl_seconds", mount.Config.DefaultLeaseTTL) - d.Set("max_lease_ttl_seconds", mount.Config.MaxLeaseTTL) - d.Partial(false) - - return nil -} - -func pkiSecretBackendUpdate(d *schema.ResourceData, meta interface{}) error { - client := meta.(*api.Client) - - path := d.Id() - d.Partial(true) - if d.HasChange("default_lease_ttl_seconds") || d.HasChange("max_lease_ttl_seconds") { - config := api.MountConfigInput{ - DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")), - MaxLeaseTTL: fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")), - } - log.Printf("[DEBUG] Updating lease TTLs for %q", path) - err := client.Sys().TuneMount(path, config) - if err != nil { - return fmt.Errorf("error updating mount TTLs for %q: %s", path, err) - } - log.Printf("[DEBUG] Updated lease TTLs for %q", path) - } - d.Partial(false) - - return pkiSecretBackendRead(d, meta) -} - -func pkiSecretBackendDelete(d *schema.ResourceData, meta interface{}) error { - client := meta.(*api.Client) - - path := d.Id() - - log.Printf("[DEBUG] Unmounting PKI backend %q", path) - err := client.Sys().Unmount(path) - if err != nil { - return fmt.Errorf("error unmounting PKI backend from %q: %s", path, err) - } - log.Printf("[DEBUG] Unmounted PKI backend %q", path) - - return nil -} - -func pkiSecretBackendExists(d *schema.ResourceData, meta interface{}) (bool, error) { - client := meta.(*api.Client) - - path := d.Id() - log.Printf("[DEBUG] Checking if PKI backend exists at %q", path) - mounts, err := client.Sys().ListMounts() - if err != nil { - return true, fmt.Errorf("error retrieving list of mounts: %s", err) - } - log.Printf("[DEBUG] Checked if PKI backend exists at %q", path) - _, ok := mounts[strings.Trim(path, "/")+"/"] - - return ok, 
nil -} diff --git a/vault/resource_pki_secret_backend_cert_test.go b/vault/resource_pki_secret_backend_cert_test.go index d732a53eb..1c904ec59 100644 --- a/vault/resource_pki_secret_backend_cert_test.go +++ b/vault/resource_pki_secret_backend_cert_test.go @@ -45,7 +45,7 @@ func testPkiSecretBackendCertDestroy(s *terraform.State) error { } for _, rs := range s.RootModule().Resources { - if rs.Type != "vault_pki_secret_backend" { + if rs.Type != "vault_mount" { continue } for path, mount := range mounts { @@ -61,24 +61,26 @@ func testPkiSecretBackendCertDestroy(s *terraform.State) error { func testPkiSecretBackendCertConfig_basic(rootPath string, intermediatePath string) string { return fmt.Sprintf(` -resource "vault_pki_secret_backend" "test-root" { +resource "vault_mount" "test-root" { path = "%s" + type = "pki" description = "test root" default_lease_ttl_seconds = "8640000" max_lease_ttl_seconds = "8640000" } -resource "vault_pki_secret_backend" "test-intermediate" { - depends_on = [ "vault_pki_secret_backend.test-root" ] +resource "vault_mount" "test-intermediate" { + depends_on = [ "vault_mount.test-root" ] path = "%s" + type = "pki" description = "test intermediate" default_lease_ttl_seconds = "86400" max_lease_ttl_seconds = "86400" } resource "vault_pki_secret_backend_root_cert" "test" { - depends_on = [ "vault_pki_secret_backend.test-intermediate" ] - backend = vault_pki_secret_backend.test-root.path + depends_on = [ "vault_mount.test-intermediate" ] + backend = vault_mount.test-root.path type = "internal" common_name = "my.domain" ttl = "86400" 
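Review bot: The rewritten `depends_on` entries in testPkiSecretBackendCertConfig_basic keep the legacy quoted-string reference form (`depends_on = [ "vault_mount.test-root" ]`) while the same blocks use the 0.12+ expression syntax for `backend = vault_mount.test-root.path`; since these lines are being rewritten anyway, `depends_on = [vault_mount.test-root]` removes the quoted-reference deprecation warning and keeps the fixture consistent. The child resources already reference the mounts by attribute, so the explicit `depends_on` entries on them add nothing Terraform does not derive itself, though that is tidiness rather than a defect. The HCL string continues past this hunk.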
@@ -95,14 +97,14 @@ resource "vault_pki_secret_backend_root_cert" "test" { resource "vault_pki_secret_backend_intermediate_cert_request" "test" { depends_on = [ "vault_pki_secret_backend_root_cert.test" ] - backend = vault_pki_secret_backend.test-intermediate.path + backend = vault_mount.test-intermediate.path type = "internal" common_name = "test.my.domain" } resource "vault_pki_secret_backend_root_sign_intermediate" "test" { depends_on = [ "vault_pki_secret_backend_intermediate_cert_request.test" ] - backend = vault_pki_secret_backend.test-root.path + backend = vault_mount.test-root.path csr = vault_pki_secret_backend_intermediate_cert_request.test.csr common_name = "test.my.domain" permitted_dns_domains = [".test.my.domain"] @@ -115,13 +117,13 @@ resource "vault_pki_secret_backend_root_sign_intermediate" "test" { resource "vault_pki_secret_backend_intermediate_set_signed" "test" { depends_on = [ "vault_pki_secret_backend_root_sign_intermediate.test" ] - backend = vault_pki_secret_backend.test-intermediate.path + backend = vault_mount.test-intermediate.path certificate = vault_pki_secret_backend_root_sign_intermediate.test.certificate } resource "vault_pki_secret_backend_role" "test" { depends_on = [ "vault_pki_secret_backend_intermediate_set_signed.test" ] - backend = vault_pki_secret_backend.test-intermediate.path + backend = vault_mount.test-intermediate.path name = "test" allowed_domains = ["test.my.domain"] allow_subdomains = true @@ -132,7 +134,7 @@ resource "vault_pki_secret_backend_role" "test" { resource "vault_pki_secret_backend_cert" "test" { depends_on = [ "vault_pki_secret_backend_role.test" ] - backend = vault_pki_secret_backend.test-intermediate.path + backend = vault_mount.test-intermediate.path name = vault_pki_secret_backend_role.test.name common_name = "cert.test.my.domain" uri_sans = ["spiffe://test.my.domain"] 
@@ -191,16 +193,17 @@ func TestPkiSecretBackendCert_renew(t *testing.T) { func testPkiSecretBackendCertConfig_renew(rootPath string) string { return fmt.Sprintf(` -resource "vault_pki_secret_backend" "test-root" { +resource "vault_mount" "test-root" { path = "%s" + type = "pki" description = "test root" default_lease_ttl_seconds = "8640000" max_lease_ttl_seconds = "8640000" } resource "vault_pki_secret_backend_root_cert" "test" { - depends_on = [ "vault_pki_secret_backend.test-root" ] - backend = vault_pki_secret_backend.test-root.path + depends_on = [ "vault_mount.test-root" ] + backend = vault_mount.test-root.path type = "internal" common_name = "my.domain" ttl = "86400" @@ -217,7 +220,7 @@ resource "vault_pki_secret_backend_root_cert" "test" { resource "vault_pki_secret_backend_role" "test" { depends_on = [ "vault_pki_secret_backend_root_cert.test" ] - backend = vault_pki_secret_backend.test-root.path + backend = vault_mount.test-root.path name = "test" allowed_domains = ["test.my.domain"] allow_subdomains = true @@ -227,7 +230,7 @@ resource "vault_pki_secret_backend_role" "test" { resource "vault_pki_secret_backend_cert" "test" { depends_on = [ "vault_pki_secret_backend_role.test" ] - backend = vault_pki_secret_backend.test-root.path + backend = vault_mount.test-root.path name = vault_pki_secret_backend_role.test.name common_name = "cert.test.my.domain" ttl = "1h" diff --git a/vault/resource_pki_secret_backend_config_ca_test.go b/vault/resource_pki_secret_backend_config_ca_test.go index b602faa05..d0926c3e0 100644 --- a/vault/resource_pki_secret_backend_config_ca_test.go +++ b/vault/resource_pki_secret_backend_config_ca_test.go @@ -2,6 +2,7 @@ package vault import ( "fmt" + "strconv" "strings" "testing" @@ -9,7 +10,6 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" "github.com/hashicorp/vault/api" - "strconv" ) func TestPkiSecretBackendConfigCA_basic(t *testing.T) { 
@@ -39,7 +39,7 @@ func testPkiSecretBackendConfigCADestroy(s *terraform.State) error { } for _, rs := range s.RootModule().Resources { - if rs.Type != "vault_pki_secret_backend" { + if rs.Type != "vault_mount" { continue } for path, mount := range mounts { @@ -55,16 +55,17 @@ func testPkiSecretBackendConfigCADestroy(s *terraform.State) error { func testPkiSecretBackendConfigCAConfig_basic(path string) string { return fmt.Sprintf(` -resource "vault_pki_secret_backend" "test" { +resource "vault_mount" "test" { path = "%s" + type = "pki" description = "test root" default_lease_ttl_seconds = "8640000" max_lease_ttl_seconds = "8640000" } resource "vault_pki_secret_backend_config_ca" "test" { - depends_on = [ "vault_pki_secret_backend.test" ] - backend = vault_pki_secret_backend.test.path + depends_on = [ "vault_mount.test" ] + backend = vault_mount.test.path pem_bundle = < This resource has been replaced by [vault_mount](../r/mount.html). + +A replacement might look like: + +```hcl +resource "vault_mount" "pki-example" { + path = "pki-example" + type = "pki" + description = "This is an example PKI mount" + + default_lease_ttl_seconds = 3600 + max_lease_ttl_seconds = 86400 +} +``` + +_Attempting to provision a `vault_pki_secret_backend` resource will raise an error._ + ## Resource: `vault_token` ### Removed fields diff --git a/website/docs/r/pki_secret_backend.html.md b/website/docs/r/pki_secret_backend.html.md deleted file mode 100644 index 869b264d2..000000000 --- a/website/docs/r/pki_secret_backend.html.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -layout: "vault" -page_title: "Vault: vault_pki_secret_backend resource" -sidebar_current: "docs-vault-resource-pki-secret-backend" -description: |- - Creates an PKI secret backend for Vault. ---- - -# vault\_pki\_secret\_backend - -Creates an PKI Secret Backend for Vault. PKI secret backends can then issue certificates, once a role has been added to -the backend. - -## Example Usage - -```hcl -resource "vault_pki_secret_backend" "pki" { - path = "pki" - default_lease_ttl_seconds = 3600 - max_lease_ttl_seconds = 86400 -} -``` - -## Argument Reference - -The following arguments are supported: - -* `path` - (Required) The unique path this backend should be mounted at. Must not begin or end with a `/`. - -* `description` - (Optional) A human-friendly description for this backend. - -* `default_lease_ttl_seconds` - (Optional) The default TTL for credentials issued by this backend. - -* `max_lease_ttl_seconds` - (Optional) The maximum TTL that can be requested for credentials issued by this backend. - -## Attributes Reference - -No additional attributes are exported by this resource. - -## Import - -PKI secret backends can be imported using the `path`, e.g. - -``` -$ terraform import vault_pki_secret_backend.pki pki -``` diff --git a/website/docs/r/pki_secret_backend_cert.html.md b/website/docs/r/pki_secret_backend_cert.html.md index 513724910..e2de55f57 100755 --- a/website/docs/r/pki_secret_backend_cert.html.md +++ b/website/docs/r/pki_secret_backend_cert.html.md @@ -23,7 +23,7 @@ for more details. resource "vault_pki_secret_backend_cert" "app" { depends_on = [vault_pki_secret_backend_role.admin] - backend = vault_pki_secret_backend.intermediate.path + backend = vault_mount.intermediate.path name = vault_pki_secret_backend_role.test.name common_name = "app.my.domain" diff --git a/website/docs/r/pki_secret_backend_config_ca.html.md b/website/docs/r/pki_secret_backend_config_ca.html.md index b6aa92cae..9c93a5bc9 100644 
--- a/website/docs/r/pki_secret_backend_config_ca.html.md +++ b/website/docs/r/pki_secret_backend_config_ca.html.md @@ -21,9 +21,9 @@ for more details. ```hcl resource "vault_pki_secret_backend_config_ca" "intermediate" { - depends_on = [vault_pki_secret_backend.intermediate] + depends_on = [vault_mount.intermediate] - backend = vault_pki_secret_backend.intermediate.path + backend = vault_mount.intermediate.path pem_bundle = <vault_okta_auth_backend_user - > - vault_pki_secret_backend - - > vault_pki_secret_backend_cert