Add audit non HMAC'd request/response keys to mount resource

CHANGELOG.md

@@ -6,6 +6,7 @@ IMPROVEMENTS:
 * `resource/database_secret_backend_connection`: Add support for configuring Redshift databases ([#1279](https://github.com/hashicorp/terraform-provider-vault/pull/1279))
 * `resource/pki_secret_backend_intermediate_cert_request`: Add support for the `ed25519` key_type ([#1278](https://github.com/hashicorp/terraform-provider-vault/pull/1278))
 * `resource/rabbitmq_secret_backend_role`: Add support for `vhost_topics` ([#1246](https://github.com/hashicorp/terraform-provider-vault/pull/1246))
+* `resource/vault_mount`: Add support for `audit_non_hmac_request_keys` and `audit_non_hmac_response_keys` ([#1297](https://github.com/hashicorp/terraform-provider-vault/pull/1297))
 
 ## 3.1.1 (December 22, 2021)
 BUGS:

vault/resource_mount.go

@@ -60,6 +60,20 @@ func MountResource() *schema.Resource {
 				Description: "Maximum possible lease duration for tokens and secrets in seconds",
 			},
 
+			"audit_non_hmac_request_keys": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"audit_non_hmac_response_keys": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
 			"accessor": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -111,8 +125,10 @@ func mountWrite(d *schema.ResourceData, meta interface{}) error {
 		Type:        d.Get("type").(string),
 		Description: d.Get("description").(string),
 		Config: api.MountConfigInput{
-			DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
-			MaxLeaseTTL:     fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
+			DefaultLeaseTTL:          fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
+			MaxLeaseTTL:              fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
+			AuditNonHMACRequestKeys:  expandStringSlice(d.Get("audit_non_hmac_request_keys").([]interface{})),
+			AuditNonHMACResponseKeys: expandStringSlice(d.Get("audit_non_hmac_response_keys").([]interface{})),
 		},
 		Local:                 d.Get("local").(bool),
 		Options:               opts(d),
@@ -142,6 +158,14 @@ func mountUpdate(d *schema.ResourceData, meta interface{}) error {
 		Options:         opts(d),
 	}
 
+	if d.HasChange("audit_non_hmac_request_keys") {
+		config.AuditNonHMACRequestKeys = expandStringSlice(d.Get("audit_non_hmac_request_keys").([]interface{}))
+	}
+
+	if d.HasChange("audit_non_hmac_response_keys") {
+		config.AuditNonHMACResponseKeys = expandStringSlice(d.Get("audit_non_hmac_response_keys").([]interface{}))
+	}
+
 	if d.HasChange("description") {
 		description := fmt.Sprintf("%s", d.Get("description"))
 		config.Description = &description
@@ -228,6 +252,8 @@ func mountRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("description", mount.Description)
 	d.Set("default_lease_ttl_seconds", mount.Config.DefaultLeaseTTL)
 	d.Set("max_lease_ttl_seconds", mount.Config.MaxLeaseTTL)
+	d.Set("audit_non_hmac_request_keys", mount.Config.AuditNonHMACRequestKeys)
+	d.Set("audit_non_hmac_response_keys", mount.Config.AuditNonHMACResponseKeys)
 	d.Set("accessor", mount.Accessor)
 	d.Set("local", mount.Local)
 	d.Set("options", mount.Options)

vault/resource_mount_test.go

@@ -2,6 +2,8 @@ package vault
 
 import (
 	"fmt"
+	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -109,6 +111,49 @@ func TestResourceMount_SealWrap(t *testing.T) {
 	})
 }
 
+// Test Audit non-HMAC fields
+func TestResourceMount_AuditNonHMACRequestKeys(t *testing.T) {
+	resourcePath := "vault_mount.test"
+	path := "example-" + acctest.RandString(10)
+
+	expectReqKeysNew := []string{"test1request", "test2request"}
+	expectRespKeysNew := []string{"test1response", "test2response"}
+	expectReqKeysUpdate := []string{"test3request", "test4request"}
+	expectRespKeysUpdate := []string{"test3response", "test4response"}
+	resource.Test(t, resource.TestCase{
+		Providers: testProviders,
+		PreCheck:  func() { testutil.TestAccPreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				Config: testResourceMount_AuditNonHMACRequestKeysConfig(path, expectReqKeysNew, expectRespKeysNew),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourcePath, "path", path),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.#", "2"),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.0", expectReqKeysNew[0]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.1", expectReqKeysNew[1]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.#", "2"),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.0", expectRespKeysNew[0]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.1", expectRespKeysNew[1]),
+					testResourceMount_CheckAuditNonHMACRequestKeys(path, expectReqKeysNew, expectRespKeysNew),
+				),
+			},
+			{
+				Config: testResourceMount_AuditNonHMACRequestKeysConfig(path, expectReqKeysUpdate, expectRespKeysUpdate),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourcePath, "path", path),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.#", "2"),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.0", expectReqKeysUpdate[0]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_request_keys.1", expectReqKeysUpdate[1]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.#", "2"),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.0", expectRespKeysUpdate[0]),
+					resource.TestCheckResourceAttr(resourcePath, "audit_non_hmac_response_keys.1", expectRespKeysUpdate[1]),
+					testResourceMount_CheckAuditNonHMACRequestKeys(path, expectReqKeysUpdate, expectRespKeysUpdate),
+				),
+			},
+		},
+	})
+}
+
 func TestResourceMount_KVV2(t *testing.T) {
 	path := acctest.RandomWithPrefix("example")
 	kvv2Cfg := fmt.Sprintf(`
@@ -481,6 +526,82 @@ func testResourceMount_UpdateCheckSealWrap(s *terraform.State) error {
 	return nil
 }
 
+func testResourceMount_AuditNonHMACRequestKeysConfig(path string, reqKeys, respKeys []string) string {
+	config := fmt.Sprintf(`
+resource "vault_mount" "test" {
+    path = "%s"
+    type = "kv"
+    description = "Example local mount for testing"
+    default_lease_ttl_seconds = 3600
+    max_lease_ttl_seconds = 36000
+    options = {
+	    version = "1"
+    }
+`, path)
+
+	qs := func(s []string) []string {
+		r := make([]string, len(s))
+		for i, v := range s {
+			r[i] = fmt.Sprintf("%q", v)
+		}
+		return r
+	}
+
+	for k, v := range map[string][]string{
+		"audit_non_hmac_request_keys":  reqKeys,
+		"audit_non_hmac_response_keys": respKeys,
+	} {
+		if len(v) > 0 {
+			config += fmt.Sprintf("%*s = [%s]\n", len(k)+4, k, strings.Join(qs(v), ","))
+		}
+	}
+
+	return config + "}"
+}
+
+func testResourceMount_CheckAuditNonHMACRequestKeys(expectedPath string, expectedReqKeys, expectedRespKeys []string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resourceState := s.Modules[0].Resources["vault_mount.test"]
+		if resourceState == nil {
+			return fmt.Errorf("resource not found in state")
+		}
+
+		instanceState := resourceState.Primary
+		if instanceState == nil {
+			return fmt.Errorf("resource has no primary instance")
+		}
+
+		path := instanceState.ID
+
+		if path != instanceState.Attributes["path"] {
+			return fmt.Errorf("id %q doesn't match path %q", path, instanceState.Attributes["path"])
+		}
+
+		if path != expectedPath {
+			return fmt.Errorf("unexpected path %q, expected %q", path, expectedPath)
+		}
+
+		mount, err := findMount(path)
+		if err != nil {
+			return fmt.Errorf("error reading back mount %q: %s", path, err)
+		}
+
+		if !reflect.DeepEqual(expectedReqKeys, mount.Config.AuditNonHMACRequestKeys) {
+			return fmt.Errorf("expected audit_non_hmac_request_keys %#v, actual %#v",
+				expectedReqKeys,
+				mount.Config.AuditNonHMACRequestKeys)
+		}
+
+		if !reflect.DeepEqual(expectedRespKeys, mount.Config.AuditNonHMACResponseKeys) {
+			return fmt.Errorf("expected audit_non_hmac_response_keys %#v, actual %#v",
+				expectedRespKeys,
+				mount.Config.AuditNonHMACResponseKeys)
+		}
+
+		return nil
+	}
+}
+
 func testResourceMount_CheckExternalEntropyAccess(expectedPath string, expectedExternalEntropyAccess bool) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		resourceState := s.Modules[0].Resources["vault_mount.test"]

website/docs/r/mount.html.md

@@ -64,6 +64,10 @@ The following arguments are supported:
 
 * `max_lease_ttl_seconds` - (Optional) Maximum possible lease duration for tokens and secrets in seconds
 
+* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
+
+* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
+
 * `local` - (Optional) Boolean flag that can be explicitly set to true to enforce local mount in HA environment
 
 * `options` - (Optional) Specifies mount type specific options that are passed to the backend