From 97e757358f7b7031685cf69695176a7491deb33f Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Wed, 9 Feb 2022 17:50:43 -0500 Subject: [PATCH 1/2] Fix persistent diff for kubernetes_ca_cert in k8s-auth-config --- ...rce_kubernetes_auth_backend_config_test.go | 4 +- ...resource_kubernetes_auth_backend_config.go | 36 +++++---- ...rce_kubernetes_auth_backend_config_test.go | 77 ++++++++++++++++--- 3 files changed, 92 insertions(+), 25 deletions(-) diff --git a/vault/data_source_kubernetes_auth_backend_config_test.go b/vault/data_source_kubernetes_auth_backend_config_test.go index 95cf3beb8..eb2896740 100644 --- a/vault/data_source_kubernetes_auth_backend_config_test.go +++ b/vault/data_source_kubernetes_auth_backend_config_test.go @@ -21,7 +21,7 @@ func TestAccKubernetesAuthBackendConfigDataSource_basic(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, kubernetesCAcert), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -120,7 +120,7 @@ func testAccKubernetesAuthBackendConfigDataSourceConfig_basic(backend, jwt strin data "vault_kubernetes_auth_backend_config" "config" { backend = %q -}`, testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), backend) +}`, testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, kubernetesCAcert), backend) } func testAccKubernetesAuthBackendConfigDataSourceConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string { diff --git a/vault/resource_kubernetes_auth_backend_config.go b/vault/resource_kubernetes_auth_backend_config.go index b42a431aa..76e77d88d 100644 --- a/vault/resource_kubernetes_auth_backend_config.go +++ b/vault/resource_kubernetes_auth_backend_config.go @@ -33,7 +33,7 @@ func kubernetesAuthBackendConfigResource() *schema.Resource { Type: schema.TypeString, Description: "PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.", Optional: true, - Default: "", + Computed: true, }, "token_reviewer_jwt": { Type: schema.TypeString, @@ -131,7 +131,10 @@ func kubernetesAuthBackendConfigCreate(d *schema.ResourceData, meta interface{}) // NOTE: Since reading the auth//config does // not return the `token_reviewer_jwt`, // set it from data after successfully storing it in Vault. - d.Set("token_reviewer_jwt", data["token_reviewer_jwt"]) + if err := d.Set("token_reviewer_jwt", data["token_reviewer_jwt"]); err != nil { + return err + } + log.Printf("[DEBUG] Wrote Kubernetes auth backend config %q", path) return kubernetesAuthBackendConfigRead(d, meta) @@ -162,6 +165,7 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e if err != nil { return fmt.Errorf("error reading Kubernetes auth backend config %q: %s", path, err) } + log.Printf("[DEBUG] Read Kubernetes auth backend config %q", path) if resp == nil { log.Printf("[WARN] Kubernetes auth backend config %q not found, removing from state", path) @@ -169,21 +173,25 @@ func kubernetesAuthBackendConfigRead(d *schema.ResourceData, meta interface{}) e return nil } - d.Set("backend", backend) - d.Set("kubernetes_host", resp.Data["kubernetes_host"]) - d.Set("kubernetes_ca_cert", resp.Data["kubernetes_ca_cert"]) - d.Set("issuer", resp.Data["issuer"]) - d.Set("disable_iss_validation", resp.Data["disable_iss_validation"]) - d.Set("disable_local_ca_jwt", resp.Data["disable_local_ca_jwt"]) - - iPemKeys := resp.Data["pem_keys"].([]interface{}) - pemKeys := make([]string, 0, len(iPemKeys)) + if err := d.Set("backend", backend); err != nil { + return err + } - for _, iPemKey := range iPemKeys { - pemKeys = append(pemKeys, iPemKey.(string)) + params := []string{ + "kubernetes_host", + "kubernetes_ca_cert", + "issuer", + "disable_iss_validation", + "disable_local_ca_jwt", + "pem_keys", } - d.Set("pem_keys", pemKeys) + for _, k := range params { + v := resp.Data[k] + if err := d.Set(k, v); err != nil { + return err + } + } return nil } diff --git a/vault/resource_kubernetes_auth_backend_config_test.go b/vault/resource_kubernetes_auth_backend_config_test.go index 36743db82..fbe610f26 100644 --- a/vault/resource_kubernetes_auth_backend_config_test.go +++ b/vault/resource_kubernetes_auth_backend_config_test.go @@ -108,7 +108,7 @@ func TestAccKubernetesAuthBackendConfig_import(t *testing.T) { ImportStateVerifyIgnore: []string{"backend", "token_reviewer_jwt"}, }, { - Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, kubernetesCAcert), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -141,7 +141,7 @@ func TestAccKubernetesAuthBackendConfig_basic(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt), + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, kubernetesCAcert), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -186,7 +186,7 @@ func TestAccKubernetesAuthBackendConfig_update(t *testing.T) { CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, Steps: []resource.TestStep{ { - Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, oldJWT), + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, oldJWT, kubernetesCAcert), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -199,7 +199,7 @@ func TestAccKubernetesAuthBackendConfig_update(t *testing.T) { ), }, { - Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, newJWT), + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, newJWT, kubernetesCAcert), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", "backend", backend), @@ -342,8 +342,58 @@ func TestAccKubernetesAuthBackendConfig_fullUpdate(t *testing.T) { }) } -func testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt string) string { - return fmt.Sprintf(` +func TestAccKubernetesAuthBackendConfig_localCA(t *testing.T) { + backend := acctest.RandomWithPrefix("kubernetes") + jwt := kubernetesJWT + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testutil.TestAccPreCheck(t) }, + Providers: testProviders, + CheckDestroy: testAccCheckKubernetesAuthBackendConfigDestroy, + Steps: []resource.TestStep{ + { + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, ""), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "backend", backend), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "kubernetes_host", "http://example.com:443"), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "kubernetes_ca_cert", ""), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "token_reviewer_jwt", jwt), + ), + }, + { + PreConfig: func() { + client := testProvider.Meta().(*api.Client) + path := kubernetesAuthBackendConfigPath(backend) + if _, err := client.Logical().Write(path, map[string]interface{}{ + "kubernetes_ca_cert": kubernetesCAcert, + "kubernetes_host": "http://example.com:443", + "token_reviewer_jwt": jwt, + }); err != nil { + t.Fatal(err) + } + }, + Config: testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, ""), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "backend", backend), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "kubernetes_host", "http://example.com:443"), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "kubernetes_ca_cert", kubernetesCAcert), + resource.TestCheckResourceAttr("vault_kubernetes_auth_backend_config.config", + "token_reviewer_jwt", jwt), + ), + }, + }, + }) +} + +func testAccKubernetesAuthBackendConfigConfig_basic(backend, jwt, ca string) string { + config := fmt.Sprintf(` resource "vault_auth_backend" "kubernetes" { type = "kubernetes" path = "%s" @@ -352,13 +402,20 @@ resource "vault_auth_backend" "kubernetes" { resource "vault_kubernetes_auth_backend_config" "config" { backend = vault_auth_backend.kubernetes.path kubernetes_host = "http://example.com:443" - kubernetes_ca_cert = %q token_reviewer_jwt = %q -}`, backend, kubernetesCAcert, jwt) +`, backend, jwt) + + if ca != "" { + config += fmt.Sprintf(` + kubernetes_ca_cert = %q +`, ca) + } + + return config + "}" } func testAccKubernetesAuthBackendConfigConfig_full(backend, jwt string, issuer string, disableIssValidation bool, disableLocalCaJwt bool) string { - return fmt.Sprintf(` + config := fmt.Sprintf(` resource "vault_auth_backend" "kubernetes" { type = "kubernetes" path = "%s" @@ -374,4 +431,6 @@ resource "vault_kubernetes_auth_backend_config" "config" { disable_iss_validation = %t disable_local_ca_jwt = %t }`, backend, kubernetesCAcert, jwt, kubernetesPEMfile, issuer, disableIssValidation, disableLocalCaJwt) + + return config } From 971d2e9885707f578aeeb27eaef91ae2ea214a36 Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Wed, 9 Feb 2022 18:34:37 -0500 Subject: [PATCH 2/2] Update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b5f4b420..25238ffd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ BUGS: * `resource/kubernetes_auth_backend_config`: Ensure `disable_iss_validation` is honored in all cases ([#1315](https://github.com/hashicorp/terraform-provider-vault/pull/1315)) * `resource/database_secret_backend_connection`: Add error handling for unrecognized plugins on read ([#1325](https://github.com/hashicorp/terraform-provider-vault/pull/1325)) +* `resource/kubernetes_auth_backend_config`: Prevent persistent diff for `kubernetes_ca_cert` when it is loaded by the backend ([#1337](https://github.com/hashicorp/terraform-provider-vault/pull/1337)) IMPROVEMENTS: * `resource/token_auth_backend_role`: Add `allowed_policies_glob` and `disallowed_polices_glob` ([#1316](https://github.com/hashicorp/terraform-provider-vault/pull/1316))