From fc2ad49c6086fb8b5a5bcedb01539249f55d545e Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Wed, 2 Mar 2022 16:01:59 -0500 Subject: [PATCH 1/4] Add support for Consul roles Update the consul_secret_backend_role resource to support Consul roles. --- testutil/testutil.go | 4 + vault/resource_consul_secret_backend_role.go | 61 ++++++++++---- ...esource_consul_secret_backend_role_test.go | 80 +++++++++++++------ vault/resource_github_auth_backend_test.go | 6 +- ...esource_transit_secret_backend_key_test.go | 6 +- 5 files changed, 114 insertions(+), 43 deletions(-) diff --git a/testutil/testutil.go b/testutil/testutil.go index 078745bcc..71a002cad 100644 --- a/testutil/testutil.go +++ b/testutil/testutil.go @@ -16,6 +16,10 @@ import ( "github.com/mitchellh/go-homedir" ) +const ( + EnvVarSkipVaultNext = "SKIP_VAULT_NEXT_TESTS" +) + func TestAccPreCheck(t *testing.T) { FatalTestEnvUnset(t, "VAULT_ADDR", "VAULT_TOKEN") } diff --git a/vault/resource_consul_secret_backend_role.go b/vault/resource_consul_secret_backend_role.go index 19aca4598..af6c64d0f 100644 --- a/vault/resource_consul_secret_backend_role.go +++ b/vault/resource_consul_secret_backend_role.go @@ -47,6 +47,14 @@ func consulSecretBackendRoleResource() *schema.Resource { Type: schema.TypeString, }, }, + "roles": { + Type: schema.TypeSet, + Optional: true, + Description: `Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, "max_ttl": { Type: schema.TypeInt, Optional: true, 
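Review bot: The Description on the new `roles` schema entry says the field applies to Vault 1.10+ with Consul 1.5+, but nothing in the resource checks the server version, so on an older Vault the attribute is presumably accepted and dropped (Vault's usual handling of unrecognized request parameters) while Terraform state still lists the roles — an operator could believe a token is scoped by roles it never received. Unless the provider has a server-version gate this resource can hook into, the Description should state the failure mode explicitly, e.g. `Set of Consul roles to attach to the token. Requires Vault 1.10+ and Consul 1.5+; older Vault servers silently ignore this field, so verify the role after apply.` The testutil hunk on the same line only extracts the SKIP_VAULT_NEXT_TESTS constant and raises nothing.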
@@ -99,26 +107,30 @@ func consulSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) erro policies := d.Get("policies").([]interface{}) - payload := map[string]interface{}{ + data := map[string]interface{}{ "policies": policies, } if v, ok := d.GetOkExists("max_ttl"); ok { - payload["max_ttl"] = v + data["max_ttl"] = v } if v, ok := d.GetOkExists("ttl"); ok { - payload["ttl"] = v + data["ttl"] = v } if v, ok := d.GetOkExists("token_type"); ok { - payload["token_type"] = v + data["token_type"] = v } if v, ok := d.GetOkExists("local"); ok { - payload["local"] = v + data["local"] = v + } + // to be consistent with the `policies` field name, we map `roles` to `consul_roles` + if v, ok := d.GetOkExists("roles"); ok { + data["consul_roles"] = v.(*schema.Set).List() } log.Printf("[DEBUG] Configuring Consul secrets backend role at %q", path) - if _, err := client.Logical().Write(path, payload); err != nil { + if _, err := client.Logical().Write(path, data); err != nil { return fmt.Errorf("error writing role configuration for %q: %s", path, err) } 
@@ -158,17 +170,38 @@ func consulSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error } data := secret.Data - d.Set("name", name) + if err := d.Set("name", name); err != nil { + return err + } + var pathKey string if _, ok := d.GetOk("path"); ok { - d.Set("path", backend) + pathKey = "path" } else { - d.Set("backend", backend) + pathKey = "backend" + } + if err := d.Set(pathKey, backend); err != nil { + return err + } + + // map request params to schema fields + params := map[string]string{ + "policies": "policies", + "max_ttl": "max_ttl", + "ttl": "ttl", + "token_type": "token_type", + "local": "local", + "consul_roles": "roles", + } + + for k, v := range params { + val, ok := data[k] + if k == "consul_roles" && !ok { + continue + } + if err := d.Set(v, val); err != nil { + return err + } } - d.Set("policies", data["policies"]) - d.Set("max_ttl", data["max_ttl"]) - d.Set("ttl", data["ttl"]) - d.Set("token_type", data["token_type"]) - d.Set("local", data["local"]) return nil } diff --git a/vault/resource_consul_secret_backend_role_test.go b/vault/resource_consul_secret_backend_role_test.go index f28b47ccc..e921ed543 100644 --- a/vault/resource_consul_secret_backend_role_test.go +++ b/vault/resource_consul_secret_backend_role_test.go @@ -2,6 +2,7 @@ package vault import ( "fmt" + "os" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" 
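Review bot: In the new `params` loop, `if k == "consul_roles" && !ok { continue }` leaves the previously stored `consul_roles` value untouched whenever the server's response has no such key, so against a Vault that does not know the field the state keeps echoing the configured roles even though the server never stored them, and `terraform plan` reports no drift. Dropping the special case and writing whatever the server returned — `for k, v := range params {` / `if err := d.Set(v, data[k]); err != nil {` — should clear the set (the SDK treats a nil value for a TypeSet as empty, as far as I recall) and surface configured-but-unapplied roles as a diff, which is exactly the signal an operator needs; if the skip was meant to avoid a perpetual diff on pre-1.10 servers, that diff is reporting a real misconfiguration. The other five keys already take this path, since a missing key yields a nil `val` that is set as-is. consulSecretBackendRoleRead begins before this hunk.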
@@ -16,6 +17,40 @@ func TestConsulSecretBackendRole(t *testing.T) { backend := acctest.RandomWithPrefix("tf-test-backend") name := acctest.RandomWithPrefix("tf-test-name") token := "026a0c16-87cd-4c2d-b3f3-fb539f592b7e" + + resourcePath := "vault_consul_secret_backend_role.test" + createTestCheckFuncs := []resource.TestCheckFunc{ + resource.TestCheckResourceAttr(resourcePath, "backend", backend), + resource.TestCheckResourceAttr(resourcePath, "name", name), + resource.TestCheckResourceAttr(resourcePath, "ttl", "0"), + resource.TestCheckResourceAttr(resourcePath, "policies.#", "1"), + resource.TestCheckResourceAttr(resourcePath, "policies.0", "foo"), + } + + updateTestCheckFuncs := []resource.TestCheckFunc{ + resource.TestCheckResourceAttr(resourcePath, "backend", backend), + resource.TestCheckResourceAttr(resourcePath, "name", name), + resource.TestCheckResourceAttr(resourcePath, "ttl", "120"), + resource.TestCheckResourceAttr(resourcePath, "max_ttl", "240"), + resource.TestCheckResourceAttr(resourcePath, "local", "true"), + resource.TestCheckResourceAttr(resourcePath, "token_type", "client"), + resource.TestCheckResourceAttr(resourcePath, "policies.#", "2"), + resource.TestCheckResourceAttr(resourcePath, "policies.0", "foo"), + resource.TestCheckResourceAttr(resourcePath, "policies.1", "bar"), + } + + if v := os.Getenv(testutil.EnvVarSkipVaultNext); v == "" { + createTestCheckFuncs = append(createTestCheckFuncs, + resource.TestCheckResourceAttr(resourcePath, "roles.#", "1"), + resource.TestCheckResourceAttr(resourcePath, "roles.0", "role-0"), + ) + updateTestCheckFuncs = append(updateTestCheckFuncs, + resource.TestCheckResourceAttr(resourcePath, "roles.#", "3"), + resource.TestCheckResourceAttr(resourcePath, "roles.0", "role-0"), + resource.TestCheckResourceAttr(resourcePath, "roles.1", "role-1"), + resource.TestCheckResourceAttr(resourcePath, "roles.2", "role-2"), + ) + } resource.Test(t, resource.TestCase{ Providers: testProviders, PreCheck: func() { 
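Review bot: The role assertions added under the `SKIP_VAULT_NEXT_TESTS` guard index the set positionally (`roles.0`, `roles.1`, `roles.2`), but `roles` is declared as a `schema.TypeSet`, whose elements the SDK orders by hash rather than by configuration order, so these checks may pass or fail depending on how the three strings happen to hash. Use the set-aware helper instead — `resource.TestCheckTypeSetElemAttr(resourcePath, "roles.*", "role-1")` for each role — and keep only the `roles.#` count check positional. Minor style point: `if v := os.Getenv(testutil.EnvVarSkipVaultNext); v == ""` binds `v` solely to compare it; `if os.Getenv(testutil.EnvVarSkipVaultNext) == "" {` reads cleaner. TestConsulSecretBackendRole starts before this hunk.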
testutil.TestAccPreCheck(t) }, @@ -23,27 +58,11 @@ func TestConsulSecretBackendRole(t *testing.T) { Steps: []resource.TestStep{ { Config: testConsulSecretBackendRole_initialConfig(backend, name, token), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "backend", backend), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "name", name), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "ttl", "0"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.#", "1"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.0", "foo"), - ), + Check: resource.ComposeTestCheckFunc(createTestCheckFuncs...), }, { Config: testConsulSecretBackendRole_updateConfig(backend, name, token), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "backend", backend), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "name", name), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "ttl", "120"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "max_ttl", "240"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "local", "true"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "token_type", "client"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.#", "2"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.0", "foo"), - resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.1", "bar"), - ), + Check: resource.ComposeTestCheckFunc(updateTestCheckFuncs...), }, }, }) 
@@ -85,12 +104,18 @@ resource "vault_consul_secret_backend_role" "test" { policies = [ "foo" ] + + roles = [ + "role-0", + # canary to ensure roles is a Set + "role-0", + ] } `, backend, token, name) } func testConsulSecretBackendRole_updateConfig(backend, name, token string) string { - return fmt.Sprintf(` + config := fmt.Sprintf(` resource "vault_consul_secret_backend" "test" { path = "%s" description = "test description" @@ -103,17 +128,26 @@ resource "vault_consul_secret_backend" "test" { resource "vault_consul_secret_backend_role" "test" { backend = vault_consul_secret_backend.test.path name = "%s" + ttl = 120 + max_ttl = 240 + local = true + token_type = "client" policies = [ "foo", "bar", ] - ttl = 120 - max_ttl = 240 - local = true - token_type = "client" + roles = [ + "role-0", + "role-1", + "role-2", + # canary to ensure roles is a Set + "role-2", + ] } `, backend, token, name) + + return config } func TestConsulSecretBackendRoleNameFromPath(t *testing.T) { diff --git a/vault/resource_github_auth_backend_test.go b/vault/resource_github_auth_backend_test.go index b93baae48..c2f5bb8a6 100644 --- a/vault/resource_github_auth_backend_test.go +++ b/vault/resource_github_auth_backend_test.go @@ -22,7 +22,7 @@ const testGHOrg = "hashicorp" func TestAccGithubAuthBackend_basic(t *testing.T) { testutil.SkipTestAcc(t) // TODO: remove once we can test against the vault-1.10 dev builds - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) orgMeta := testutil.GetGHOrgResponse(t, testGHOrg) @@ -69,7 +69,7 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { func TestAccGithubAuthBackend_tuning(t *testing.T) { testutil.SkipTestAcc(t) // TODO: remove once we can test against the vault-1.10 dev builds - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) orgMeta := testutil.GetGHOrgResponse(t, testGHOrg) 
@@ -140,7 +140,7 @@ func TestAccGithubAuthBackend_tuning(t *testing.T) { func TestAccGithubAuthBackend_description(t *testing.T) { testutil.SkipTestAcc(t) // TODO: remove once we can test against the vault-1.10 dev builds - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) orgMeta := testutil.GetGHOrgResponse(t, testGHOrg) diff --git a/vault/resource_transit_secret_backend_key_test.go b/vault/resource_transit_secret_backend_key_test.go index 56622a2b5..fefce9ee8 100644 --- a/vault/resource_transit_secret_backend_key_test.go +++ b/vault/resource_transit_secret_backend_key_test.go @@ -14,7 +14,7 @@ import ( ) func TestTransitSecretBackendKey_basic(t *testing.T) { - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) backend := acctest.RandomWithPrefix("transit") name := acctest.RandomWithPrefix("key") @@ -75,7 +75,7 @@ func TestTransitSecretBackendKey_basic(t *testing.T) { } func TestTransitSecretBackendKey_rsa4096(t *testing.T) { - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) backend := acctest.RandomWithPrefix("transit") name := acctest.RandomWithPrefix("key") @@ -132,7 +132,7 @@ func TestTransitSecretBackendKey_rsa4096(t *testing.T) { } func TestTransitSecretBackendKey_import(t *testing.T) { - testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS") + testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext) backend := acctest.RandomWithPrefix("transit") name := acctest.RandomWithPrefix("key") From 15400df9b1e8fc505b246f09f0fde0677bec60da Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Wed, 2 Mar 2022 16:08:48 -0500 Subject: [PATCH 2/4] Update docs --- website/docs/r/consul_secret_backend_role.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/docs/r/consul_secret_backend_role.html.md b/website/docs/r/consul_secret_backend_role.html.md index b9d314e47..c559fe9b1 100644 
--- a/website/docs/r/consul_secret_backend_role.html.md +++ b/website/docs/r/consul_secret_backend_role.html.md @@ -40,6 +40,8 @@ The following arguments are supported: * `name` - (Required) The name of the Consul secrets engine role to create. * `policies` - (Required) The list of Consul ACL policies to associate with these roles. + +* `roles` - (Optional) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. * `max_ttl` - (Optional) Maximum TTL for leases associated with this role, in seconds. From f0d919bf138cd1245425de2a7b53d3ca428f1a70 Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Thu, 3 Mar 2022 09:53:27 -0500 Subject: [PATCH 3/4] Rename roles to consul_roles to be match Vault --- vault/resource_consul_secret_backend_role.go | 7 +++---- .../resource_consul_secret_backend_role_test.go | 16 ++++++++-------- .../docs/r/consul_secret_backend_role.html.md | 2 +- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/vault/resource_consul_secret_backend_role.go b/vault/resource_consul_secret_backend_role.go index af6c64d0f..34a4581bb 100644 --- a/vault/resource_consul_secret_backend_role.go +++ b/vault/resource_consul_secret_backend_role.go @@ -47,7 +47,7 @@ func consulSecretBackendRoleResource() *schema.Resource { Type: schema.TypeString, }, }, - "roles": { + "consul_roles": { Type: schema.TypeSet, Optional: true, Description: `Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+`, @@ -123,8 +123,7 @@ func consulSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) erro if v, ok := d.GetOkExists("local"); ok { data["local"] = v } - // to be consistent with the `policies` field name, we map `roles` to `consul_roles` - if v, ok := d.GetOkExists("roles"); ok { + if v, ok := d.GetOkExists("consul_roles"); ok { data["consul_roles"] = v.(*schema.Set).List() } 
@@ -190,7 +189,7 @@ func consulSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error "ttl": "ttl", "token_type": "token_type", "local": "local", - "consul_roles": "roles", + "consul_roles": "consul_roles", } for k, v := range params { diff --git a/vault/resource_consul_secret_backend_role_test.go b/vault/resource_consul_secret_backend_role_test.go index e921ed543..0e694a6ff 100644 --- a/vault/resource_consul_secret_backend_role_test.go +++ b/vault/resource_consul_secret_backend_role_test.go @@ -41,14 +41,14 @@ func TestConsulSecretBackendRole(t *testing.T) { if v := os.Getenv(testutil.EnvVarSkipVaultNext); v == "" { createTestCheckFuncs = append(createTestCheckFuncs, - resource.TestCheckResourceAttr(resourcePath, "roles.#", "1"), - resource.TestCheckResourceAttr(resourcePath, "roles.0", "role-0"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.#", "1"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.0", "role-0"), ) updateTestCheckFuncs = append(updateTestCheckFuncs, - resource.TestCheckResourceAttr(resourcePath, "roles.#", "3"), - resource.TestCheckResourceAttr(resourcePath, "roles.0", "role-0"), - resource.TestCheckResourceAttr(resourcePath, "roles.1", "role-1"), - resource.TestCheckResourceAttr(resourcePath, "roles.2", "role-2"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.#", "3"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.0", "role-0"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.1", "role-1"), + resource.TestCheckResourceAttr(resourcePath, "consul_roles.2", "role-2"), ) } resource.Test(t, resource.TestCase{ @@ -105,7 +105,7 @@ resource "vault_consul_secret_backend_role" "test" { "foo" ] - roles = [ + consul_roles = [ "role-0", # canary to ensure roles is a Set "role-0", @@ -137,7 +137,7 @@ resource "vault_consul_secret_backend_role" "test" { "foo", "bar", ] - roles = [ + consul_roles = [ "role-0", "role-1", "role-2", 
diff --git a/website/docs/r/consul_secret_backend_role.html.md b/website/docs/r/consul_secret_backend_role.html.md index c559fe9b1..233d2da57 100644 --- a/website/docs/r/consul_secret_backend_role.html.md +++ b/website/docs/r/consul_secret_backend_role.html.md @@ -41,7 +41,7 @@ The following arguments are supported: * `policies` - (Required) The list of Consul ACL policies to associate with these roles. -* `roles` - (Optional) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. +* `consul_roles` - (Optional) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. * `max_ttl` - (Optional) Maximum TTL for leases associated with this role, in seconds. From 10cf54363a83275ee37134654f08ca1175019c65 Mon Sep 17 00:00:00 2001 From: Ben Ash Date: Thu, 3 Mar 2022 10:55:53 -0500 Subject: [PATCH 4/4] Require either policies or consul_roles to be set --- vault/resource_consul_secret_backend_role.go | 13 +++-- ...esource_consul_secret_backend_role_test.go | 47 +++++++++++++++---- .../docs/r/consul_secret_backend_role.html.md | 4 +- 3 files changed, 47 insertions(+), 17 deletions(-) diff --git a/vault/resource_consul_secret_backend_role.go b/vault/resource_consul_secret_backend_role.go index 34a4581bb..34281ca30 100644 --- a/vault/resource_consul_secret_backend_role.go +++ b/vault/resource_consul_secret_backend_role.go @@ -41,7 +41,7 @@ func consulSecretBackendRoleResource() *schema.Resource { }, "policies": { Type: schema.TypeList, - Required: true, + Optional: true, Description: "List of Consul policies to associate with this role", Elem: &schema.Schema{ Type: schema.TypeString, 
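Review bot: Making `policies` Optional in this hunk without a schema-level constraint means a configuration with neither `policies` nor `consul_roles` passes `terraform validate` and `plan`, and is rejected only once the apply reaches the write path (the runtime check this series adds). Adding `AtLeastOneOf: []string{"policies", "consul_roles"},` to both the `policies` and `consul_roles` schema entries moves the rejection to plan time and keeps the Vault-side requirement visible in the resource contract; the runtime check can stay as defence in depth. The docs hunk on the same line already describes the fields that way ("Required when … is unset"), so the schema would then match the documentation.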
@@ -106,9 +106,15 @@ func consulSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) erro path := consulSecretBackendRolePath(backend, name) policies := d.Get("policies").([]interface{}) + roles := d.Get("consul_roles").(*schema.Set).List() + + if len(policies) == 0 && len(roles) == 0 { + return fmt.Errorf("policies or consul_roles must be set") + } data := map[string]interface{}{ - "policies": policies, + "policies": policies, + "consul_roles": roles, } if v, ok := d.GetOkExists("max_ttl"); ok { @@ -123,9 +129,6 @@ func consulSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) erro if v, ok := d.GetOkExists("local"); ok { data["local"] = v } - if v, ok := d.GetOkExists("consul_roles"); ok { - data["consul_roles"] = v.(*schema.Set).List() - } log.Printf("[DEBUG] Configuring Consul secrets backend role at %q", path) diff --git a/vault/resource_consul_secret_backend_role_test.go b/vault/resource_consul_secret_backend_role_test.go index 0e694a6ff..f433606f8 100644 --- a/vault/resource_consul_secret_backend_role_test.go +++ b/vault/resource_consul_secret_backend_role_test.go @@ -3,6 +3,7 @@ package vault import ( "fmt" "os" + "regexp" "testing" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" @@ -39,7 +40,9 @@ func TestConsulSecretBackendRole(t *testing.T) { resource.TestCheckResourceAttr(resourcePath, "policies.1", "bar"), } + var withRoles bool if v := os.Getenv(testutil.EnvVarSkipVaultNext); v == "" { + withRoles = true createTestCheckFuncs = append(createTestCheckFuncs, resource.TestCheckResourceAttr(resourcePath, "consul_roles.#", "1"), resource.TestCheckResourceAttr(resourcePath, "consul_roles.0", "role-0"), 
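Review bot: `"consul_roles": roles` is now sent on every write, including an empty list when the attribute was never configured, so the request to a Vault older than 1.10 carries a parameter that server does not recognize; Vault's request framework usually ignores such parameters with a warning rather than failing, but that is worth confirming against the oldest Vault version the provider supports, given the field is documented as 1.10+ only. If it does fail, sending the key only when the set is non-empty or has changed — `if len(roles) > 0 || d.HasChange("consul_roles") { data["consul_roles"] = roles }` — still clears roles that were removed from configuration (the reason the earlier `GetOkExists` gate was dropped) while leaving legacy servers untouched. The `policies or consul_roles must be set` check is sound as a write-path guard; the remainder of consulSecretBackendRoleWrite lies outside these hunks.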
@@ -57,11 +60,19 @@ func TestConsulSecretBackendRole(t *testing.T) { CheckDestroy: testAccConsulSecretBackendRoleCheckDestroy, Steps: []resource.TestStep{ { - Config: testConsulSecretBackendRole_initialConfig(backend, name, token), + Config: testConsulSecretBackendRole_initialConfig(backend, name, token, false, false), + ExpectError: regexp.MustCompile(`policies or consul_roles must be set`), + }, + { + Config: testConsulSecretBackendRole_initialConfig(backend, name, token, true, withRoles), Check: resource.ComposeTestCheckFunc(createTestCheckFuncs...), }, { - Config: testConsulSecretBackendRole_updateConfig(backend, name, token), + Config: testConsulSecretBackendRole_updateConfig(backend, name, token, false, false), + ExpectError: regexp.MustCompile(`policies or consul_roles must be set`), + }, + { + Config: testConsulSecretBackendRole_updateConfig(backend, name, token, true, withRoles), Check: resource.ComposeTestCheckFunc(updateTestCheckFuncs...), }, }, @@ -86,8 +97,8 @@ func testAccConsulSecretBackendRoleCheckDestroy(s *terraform.State) error { return nil } -func testConsulSecretBackendRole_initialConfig(backend, name, token string) string { - return fmt.Sprintf(` +func testConsulSecretBackendRole_initialConfig(backend, name, token string, withPolicies, withRoles bool) string { + config := fmt.Sprintf(` resource "vault_consul_secret_backend" "test" { path = "%s" description = "test description" 
@@ -100,21 +111,30 @@ resource "vault_consul_secret_backend" "test" { resource "vault_consul_secret_backend_role" "test" { backend = vault_consul_secret_backend.test.path name = "%s" +`, backend, token, name) + if withPolicies { + config += ` policies = [ "foo" ] +` + } + if withRoles { + config += ` consul_roles = [ "role-0", # canary to ensure roles is a Set "role-0", ] -} -`, backend, token, name) +` + } + + return config + "}" } -func testConsulSecretBackendRole_updateConfig(backend, name, token string) string { +func testConsulSecretBackendRole_updateConfig(backend, name, token string, withPolicies, withRoles bool) string { config := fmt.Sprintf(` resource "vault_consul_secret_backend" "test" { path = "%s" @@ -132,11 +152,18 @@ resource "vault_consul_secret_backend_role" "test" { max_ttl = 240 local = true token_type = "client" +`, backend, token, name) + if withPolicies { + config += ` policies = [ "foo", "bar", ] +` + } + if withRoles { + config += ` consul_roles = [ "role-0", "role-1", @@ -144,10 +171,10 @@ resource "vault_consul_secret_backend_role" "test" { # canary to ensure roles is a Set "role-2", ] -} -`, backend, token, name) +` + } - return config + return config + "}" } func TestConsulSecretBackendRoleNameFromPath(t *testing.T) { diff --git a/website/docs/r/consul_secret_backend_role.html.md b/website/docs/r/consul_secret_backend_role.html.md index 233d2da57..b5df0bd99 100644 --- a/website/docs/r/consul_secret_backend_role.html.md +++ b/website/docs/r/consul_secret_backend_role.html.md 
@@ -39,9 +39,9 @@ The following arguments are supported: * `name` - (Required) The name of the Consul secrets engine role to create. -* `policies` - (Required) The list of Consul ACL policies to associate with these roles. +* `policies` - (Required when `consul_roles` is unset) The list of Consul ACL policies to associate with these roles. -* `consul_roles` - (Optional) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. +* `consul_roles` - (Required when `policies` is unset) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. * `max_ttl` - (Optional) Maximum TTL for leases associated with this role, in seconds.