Add support for Consul roles

testutil/testutil.go

@@ -16,6 +16,10 @@ import (
 	"github.com/mitchellh/go-homedir"
 )
 
+const (
+	EnvVarSkipVaultNext = "SKIP_VAULT_NEXT_TESTS"
+)
+
 func TestAccPreCheck(t *testing.T) {
 	FatalTestEnvUnset(t, "VAULT_ADDR", "VAULT_TOKEN")
 }

vault/resource_consul_secret_backend_role.go

@@ -41,12 +41,20 @@ func consulSecretBackendRoleResource() *schema.Resource {
 			},
 			"policies": {
 				Type:        schema.TypeList,
-				Required:    true,
+				Optional:    true,
 				Description: "List of Consul policies to associate with this role",
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 				},
 			},
+			"consul_roles": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: `Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+`,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"max_ttl": {
 				Type:        schema.TypeInt,
 				Optional:    true,
@@ -98,27 +106,33 @@ func consulSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) erro
 	path := consulSecretBackendRolePath(backend, name)
 
 	policies := d.Get("policies").([]interface{})
+	roles := d.Get("consul_roles").(*schema.Set).List()
 
-	payload := map[string]interface{}{
-		"policies": policies,
+	if len(policies) == 0 && len(roles) == 0 {
+		return fmt.Errorf("policies or consul_roles must be set")
+	}
+
+	data := map[string]interface{}{
+		"policies":     policies,
+		"consul_roles": roles,
 	}
 
 	if v, ok := d.GetOkExists("max_ttl"); ok {
-		payload["max_ttl"] = v
+		data["max_ttl"] = v
 	}
 	if v, ok := d.GetOkExists("ttl"); ok {
-		payload["ttl"] = v
+		data["ttl"] = v
 	}
 	if v, ok := d.GetOkExists("token_type"); ok {
-		payload["token_type"] = v
+		data["token_type"] = v
 	}
 	if v, ok := d.GetOkExists("local"); ok {
-		payload["local"] = v
+		data["local"] = v
 	}
 
 	log.Printf("[DEBUG] Configuring Consul secrets backend role at %q", path)
 
-	if _, err := client.Logical().Write(path, payload); err != nil {
+	if _, err := client.Logical().Write(path, data); err != nil {
 		return fmt.Errorf("error writing role configuration for %q: %s", path, err)
 	}
 
@@ -158,17 +172,38 @@ func consulSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error
 	}
 
 	data := secret.Data
-	d.Set("name", name)
+	if err := d.Set("name", name); err != nil {
+		return err
+	}
+	var pathKey string
 	if _, ok := d.GetOk("path"); ok {
-		d.Set("path", backend)
+		pathKey = "path"
 	} else {
-		d.Set("backend", backend)
+		pathKey = "backend"
+	}
+	if err := d.Set(pathKey, backend); err != nil {
+		return err
+	}
+
+	// map request params to schema fields
+	params := map[string]string{
+		"policies":     "policies",
+		"max_ttl":      "max_ttl",
+		"ttl":          "ttl",
+		"token_type":   "token_type",
+		"local":        "local",
+		"consul_roles": "consul_roles",
+	}
+
+	for k, v := range params {
+		val, ok := data[k]
+		if k == "consul_roles" && !ok {
+			continue
+		}
+		if err := d.Set(v, val); err != nil {
+			return err
+		}
 	}
-	d.Set("policies", data["policies"])
-	d.Set("max_ttl", data["max_ttl"])
-	d.Set("ttl", data["ttl"])
-	d.Set("token_type", data["token_type"])
-	d.Set("local", data["local"])
 
 	return nil
 }

vault/resource_consul_secret_backend_role_test.go

@@ -2,6 +2,8 @@ package vault
 
 import (
 	"fmt"
+	"os"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -16,34 +18,62 @@ func TestConsulSecretBackendRole(t *testing.T) {
 	backend := acctest.RandomWithPrefix("tf-test-backend")
 	name := acctest.RandomWithPrefix("tf-test-name")
 	token := "026a0c16-87cd-4c2d-b3f3-fb539f592b7e"
+
+	resourcePath := "vault_consul_secret_backend_role.test"
+	createTestCheckFuncs := []resource.TestCheckFunc{
+		resource.TestCheckResourceAttr(resourcePath, "backend", backend),
+		resource.TestCheckResourceAttr(resourcePath, "name", name),
+		resource.TestCheckResourceAttr(resourcePath, "ttl", "0"),
+		resource.TestCheckResourceAttr(resourcePath, "policies.#", "1"),
+		resource.TestCheckResourceAttr(resourcePath, "policies.0", "foo"),
+	}
+
+	updateTestCheckFuncs := []resource.TestCheckFunc{
+		resource.TestCheckResourceAttr(resourcePath, "backend", backend),
+		resource.TestCheckResourceAttr(resourcePath, "name", name),
+		resource.TestCheckResourceAttr(resourcePath, "ttl", "120"),
+		resource.TestCheckResourceAttr(resourcePath, "max_ttl", "240"),
+		resource.TestCheckResourceAttr(resourcePath, "local", "true"),
+		resource.TestCheckResourceAttr(resourcePath, "token_type", "client"),
+		resource.TestCheckResourceAttr(resourcePath, "policies.#", "2"),
+		resource.TestCheckResourceAttr(resourcePath, "policies.0", "foo"),
+		resource.TestCheckResourceAttr(resourcePath, "policies.1", "bar"),
+	}
+
+	var withRoles bool
+	if v := os.Getenv(testutil.EnvVarSkipVaultNext); v == "" {
+		withRoles = true
+		createTestCheckFuncs = append(createTestCheckFuncs,
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.#", "1"),
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.0", "role-0"),
+		)
+		updateTestCheckFuncs = append(updateTestCheckFuncs,
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.#", "3"),
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.0", "role-0"),
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.1", "role-1"),
+			resource.TestCheckResourceAttr(resourcePath, "consul_roles.2", "role-2"),
+		)
+	}
 	resource.Test(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		CheckDestroy: testAccConsulSecretBackendRoleCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testConsulSecretBackendRole_initialConfig(backend, name, token),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "backend", backend),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "name", name),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "ttl", "0"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.#", "1"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.0", "foo"),
-				),
+				Config:      testConsulSecretBackendRole_initialConfig(backend, name, token, false, false),
+				ExpectError: regexp.MustCompile(`policies or consul_roles must be set`),
+			},
+			{
+				Config: testConsulSecretBackendRole_initialConfig(backend, name, token, true, withRoles),
+				Check:  resource.ComposeTestCheckFunc(createTestCheckFuncs...),
 			},
 			{
-				Config: testConsulSecretBackendRole_updateConfig(backend, name, token),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "backend", backend),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "name", name),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "ttl", "120"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "max_ttl", "240"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "local", "true"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "token_type", "client"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.#", "2"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.0", "foo"),
-					resource.TestCheckResourceAttr("vault_consul_secret_backend_role.test", "policies.1", "bar"),
-				),
+				Config:      testConsulSecretBackendRole_updateConfig(backend, name, token, false, false),
+				ExpectError: regexp.MustCompile(`policies or consul_roles must be set`),
+			},
+			{
+				Config: testConsulSecretBackendRole_updateConfig(backend, name, token, true, withRoles),
+				Check:  resource.ComposeTestCheckFunc(updateTestCheckFuncs...),
 			},
 		},
 	})
@@ -67,8 +97,8 @@ func testAccConsulSecretBackendRoleCheckDestroy(s *terraform.State) error {
 	return nil
 }
 
-func testConsulSecretBackendRole_initialConfig(backend, name, token string) string {
-	return fmt.Sprintf(`
+func testConsulSecretBackendRole_initialConfig(backend, name, token string, withPolicies, withRoles bool) string {
+	config := fmt.Sprintf(`
 resource "vault_consul_secret_backend" "test" {
   path = "%s"
   description = "test description"
@@ -81,16 +111,31 @@ resource "vault_consul_secret_backend" "test" {
 resource "vault_consul_secret_backend_role" "test" {
   backend = vault_consul_secret_backend.test.path
   name = "%s"
+`, backend, token, name)
 
+	if withPolicies {
+		config += `
   policies = [
     "foo"
   ]
-}
-`, backend, token, name)
+`
+	}
+
+	if withRoles {
+		config += `
+  consul_roles = [
+    "role-0",
+    # canary to ensure roles is a Set
+    "role-0",
+  ]
+`
+	}
+
+	return config + "}"
 }
 
-func testConsulSecretBackendRole_updateConfig(backend, name, token string) string {
-	return fmt.Sprintf(`
+func testConsulSecretBackendRole_updateConfig(backend, name, token string, withPolicies, withRoles bool) string {
+	config := fmt.Sprintf(`
 resource "vault_consul_secret_backend" "test" {
   path = "%s"
   description = "test description"
@@ -103,17 +148,33 @@ resource "vault_consul_secret_backend" "test" {
 resource "vault_consul_secret_backend_role" "test" {
   backend = vault_consul_secret_backend.test.path
   name = "%s"
-
-  policies = [
-    "foo",
-    "bar",
-  ]
   ttl = 120
   max_ttl = 240
   local = true
   token_type = "client"
-}
 `, backend, token, name)
+
+	if withPolicies {
+		config += `
+  policies = [
+    "foo",
+    "bar",
+  ]
+`
+	}
+	if withRoles {
+		config += `
+  consul_roles = [
+    "role-0",
+    "role-1",
+    "role-2",
+    # canary to ensure roles is a Set
+    "role-2",
+  ]
+`
+	}
+
+	return config + "}"
 }
 
 func TestConsulSecretBackendRoleNameFromPath(t *testing.T) {

vault/resource_github_auth_backend_test.go

@@ -22,7 +22,7 @@ const testGHOrg = "hashicorp"
 func TestAccGithubAuthBackend_basic(t *testing.T) {
 	testutil.SkipTestAcc(t)
 	// TODO: remove once we can test against the vault-1.10 dev builds
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	orgMeta := testutil.GetGHOrgResponse(t, testGHOrg)
 
@@ -69,7 +69,7 @@ func TestAccGithubAuthBackend_basic(t *testing.T) {
 func TestAccGithubAuthBackend_tuning(t *testing.T) {
 	testutil.SkipTestAcc(t)
 	// TODO: remove once we can test against the vault-1.10 dev builds
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	orgMeta := testutil.GetGHOrgResponse(t, testGHOrg)
 
@@ -140,7 +140,7 @@ func TestAccGithubAuthBackend_tuning(t *testing.T) {
 func TestAccGithubAuthBackend_description(t *testing.T) {
 	testutil.SkipTestAcc(t)
 	// TODO: remove once we can test against the vault-1.10 dev builds
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	orgMeta := testutil.GetGHOrgResponse(t, testGHOrg)
 

vault/resource_transit_secret_backend_key_test.go

@@ -14,7 +14,7 @@ import (
 )
 
 func TestTransitSecretBackendKey_basic(t *testing.T) {
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	backend := acctest.RandomWithPrefix("transit")
 	name := acctest.RandomWithPrefix("key")
@@ -75,7 +75,7 @@ func TestTransitSecretBackendKey_basic(t *testing.T) {
 }
 
 func TestTransitSecretBackendKey_rsa4096(t *testing.T) {
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	backend := acctest.RandomWithPrefix("transit")
 	name := acctest.RandomWithPrefix("key")
@@ -132,7 +132,7 @@ func TestTransitSecretBackendKey_rsa4096(t *testing.T) {
 }
 
 func TestTransitSecretBackendKey_import(t *testing.T) {
-	testutil.SkipTestEnvSet(t, "SKIP_VAULT_NEXT_TESTS")
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
 
 	backend := acctest.RandomWithPrefix("transit")
 	name := acctest.RandomWithPrefix("key")

website/docs/r/consul_secret_backend_role.html.md

@@ -39,7 +39,9 @@ The following arguments are supported:
 
 * `name` - (Required) The name of the Consul secrets engine role to create.
 
-* `policies` - (Required) The list of Consul ACL policies to associate with these roles.
+* `policies` - (Required when `consul_roles` is unset) The list of Consul ACL policies to associate with these roles.
+
+* `consul_roles` - (Required when `policies` is unset) Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+.
 
 * `max_ttl` - (Optional) Maximum TTL for leases associated with this role, in seconds.