Add back support for deriving the provider namespace from the Vault token's

go.mod

@@ -53,4 +53,5 @@ require (
 	google.golang.org/api v0.98.0
 	google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e
 	google.golang.org/grpc v1.50.0 // indirect
+	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )

go.sum

@@ -2862,6 +2862,7 @@ k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 layeh.com/radius v0.0.0-20190322222518-890bc1058917/go.mod h1:fywZKyu//X7iRzaxLgPWsvc0L26IUpVvE/aeIL2JtIQ=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=

internal/consts/consts.go

@@ -217,7 +217,7 @@ const (
 	FieldIPAddresses                = "ip_addresses"
 	FieldCIDRBlocks                 = "cidr_blocks"
 	FieldProjectRoles               = "project_roles"
-
+	FieldSkipChildToken             = "skip_child_token"
 	/*
 		common environment variables
 	*/

internal/provider/meta.go

@@ -20,6 +20,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/command/config"
+	"k8s.io/utils/pointer"
 
 	"github.com/hashicorp/terraform-provider-vault/helper"
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
@@ -66,11 +67,11 @@ func (p *ProviderMeta) GetNSClient(ns string) (*api.Client, error) {
 		return nil, err
 	}
 
+	ns = strings.Trim(ns, "/")
 	if ns == "" {
 		return nil, fmt.Errorf("empty namespace not allowed")
 	}
 
-	ns = strings.Trim(ns, "/")
 	if root, ok := p.resourceData.GetOk(consts.FieldNamespace); ok && root.(string) != "" {
 		ns = fmt.Sprintf("%s/%s", root, ns)
 	}
@@ -216,40 +217,93 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 
 	MaxHTTPRetriesCCC = d.Get("max_retries_ccc").(int)
 
-	// Try and get the token from the config or token helper
-	token, err := GetToken(d)
-	if err != nil {
-		return nil, err
-	}
+	// Set the namespace to the requested namespace, if provided
+	namespace := d.Get(consts.FieldNamespace).(string)
 
 	authLogin, err := GetAuthLogin(d)
 	if err != nil {
 		return nil, err
 	}
 
+	var token string
 	if authLogin != nil {
-		client.SetNamespace(authLogin.Namespace())
-		secret, err := authLogin.Login(client)
+		// the clone is only used to auth to Vault
+		clone, err := client.Clone()
+		if err != nil {
+			return nil, err
+		}
+
+		if authLogin.Namespace() != "" {
+			// the namespace configured on the auth_login takes precedence over the provider's
+			// for authentication only.
+			clone.SetNamespace(authLogin.Namespace())
+		} else if namespace != "" {
+			// authenticate to the engine in the provider's namespace
+			clone.SetNamespace(namespace)
+		}
+
+		secret, err := authLogin.Login(clone)
 		if err != nil {
 			return nil, err
 		}
 
 		token = secret.Auth.ClientToken
+	} else {
+		// try and get the token from the config or token helper
+		token, err = GetToken(d)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	if token != "" {
 		client.SetToken(token)
 	}
+
 	if client.Token() == "" {
-		return nil, errors.New("no vault token found")
+		return nil, errors.New("no vault token set on Client")
 	}
 
-	skipChildToken := d.Get("skip_child_token").(bool)
-	if !skipChildToken {
-		err := setChildToken(d, client)
+	tokenInfo, err := client.Auth().Token().LookupSelf()
+	if err != nil {
+		return nil, fmt.Errorf("failed to lookup token, err=%w", err)
+	}
+
+	var tokenNamespace string
+	if v, ok := tokenInfo.Data[consts.FieldNamespacePath]; ok {
+		tokenNamespace = strings.Trim(v.(string), "/")
+	}
+
+	if !d.Get(consts.FieldSkipChildToken).(bool) {
+		// a child token is always created in the namespace of the parent token.
+		token, err = createChildToken(d, client, tokenNamespace)
 		if err != nil {
 			return nil, err
 		}
+
+		client.SetToken(token)
+	}
+
+	if namespace == "" && tokenNamespace != "" {
+		// set the provider namespace to the token's namespace
+		// this is here to ensure that do not break any configurations that are relying on the
+		// token's namespace being used for resource provisioning.
+		// In the future we should drop support for this behaviour.
+		log.Printf("[WARN] The provider namespace should be set when using namespaced auth tokens. "+
+			"Please update your provider configuration's namespace to be %q. "+
+			"Future releases may not support this type of configuration.", tokenNamespace)
+
+		namespace = tokenNamespace
+		// set the namespace on the provider to ensure that all child
+		// namespace paths are properly honoured.
+		if err := d.Set(consts.FieldNamespace, namespace); err != nil {
+			return nil, err
+		}
+	}
+
+	if namespace != "" {
+		// set the namespace on the parent client
+		client.SetNamespace(namespace)
 	}
 
 	var vaultVersion *version.Version
@@ -268,11 +322,6 @@ func NewProviderMeta(d *schema.ResourceData) (interface{}, error) {
 		}
 		vaultVersion = ver
 	}
-	// Set the namespace to the requested namespace, if provided
-	namespace := d.Get(consts.FieldNamespace).(string)
-	if namespace != "" {
-		client.SetNamespace(namespace)
-	}
 
 	return &ProviderMeta{
 		resourceData: d,
@@ -388,58 +437,50 @@ func getVaultVersion(client *api.Client) (*version.Version, error) {
 	return version.Must(version.NewSemver(resp.Version)), nil
 }
 
-func setChildToken(d *schema.ResourceData, c *api.Client) error {
+func createChildToken(d *schema.ResourceData, c *api.Client, namespace string) (string, error) {
 	tokenName := d.Get("token_name").(string)
 	if tokenName == "" {
 		tokenName = "terraform"
 	}
 
+	// the clone is only used to auth to Vault
+	clone, err := c.Clone()
+	if err != nil {
+		return "", err
+	}
+
+	if namespace != "" {
+		log.Printf("[INFO] Creating child token, namespace=%q", namespace)
+		clone.SetNamespace(namespace)
+	}
 	// In order to enforce our relatively-short lease TTL, we derive a
-	// temporary child token that inherits all of the policies of the
+	// temporary child token that inherits all the policies of the
 	// token we were given but expires after max_lease_ttl_seconds.
 	//
 	// The intent here is that Terraform will need to re-fetch any
-	// secrets on each run and so we limit the exposure risk of secrets
+	// secrets on each run, so we limit the exposure risk of secrets
 	// that end up stored in the Terraform state, assuming that they are
 	// credentials that Vault is able to revoke.
 	//
 	// Caution is still required with state files since not all secrets
 	// can explicitly be revoked, and this limited scope won't apply to
 	// any secrets that are *written* by Terraform to Vault.
-
-	// Set the namespace to the token's namespace only for the
-	// child token creation
-	tokenInfo, err := c.Auth().Token().LookupSelf()
-	if err != nil {
-		return err
-	}
-	if tokenNamespaceRaw, ok := tokenInfo.Data["namespace_path"]; ok {
-		tokenNamespace := tokenNamespaceRaw.(string)
-		if tokenNamespace != "" {
-			c.SetNamespace(tokenNamespace)
-		}
-	}
-
-	renewable := false
-	childTokenLease, err := c.Auth().Token().Create(&api.TokenCreateRequest{
+	childTokenLease, err := clone.Auth().Token().Create(&api.TokenCreateRequest{
 		DisplayName:    tokenName,
 		TTL:            fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
 		ExplicitMaxTTL: fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds").(int)),
-		Renewable:      &renewable,
+		Renewable:      pointer.Bool(false),
 	})
 	if err != nil {
-		return fmt.Errorf("failed to create limited child token: %s", err)
+		return "", fmt.Errorf("failed to create limited child token: %s", err)
 	}
 
 	childToken := childTokenLease.Auth.ClientToken
 	policies := childTokenLease.Auth.Policies
 
 	log.Printf("[INFO] Using Vault token with the following policies: %s", strings.Join(policies, ", "))
 
-	// Set the token to the generated child token
-	c.SetToken(childToken)
-
-	return nil
+	return childToken, nil
 }
 
 func GetToken(d *schema.ResourceData) (string, error) {

vault/provider.go

@@ -84,7 +84,7 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc("VAULT_TOKEN_NAME", ""),
 				Description: "Token name to use for creating the Vault child token.",
 			},
-			"skip_child_token": {
+			consts.FieldSkipChildToken: {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("TERRAFORM_VAULT_SKIP_CHILD_TOKEN", false),

vault/provider_test.go

@@ -157,6 +157,7 @@ func TestTokenReadProviderConfigureWithHeaders(t *testing.T) {
 
 func TestAccNamespaceProviderConfigure(t *testing.T) {
 	testutil.SkipTestAccEnt(t)
+	testutil.SkipTestAcc(t)
 
 	rootProvider := Provider()
 	rootProviderResource := &schema.Resource{
@@ -168,21 +169,19 @@ func TestAccNamespaceProviderConfigure(t *testing.T) {
 	}
 
 	namespacePath := acctest.RandomWithPrefix("test-namespace")
+	client := testProvider.Meta().(*provider.ProviderMeta).GetClient()
 
-	// Create a test namespace and make sure it stays there
-	resource.Test(t, resource.TestCase{
-		PreCheck: func() { testutil.TestAccPreCheck(t) },
-		Providers: map[string]*schema.Provider{
-			"vault": rootProvider,
-		},
-		Steps: []resource.TestStep{
-			{
-				Config: testNamespaceConfig(namespacePath),
-				Check:  testNamespaceCheckAttrs(),
-			},
-		},
+	t.Cleanup(func() {
+		if _, err := client.Logical().Delete(SysNamespaceRoot + namespacePath); err != nil {
+			t.Errorf("failed to delete parent namespace %q, err=%s", namespacePath, err)
+		}
 	})
 
+	// create the namespace for the provider
+	if _, err := client.Logical().Write(SysNamespaceRoot+namespacePath, nil); err != nil {
+		t.Fatal(err)
+	}
+
 	nsProvider := Provider()
 	nsProviderResource := &schema.Resource{
 		Schema: nsProvider.Schema,
@@ -644,7 +643,7 @@ func TestAccChildToken(t *testing.T) {
 							}
 						}
 					},
-					Config: testProviderConfig(test.useChildTokenSchema, `skip_child_token = `+test.skipChildTokenSchema),
+					Config: testProviderConfig(test.useChildTokenSchema, consts.FieldSkipChildToken+` = `+test.skipChildTokenSchema),
 					Check:  checkTokenUsed(test.expectChildToken),
 				},
 			},