Add support for configuring SAML Auth resources

CHANGELOG.md

@@ -5,7 +5,14 @@ FEATURES:
 
 * BUGS:
 * Fix panic when reading `client_secret` from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))
+* Add support for `custom_metadata` on `vault_namespace`: ([#2033](https://github.com/hashicorp/terraform-provider-vault/pull/2033))
+* Add support for `OCSP*` role fields for the cert auth resource: ([#2056](https://github.com/hashicorp/terraform-provider-vault/pull/2056))
+
+BUGS:
+* Fix panic when reading `client_secret` from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))
 * Fix API request missing `roles` field for `mongodbatlas_secret_role` resource ([#2047](https://github.com/hashicorp/terraform-provider-vault/pull/2047))
+* Fix bug when updating vault_azure_secret_backend_role: ([#2063](https://github.com/hashicorp/terraform-provider-vault/pull/2063))
+* Fix audience string ordering for `auth_login_gcp` causing GCE auth to fail ([#2064](https://github.com/hashicorp/terraform-provider-vault/pull/2064))
 
 IMPROVEMENTS:
 * Updated dependencies: ([#2038](https://github.com/hashicorp/terraform-provider-vault/pull/2038))

vault/provider.go

@@ -705,6 +705,22 @@ var (
 			Resource:      UpdateSchemaResource(managedKeysResource()),
 			PathInventory: []string{"/sys/managed-keys/{type}/{name}"},
 		},
+		"vault_transform_transformation": {
+			Resource:      UpdateSchemaResource(transformTransformationResource()),
+			PathInventory: []string{"/transform/transformation/{name}"},
+		},
+		"vault_transform_template": {
+			Resource:      UpdateSchemaResource(transformTemplateResource()),
+			PathInventory: []string{"/transform/template/{name}"},
+		},
+		"vault_transform_role": {
+			Resource:      UpdateSchemaResource(transformRoleResource()),
+			PathInventory: []string{"/transform/role/{name}"},
+		},
+		"vault_transform_alphabet": {
+			Resource:      UpdateSchemaResource(transformAlphabetResource()),
+			PathInventory: []string{"/transform/alphabet/{name}"},
+		},
 		"vault_saml_auth_backend": {
 			Resource:      UpdateSchemaResource(samlAuthBackendResource()),
 			PathInventory: []string{"/auth/saml/config"},

vault/resource_saml_auth_backend.go

@@ -101,7 +101,7 @@ func samlAuthBackendResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 				Required: true,
-				Description: "The well-formated URLs of your Assertion Consumer Service (ACS) " +
+				Description: "The well-formatted URLs of your Assertion Consumer Service (ACS) " +
 					"that should receive a response from the identity provider.",
 			},
 			fieldDefaultRole: {

vault/resource_saml_auth_backend_role.go

@@ -42,7 +42,7 @@ func samlAuthBackendRoleResource() *schema.Resource {
 	fields := map[string]*schema.Schema{
 		consts.FieldPath: {
 			Type:        schema.TypeString,
-			Optional:    true,
+			Required:    true,
 			Description: "Path where SAML Auth engine is mounted.",
 			ForceNew:    true,
 		},
@@ -69,7 +69,7 @@ func samlAuthBackendRoleResource() *schema.Resource {
 		fieldBoundAttributes: {
 			Type:        schema.TypeMap,
 			Optional:    true,
-			Description: "Mapping of attribute names to values that are expected to exist in the SAML assertion",
+			Description: "Mapping of attribute names to values that are expected to exist in the SAML assertion.",
 		},
 		fieldBoundAttributesType: {
 			Type:        schema.TypeString,

website/docs/r/saml_auth_backend.html.md

@@ -0,0 +1,74 @@
+---
+layout: "vault"
+page_title: "Vault: vault_saml_auth_backend resource"
+sidebar_current: "docs-vault-saml-auth-backend"
+description: |-
+Manages SAML Auth mounts in Vault.
+---
+
+# vault\_saml\_auth\_backend
+
+Manages a SAML Auth mount in a Vault server. See the [Vault
+documentation](https://www.vaultproject.io/docs/auth/saml/) for more
+information.
+
+## Example Usage
+
+```hcl
+resource "vault_saml_auth_backend" "test" {
+  path             = "saml"
+  idp_metadata_url = "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
+  entity_id        = "https://my.vault/v1/auth/saml"
+  acs_urls         = ["https://my.vault.primary/v1/auth/saml/callback"]
+  default_role     = "admin"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `namespace` - (Optional) The namespace to provision the resource in.
+  The value should not contain leading or trailing forward slashes.
+  The `namespace` is always relative to the provider's configured [namespace](/docs/providers/vault#namespace).
+  *Available only for Vault Enterprise*.
+
+* `path` - (Optional) Path where the auth backend will be mounted. Defaults to `auth/saml`
+  if not specified.
+
+* `disable_remount` - (Optional) If set to `true`, opts out of mount migration on path updates.
+  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+
+* `idp_metadata_url` - (Optional) The metadata URL of the identity provider.
+
+* `idp_sso_url` (Optional) The SSO URL of the identity provider. Mutually exclusive with 
+  `idp_metadata_url`.
+
+* `idp_entity_id` (Optional) The entity ID of the identity provider. Mutually exclusive with
+  `idp_metadata_url`.
+
+* `idp_cert` (Optional) The PEM encoded certificate of the identity provider. Mutually exclusive
+  with `idp_metadata_url`.
+
+* `entity_id` - (Optional) The entity ID of the SAML authentication service provider.
+
+* `acs_urls` - (Optional) The well-formatted URLs of your Assertion Consumer Service (ACS)
+  that should receive a response from the identity provider.
+
+* `default_role` - (Optional) The role to use if no role is provided during login.
+
+* `verbose_logging` - (Optional) If set to `true`, logs additional, potentially sensitive
+  information during the SAML exchange according to the current logging level. Not 
+  recommended for production.
+
+## Attributes Reference
+
+No additional attributes are exported by this resource.
+
+## Import
+
+SAML authentication mounts can be imported using the `path`, e.g.
+
+```
+$ terraform import vault_saml_auth_backend.example saml
+```

website/docs/r/saml_auth_backend_role.html.md

@@ -0,0 +1,115 @@
+---
+layout: "vault"
+page_title: "Vault: vault_saml_auth_backend_role resource"
+sidebar_current: "docs-vault-resource-saml-auth-backend-role"
+description: |-
+Manages SAML auth backend roles in Vault.
+---
+
+# vault\_saml\_auth\_backend\_role
+
+Manages an SAML auth backend role in a Vault server. See the [Vault
+documentation](https://www.vaultproject.io/docs/auth/saml.html) for more
+information.
+
+## Example Usage
+
+```hcl
+resource "vault_saml_auth_backend" "example" {
+  path             = "saml"
+  idp_metadata_url = "https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata"
+  entity_id        = "https://my.vault/v1/auth/saml"
+  acs_urls         = ["https://my.vault.primary/v1/auth/saml/callback"]
+  default_role     = "default-role"
+}
+
+resource "vault_saml_auth_backend_role" "example" {
+  path                = vault_saml_auth_backend.example.path
+  name                = "my-role"
+  groups_attribute    = "groups"
+  bound_attributes    = {
+    group = "admin"
+  }
+  bound_subjects      = ["*example.com"]
+  token_policies      = ["writer"]
+  token_ttl           = 86400
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `namespace` - (Optional) The namespace to provision the resource in.
+  The value should not contain leading or trailing forward slashes.
+  The `namespace` is always relative to the provider's configured [namespace](/docs/providers/vault#namespace).
+  *Available only for Vault Enterprise*.
+
+* `path` - (Required) Path where the auth backend is mounted.
+
+* `name` - (Required) Unique name of the role.
+
+* `bound_subjects` - (Optional) List of subjects being asserted for SAML authentication.
+
+* `bound_attributes` - (Optional) Mapping of attribute names to values that are expected to
+  exist in the SAML assertion.
+
+* `bound_subjects_type` - (Optional) The type of matching assertion to perform on `bound_subjects`.
+
+* `bound_attributes_type` - (Optional) The type of matching assertion to perform on
+  `bound_attributes_type`.
+
+* `groups_attribute` - (Optional) The attribute to use to identify the set of groups to which the
+  user belongs.
+
+
+### Common Token Arguments
+
+These arguments are common across several Authentication Token resources since Vault 1.2.
+
+* `token_ttl` - (Optional) The incremental lifetime for generated tokens in number of seconds.
+  Its current value will be referenced at renewal time.
+
+* `token_max_ttl` - (Optional) The maximum lifetime for generated tokens in number of seconds.
+  Its current value will be referenced at renewal time.
+
+* `token_period` - (Optional) If set, indicates that the
+  token generated using this role should never expire. The token should be renewed within the
+  duration specified by this value. At each renewal, the token's TTL will be set to the
+  value of this field. Specified in seconds.
+
+* `token_policies` - (Optional) List of policies to encode onto generated tokens. Depending
+  on the auth method, this list may be supplemented by user/group/other values.
+
+* `token_bound_cidrs` - (Optional) List of CIDR blocks; if set, specifies blocks of IP
+  addresses which can authenticate successfully, and ties the resulting token to these blocks
+  as well.
+
+* `token_explicit_max_ttl` - (Optional) If set, will encode an
+  [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+  onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+  `token_max_ttl` would otherwise allow a renewal.
+
+* `token_no_default_policy` - (Optional) If set, the default policy will not be set on
+  generated tokens; otherwise it will be added to the policies set in token_policies.
+
+* `token_num_uses` - (Optional) The [maximum number](https://developer.hashicorp.com/vault/api-docs/auth/saml#token_num_uses)
+  of times a generated token may be used (within its lifetime); 0 means unlimited.
+
+* `token_type` - (Optional) The type of token that should be generated. Can be `service`,
+  `batch`, or `default` to use the mount's tuned default (which unless changed will be
+  `service` tokens). For token store roles, there are two additional possibilities:
+  `default-service` and `default-batch` which specify the type to return unless the client
+  requests a different type at generation time.
+
+## Attributes Reference
+
+No additional attributes are exported by this resource.
+
+## Import
+
+SAML authentication backend roles can be imported using the `path`, e.g.
+
+```
+$ terraform import vault_saml_auth_backend_role.example auth/saml/role/my-role
+```