ldap rotation import skip parameter #2128

Merged (26 commits, Feb 21, 2024)

Commits:
e61366f  data source fields (kpcraig, Jan 12, 2024)
ab89eaf  add rotation skip param to resources (kpcraig, Jan 16, 2024)
849cc8d  nil value that is rejected on update (kpcraig, Jan 17, 2024)
4621649  add filter for pre 1.16 vaults (kpcraig, Jan 18, 2024)
761ce2e  fix boolean (kpcraig, Jan 18, 2024)
21c60df  skip 1.16 fields on read if older vault (kpcraig, Feb 6, 2024)
3640082  Merge branch 'main' into VAULT-23264/ldap-rotation-import-ski (kpcraig, Feb 6, 2024)
cd1a8f9  add skip field guard to data source (kpcraig, Feb 6, 2024)
a23c888  overly verbose refactor to save tests (kpcraig, Feb 7, 2024)
f5b287f  shorter version of gated test (kpcraig, Feb 7, 2024)
86cc396  invert boolean (kpcraig, Feb 7, 2024)
8c28de0  test fixes (kpcraig, Feb 8, 2024)
7716303  add test for backend (kpcraig, Feb 8, 2024)
abd73c2  don't use GetOK for booleans (kpcraig, Feb 12, 2024)
6025d5e  update documentation (kpcraig, Feb 12, 2024)
19ee87b  update changelog (kpcraig, Feb 12, 2024)
2df416c  rewrite update/create split to retain parameter in the tfvp data store (kpcraig, Feb 20, 2024)
c8373b6  add commentary (kpcraig, Feb 20, 2024)
8864062  add test (kpcraig, Feb 20, 2024)
17274e4  add test (kpcraig, Feb 20, 2024)
cddd3b4  update skip check (kpcraig, Feb 20, 2024)
0574b4b  Update vault/resource_ldap_secret_backend_test.go (kpcraig, Feb 21, 2024)
6cf7caf  Update vault/resource_ldap_secret_backend_static_role_test.go (kpcraig, Feb 21, 2024)
9677686  clean up create/update detection (kpcraig, Feb 21, 2024)
080a09a  Merge remote-tracking branch 'refs/remotes/origin/VAULT-23264/ldap-ro… (kpcraig, Feb 21, 2024)
2e75933  clean up credential code (kpcraig, Feb 21, 2024)
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,7 @@
FEATURES:
* Add destination and association resources to support Secrets Sync. Requires Vault 1.16+ ([#2098](https://github.com/hashicorp/terraform-provider-vault/pull/2098)).
* Add support for Oracle database plugin configuration options `split_statements` and `disconnect_sessions`: ([#2085](https://github.com/hashicorp/terraform-provider-vault/pull/2085))
* Add support for `skip_import_rotation` and `skip_static_role_import_rotation` in `ldap_secret_backend_static_role` and `ldap_secret_backend` respectively. Requires Vault 1.16+ ([#2128](https://github.com/hashicorp/terraform-provider-vault/pull/2128)).

## 3.24.0 (Jan 17, 2024)

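Review bot: The entry for `skip_import_rotation` should say that the provider only sends the field when a static role is created; the create/update handler in vault/resource_ldap_secret_backend_static_role.go drops it on updates, and the resource docs in this PR already say "Not applicable to updates". Without that caveat a user adding the argument to an existing role will expect the next import rotation to be skipped when nothing is sent to Vault.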
2 changes: 2 additions & 0 deletions internal/consts/consts.go
Expand Up @@ -373,6 +373,8 @@ const (
FieldPermanentlyDelete = "permanently_delete"
FieldSignInAudience = "sign_in_audience"
FieldTags = "tags"
FieldSkipStaticRoleImportRotation = "skip_static_role_import_rotation"
FieldSkipImportRotation = "skip_import_rotation"
FieldCustomTags = "custom_tags"
FieldSecretNameTemplate = "secret_name_template"

5 changes: 5 additions & 0 deletions vault/data_source_ldap_static_role_credentials.go
Expand Up @@ -69,6 +69,11 @@ func ldapStaticCredDataSource() *schema.Resource {
Computed: true,
Description: "Name of the static role.",
},
consts.FieldSkipImportRotation: {
Type: schema.TypeBool,
Optional: true,
Description: "Skip rotation of the password on import.",
},
Comment on lines +72 to +76 (Contributor):
We should remove this since they are not relevant to the data source.

},
}
}
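Review bot: Agree with the inline comment: `skip_import_rotation` is a write parameter of the static role, not a credential attribute, and nothing in `ldapStaticCredDataSource` reads or sets it, so an `Optional` field here only advertises an argument the data source ignores and leaves a null in state. Remove the block from the data source schema; the resource schema in vault/resource_ldap_secret_backend_static_role.go is the right home for it.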
36 changes: 36 additions & 0 deletions vault/data_source_ldap_static_role_credentials_test.go
Expand Up @@ -39,6 +39,16 @@ func TestAccDataSourceLDAPStaticRoleCredentials(t *testing.T) {
resource.TestCheckResourceAttrSet(dataName, consts.FieldLastVaultRotation),
),
},
// second 1.16 gated check
{
SkipFunc: func() (bool, error) {
return !testProvider.Meta().(*provider.ProviderMeta).IsAPISupported(provider.VaultVersion116), nil
},
Config: testLDAPStaticRoleDataSourceWithSkipImportRotation(backend, bindDN, bindPass, url, username, dn),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_ldap_secret_backend_static_role_with_skip", consts.FieldSkipImportRotation, "true"),
),
},
Comment on lines +42 to +51 (Contributor):
We should remove this since they are not relevant to the data source.

},
})
}
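Review bot: The `resource.TestCheckResourceAttr` address `"vault_ldap_secret_backend_static_role_with_skip"` is a bare type name with no resource label, so it cannot match any state entry and the step fails even if the config applies; a state address has the form `type.name` (compare `dataName` used in the step above). If the field is dropped from the data source, as the inline comment asks, this whole step should go with it.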
Expand Down Expand Up @@ -67,3 +77,29 @@ data "vault_ldap_static_credentials" "creds" {
}
`, path, bindDN, bindPass, url, username, dn, username)
}

func testLDAPStaticRoleDataSourceWithSkipImportRotation(path, bindDN, bindPass, url, username, dn string) string {
return fmt.Sprintf(`
resource "vault_ldap_secret_backend" "test" {
path = "%s"
description = "test description"
binddn = "%s"
bindpass = "%s"
url = "%s"
}

resource "vault_ldap_secret_backend_static_role_with_skip" "role" {
mount = vault_ldap_secret_backend.test.path
username = "%s"
dn = "%s"
role_name = "%s"
rotation_period = 60
skip_import_rotation = true
}

data "vault_ldap_static_credentials" "creds" {
mount = vault_ldap_secret_backend.test.path
role_name = vault_ldap_secret_backend_static_role.role.role_name
}
`, path, bindDN, bindPass, url, username, dn, username)
}
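Review bot: The config declares `resource "vault_ldap_secret_backend_static_role_with_skip" "role"`, which is not a resource type this provider registers (the type touched by this PR is `vault_ldap_secret_backend_static_role`), and the data source then references `vault_ldap_secret_backend_static_role.role.role_name`, which this config never declares; Terraform rejects the configuration on both counts before anything reaches Vault. Either correct the type to `vault_ldap_secret_backend_static_role` or, per the inline comment, delete `testLDAPStaticRoleDataSourceWithSkipImportRotation` together with the step that calls it.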
Comment on lines +80 to +105 (Contributor):
We should remove this since they are not relevant to the data source.

13 changes: 13 additions & 0 deletions vault/resource_ldap_secret_backend.go
Expand Up @@ -119,6 +119,11 @@ func ldapSecretBackendResource() *schema.Resource {
Optional: true,
Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
},
consts.FieldSkipStaticRoleImportRotation: {
Type: schema.TypeBool,
Optional: true,
Description: "Skip rotation of static role secrets on import.",
},
}
resource := provider.MustAddMountMigrationSchema(&schema.Resource{
CreateContext: provider.MountCreateContextWrapper(createUpdateLDAPConfigResource, provider.VaultVersion112),
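Review bot: The schema for `skip_static_role_import_rotation` has no `Default`, but website/docs/r/ldap_secret_backend.html.md in this PR says "Defaults to false"; reconcile the two, preferably by adding `Default: false` here so the documented default lives in code. Behaviour is unchanged today because `d.Get` on an unset `TypeBool` yields false, which `createUpdateLDAPConfigResource` then sends, but an explicit default makes that intent visible.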
Expand Down Expand Up @@ -181,6 +186,11 @@ func createUpdateLDAPConfigResource(ctx context.Context, d *schema.ResourceData,
consts.FieldStartTLS,
}

// add skip_static_role_import_rotation if after vault 1.16
if provider.IsAPISupported(meta, provider.VaultVersion116) {
booleanFields = append(booleanFields, consts.FieldSkipStaticRoleImportRotation)
}

// use d.Get() for boolean fields
for _, field := range booleanFields {
data[field] = d.Get(field)
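Review bot: A user who sets `skip_static_role_import_rotation = true` against a Vault older than 1.16 gets no feedback: the field is left out of `booleanFields`, the mount is configured without it, and the setting is silently dropped. Consider returning a diagnostic when the field is set in config but `provider.IsAPISupported(meta, provider.VaultVersion116)` is false, so the user learns it was not applied. Also, the comment should read "1.16 or later" rather than "after vault 1.16", since the gate includes 1.16 itself.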
Expand Down Expand Up @@ -245,6 +255,9 @@ func readLDAPConfigResource(ctx context.Context, d *schema.ResourceData, meta in
consts.FieldUserAttr,
consts.FieldUserDN,
}
if provider.IsAPISupported(meta, provider.VaultVersion116) {
fields = append(fields, consts.FieldSkipStaticRoleImportRotation)
}

for _, field := range fields {
if val, ok := resp.Data[field]; ok {
14 changes: 14 additions & 0 deletions vault/resource_ldap_secret_backend_static_role.go
Expand Up @@ -47,6 +47,11 @@ func ldapSecretBackendStaticRoleResource() *schema.Resource {
Required: true,
Description: "How often Vault should rotate the password of the user entry.",
},
consts.FieldSkipImportRotation: {
Type: schema.TypeBool,
Optional: true,
Description: "Skip rotation of the password on import.",
},
}
return &schema.Resource{
CreateContext: createUpdateLDAPStaticRoleResource,
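Review bot: The description "Skip rotation of the password on import." does not tell the user that the value is honoured only when the role is created; `createUpdateLDAPStaticRoleResource` below drops the field on updates and the docs say "Not applicable to updates". State that in the description too, and consider `ForceNew: true` so that changing the value in config yields a replace rather than an update that cannot apply it.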
Expand All @@ -64,6 +69,7 @@ var ldapSecretBackendStaticRoleFields = []string{
consts.FieldUsername,
consts.FieldDN,
consts.FieldRotationPeriod,
consts.FieldSkipImportRotation,
}

func createUpdateLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
Expand All @@ -78,6 +84,11 @@ func createUpdateLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceD
log.Printf("[DEBUG] Creating LDAP static role at %q", rolePath)
data := map[string]interface{}{}
for _, field := range ldapSecretBackendStaticRoleFields {
// omit skip_import_rotation if vault version is less that 1.16 or if this is an update
// (alternately, only include skip_import_rotation on new resources created on 1.16
if field == consts.FieldSkipImportRotation && (!provider.IsAPISupported(meta, provider.VaultVersion116) || !d.IsNewResource()) {
continue
}
if v, ok := d.GetOk(field); ok {
data[field] = v
}
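Review bot: Dropping `skip_import_rotation` on updates while `readLDAPStaticRoleResource` still sets it from `resp.Data` can produce a perpetual plan diff: if a role was created with one value and the config later changes it, the update omits the field, the next read restores whatever Vault stores, and every plan shows the same change again. Either mark the field `ForceNew`, or document the limitation and add a `DiffSuppressFunc` that ignores changes once the resource exists. Two smaller points on the same loop: `d.GetOk` on a `TypeBool` returns ok=false for `false`, so an explicit `skip_import_rotation = false` is never sent, which is only acceptable because false is the default and deserves a comment given the "don't use GetOK for booleans" commit in this PR; and the new comment has a typo ("less that 1.16") and an unclosed parenthesis.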
Expand Down Expand Up @@ -109,6 +120,9 @@ func readLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, met
}

for _, field := range ldapSecretBackendStaticRoleFields {
if field == consts.FieldSkipImportRotation && !provider.IsAPISupported(meta, provider.VaultVersion116) {
continue
}
if val, ok := resp.Data[field]; ok {
if err := d.Set(field, val); err != nil {
return diag.FromErr(fmt.Errorf("error setting state key '%s': %s", field, err))
29 changes: 29 additions & 0 deletions vault/resource_ldap_secret_backend_static_role_test.go
Expand Up @@ -43,6 +43,13 @@ func TestAccLDAPSecretBackendStaticRole(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, consts.FieldRotationPeriod, rotationPeriod),
),
},
{
SkipFunc: func() (bool, error) {
return !testProvider.Meta().(*provider.ProviderMeta).IsAPISupported(provider.VaultVersion116), nil
},
Config: testLDAPSecretBackendStaticRoleConfig_withSkip(path, bindDN, bindPass, url, username, dn, username, rotationPeriod),
Check: resource.TestCheckResourceAttr(resourceName, consts.FieldSkipImportRotation, "true"),
},
{
Config: testLDAPSecretBackendStaticRoleConfig(path, bindDN, bindPass, url, updatedUsername, updatedDN, updatedUsername, updatedRotationPeriod),
Check: resource.ComposeTestCheckFunc(
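Review bot: This step applies `skip_import_rotation = true` to the role created in the previous step, so in `createUpdateLDAPStaticRoleResource` the resource is not new and the field is dropped from the write; the `true` that `TestCheckResourceAttr` observes comes from the planned config being carried into state, not from Vault, and if the subsequent read returns Vault's stored value the framework's post-apply plan check will report a non-empty plan. To exercise the create path, give the skip step a fresh role (different `role_name` or `path`) in its own test, or run the skip config as the first step.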
Expand Down Expand Up @@ -76,3 +83,25 @@ resource "vault_ldap_secret_backend_static_role" "role" {
}
`, mount, bindDN, bindPass, url, username, dn, role, rotationPeriod)
}

func testLDAPSecretBackendStaticRoleConfig_withSkip(mount, bindDN, bindPass, url, username, dn, role, rotationPeriod string) string {
return fmt.Sprintf(`
resource "vault_ldap_secret_backend" "test" {
path = "%s"
description = "test description"
binddn = "%s"
bindpass = "%s"
url = "%s"
userdn = "CN=Users,DC=corp,DC=example,DC=net"
}

resource "vault_ldap_secret_backend_static_role" "role" {
mount = vault_ldap_secret_backend.test.path
username = "%s"
dn = "%s"
role_name = "%s"
rotation_period = %s
skip_import_rotation = true
}
`, mount, bindDN, bindPass, url, username, dn, role, rotationPeriod)
}
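Review bot: `testLDAPSecretBackendStaticRoleConfig_withSkip` repeats the base template with one extra line, and it hard-codes `userdn = "CN=Users,DC=corp,DC=example,DC=net"` while every other value is a `%s` parameter; a `skip bool` argument on the existing `testLDAPSecretBackendStaticRoleConfig` helper (rendering the `skip_import_rotation` line conditionally) would avoid maintaining two near-identical HCL templates, and `userdn` should be passed in like the other values if it is needed.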
18 changes: 18 additions & 0 deletions vault/resource_ldap_secret_backend_test.go
Expand Up @@ -61,6 +61,13 @@ func TestLDAPSecretBackend(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, consts.FieldConnectionTimeout, "30"),
),
},
{
SkipFunc: func() (bool, error) {
return !testProvider.Meta().(*provider.ProviderMeta).IsAPISupported(provider.VaultVersion116), nil
},
Config: testLDAPSecretBackendConfig_withSkip(path, bindDN, bindPass),
Check: resource.TestCheckResourceAttr(resourceName, consts.FieldSkipStaticRoleImportRotation, "true"),
},
{
Config: testLDAPSecretBackendConfig(path, updatedDescription, bindDN, bindPass, url, updatedUserDN, "openldap", false),
Check: resource.ComposeTestCheckFunc(
Expand Down Expand Up @@ -190,6 +197,17 @@ resource "vault_ldap_secret_backend" "test" {
}`, path, bindDN, bindPass)
}

func testLDAPSecretBackendConfig_withSkip(path, bindDN, bindPass string) string {
return fmt.Sprintf(`
resource "vault_ldap_secret_backend" "test" {
path = "%s"
description = "test description"
binddn = "%s"
bindpass = "%s"
skip_static_role_import_rotation = true
}`, path, bindDN, bindPass)
}

func testLDAPSecretBackendConfig(mount, description, bindDN, bindPass, url, userDN, schema string, insecureTLS bool) string {
return fmt.Sprintf(`
resource "vault_ldap_secret_backend" "test" {
3 changes: 3 additions & 0 deletions website/docs/d/ldap_static_role_credentials.html.md
Expand Up @@ -72,3 +72,6 @@ In addition to the arguments above, the following attributes are exported:
* `ttl` - Duration in seconds after which the issued credential should expire.

* `username` - The name of the static role.

* `skip_import_rotation` - (Optional) Causes vault to skip the initial rotation on import. Not applicable on updates.
Requires Vault 1.16 or above.
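Review bot: This text sits under the data source's exported attributes, where an "(Optional)" argument marker makes no sense, and the data source neither reads nor sets `skip_import_rotation`; the argument is documented in website/docs/r/ldap_secret_backend_static_role.html.md already. Remove it here, as the inline comment requests; wherever the sentence is kept, "vault" should be "Vault".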
Comment on lines +75 to +77 (Contributor):
We should remove this since they are not relevant to the data source.

3 changes: 3 additions & 0 deletions website/docs/r/ldap_secret_backend.html.md
Expand Up @@ -90,6 +90,9 @@ The following arguments are supported:

* `userdn` - (Optional) LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

* `skip_static_role_import_rotation` - (Optional) If set to true, static roles will not be rotated during import.
Defaults to false. Requires Vault 1.16 or above.

## Attributes Reference

No additional attributes are exported by this resource.
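Review bot: "Defaults to false" is not backed by the schema, which has no `Default` for `skip_static_role_import_rotation` in vault/resource_ldap_secret_backend.go; add the default there or soften the sentence. It would also help the reader to say that on a Vault older than 1.16 the provider omits the field rather than failing, since `createUpdateLDAPConfigResource` only appends it when `provider.VaultVersion116` is supported.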
3 changes: 3 additions & 0 deletions website/docs/r/ldap_secret_backend_static_role.html.md
Expand Up @@ -61,6 +61,9 @@ The following arguments are supported:

* `rotation_period` - (Required) How often Vault should rotate the password of the user entry.

* `skip_import_rotation` - (Optional) Causes vault to skip the initial secret rotation on import. Not applicable to updates.
Requires Vault 1.16 or above.

## Attributes Reference

No additional attributes are exported by this resource.
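Review bot: "Not applicable to updates" is too terse for an argument users will try to change: say explicitly that the provider sends `skip_import_rotation` only when the role is created and that changing it on an existing role has no effect, matching the `d.IsNewResource()` guard in `createUpdateLDAPStaticRoleResource`. Capitalise "Vault" as in the rest of the page.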