hashicorp · kpcraig · Feb 21, 2024 · Jan 12, 2024 · Jan 16, 2024 · Jan 17, 2024
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -373,6 +373,8 @@ const (
 	FieldPermanentlyDelete             = "permanently_delete"
 	FieldSignInAudience                = "sign_in_audience"
 	FieldTags                          = "tags"
+	FieldSkipStaticRoleImportRotation  = "skip_static_role_import_rotation"
+	FieldSkipImportRotation            = "skip_import_rotation"
 	FieldCustomTags                    = "custom_tags"
 	FieldSecretNameTemplate            = "secret_name_template"
 

diff --git a/vault/data_source_ldap_static_role_credentials.go b/vault/data_source_ldap_static_role_credentials.go
@@ -69,6 +69,11 @@ func ldapStaticCredDataSource() *schema.Resource {
 				Computed:    true,
 				Description: "Name of the static role.",
 			},
+			consts.FieldSkipImportRotation: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Skip rotation of the password on import.",
+			},
 		},
 	}
 }
@@ -119,6 +124,15 @@ func readLDAPStaticCreds(ctx context.Context, d *schema.ResourceData, meta inter
 	if err := d.Set(consts.FieldUsername, response.username); err != nil {
 		return diag.FromErr(err)
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion116) {
+		var skip bool
+		if skipRaw, ok := secret.Data[consts.FieldSkipImportRotation]; ok {
+			skip = skipRaw.(bool)
+		}
+		if err := d.Set(consts.FieldSkipImportRotation, skip); err != nil {
+			return diag.FromErr(err)
+		}
+	}
 	return nil
 }
 

diff --git a/vault/data_source_ldap_static_role_credentials_test.go b/vault/data_source_ldap_static_role_credentials_test.go
@@ -39,6 +39,16 @@ func TestAccDataSourceLDAPStaticRoleCredentials(t *testing.T) {
 					resource.TestCheckResourceAttrSet(dataName, consts.FieldLastVaultRotation),
 				),
 			},
+			// second 1.16 gated check
+			{
+				SkipFunc: func() (bool, error) {
+					return !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion116), nil
+				},
+				RefreshState: true,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(dataName, consts.FieldSkipImportRotation),
+				),
+			},
 		},
 	})
 }

diff --git a/vault/resource_ldap_secret_backend.go b/vault/resource_ldap_secret_backend.go
@@ -119,6 +119,11 @@ func ldapSecretBackendResource() *schema.Resource {
 			Optional:    true,
 			Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
 		},
+		consts.FieldSkipStaticRoleImportRotation: {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "Skip rotation of static role secrets on import.",
+		},
 	}
 	resource := provider.MustAddMountMigrationSchema(&schema.Resource{
 		CreateContext: provider.MountCreateContextWrapper(createUpdateLDAPConfigResource, provider.VaultVersion112),
@@ -181,6 +186,11 @@ func createUpdateLDAPConfigResource(ctx context.Context, d *schema.ResourceData,
 		consts.FieldStartTLS,
 	}
 
+	// add skip_static_role_import_rotation if after vault 1.16
+	if provider.IsAPISupported(meta, provider.VaultVersion116) {
+		booleanFields = append(booleanFields, consts.FieldSkipStaticRoleImportRotation)
+	}
+
 	// use d.Get() for boolean fields
 	for _, field := range booleanFields {
 		data[field] = d.Get(field)
@@ -245,6 +255,9 @@ func readLDAPConfigResource(ctx context.Context, d *schema.ResourceData, meta in
 		consts.FieldUserAttr,
 		consts.FieldUserDN,
 	}
+	if provider.IsAPISupported(meta, provider.VaultVersion116) {
+		fields = append(fields, consts.FieldSkipStaticRoleImportRotation)
+	}
 
 	for _, field := range fields {
 		if val, ok := resp.Data[field]; ok {

diff --git a/vault/resource_ldap_secret_backend_static_role.go b/vault/resource_ldap_secret_backend_static_role.go
@@ -47,10 +47,15 @@ func ldapSecretBackendStaticRoleResource() *schema.Resource {
 			Required:    true,
 			Description: "How often Vault should rotate the password of the user entry.",
 		},
+		consts.FieldSkipImportRotation: {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "Skip rotation of the password on import.",
+		},
 	}
 	return &schema.Resource{
-		CreateContext: createUpdateLDAPStaticRoleResource,
-		UpdateContext: createUpdateLDAPStaticRoleResource,
+		CreateContext: createLDAPStaticRoleResource,
+		UpdateContext: updateLDAPStaticRoleResource,
 		ReadContext:   provider.ReadContextWrapper(readLDAPStaticRoleResource),
 		DeleteContext: deleteLDAPStaticRoleResource,
 		Importer: &schema.ResourceImporter{
@@ -64,9 +69,20 @@ var ldapSecretBackendStaticRoleFields = []string{
 	consts.FieldUsername,
 	consts.FieldDN,
 	consts.FieldRotationPeriod,
+	consts.FieldSkipImportRotation,
+}
+
+func updateLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	if _, ok := d.GetOk(consts.FieldSkipImportRotation); ok {
+		err := d.Set(consts.FieldSkipImportRotation, nil)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+	}
+	return createLDAPStaticRoleResource(ctx, d, meta)
 }
 
-func createUpdateLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+func createLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client, err := provider.GetClient(d, meta)
 	if err != nil {
 		return diag.FromErr(err)
@@ -78,6 +94,10 @@ func createUpdateLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceD
 	log.Printf("[DEBUG] Creating LDAP static role at %q", rolePath)
 	data := map[string]interface{}{}
 	for _, field := range ldapSecretBackendStaticRoleFields {
+		// omit skip_import_rotation if before vault 1.16
+		if field == consts.FieldSkipImportRotation && !provider.IsAPISupported(meta, provider.VaultVersion116) {
+			continue
+		}
 		if v, ok := d.GetOk(field); ok {
 			data[field] = v
 		}
@@ -109,6 +129,9 @@ func readLDAPStaticRoleResource(ctx context.Context, d *schema.ResourceData, met
 	}
 
 	for _, field := range ldapSecretBackendStaticRoleFields {
+		if field == consts.FieldSkipImportRotation && !provider.IsAPISupported(meta, provider.VaultVersion116) {
+			continue
+		}
 		if val, ok := resp.Data[field]; ok {
 			if err := d.Set(field, val); err != nil {
 				return diag.FromErr(fmt.Errorf("error setting state key '%s': %s", field, err))

diff --git a/vault/resource_ldap_secret_backend_static_role_test.go b/vault/resource_ldap_secret_backend_static_role_test.go
@@ -43,6 +43,13 @@ func TestAccLDAPSecretBackendStaticRole(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, consts.FieldRotationPeriod, rotationPeriod),
 				),
 			},
+			{
+				SkipFunc: func() (bool, error) {
+					return !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion116), nil
+				},
+				RefreshState: true,
+				Check:        resource.TestCheckResourceAttrSet(resourceName, consts.FieldSkipImportRotation),
+			},
 			{
 				Config: testLDAPSecretBackendStaticRoleConfig(path, bindDN, bindPass, url, updatedUsername, updatedDN, updatedUsername, updatedRotationPeriod),
 				Check: resource.ComposeTestCheckFunc(

diff --git a/vault/resource_ldap_secret_backend_test.go b/vault/resource_ldap_secret_backend_test.go
@@ -61,6 +61,13 @@ func TestLDAPSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, consts.FieldConnectionTimeout, "30"),
 				),
 			},
+			{
+				SkipFunc: func() (bool, error) {
+					return !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion116), nil
+				},
+				RefreshState: true,
+				Check:        resource.TestCheckResourceAttrSet(resourceName, consts.FieldSkipStaticRoleImportRotation),
+			},
 			{
 				Config: testLDAPSecretBackendConfig(path, updatedDescription, bindDN, bindPass, url, updatedUserDN, "openldap", false),
 				Check: resource.ComposeTestCheckFunc(