hashicorp · tyrannosaurus-becks · Feb 1, 2019 · Feb 1, 2019
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -2,7 +2,7 @@ version: "2.2"
 
 services:
   vault:
-    image: vault:0.11.1
+    image: vault:1.0.0
     cap_add:
     - "IPC_LOCK"
     ports:

diff --git a/vault/resource_gcp_auth_backend_role.go b/vault/resource_gcp_auth_backend_role.go
@@ -14,7 +14,7 @@ func gcpAuthBackendRoleResource() *schema.Resource {
 	return &schema.Resource{
 		SchemaVersion: 1,
 
-		Create: gcpAuthResourceWrite,
+		Create: gcpAuthResourceCreate,
 		Update: gcpAuthResourceUpdate,
 		Read:   gcpAuthResourceRead,
 		Delete: gcpAuthResourceDelete,
@@ -30,10 +30,21 @@ func gcpAuthBackendRoleResource() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"bound_projects": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional:      true,
+				ForceNew:      true,
+				ConflictsWith: []string{"project_id"},
+			},
 			"project_id": {
-				Type:     schema.TypeString,
-				Required: true,
-				ForceNew: true,
+				Type:          schema.TypeString,
+				Optional:      true,
+				ForceNew:      true,
+				Deprecated:    `Use "bound_projects"`,
+				ConflictsWith: []string{"bound_projects"},
 			},
 			"ttl": {
 				Type:     schema.TypeString,
@@ -115,7 +126,7 @@ func gcpRoleResourcePath(backend, role string) string {
 	return "auth/" + strings.Trim(backend, "/") + "/role/" + strings.Trim(role, "/")
 }
 
-func gcpAuthResourceWrite(d *schema.ResourceData, meta interface{}) error {
+func gcpAuthResourceCreate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
 	backend := d.Get("backend").(string)
@@ -133,6 +144,10 @@ func gcpAuthResourceWrite(d *schema.ResourceData, meta interface{}) error {
 		data["project_id"] = v.(string)
 	}
 
+	if v, ok := d.GetOk("bound_projects"); ok {
+		data["bound_projects"] = v.(*schema.Set).List()
+	}
+
 	if v, ok := d.GetOk("ttl"); ok {
 		data["ttl"] = v.(string)
 	}
@@ -223,6 +238,14 @@ func gcpAuthResourceUpdate(d *schema.ResourceData, meta interface{}) error {
 		data["bound_labels"] = v.(*schema.Set).List()
 	}
 
+	if v, ok := d.GetOk("project_id"); ok {
+		data["project_id"] = v.(string)
+	}
+
+	if v, ok := d.GetOk("bound_projects"); ok {
+		data["bound_projects"] = v.(*schema.Set).List()
+	}
+
 	log.Printf("[DEBUG] Updating role %q in GCP auth backend", path)
 	_, err := client.Logical().Write(path, data)
 	if err != nil {
@@ -252,7 +275,14 @@ func gcpAuthResourceRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("ttl", resp.Data["ttl"])
 	d.Set("max_ttl", resp.Data["max_ttl"])
-	d.Set("project_id", resp.Data["project_id"])
+
+	if v, ok := d.GetOk("project_id"); ok {
+		d.Set("project_id", v)
+	}
+	if v, ok := d.GetOk("bound_projects"); ok {
+		d.Set("bound_projects", v)
+	}
+
 	d.Set("period", resp.Data["period"])
 
 	// These checks are done for backwards compatibility. The 'type' key used to be

diff --git a/vault/resource_gcp_auth_backend_role_test.go b/vault/resource_gcp_auth_backend_role_test.go
@@ -106,8 +106,8 @@ func testGCPAuthBackendRoleCheck_attrs(backend, name string) resource.TestCheckF
 		}
 
 		attrs := map[string]string{
-			"type":                   "role_type",
-			"project_id":             "project_id",
+			"type":                   "type",
+			"bound_projects":         "project_id",
 			"ttl":                    "ttl",
 			"max_ttl":                "max_ttl",
 			"period":                 "period",

diff --git a/website/docs/r/gcp_auth_backend_role.html.md b/website/docs/r/gcp_auth_backend_role.html.md
@@ -35,7 +35,7 @@ The following arguments are supported:
 
 * `type` - (Required) Type of GCP authentication role (either `gce` or `iam`)
 
-* `project_id` - (Required) GCP Project that the role exists within
+* `project_id` - (Optional, Deprecated) GCP Project that the role exists within
 
 * `ttl` - (Optional) Default TTL of tokens issued by the backend
 
@@ -61,6 +61,8 @@ The following parameters are only valid when the role is of type `"gce"`:
 
 * `bound_labels` - (Optional) A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
 
+* `bound_projects` - (Optional) GCP Projects that the role exists within
+
 For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api/auth/gcp/index.html).
 
 ## Attribute Reference