Merge branch 'release/1.19.x' into backport/VAULT-31443/update/vault-…

…plugin-secrets-gcpkms/v0.20.0/heartily-unique-macaque
hashicorp · Feb 13, 2025 · f07ecc7 · f07ecc7
2 parents 7329753 + 61d457f
commit f07ecc7
Show file tree

Hide file tree

Showing 12 changed files with 224 additions and 251 deletions.
diff --git a/changelog/29613.txt b/changelog/29613.txt
@@ -0,0 +1,3 @@
+```release-note:change
+auth/alicloud: Update plugin to v0.20.0
+```
diff --git a/go.mod b/go.mod
@@ -136,7 +136,7 @@ require (
 	github.com/hashicorp/raft-snapshot v1.0.4
 	github.com/hashicorp/raft-wal v0.4.0
 	github.com/hashicorp/vault-hcp-lib v0.0.0-20240704151836-a5c058ac604c
-	github.com/hashicorp/vault-plugin-auth-alicloud v0.19.0
+	github.com/hashicorp/vault-plugin-auth-alicloud v0.20.0
 	github.com/hashicorp/vault-plugin-auth-azure v0.20.0
 	github.com/hashicorp/vault-plugin-auth-cf v0.20.0
 	github.com/hashicorp/vault-plugin-auth-gcp v0.20.0

diff --git a/go.sum b/go.sum
@@ -1563,8 +1563,8 @@ github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY
 github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
 github.com/hashicorp/vault-hcp-lib v0.0.0-20240704151836-a5c058ac604c h1:LCwgi0iiq6pPIRWG80MWwZfPxO2xoHPYwShWfnhAhNI=
 github.com/hashicorp/vault-hcp-lib v0.0.0-20240704151836-a5c058ac604c/go.mod h1:Nb41BTPvmFbKB73D/+XpxIw6Nf2Rt+AOUvLzlDxwAGQ=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.19.0 h1:LgNFlAgUsOjt8THbhcnWDyfdiSwPIajfay6ltdg3d6I=
-github.com/hashicorp/vault-plugin-auth-alicloud v0.19.0/go.mod h1:hkcOv6HSKRMWwZA/YZ6OgStW6iQXCv90KfSTJYbt5vc=
+github.com/hashicorp/vault-plugin-auth-alicloud v0.20.0 h1:yw96/zWrNPFTH8yTqTvVtraJ3EWk9vewvx1H7X6lekI=
+github.com/hashicorp/vault-plugin-auth-alicloud v0.20.0/go.mod h1:aAE14G1n1/Qw5/Vj+P0eaEuo8m6op2/3RhR4gN3q5AI=
 github.com/hashicorp/vault-plugin-auth-azure v0.20.0 h1:U61a6ftWbWdNePzULeV/qtTFwKVAofS8d49VYqSUzV0=
 github.com/hashicorp/vault-plugin-auth-azure v0.20.0/go.mod h1:AsV1KgBBqVAQ2pEzMlcR/I+d5jHmpslDFdIXmdjTB3M=
 github.com/hashicorp/vault-plugin-auth-cf v0.20.0 h1:KOdNy0uSffjw0sOU9zg9JgdCkuRPcqOjOIxyV2NZLjg=

diff --git a/ui/tests/helpers/openapi/expected-auth-attrs.js b/ui/tests/helpers/openapi/expected-auth-attrs.js
@@ -378,6 +378,13 @@ const gcp = {
       fieldGroup: 'default',
       type: 'object',
     },
+    disableAutomatedRotation: {
+      editType: 'boolean',
+      fieldGroup: 'default',
+      helpText:
+        'If set to true, will deregister all registered rotation jobs from the RotationManager for the plugin.',
+      type: 'boolean',
+    },
     gceAlias: {
       editType: 'string',
       helpText: 'Indicates what value to use when generating an alias for GCE authentications.',
@@ -417,6 +424,27 @@ const gcp = {
       fieldGroup: 'default',
       helpText: 'Time-to-live of plugin identity tokens',
     },
+    rotationPeriod: {
+      editType: 'number',
+      fieldGroup: 'default',
+      helpText:
+        'TTL for automatic credential rotation of the given username. Mutually exclusive with rotation_schedule',
+      type: 'number',
+    },
+    rotationSchedule: {
+      editType: 'string',
+      fieldGroup: 'default',
+      helpText:
+        'CRON-style string that will define the schedule on which rotations should occur. Mutually exclusive with rotation_period',
+      type: 'string',
+    },
+    rotationWindow: {
+      editType: 'number',
+      fieldGroup: 'default',
+      helpText:
+        'Specifies the amount of time in which the rotation is allowed to occur starting from a given rotation_schedule',
+      type: 'number',
+    },
     serviceAccountEmail: {
       editType: 'string',
       fieldGroup: 'default',

diff --git a/website/content/docs/commands/operator/import.mdx b/website/content/docs/commands/operator/import.mdx
@@ -54,48 +54,28 @@ Output:
 ## Configuration
 
 The `operator import` command uses a dedicated configuration file to specify the source,
-destination, and mapping rules. To learn more about these types and secrets importing in
+destination, and mapping rules. To learn more about these types and secrets importing in 
 general, refer to the [Secrets Import documentation](/vault/docs/import).
 
 ```hcl
 source_gcp {
-  name             = "my-src-1"
-  credentials_file = "/path/to/service-account-key.json"
-}
-
-source_aws {
-  name                = "my-src-2"
-  credentials_profile = "my-profile-name"
-}
-
-source_azure {
-  name                = "my-src-3"
-  # Use default credentials from doing an az login
+  name        = "my-gcp-source-1"
+  credentials = "@/path/to/service-account-key.json"
 }
 
 destination_vault {
   name      = "my-dest-1"
   address   = "http://127.0.0.1:8200/"
+  token     = "root"
   namespace = "ns-1"
   mount     = "mount-1"
 }
 
-mapping {
+mapping_passthrough {
   name        = "my-map-1"
-  source      = "my-src-1"
-  destination = "my-dest-1"
-}
-
-mapping {
-  name        = "my-map-2"
-  source      = "my-src-2"
-  destination = "my-dest-1"
-}
-
-mapping {
-  name        = "my-map-3"
-  source      = "my-src-3"
+  source      = "my-gcp-1"
   destination = "my-dest-1"
+  priority    = 1
 }
 ```
 

diff --git a/website/content/docs/import/awssm.mdx b/website/content/docs/import/awssm.mdx
diff --git a/website/content/docs/import/azurekv.mdx b/website/content/docs/import/azurekv.mdx
diff --git a/website/content/docs/import/gcpsm.mdx b/website/content/docs/import/gcpsm.mdx
@@ -7,16 +7,18 @@ description: The Google Cloud Platform Secret Manager source imports secrets fro
 # GCP secret import source
 
 Use the GCP source to import secret data from GCP Secret Manager into your Vault instance. To use dynamic
-credentials with GCP import, ensure the [GCP secrets engine](/vault/docs/secrets/gcp) is already configured.
+credentials with GCP import, ensure the [GCP secrets engine](/vault/docs/secrets/gcp) is
+already configured.
 
 ## Argument reference
 
 Refer to the [HCL syntax](/vault/docs/import#hcl-syntax-1) for arguments common to all source types.
 
 ## Additional arguments
 
-- `credentials_file` `(string: "")` - The path to the service account key credentials file to authenticate with.
-  If `credentials_file` is set, then `vault_mount_path` and `vault_role_name` must be unset.
+- `credentials` `(string: "")` - The path to the service account key credentials file for the service account
+  with the [necessary permissions](#permissions). If `credentials` is set, then `vault_mount_path` and
+  `vault_role_name` must be unset.
 
 - `vault_mount_path` `(string: "")` - The Vault mount path to a pre-configured GCP
   secrets engine used to generate dynamic credentials for the importer. If one of