From 9823d5f095b4d30c9d0812b762cc0c2e98f12d0e Mon Sep 17 00:00:00 2001 From: rculpepper Date: Wed, 30 Jul 2025 14:07:16 -0400 Subject: [PATCH 1/6] add token_auth_metadata field --- vault/auth_token.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/vault/auth_token.go b/vault/auth_token.go index 76989f6ef2..5bf65b51ca 100644 --- a/vault/auth_token.go +++ b/vault/auth_token.go @@ -23,6 +23,7 @@ const ( TokenFieldPolicies = "token_policies" TokenFieldType = "token_type" TokenFieldNumUses = "token_num_uses" + TokenFieldAuthMetadata = "token_auth_metadata" // Vault 1.21+ ) var commonTokenFields = []string{ @@ -35,6 +36,7 @@ var commonTokenFields = []string{ TokenFieldPolicies, TokenFieldType, TokenFieldNumUses, + TokenFieldAuthMetadata, } type addTokenFieldsConfig struct { @@ -121,6 +123,12 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf Optional: true, ConflictsWith: config.TokenNumUsesConflict, } + + fields[TokenFieldAuthMetadata] = &schema.Schema{ + Type: schema.TypeMap, + Description: "", + Optional: true, + } } func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config *addTokenFieldsConfig) { @@ -203,6 +211,10 @@ func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config if !conflicted { data[TokenFieldBoundCIDRs] = d.Get(TokenFieldBoundCIDRs).(*schema.Set).List() } + + if metadata, ok := d.GetOk(TokenFieldAuthMetadata); ok { + data[TokenFieldAuthMetadata] = metadata + } } func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, create bool) { @@ -242,6 +254,10 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea if v, ok := d.GetOk(TokenFieldNumUses); ok { data[TokenFieldNumUses] = v.(int) } + + if v, ok := d.GetOk(TokenFieldAuthMetadata); ok { + data[TokenFieldAuthMetadata] = v + } } else { if d.HasChange(TokenFieldBoundCIDRs) { data[TokenFieldBoundCIDRs] = d.Get(TokenFieldBoundCIDRs).(*schema.Set).List() 
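Review bot: `Description: ""` on the new `fields[TokenFieldAuthMetadata]` schema in addTokenFields leaves the attribute undocumented in the generated provider docs, and the `// Vault 1.21+` comment on the constant is then the only place the version requirement is recorded; the reformat of this block in the second patch keeps the empty string. Suggest `Description: "Metadata, as key/value pairs, to be tied to generated tokens. Requires Vault 1.21+.",` and, if the Enterprise condition the third patch's test skips encode is a server-side requirement, state that there too. The website docs added in the fourth patch say "a list or map", which does not match a `schema.TypeMap` attribute, so the Description should say map only. Consider making the element type explicit with `Elem: &schema.Schema{Type: schema.TypeString},` so the accepted value type is visible at the definition. addTokenFields starts before this hunk.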
@@ -278,6 +294,10 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea if d.HasChange(TokenFieldNumUses) { data[TokenFieldNumUses] = d.Get(TokenFieldNumUses).(int) } + + if d.HasChange(TokenFieldAuthMetadata) { + data[TokenFieldAuthMetadata] = d.Get(TokenFieldAuthMetadata) + } } } From fe4f3633dae446a6212e82cb7c1579d0d13b97b1 Mon Sep 17 00:00:00 2001 From: rculpepper Date: Tue, 5 Aug 2025 12:28:22 -0400 Subject: [PATCH 2/6] add token_auth_metadata field to auth role endpoints --- vault/auth_token.go | 20 ++++++--- vault/auth_token_test.go | 5 +++ ...ource_approle_auth_backend_role_id_test.go | 4 +- ...resource_approle_auth_backend_role_test.go | 44 ++++++++++++++++--- vault/resource_aws_auth_backend_role_test.go | 13 ++++-- vault/resource_cert_auth_backend_role_test.go | 24 ++++++++-- vault/resource_github_auth_backend_test.go | 29 +++++++++--- vault/resource_ldap_auth_backend_test.go | 27 ++++++++---- vault/resource_okta_auth_backend_test.go | 34 +++++++++++--- vault/resource_scep_auth_backend_role_test.go | 25 +++++++++++ 10 files changed, 186 insertions(+), 39 deletions(-) diff --git a/vault/auth_token.go b/vault/auth_token.go index 5bf65b51ca..fddff80cf4 100644 --- a/vault/auth_token.go +++ b/vault/auth_token.go @@ -47,6 +47,7 @@ type addTokenFieldsConfig struct { TokenPeriodConflict []string TokenPoliciesConflict []string TokenTTLConflict []string + TokenAuthMetadataConflict []string TokenTypeDefault string } @@ -125,9 +126,10 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf } fields[TokenFieldAuthMetadata] = &schema.Schema{ - Type: schema.TypeMap, - Description: "", - Optional: true, + Type: schema.TypeMap, + Description: "", + Optional: true, + ConflictsWith: config.TokenAuthMetadataConflict, } } 
@@ -212,8 +214,16 @@ func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config data[TokenFieldBoundCIDRs] = d.Get(TokenFieldBoundCIDRs).(*schema.Set).List() } - if metadata, ok := d.GetOk(TokenFieldAuthMetadata); ok { - data[TokenFieldAuthMetadata] = metadata + conflicted = false + for _, k := range config.TokenAuthMetadataConflict { + if _, ok := d.GetOk(k); ok { + conflicted = true + break + } + } + + if !conflicted { + data[TokenFieldAuthMetadata] = d.Get(TokenFieldAuthMetadata) } } diff --git a/vault/auth_token_test.go b/vault/auth_token_test.go index ba02b8f6e7..cffa250f2e 100644 --- a/vault/auth_token_test.go +++ b/vault/auth_token_test.go @@ -12,6 +12,11 @@ import ( "github.com/hashicorp/vault/api" ) +const tokenAuthMetadataConfig = ` + token_auth_metadata = { + "foo" = "bar" + }` + func Test_handleCIDRField(t *testing.T) { tests := []struct { name string diff --git a/vault/data_source_approle_auth_backend_role_id_test.go b/vault/data_source_approle_auth_backend_role_id_test.go index 914251ce75..7d4f9dd7c2 100644 --- a/vault/data_source_approle_auth_backend_role_id_test.go +++ b/vault/data_source_approle_auth_backend_role_id_test.go @@ -24,7 +24,7 @@ func TestAccAppRoleAuthBackendRoleID_basic(t *testing.T) { CheckDestroy: testAccCheckAppRoleAuthBackendRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role), + Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "backend", backend), 
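Review bot: The rewritten tail of setTokenFields now executes `data[TokenFieldAuthMetadata] = d.Get(TokenFieldAuthMetadata)` whenever no conflicting field is set, so an empty map is sent when the attribute is absent and the key is sent to every Vault version, whereas the test steps added in the third patch only run against Vault 1.21+ Enterprise. If this provider gates version-specific request fields elsewhere with `IsAPISupported`, the same gate belongs here; if the unconditional send is intended so that deleting the block clears metadata in Vault, record that with a comment such as `// always sent so that removing the block clears token metadata in Vault`. The new loop over `config.TokenAuthMetadataConflict` mirrors the CIDR conflict loop just above it, so a small helper taking the conflict list and returning a bool would remove the duplication and the reuse of `conflicted`. setTokenFields starts before this hunk.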
@@ -92,7 +92,7 @@ func testAccAppRoleAuthBackendRoleIDConfig_basic(backend, role string) string { data "vault_approle_auth_backend_role_id" "role" { backend = "%s" role_name = "%s" -}`, testAccAppRoleAuthBackendRoleConfig_basic(backend, role), backend, role) +}`, testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), backend, role) } func testAccAppRoleAuthBackendRoleIDConfig_customID(backend, role, roleID string) string { diff --git a/vault/resource_approle_auth_backend_role_test.go b/vault/resource_approle_auth_backend_role_test.go index a32c4fac0f..950e2922b9 100644 --- a/vault/resource_approle_auth_backend_role_test.go +++ b/vault/resource_approle_auth_backend_role_test.go @@ -71,7 +71,7 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) { CheckDestroy: testAccCheckAppRoleAuthBackendRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role), + Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "backend", backend), 
@@ -99,6 +99,39 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) { "secret_id_bound_cidrs.#", "0"), ), }, + { + Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, tokenAuthMetadataConfig), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "backend", backend), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "role_name", role), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_policies.#", "3"), + resource.TestCheckResourceAttrSet("vault_approle_auth_backend_role.role", + "role_id"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_ttl", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_max_ttl", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_num_uses", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "secret_id_ttl", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "secret_id_num_uses", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_period", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "bind_secret_id", "true"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "secret_id_bound_cidrs.#", "0"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", + "token_auth_metadata.foo", "bar"), + ), + }, }, }) } 
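Review bot: The new step sets `token_auth_metadata` but no later step returns to `testAccAppRoleAuthBackendRoleConfig_basic(backend, role, "")`, so the removal path — whichever of setTokenFields or updateTokenFields this resource uses sending the now-empty map — is never exercised and drift between state and Vault after the block is deleted would go unnoticed. Add a follow-up step with the empty extra config that asserts `resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "token_auth_metadata.%", "0")`. The same gap exists in the metadata steps for the cert, GitHub, LDAP, Okta and SCEP tests later in this patch. TestAccAppRoleAuthBackendRole_basic starts before this hunk.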
@@ -113,7 +146,7 @@ func TestAccAppRoleAuthBackendRole_update(t *testing.T) { CheckDestroy: testAccCheckAppRoleAuthBackendRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role), + Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "backend", backend), @@ -281,7 +314,7 @@ func TestAccAppRoleAuthBackendRole_fullUpdate(t *testing.T) { ), }, { - Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role), + Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "backend", backend), @@ -335,7 +368,7 @@ func testAccCheckAppRoleAuthBackendRoleDestroy(s *terraform.State) error { return nil } -func testAccAppRoleAuthBackendRoleConfig_basic(backend, role string) string { +func testAccAppRoleAuthBackendRoleConfig_basic(backend, role, extraConfig string) string { return fmt.Sprintf(` resource "vault_auth_backend" "approle" { type = "approle" @@ -346,7 +379,8 @@ resource "vault_approle_auth_backend_role" "role" { backend = vault_auth_backend.approle.path role_name = "%s" token_policies = ["default", "dev", "prod"] -}`, backend, role) + %s +}`, backend, role, extraConfig) } func testAccAppRoleAuthBackendRoleConfig_update(backend, role string) string { diff --git a/vault/resource_aws_auth_backend_role_test.go b/vault/resource_aws_auth_backend_role_test.go index db6c2665c2..b4713a47ba 100644 --- a/vault/resource_aws_auth_backend_role_test.go +++ b/vault/resource_aws_auth_backend_role_test.go 
@@ -27,7 +27,7 @@ func TestAccAWSAuthBackendRole_importInferred(t *testing.T) { CheckDestroy: testAccCheckAWSAuthBackendRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role), + Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, ""), Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), }, { @@ -102,7 +102,11 @@ func TestAccAWSAuthBackendRole_inferred(t *testing.T) { CheckDestroy: testAccCheckAWSAuthBackendRoleDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role), + Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, ""), + Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), + }, + { + Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, tokenAuthMetadataConfig), Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), }, }, @@ -294,7 +298,7 @@ func testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role string) re } } -func testAccAWSAuthBackendRoleConfig_inferred(backend, role string) string { +func testAccAWSAuthBackendRoleConfig_inferred(backend, role, extraConfig string) string { return fmt.Sprintf(` resource "vault_auth_backend" "aws" { type = "aws" @@ -316,7 +320,8 @@ resource "vault_aws_auth_backend_role" "role" { token_ttl = 60 token_max_ttl = 120 token_policies = ["default", "dev", "prod"] -}`, backend, role) + %s +}`, backend, role, extraConfig) } func testAccAWSAuthBackendRoleConfig_iam(backend, role string) string { diff --git a/vault/resource_cert_auth_backend_role_test.go b/vault/resource_cert_auth_backend_role_test.go index f648fc9d10..9e6374d891 100644 --- a/vault/resource_cert_auth_backend_role_test.go +++ b/vault/resource_cert_auth_backend_role_test.go 
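Review bot: In the `@@ -102` hunk the added step with `tokenAuthMetadataConfig` only reruns `testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role)`, so nothing asserts that `token_auth_metadata` reached Vault or came back into state, unlike the AppRole, cert, GitHub, LDAP, Okta and SCEP tests in this patch which check `token_auth_metadata.%` and `token_auth_metadata.foo`. Wrap the check in `resource.ComposeTestCheckFunc` and add `resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1")` and `resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar")`. Whether `testAccAWSAuthBackendRoleCheck_attrs` already compares every state attribute against the API response is not visible here. TestAccAWSAuthBackendRole_inferred starts before that hunk.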
@@ -90,7 +90,7 @@ func TestCertAuthBackend(t *testing.T) { CheckDestroy: testCertAuthBackendDestroy, Steps: []resource.TestStep{ { - Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, allowedNames, allowedOrgUnits), + Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, "", allowedNames, allowedOrgUnits), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "backend", backend), resource.TestCheckResourceAttr(resourceName, "name", name), @@ -117,6 +117,23 @@ func TestCertAuthBackend(t *testing.T) { testCertAuthBackendCheck_attrs(resourceName, backend, name), ), }, + { + Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, tokenAuthMetadataConfig, allowedNames, allowedOrgUnits), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "backend", backend), + resource.TestCheckResourceAttr(resourceName, "name", name), + resource.TestCheckResourceAttr(resourceName, "token_policies.#", "2"), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "300"), + resource.TestCheckResourceAttr(resourceName, "token_max_ttl", "600"), + resource.TestCheckResourceAttr(resourceName, "allowed_names.#", "2"), + resource.TestCheckResourceAttr(resourceName, "allowed_organizational_units.#", "2"), + resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "foo"), + resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "baz"), + testCertAuthBackendCheck_attrs(resourceName, backend, name), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + ), + }, }, }) } 
@@ -253,7 +270,7 @@ func testCertAuthBackendCheck_attrs(resourceName, backend, name string) resource } } -func testCertAuthBackendConfig_basic(backend, name, certificate string, allowedNames, allowedOrgUnits []string) string { +func testCertAuthBackendConfig_basic(backend, name, certificate, extraConfig string, allowedNames, allowedOrgUnits []string) string { config := fmt.Sprintf(` resource "vault_auth_backend" "cert" { @@ -272,8 +289,9 @@ EOF token_max_ttl = 600 token_policies = ["test_policy_1", "test_policy_2"] allowed_organizational_units = %s + %s } -`, backend, name, certificate, util.ArrayToTerraformList(allowedNames), util.ArrayToTerraformList(allowedOrgUnits)) +`, backend, name, certificate, util.ArrayToTerraformList(allowedNames), util.ArrayToTerraformList(allowedOrgUnits), extraConfig) return config } diff --git a/vault/resource_github_auth_backend_test.go b/vault/resource_github_auth_backend_test.go index adee759fdc..ee7df4bf7e 100644 --- a/vault/resource_github_auth_backend_test.go +++ b/vault/resource_github_auth_backend_test.go @@ -39,7 +39,7 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeGitHub, consts.FieldPath), Steps: []resource.TestStep{ { - Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg), + Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, ""), Check: resource.ComposeTestCheckFunc( testutil.TestAccCheckAuthMountExists(resourceName, &resAuth, 
@@ -69,6 +69,24 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { resource.TestCheckResourceAttrPtr(resourceName, "accessor", &resAuth.Accessor), ), }, + { + Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, tokenAuthMetadataConfig), + Check: resource.ComposeTestCheckFunc( + testutil.TestAccCheckAuthMountExists(resourceName, + &resAuth, + testProvider.Meta().(*provider.ProviderMeta).MustGetClient()), + resource.TestCheckResourceAttr(resourceName, "id", path), + resource.TestCheckResourceAttr(resourceName, consts.FieldPath, path), + resource.TestCheckResourceAttr(resourceName, "organization", testGHOrg), + // expect computed value for organization_id + resource.TestCheckResourceAttr(resourceName, "organization_id", "2999"), + resource.TestCheckResourceAttr(resourceName, "token_ttl", "1200"), + resource.TestCheckResourceAttr(resourceName, "token_max_ttl", "3000"), + resource.TestCheckResourceAttrPtr(resourceName, "accessor", &resAuth.Accessor), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + ), + }, }, }) } @@ -284,7 +302,7 @@ func TestGithubAuthBackend_remount(t *testing.T) { CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeGitHub, consts.FieldPath), Steps: []resource.TestStep{ { - Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg), + Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, ""), Check: resource.ComposeTestCheckFunc( testutil.TestAccCheckAuthMountExists(resourceName, &resAuth, @@ -300,7 +318,7 @@ func TestGithubAuthBackend_remount(t *testing.T) { ), }, { - Config: testAccGithubAuthBackendConfig_basic(updatedPath, testGHOrg), + Config: testAccGithubAuthBackendConfig_basic(updatedPath, testGHOrg, ""), Check: resource.ComposeTestCheckFunc( testutil.TestAccCheckAuthMountExists(resourceName, &resAuth, 
@@ -320,15 +338,16 @@ func TestGithubAuthBackend_remount(t *testing.T) { }) } -func testAccGithubAuthBackendConfig_basic(path, org string) string { +func testAccGithubAuthBackendConfig_basic(path, org, extraConfig string) string { return fmt.Sprintf(` resource "vault_github_auth_backend" "test" { path = "%s" organization = "%s" token_ttl = 1200 token_max_ttl = 3000 + %s } -`, path, org) +`, path, org, extraConfig) } func testAccGithubAuthBackendConfig_ns(ns, path, org string) string { diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go index 4ea743cdc2..e8870f8e14 100644 --- a/vault/resource_ldap_auth_backend_test.go +++ b/vault/resource_ldap_auth_backend_test.go 
@@ -29,25 +29,33 @@ func TestLDAPAuthBackend_basic(t *testing.T) { CheckDestroy: testLDAPAuthBackendDestroy, Steps: []resource.TestStep{ { - Config: testLDAPAuthBackendConfig_basic(path, "true", "true"), + Config: testLDAPAuthBackendConfig_basic(path, "true", "true", ""), Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, { - Config: testLDAPAuthBackendConfig_basic(path, "false", "true"), + Config: testLDAPAuthBackendConfig_basic(path, "false", "true", ""), Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, { - Config: testLDAPAuthBackendConfig_basic(path, "true", "false"), + Config: testLDAPAuthBackendConfig_basic(path, "true", "false", ""), Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, { - Config: testLDAPAuthBackendConfig_basic(path, "false", "false"), + Config: testLDAPAuthBackendConfig_basic(path, "false", "false", ""), Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, { - Config: testLDAPAuthBackendConfig_basic(path, "true", "false"), + Config: testLDAPAuthBackendConfig_basic(path, "true", "false", ""), Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, + { + Config: testLDAPAuthBackendConfig_basic(path, "true", "true", tokenAuthMetadataConfig), + Check: resource.ComposeTestCheckFunc( + testLDAPAuthBackendCheck_attrs(resourceName, path), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + ), + }, testutil.GetImportTestStep(resourceName, false, nil, "bindpass", "disable_remount"), }, }) 
@@ -101,14 +109,14 @@ func TestLDAPAuthBackend_remount(t *testing.T) { PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testLDAPAuthBackendConfig_basic(path, "true", "true"), + Config: testLDAPAuthBackendConfig_basic(path, "true", "true", ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "path", path), testLDAPAuthBackendCheck_attrs(resourceName, path), ), }, { - Config: testLDAPAuthBackendConfig_basic(updatedPath, "true", "true"), + Config: testLDAPAuthBackendConfig_basic(updatedPath, "true", "true", ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "path", updatedPath), testLDAPAuthBackendCheck_attrs(resourceName, updatedPath), @@ -303,7 +311,7 @@ func testLDAPAuthBackendCheck_attrs(resourceName string, name string) resource.T } } -func testLDAPAuthBackendConfig_basic(path, use_token_groups string, local string) string { +func testLDAPAuthBackendConfig_basic(path, use_token_groups, local, extraConfig string) string { return fmt.Sprintf(` resource "vault_ldap_auth_backend" "test" { path = "%s" @@ -323,8 +331,9 @@ resource "vault_ldap_auth_backend" "test" { username_as_alias = true use_token_groups = %s connection_timeout = 30 + %s } -`, path, local, use_token_groups) +`, path, local, use_token_groups, extraConfig) } func testLDAPAuthBackendConfig_tls(path, use_token_groups string, local string) string { diff --git a/vault/resource_okta_auth_backend_test.go b/vault/resource_okta_auth_backend_test.go index 6c96d4b135..0d49cfa241 100644 --- a/vault/resource_okta_auth_backend_test.go +++ b/vault/resource_okta_auth_backend_test.go 
@@ -28,7 +28,7 @@ func TestAccOktaAuthBackend_basic(t *testing.T) { CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath), Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_basic(path, organization), + Config: testAccOktaAuthConfig_basic(path, organization, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), resource.TestCheckResourceAttr(resourceName, consts.FieldOrganization, "example"), 
@@ -61,6 +61,27 @@ func TestAccOktaAuthBackend_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "example"), ), }, + { + Config: testAccOktaAuthConfig_basic(path, organization, tokenAuthMetadataConfig), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), + resource.TestCheckResourceAttr(resourceName, consts.FieldOrganization, "example"), + resource.TestCheckResourceAttr(resourceName, consts.FieldDescription, "Testing the Terraform okta auth backend"), + resource.TestCheckResourceAttrSet(resourceName, consts.FieldAccessor), + resource.TestCheckResourceAttr(resourceName, "group.#", "1"), + resource.TestCheckResourceAttr(resourceName, "group.0.group_name", "dummy"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.#", "3"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.0", "default"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.1", "one"), + resource.TestCheckResourceAttr(resourceName, "group.0.policies.2", "two"), + resource.TestCheckResourceAttr(resourceName, "user.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.username", "foo"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), + resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "dummy"), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + ), + }, }, }) } 
@@ -78,7 +99,7 @@ func TestAccOktaAuthBackend_import(t *testing.T) { CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeOkta, consts.FieldPath), Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_basic(path, organization), + Config: testAccOktaAuthConfig_basic(path, organization, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), resource.TestCheckResourceAttr(resourceName, consts.FieldOrganization, "example"), @@ -162,7 +183,7 @@ func TestAccOktaAuthBackend_remount(t *testing.T) { PreCheck: func() { testutil.TestAccPreCheck(t) }, Steps: []resource.TestStep{ { - Config: testAccOktaAuthConfig_basic(path, organization), + Config: testAccOktaAuthConfig_basic(path, organization, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, consts.FieldPath, path), resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), @@ -172,7 +193,7 @@ func TestAccOktaAuthBackend_remount(t *testing.T) { ), }, { - Config: testAccOktaAuthConfig_basic(updatedPath, organization), + Config: testAccOktaAuthConfig_basic(updatedPath, organization, ""), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, consts.FieldPath, updatedPath), resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), @@ -219,7 +240,7 @@ func TestAccOktaAuthBackend_TokenFields(t *testing.T) { }) } -func testAccOktaAuthConfig_basic(path string, organization string) string { +func testAccOktaAuthConfig_basic(path, organization, extraConfig string) string { return fmt.Sprintf(` resource "vault_okta_auth_backend" "test" { description = "Testing the Terraform okta auth backend" @@ -235,8 +256,9 @@ resource "vault_okta_auth_backend" "test" { username = "foo" groups = ["dummy"] } + %s } -`, path, organization) +`, path, organization, extraConfig) } func testAccOktaAuthConfig_updated(path string, organization string) string { 
diff --git a/vault/resource_scep_auth_backend_role_test.go b/vault/resource_scep_auth_backend_role_test.go index 244ed3bb77..6b4fde82da 100644 --- a/vault/resource_scep_auth_backend_role_test.go +++ b/vault/resource_scep_auth_backend_role_test.go @@ -71,6 +71,31 @@ resource "vault_scep_auth_backend_role" "test" { resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "challenge", ""), ), }, + { + Config: fmt.Sprintf(` +resource "vault_auth_backend" "scep" { + path = "%s" + type = "scep" +} +resource "vault_scep_auth_backend_role" "test" { + backend = vault_auth_backend.scep.id + name = "%s" + display_name = "Almondiga" + auth_type = "static-challenge" + %s +} + `, backend, name, tokenAuthMetadataConfig), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "backend", backend), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "name", name), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "display_name", "Almondiga"), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "auth_type", "static-challenge"), + // Note that the challenge is not returned, since the resource was updated and no new challenge was specified + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "challenge", ""), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "token_auth_metadata.%", "1"), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "token_auth_metadata.foo", "bar"), + ), + }, }, }) } From 2b77ee3ab622eed94f3706c6a1c41124a2e19b30 Mon Sep 17 00:00:00 2001 
From: rculpepper Date: Tue, 5 Aug 2025 13:48:45 -0400 Subject: [PATCH 3/6] add skip functions for tests --- internal/consts/consts.go | 1 + internal/provider/meta.go | 1 + vault/resource_approle_auth_backend_role_test.go | 8 ++++++++ vault/resource_aws_auth_backend_role_test.go | 8 ++++++++ vault/resource_cert_auth_backend_role_test.go | 8 ++++++++ vault/resource_github_auth_backend_test.go | 8 ++++++++ vault/resource_ldap_auth_backend_test.go | 8 ++++++++ vault/resource_okta_auth_backend_test.go | 10 +++++++++- vault/resource_scep_auth_backend_role_test.go | 8 ++++++++ 9 files changed, 59 insertions(+), 1 deletion(-) diff --git a/internal/consts/consts.go b/internal/consts/consts.go index 534b242d49..e5965b66b7 100644 --- a/internal/consts/consts.go +++ b/internal/consts/consts.go @@ -634,6 +634,7 @@ const ( VaultVersion1185 = "1.18.5" VaultVersion119 = "1.19.0" VaultVersion120 = "1.20.0" + VaultVersion121 = "1.21.0" /* Vault auth methods diff --git a/internal/provider/meta.go b/internal/provider/meta.go index f618cf946a..8b72402469 100644 --- a/internal/provider/meta.go +++ b/internal/provider/meta.go @@ -49,6 +49,7 @@ var ( VaultVersion1185 = version.Must(version.NewSemver(consts.VaultVersion1185)) VaultVersion119 = version.Must(version.NewSemver(consts.VaultVersion119)) VaultVersion120 = version.Must(version.NewSemver(consts.VaultVersion120)) + VaultVersion121 = version.Must(version.NewSemver(consts.VaultVersion121)) TokenTTLMinRecommended = time.Minute * 15 ) diff --git a/vault/resource_approle_auth_backend_role_test.go b/vault/resource_approle_auth_backend_role_test.go index 950e2922b9..1d77d2a95b 100644 --- a/vault/resource_approle_auth_backend_role_test.go +++ b/vault/resource_approle_auth_backend_role_test.go 
@@ -100,6 +100,14 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) { ), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, tokenAuthMetadataConfig), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", diff --git a/vault/resource_aws_auth_backend_role_test.go b/vault/resource_aws_auth_backend_role_test.go index b4713a47ba..6c54542d7c 100644 --- a/vault/resource_aws_auth_backend_role_test.go +++ b/vault/resource_aws_auth_backend_role_test.go @@ -106,6 +106,14 @@ func TestAccAWSAuthBackendRole_inferred(t *testing.T) { Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, tokenAuthMetadataConfig), Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), }, diff --git a/vault/resource_cert_auth_backend_role_test.go b/vault/resource_cert_auth_backend_role_test.go index 9e6374d891..7b0afb1b59 100644 --- a/vault/resource_cert_auth_backend_role_test.go +++ b/vault/resource_cert_auth_backend_role_test.go 
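Review bot: The eight-line `SkipFunc` closure added to this step is repeated verbatim in the AWS hunk below and in the cert, GitHub, LDAP, Okta and SCEP hunks that follow, which is the kind of duplication that drifts when the version or Enterprise condition changes. Define it once next to `tokenAuthMetadataConfig` in auth_token_test.go, e.g. `func skipIfTokenAuthMetadataUnsupported() (bool, error)` with this body, and set `SkipFunc: skipIfTokenAuthMetadataUnsupported,` in each step. That helper is also the natural place for a comment recording that `token_auth_metadata` needs Vault 1.21+ Enterprise, which neither the schema Description nor the changelog entry in the fourth patch states. TestAccAppRoleAuthBackendRole_basic starts before this hunk.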
@@ -118,6 +118,14 @@ func TestCertAuthBackend(t *testing.T) { ), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, tokenAuthMetadataConfig, allowedNames, allowedOrgUnits), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "backend", backend), diff --git a/vault/resource_github_auth_backend_test.go b/vault/resource_github_auth_backend_test.go index ee7df4bf7e..a7cf9e859e 100644 --- a/vault/resource_github_auth_backend_test.go +++ b/vault/resource_github_auth_backend_test.go @@ -70,6 +70,14 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { ), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, tokenAuthMetadataConfig), Check: resource.ComposeTestCheckFunc( testutil.TestAccCheckAuthMountExists(resourceName, diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go index e8870f8e14..4f79cf2d24 100644 --- a/vault/resource_ldap_auth_backend_test.go +++ b/vault/resource_ldap_auth_backend_test.go @@ -49,6 +49,14 @@ func TestLDAPAuthBackend_basic(t *testing.T) { Check: testLDAPAuthBackendCheck_attrs(resourceName, path), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testLDAPAuthBackendConfig_basic(path, "true", "true", tokenAuthMetadataConfig), Check: resource.ComposeTestCheckFunc( testLDAPAuthBackendCheck_attrs(resourceName, path), 
diff --git a/vault/resource_okta_auth_backend_test.go b/vault/resource_okta_auth_backend_test.go index 0d49cfa241..1aab553a3e 100644 --- a/vault/resource_okta_auth_backend_test.go +++ b/vault/resource_okta_auth_backend_test.go @@ -10,8 +10,8 @@ import ( "github.com/hashicorp/terraform-plugin-testing/helper/acctest" "github.com/hashicorp/terraform-plugin-testing/helper/resource" - "github.com/hashicorp/terraform-provider-vault/internal/consts" + "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/testutil" ) @@ -62,6 +62,14 @@ func TestAccOktaAuthBackend_basic(t *testing.T) { ), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: testAccOktaAuthConfig_basic(path, organization, tokenAuthMetadataConfig), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), diff --git a/vault/resource_scep_auth_backend_role_test.go b/vault/resource_scep_auth_backend_role_test.go index 6b4fde82da..779b2fc615 100644 --- a/vault/resource_scep_auth_backend_role_test.go +++ b/vault/resource_scep_auth_backend_role_test.go @@ -72,6 +72,14 @@ resource "vault_scep_auth_backend_role" "test" { ), }, { + SkipFunc: func() (bool, error) { + meta := testProvider.Meta().(*provider.ProviderMeta) + if !meta.IsAPISupported(provider.VaultVersion121) { + return true, nil + } + + return !meta.IsEnterpriseSupported(), nil + }, Config: fmt.Sprintf(` resource "vault_auth_backend" "scep" { path = "%s" From af4a5b4a7a92193e6306cdedfed15324cdfc4580 Mon Sep 17 00:00:00 2001 
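Review bot: The Okta import hunk replaces `"github.com/hashicorp/terraform-provider-vault/internal/consts"` with the `provider` import instead of adding it alongside, yet the file still references `consts.MountTypeOkta`, `consts.FieldPath`, `consts.FieldOrganization` and others in the context and added lines of its hunks in the second patch, so the test file should no longer compile (`undefined: consts`). The `-10,8 +10,8` counts and the file's `9 insertions, 1 deletion` diffstat are consistent with the line being dropped rather than moved, although the collapsed rendering could hide a relocation. Keep both lines: `"github.com/hashicorp/terraform-provider-vault/internal/consts"` and `"github.com/hashicorp/terraform-provider-vault/internal/provider"`. The import block is complete within the hunk.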
From: rculpepper Date: Tue, 5 Aug 2025 14:19:48 -0400 Subject: [PATCH 4/6] add docs and changelog --- CHANGELOG.md | 1 + website/docs/r/approle_auth_backend_role.html.md | 3 +++ website/docs/r/aws_auth_backend_role.html.md | 3 +++ website/docs/r/cert_auth_backend_role.html.md | 3 +++ website/docs/r/github_auth_backend.html.md | 3 +++ website/docs/r/ldap_auth_backend.html.md | 3 +++ website/docs/r/okta_auth_backend.html.md | 3 +++ website/docs/r/scep_auth_backend_role.html.md | 3 +++ 8 files changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4ced061ef..600333c0d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ FEATURES: * Add support for `root_password_ttl` in `vault_azure_secret_backend` resource. Requires Vault 1.15+ ([#2529](https://github.com/hashicorp/terraform-provider-vault/pull/2529)) * Add support for managed key parameters in the SSH CA config endpoint ([#2480](https://github.com/hashicorp/terraform-provider-vault/pull/2480)) * Add new resources `vault_oci_auth_backend` and `vault_oci_auth_backend_role` to manage OCI auth backend and roles. ([#1761](https://github.com/hashicorp/terraform-provider-vault/pull/1761)) +* Add support for `token_auth_metadata` field in auth resources ([#2547](https://github.com/hashicorp/terraform-provider-vault/pull/2547)) ## 5.1.0 (Jul 9, 2025) diff --git a/website/docs/r/approle_auth_backend_role.html.md b/website/docs/r/approle_auth_backend_role.html.md index 66f0ca6de1..d3f26678c5 100644 --- a/website/docs/r/approle_auth_backend_role.html.md +++ b/website/docs/r/approle_auth_backend_role.html.md 
@@ -95,6 +95,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +This should be a list or map containing the metadata in key value pairs. + ## Attributes Reference No additional attributes are exported by this resource. diff --git a/website/docs/r/aws_auth_backend_role.html.md b/website/docs/r/aws_auth_backend_role.html.md index 27c2df230d..8c1af826b3 100644 --- a/website/docs/r/aws_auth_backend_role.html.md +++ b/website/docs/r/aws_auth_backend_role.html.md @@ -172,6 +172,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + ## Attributes Reference * `role_id` - The Vault generated role ID. diff --git a/website/docs/r/cert_auth_backend_role.html.md b/website/docs/r/cert_auth_backend_role.html.md index 1e2204604b..a0ec3afa96 100644 --- a/website/docs/r/cert_auth_backend_role.html.md +++ b/website/docs/r/cert_auth_backend_role.html.md @@ -122,6 +122,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert). ## Attribute Reference 
diff --git a/website/docs/r/github_auth_backend.html.md b/website/docs/r/github_auth_backend.html.md index f257867225..1160c50996 100644 --- a/website/docs/r/github_auth_backend.html.md +++ b/website/docs/r/github_auth_backend.html.md @@ -121,6 +121,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + ## Import GitHub authentication mounts can be imported using the `path`, e.g. diff --git a/website/docs/r/ldap_auth_backend.html.md b/website/docs/r/ldap_auth_backend.html.md index 07670b1617..806e39a083 100644 --- a/website/docs/r/ldap_auth_backend.html.md +++ b/website/docs/r/ldap_auth_backend.html.md @@ -143,6 +143,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + For more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap). ~> **Important** Because Vault does not support reading the configured diff --git a/website/docs/r/okta_auth_backend.html.md b/website/docs/r/okta_auth_backend.html.md index 8fd7e056fa..e4fa4a597b 100644 --- a/website/docs/r/okta_auth_backend.html.md +++ b/website/docs/r/okta_auth_backend.html.md 
@@ -115,6 +115,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + ## Attributes Reference In addition to all arguments above, the following attributes are exported: diff --git a/website/docs/r/scep_auth_backend_role.html.md b/website/docs/r/scep_auth_backend_role.html.md index 607955d24b..1d6472bffe 100644 --- a/website/docs/r/scep_auth_backend_role.html.md +++ b/website/docs/r/scep_auth_backend_role.html.md @@ -86,6 +86,9 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. +* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. + This should be a list or map containing the metadata in key value pairs. + For more details on the usage of each argument consult the [Vault SCEP API documentation](https://developer.hashicorp.com/vault/docs/auth/scep). ## Attribute Reference From 247dab573dd2f12eb785d9de485d1b6c573ffefe Mon Sep 17 00:00:00 2001 From: rculpepper Date: Tue, 5 Aug 2025 14:47:56 -0400 Subject: [PATCH 5/6] add description --- vault/auth_token.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault/auth_token.go b/vault/auth_token.go index fddff80cf4..624286fafb 100644 --- a/vault/auth_token.go +++ b/vault/auth_token.go 
@@ -127,7 +127,7 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf
 fields[TokenFieldAuthMetadata] = &schema.Schema{
 Type: schema.TypeMap,
- Description: "",
+ Description: "The metadata to be tied to generated tokens.\n This should be a list or map containing the metadata in key value pairs.",
 Optional: true,
 ConflictsWith: config.TokenAuthMetadataConflict,
 }
From aac2633c3807a51e4e3e48b0e4ca34af686e1d6d Mon Sep 17 00:00:00 2001
From: rculpepper
Date: Mon, 15 Sep 2025 16:35:09 -0400
Subject: [PATCH 6/6] change name to alias_metadata
---
 CHANGELOG.md | 2 +-
 vault/auth_token.go | 24 +++++++++----------
 vault/auth_token_test.go | 4 ++--
 ...resource_approle_auth_backend_role_test.go | 6 ++---
 vault/resource_aws_auth_backend_role_test.go | 2 +-
 vault/resource_cert_auth_backend_role_test.go | 6 ++---
 vault/resource_github_auth_backend_test.go | 6 ++---
 vault/resource_ldap_auth_backend_test.go | 6 ++---
 vault/resource_okta_auth_backend_test.go | 6 ++---
 vault/resource_scep_auth_backend_role_test.go | 6 ++---
 .../docs/r/approle_auth_backend_role.html.md | 2 +-
 website/docs/r/aws_auth_backend_role.html.md | 2 +-
 website/docs/r/cert_auth_backend_role.html.md | 2 +-
 website/docs/r/github_auth_backend.html.md | 2 +-
 website/docs/r/ldap_auth_backend.html.md | 2 +-
 website/docs/r/okta_auth_backend.html.md | 2 +-
 website/docs/r/scep_auth_backend_role.html.md | 2 +-
 17 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 600333c0d2..79f5038e6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ FEATURES:
 * Add support for `root_password_ttl` in `vault_azure_secret_backend` resource. Requires Vault 1.15+ ([#2529](https://github.com/hashicorp/terraform-provider-vault/pull/2529))
 * Add support for managed key parameters in the SSH CA config endpoint ([#2480](https://github.com/hashicorp/terraform-provider-vault/pull/2480))
 * Add new resources `vault_oci_auth_backend` and `vault_oci_auth_backend_role` to manage OCI auth backend and roles. ([#1761](https://github.com/hashicorp/terraform-provider-vault/pull/1761))
-* Add support for `token_auth_metadata` field in auth resources ([#2547](https://github.com/hashicorp/terraform-provider-vault/pull/2547))
+* Add support for `alias_metadata` field in auth resources ([#2547](https://github.com/hashicorp/terraform-provider-vault/pull/2547))
 ## 5.1.0 (Jul 9, 2025)
diff --git a/vault/auth_token.go b/vault/auth_token.go
index 624286fafb..1fd70d1035 100644
--- a/vault/auth_token.go
+++ b/vault/auth_token.go
@@ -23,7 +23,7 @@ const (
 TokenFieldPolicies = "token_policies"
 TokenFieldType = "token_type"
 TokenFieldNumUses = "token_num_uses"
- TokenFieldAuthMetadata = "token_auth_metadata" // Vault 1.21+
+ FieldAliasMetadata = "alias_metadata" // Vault 1.21+
 )
 var commonTokenFields = []string{
@@ -36,7 +36,7 @@ var commonTokenFields = []string{
 TokenFieldPolicies,
 TokenFieldType,
 TokenFieldNumUses,
- TokenFieldAuthMetadata,
+ FieldAliasMetadata,
 }
 type addTokenFieldsConfig struct {
@@ -47,7 +47,7 @@ type addTokenFieldsConfig struct {
 TokenPeriodConflict []string
 TokenPoliciesConflict []string
 TokenTTLConflict []string
- TokenAuthMetadataConflict []string
+ AliasMetadataConflict []string
 TokenTypeDefault string
 }
@@ -125,11 +125,11 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf
 ConflictsWith: config.TokenNumUsesConflict,
 }
- fields[TokenFieldAuthMetadata] = &schema.Schema{
+ fields[FieldAliasMetadata] = &schema.Schema{
 Type: schema.TypeMap,
- Description: "The metadata to be tied to generated tokens.\n This should be a list or map containing the metadata in key value pairs.",
+ Description: "The metadata to be tied to generated entity alias.\n This should be a list or map containing the metadata in key value pairs.",
 Optional: true,
- ConflictsWith: config.TokenAuthMetadataConflict,
+ ConflictsWith: config.AliasMetadataConflict,
 }
 }
@@ -215,7 +215,7 @@ func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config
 }
 conflicted = false
- for _, k := range config.TokenAuthMetadataConflict {
+ for _, k := range config.AliasMetadataConflict {
 if _, ok := d.GetOk(k); ok {
 conflicted = true
 break
@@ -223,7 +223,7 @@ func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config
 }
 if !conflicted {
- data[TokenFieldAuthMetadata] = d.Get(TokenFieldAuthMetadata)
+ data[FieldAliasMetadata] = d.Get(FieldAliasMetadata)
 }
 }
@@ -265,8 +265,8 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea
 data[TokenFieldNumUses] = v.(int)
 }
- if v, ok := d.GetOk(TokenFieldAuthMetadata); ok {
- data[TokenFieldAuthMetadata] = v
+ if v, ok := d.GetOk(FieldAliasMetadata); ok {
+ data[FieldAliasMetadata] = v
 }
 } else {
 if d.HasChange(TokenFieldBoundCIDRs) {
@@ -305,8 +305,8 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea
 data[TokenFieldNumUses] = d.Get(TokenFieldNumUses).(int)
 }
- if d.HasChange(TokenFieldAuthMetadata) {
- data[TokenFieldAuthMetadata] = d.Get(TokenFieldAuthMetadata)
+ if d.HasChange(FieldAliasMetadata) {
+ data[FieldAliasMetadata] = d.Get(FieldAliasMetadata)
 }
 }
 }
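Review bot: The new schema description on `fields[FieldAliasMetadata]` says the value "should be a list or map", but the attribute is declared `schema.TypeMap`, so only a map is valid, and the same wording is now repeated in all seven resource docs. The description also omits the requirement that is recorded only by the `// Vault 1.21+` comment on the constant and by the acceptance tests, which skip this step below 1.21 and on non-Enterprise servers. Suggest `Description: "Map of key/value metadata to attach to the entity alias created at login. Requires Vault 1.21+ (the acceptance tests run it only against Vault Enterprise)."` and the matching sentence in the website docs. Because this metadata lands on the identity alias, which Vault makes available to templated policies if it is handled like other alias metadata, a sentence noting that anyone allowed to write the role can influence what those templates see would be worth adding once confirmed against the 1.21 docs. addTokenFields starts outside this hunk.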
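Review bot: In setTokenFields the new field is written with `d.Get(FieldAliasMetadata)`, so every request built through this path carries `alias_metadata` (an empty map when the practitioner never set it) against any Vault version, while the create branch of updateTokenFields a few hunks down only sends it under `d.GetOk`. The constant is annotated `// Vault 1.21+` and the tests skip below 1.21 and on non-Enterprise servers, yet nothing in this file gates the request; if the server merely warns about an unrecognized parameter this is noise on every apply against older Vault, and if a backend rejects unknown fields the resource breaks there. Align with the create path, `if v, ok := d.GetOk(FieldAliasMetadata); ok { data[FieldAliasMetadata] = v }`, or gate it on `provider.VaultVersion121` in the callers that hold the provider meta. setTokenFields starts and ends outside this hunk.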
diff --git a/vault/auth_token_test.go b/vault/auth_token_test.go
index cffa250f2e..a08491a6bc 100644
--- a/vault/auth_token_test.go
+++ b/vault/auth_token_test.go
@@ -12,8 +12,8 @@ import (
 "github.com/hashicorp/vault/api"
 )
-const tokenAuthMetadataConfig = `
- token_auth_metadata = {
+const aliasMetadataConfig = `
+ alias_metadata = {
 "foo" = "bar"
 }`
diff --git a/vault/resource_approle_auth_backend_role_test.go b/vault/resource_approle_auth_backend_role_test.go
index 1d77d2a95b..9cf049a581 100644
--- a/vault/resource_approle_auth_backend_role_test.go
+++ b/vault/resource_approle_auth_backend_role_test.go
@@ -108,7 +108,7 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) {
 return !meta.IsEnterpriseSupported(), nil
 },
- Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, tokenAuthMetadataConfig),
+ Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, aliasMetadataConfig),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role", "backend", backend),
@@ -135,9 +135,9 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) {
 "secret_id_bound_cidrs.#", "0"),
 resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
- "token_auth_metadata.%", "1"),
+ "alias_metadata.%", "1"),
 resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
- "token_auth_metadata.foo", "bar"),
+ "alias_metadata.foo", "bar"),
 ),
 },
 },
diff --git a/vault/resource_aws_auth_backend_role_test.go b/vault/resource_aws_auth_backend_role_test.go
index 6c54542d7c..24c64affeb 100644
--- a/vault/resource_aws_auth_backend_role_test.go
+++ b/vault/resource_aws_auth_backend_role_test.go
@@ -114,7 +114,7 @@ func TestAccAWSAuthBackendRole_inferred(t *testing.T) { return !meta.IsEnterpriseSupported(), nil }, - Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, tokenAuthMetadataConfig), + Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, aliasMetadataConfig), Check: testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role), }, }, diff --git a/vault/resource_cert_auth_backend_role_test.go b/vault/resource_cert_auth_backend_role_test.go index 7b0afb1b59..c60f248c23 100644 --- a/vault/resource_cert_auth_backend_role_test.go +++ b/vault/resource_cert_auth_backend_role_test.go @@ -126,7 +126,7 @@ func TestCertAuthBackend(t *testing.T) { return !meta.IsEnterpriseSupported(), nil }, - Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, tokenAuthMetadataConfig, allowedNames, allowedOrgUnits), + Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, aliasMetadataConfig, allowedNames, allowedOrgUnits), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "backend", backend), resource.TestCheckResourceAttr(resourceName, "name", name), @@ -138,8 +138,8 @@ func TestCertAuthBackend(t *testing.T) { resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "foo"), resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "baz"), testCertAuthBackendCheck_attrs(resourceName, backend, name), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.foo", "bar"), ), }, }, diff --git a/vault/resource_github_auth_backend_test.go b/vault/resource_github_auth_backend_test.go index a7cf9e859e..130440c5b8 100644 --- a/vault/resource_github_auth_backend_test.go 
+++ b/vault/resource_github_auth_backend_test.go @@ -78,7 +78,7 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { return !meta.IsEnterpriseSupported(), nil }, - Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, tokenAuthMetadataConfig), + Config: testAccGithubAuthBackendConfig_basic(path, testGHOrg, aliasMetadataConfig), Check: resource.ComposeTestCheckFunc( testutil.TestAccCheckAuthMountExists(resourceName, &resAuth, @@ -91,8 +91,8 @@ func TestAccGithubAuthBackend_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "token_ttl", "1200"), resource.TestCheckResourceAttr(resourceName, "token_max_ttl", "3000"), resource.TestCheckResourceAttrPtr(resourceName, "accessor", &resAuth.Accessor), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.foo", "bar"), ), }, }, diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go index 4f79cf2d24..cc2490875f 100644 --- a/vault/resource_ldap_auth_backend_test.go +++ b/vault/resource_ldap_auth_backend_test.go 
@@ -57,11 +57,11 @@ func TestLDAPAuthBackend_basic(t *testing.T) { return !meta.IsEnterpriseSupported(), nil }, - Config: testLDAPAuthBackendConfig_basic(path, "true", "true", tokenAuthMetadataConfig), + Config: testLDAPAuthBackendConfig_basic(path, "true", "true", aliasMetadataConfig), Check: resource.ComposeTestCheckFunc( testLDAPAuthBackendCheck_attrs(resourceName, path), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.foo", "bar"), ), }, testutil.GetImportTestStep(resourceName, false, nil, "bindpass", "disable_remount"), diff --git a/vault/resource_okta_auth_backend_test.go b/vault/resource_okta_auth_backend_test.go index 1aab553a3e..6d34db6d93 100644 --- a/vault/resource_okta_auth_backend_test.go +++ b/vault/resource_okta_auth_backend_test.go @@ -70,7 +70,7 @@ func TestAccOktaAuthBackend_basic(t *testing.T) { return !meta.IsEnterpriseSupported(), nil }, - Config: testAccOktaAuthConfig_basic(path, organization, tokenAuthMetadataConfig), + Config: testAccOktaAuthConfig_basic(path, organization, aliasMetadataConfig), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, TokenFieldTTL, "3600"), resource.TestCheckResourceAttr(resourceName, consts.FieldOrganization, "example"), 
@@ -86,8 +86,8 @@ func TestAccOktaAuthBackend_basic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "user.0.username", "foo"), resource.TestCheckResourceAttr(resourceName, "user.0.groups.#", "1"), resource.TestCheckResourceAttr(resourceName, "user.0.groups.0", "dummy"), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.%", "1"), - resource.TestCheckResourceAttr(resourceName, "token_auth_metadata.foo", "bar"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.%", "1"), + resource.TestCheckResourceAttr(resourceName, "alias_metadata.foo", "bar"), ), }, }, diff --git a/vault/resource_scep_auth_backend_role_test.go b/vault/resource_scep_auth_backend_role_test.go index 779b2fc615..14845965bf 100644 --- a/vault/resource_scep_auth_backend_role_test.go +++ b/vault/resource_scep_auth_backend_role_test.go @@ -92,7 +92,7 @@ resource "vault_scep_auth_backend_role" "test" { auth_type = "static-challenge" %s } - `, backend, name, tokenAuthMetadataConfig), + `, backend, name, aliasMetadataConfig), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "backend", backend), resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "name", name), 
@@ -100,8 +100,8 @@ resource "vault_scep_auth_backend_role" "test" { resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "auth_type", "static-challenge"), // Note that the challenge is not returned, since the resource was updated and no new challenge was specified resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "challenge", ""), - resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "token_auth_metadata.%", "1"), - resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "token_auth_metadata.foo", "bar"), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "alias_metadata.%", "1"), + resource.TestCheckResourceAttr("vault_scep_auth_backend_role.test", "alias_metadata.foo", "bar"), ), }, }, diff --git a/website/docs/r/approle_auth_backend_role.html.md b/website/docs/r/approle_auth_backend_role.html.md index d3f26678c5..aa982d5648 100644 --- a/website/docs/r/approle_auth_backend_role.html.md +++ b/website/docs/r/approle_auth_backend_role.html.md @@ -95,7 +95,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. ## Attributes Reference diff --git a/website/docs/r/aws_auth_backend_role.html.md b/website/docs/r/aws_auth_backend_role.html.md index 8c1af826b3..53846262e5 100644 --- a/website/docs/r/aws_auth_backend_role.html.md +++ b/website/docs/r/aws_auth_backend_role.html.md 
@@ -172,7 +172,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. ## Attributes Reference diff --git a/website/docs/r/cert_auth_backend_role.html.md b/website/docs/r/cert_auth_backend_role.html.md index a0ec3afa96..b71a00853b 100644 --- a/website/docs/r/cert_auth_backend_role.html.md +++ b/website/docs/r/cert_auth_backend_role.html.md @@ -122,7 +122,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. For more details on the usage of each argument consult the [Vault Cert API documentation](https://www.vaultproject.io/api-docs/auth/cert). diff --git a/website/docs/r/github_auth_backend.html.md b/website/docs/r/github_auth_backend.html.md index 1160c50996..2d36d19d26 100644 --- a/website/docs/r/github_auth_backend.html.md +++ b/website/docs/r/github_auth_backend.html.md 
@@ -121,7 +121,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. ## Import diff --git a/website/docs/r/ldap_auth_backend.html.md b/website/docs/r/ldap_auth_backend.html.md index 806e39a083..59450bf6f8 100644 --- a/website/docs/r/ldap_auth_backend.html.md +++ b/website/docs/r/ldap_auth_backend.html.md @@ -143,7 +143,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. For more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap). diff --git a/website/docs/r/okta_auth_backend.html.md b/website/docs/r/okta_auth_backend.html.md index e4fa4a597b..6968d5e3bf 100644 --- a/website/docs/r/okta_auth_backend.html.md +++ b/website/docs/r/okta_auth_backend.html.md 
@@ -115,7 +115,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. ## Attributes Reference diff --git a/website/docs/r/scep_auth_backend_role.html.md b/website/docs/r/scep_auth_backend_role.html.md index 1d6472bffe..50aa4e09fd 100644 --- a/website/docs/r/scep_auth_backend_role.html.md +++ b/website/docs/r/scep_auth_backend_role.html.md @@ -86,7 +86,7 @@ These arguments are common across several Authentication Token resources since V `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time. -* `token_auth_metadata` - (Optional) The metadata to be tied to generated tokens. +* `alias_metadata` - (Optional) The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs. For more details on the usage of each argument consult the [Vault SCEP API documentation](https://developer.hashicorp.com/vault/docs/auth/scep).