Add alias_metadata field

CHANGELOG.md

@@ -5,6 +5,7 @@ FEATURES:
 * Add support for `root_password_ttl` in `vault_azure_secret_backend` resource. Requires Vault 1.15+ ([#2529](https://github.com/hashicorp/terraform-provider-vault/pull/2529))
 * Add support for managed key parameters in the SSH CA config endpoint ([#2480](https://github.com/hashicorp/terraform-provider-vault/pull/2480))
 * Add new resources `vault_oci_auth_backend` and `vault_oci_auth_backend_role` to manage OCI auth backend and roles. ([#1761](https://github.com/hashicorp/terraform-provider-vault/pull/1761))
+* Add support for `alias_metadata` field in auth resources ([#2547](https://github.com/hashicorp/terraform-provider-vault/pull/2547))
 
 ## 5.1.0 (Jul 9, 2025)
 

internal/consts/consts.go

@@ -634,6 +634,7 @@ const (
 	VaultVersion1185 = "1.18.5"
 	VaultVersion119  = "1.19.0"
 	VaultVersion120  = "1.20.0"
+	VaultVersion121  = "1.21.0"
 
 	/*
 		Vault auth methods

internal/provider/meta.go

@@ -49,6 +49,7 @@ var (
 	VaultVersion1185 = version.Must(version.NewSemver(consts.VaultVersion1185))
 	VaultVersion119  = version.Must(version.NewSemver(consts.VaultVersion119))
 	VaultVersion120  = version.Must(version.NewSemver(consts.VaultVersion120))
+	VaultVersion121  = version.Must(version.NewSemver(consts.VaultVersion121))
 
 	TokenTTLMinRecommended = time.Minute * 15
 )

vault/auth_token.go

@@ -23,6 +23,7 @@ const (
 	TokenFieldPolicies        = "token_policies"
 	TokenFieldType            = "token_type"
 	TokenFieldNumUses         = "token_num_uses"
+	FieldAliasMetadata        = "alias_metadata" // Vault 1.21+
 )
 
 var commonTokenFields = []string{
@@ -35,6 +36,7 @@ var commonTokenFields = []string{
 	TokenFieldPolicies,
 	TokenFieldType,
 	TokenFieldNumUses,
+	FieldAliasMetadata,
 }
 
 type addTokenFieldsConfig struct {
@@ -45,6 +47,7 @@ type addTokenFieldsConfig struct {
 	TokenPeriodConflict         []string
 	TokenPoliciesConflict       []string
 	TokenTTLConflict            []string
+	AliasMetadataConflict       []string
 
 	TokenTypeDefault string
 }
@@ -121,6 +124,13 @@ func addTokenFields(fields map[string]*schema.Schema, config *addTokenFieldsConf
 		Optional:      true,
 		ConflictsWith: config.TokenNumUsesConflict,
 	}
+
+	fields[FieldAliasMetadata] = &schema.Schema{
+		Type:          schema.TypeMap,
+		Description:   "The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs.",
+		Optional:      true,
+		ConflictsWith: config.AliasMetadataConflict,
+	}
 }
 
 func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config *addTokenFieldsConfig) {
@@ -203,6 +213,18 @@ func setTokenFields(d *schema.ResourceData, data map[string]interface{}, config
 	if !conflicted {
 		data[TokenFieldBoundCIDRs] = d.Get(TokenFieldBoundCIDRs).(*schema.Set).List()
 	}
+
+	conflicted = false
+	for _, k := range config.AliasMetadataConflict {
+		if _, ok := d.GetOk(k); ok {
+			conflicted = true
+			break
+		}
+	}
+
+	if !conflicted {
+		data[FieldAliasMetadata] = d.Get(FieldAliasMetadata)
+	}
 }
 
 func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, create bool) {
@@ -242,6 +264,10 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea
 		if v, ok := d.GetOk(TokenFieldNumUses); ok {
 			data[TokenFieldNumUses] = v.(int)
 		}
+
+		if v, ok := d.GetOk(FieldAliasMetadata); ok {
+			data[FieldAliasMetadata] = v
+		}
 	} else {
 		if d.HasChange(TokenFieldBoundCIDRs) {
 			data[TokenFieldBoundCIDRs] = d.Get(TokenFieldBoundCIDRs).(*schema.Set).List()
@@ -278,6 +304,10 @@ func updateTokenFields(d *schema.ResourceData, data map[string]interface{}, crea
 		if d.HasChange(TokenFieldNumUses) {
 			data[TokenFieldNumUses] = d.Get(TokenFieldNumUses).(int)
 		}
+
+		if d.HasChange(FieldAliasMetadata) {
+			data[FieldAliasMetadata] = d.Get(FieldAliasMetadata)
+		}
 	}
 }
 

vault/auth_token_test.go

@@ -12,6 +12,11 @@ import (
 	"github.com/hashicorp/vault/api"
 )
 
+const aliasMetadataConfig = `
+	alias_metadata = {
+		"foo" = "bar"
+	}`
+
 func Test_handleCIDRField(t *testing.T) {
 	tests := []struct {
 		name        string

vault/data_source_approle_auth_backend_role_id_test.go

@@ -24,7 +24,7 @@ func TestAccAppRoleAuthBackendRoleID_basic(t *testing.T) {
 		CheckDestroy:             testAccCheckAppRoleAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role),
+				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
 						"backend", backend),
@@ -92,7 +92,7 @@ func testAccAppRoleAuthBackendRoleIDConfig_basic(backend, role string) string {
 data "vault_approle_auth_backend_role_id" "role" {
   backend = "%s"
   role_name = "%s"
-}`, testAccAppRoleAuthBackendRoleConfig_basic(backend, role), backend, role)
+}`, testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""), backend, role)
 }
 
 func testAccAppRoleAuthBackendRoleIDConfig_customID(backend, role, roleID string) string {

vault/resource_approle_auth_backend_role_test.go

@@ -71,7 +71,7 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) {
 		CheckDestroy:             testAccCheckAppRoleAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role),
+				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
 						"backend", backend),
@@ -99,6 +99,47 @@ func TestAccAppRoleAuthBackendRole_basic(t *testing.T) {
 						"secret_id_bound_cidrs.#", "0"),
 				),
 			},
+			{
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					if !meta.IsAPISupported(provider.VaultVersion121) {
+						return true, nil
+					}
+
+					return !meta.IsEnterpriseSupported(), nil
+				},
+				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, aliasMetadataConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"backend", backend),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"role_name", role),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"token_policies.#", "3"),
+					resource.TestCheckResourceAttrSet("vault_approle_auth_backend_role.role",
+						"role_id"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"token_ttl", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"token_max_ttl", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"token_num_uses", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"secret_id_ttl", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"secret_id_num_uses", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"token_period", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"bind_secret_id", "true"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"secret_id_bound_cidrs.#", "0"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"alias_metadata.%", "1"),
+					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
+						"alias_metadata.foo", "bar"),
+				),
+			},
 		},
 	})
 }
@@ -113,7 +154,7 @@ func TestAccAppRoleAuthBackendRole_update(t *testing.T) {
 		CheckDestroy:             testAccCheckAppRoleAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role),
+				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
 						"backend", backend),
@@ -281,7 +322,7 @@ func TestAccAppRoleAuthBackendRole_fullUpdate(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role),
+				Config: testAccAppRoleAuthBackendRoleConfig_basic(backend, role, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_approle_auth_backend_role.role",
 						"backend", backend),
@@ -335,7 +376,7 @@ func testAccCheckAppRoleAuthBackendRoleDestroy(s *terraform.State) error {
 	return nil
 }
 
-func testAccAppRoleAuthBackendRoleConfig_basic(backend, role string) string {
+func testAccAppRoleAuthBackendRoleConfig_basic(backend, role, extraConfig string) string {
 	return fmt.Sprintf(`
 resource "vault_auth_backend" "approle" {
   type = "approle"
@@ -346,7 +387,8 @@ resource "vault_approle_auth_backend_role" "role" {
   backend = vault_auth_backend.approle.path
   role_name = "%s"
   token_policies = ["default", "dev", "prod"]
-}`, backend, role)
+  %s
+}`, backend, role, extraConfig)
 }
 
 func testAccAppRoleAuthBackendRoleConfig_update(backend, role string) string {

vault/resource_aws_auth_backend_role_test.go

@@ -27,7 +27,7 @@ func TestAccAWSAuthBackendRole_importInferred(t *testing.T) {
 		CheckDestroy:             testAccCheckAWSAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role),
+				Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, ""),
 				Check:  testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role),
 			},
 			{
@@ -102,7 +102,19 @@ func TestAccAWSAuthBackendRole_inferred(t *testing.T) {
 		CheckDestroy:             testAccCheckAWSAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role),
+				Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, ""),
+				Check:  testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role),
+			},
+			{
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					if !meta.IsAPISupported(provider.VaultVersion121) {
+						return true, nil
+					}
+
+					return !meta.IsEnterpriseSupported(), nil
+				},
+				Config: testAccAWSAuthBackendRoleConfig_inferred(backend, role, aliasMetadataConfig),
 				Check:  testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role),
 			},
 		},
@@ -294,7 +306,7 @@ func testAccAWSAuthBackendRoleCheck_attrs(resourceName, backend, role string) re
 	}
 }
 
-func testAccAWSAuthBackendRoleConfig_inferred(backend, role string) string {
+func testAccAWSAuthBackendRoleConfig_inferred(backend, role, extraConfig string) string {
 	return fmt.Sprintf(`
 resource "vault_auth_backend" "aws" {
   type = "aws"
@@ -316,7 +328,8 @@ resource "vault_aws_auth_backend_role" "role" {
   token_ttl = 60
   token_max_ttl = 120
   token_policies = ["default", "dev", "prod"]
-}`, backend, role)
+	%s
+}`, backend, role, extraConfig)
 }
 
 func testAccAWSAuthBackendRoleConfig_iam(backend, role string) string {

vault/resource_cert_auth_backend_role_test.go

@@ -90,7 +90,7 @@ func TestCertAuthBackend(t *testing.T) {
 		CheckDestroy:             testCertAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, allowedNames, allowedOrgUnits),
+				Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, "", allowedNames, allowedOrgUnits),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "backend", backend),
 					resource.TestCheckResourceAttr(resourceName, "name", name),
@@ -117,6 +117,31 @@ func TestCertAuthBackend(t *testing.T) {
 					testCertAuthBackendCheck_attrs(resourceName, backend, name),
 				),
 			},
+			{
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					if !meta.IsAPISupported(provider.VaultVersion121) {
+						return true, nil
+					}
+
+					return !meta.IsEnterpriseSupported(), nil
+				},
+				Config: testCertAuthBackendConfig_basic(backend, name, testCertificate, aliasMetadataConfig, allowedNames, allowedOrgUnits),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "backend", backend),
+					resource.TestCheckResourceAttr(resourceName, "name", name),
+					resource.TestCheckResourceAttr(resourceName, "token_policies.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "token_ttl", "300"),
+					resource.TestCheckResourceAttr(resourceName, "token_max_ttl", "600"),
+					resource.TestCheckResourceAttr(resourceName, "allowed_names.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "allowed_organizational_units.#", "2"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "foo"),
+					resource.TestCheckTypeSetElemAttr(resourceName, "allowed_organizational_units.*", "baz"),
+					testCertAuthBackendCheck_attrs(resourceName, backend, name),
+					resource.TestCheckResourceAttr(resourceName, "alias_metadata.%", "1"),
+					resource.TestCheckResourceAttr(resourceName, "alias_metadata.foo", "bar"),
+				),
+			},
 		},
 	})
 }
@@ -253,7 +278,7 @@ func testCertAuthBackendCheck_attrs(resourceName, backend, name string) resource
 	}
 }
 
-func testCertAuthBackendConfig_basic(backend, name, certificate string, allowedNames, allowedOrgUnits []string) string {
+func testCertAuthBackendConfig_basic(backend, name, certificate, extraConfig string, allowedNames, allowedOrgUnits []string) string {
 	config := fmt.Sprintf(`
 
 resource "vault_auth_backend" "cert" {
@@ -272,8 +297,9 @@ EOF
     token_max_ttl                = 600
     token_policies               = ["test_policy_1", "test_policy_2"]
     allowed_organizational_units = %s
+	%s
 }
-`, backend, name, certificate, util.ArrayToTerraformList(allowedNames), util.ArrayToTerraformList(allowedOrgUnits))
+`, backend, name, certificate, util.ArrayToTerraformList(allowedNames), util.ArrayToTerraformList(allowedOrgUnits), extraConfig)
 
 	return config
 }