Add use_sts_region_from_client to AWS Auth Config (#1963)

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 3.19.0 (Aug 2, 2023)
 FEATURES:
 * Add support for User ID configuration for PKI Secrets Engine: ([#1936](https://github.com/hashicorp/terraform-provider-vault/pull/1936))
+* Add support for `use_sts_region_from_client` in `vault_aws_auth_backend_client` available in Vault v1.15.0+: ([#1963](https://github.com/hashicorp/terraform-provider-vault/pull/1963))
 
 BUGS:
 * auth/aws: enable namespace support for AWS backend config identity: ([#1961](https://github.com/hashicorp/terraform-provider-vault/pull/1961))

internal/consts/consts.go

@@ -422,6 +422,7 @@ const (
 	VaultVersion112 = "1.12.0"
 	VaultVersion113 = "1.13.0"
 	VaultVersion114 = "1.14.0"
+	VaultVersion115 = "1.15.0"
 
 	/*
 		Vault auth methods

internal/provider/meta.go

@@ -41,6 +41,7 @@ var (
 	VaultVersion112 = version.Must(version.NewSemver(consts.VaultVersion112))
 	VaultVersion113 = version.Must(version.NewSemver(consts.VaultVersion113))
 	VaultVersion114 = version.Must(version.NewSemver(consts.VaultVersion114))
+	VaultVersion115 = version.Must(version.NewSemver(consts.VaultVersion115))
 
 	TokenTTLMinRecommended = time.Minute * 15
 )

vault/resource_aws_auth_backend_client.go

@@ -14,6 +14,10 @@ import (
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 )
 
+const (
+	useSTSRegionFromClient = "use_sts_region_from_client"
+)
+
 func awsAuthBackendClientResource() *schema.Resource {
 	return &schema.Resource{
 		Create: awsAuthBackendWrite,
@@ -69,6 +73,12 @@ func awsAuthBackendClientResource() *schema.Resource {
 				Optional:    true,
 				Description: "Region to override the default region for making AWS STS API calls.",
 			},
+			useSTSRegionFromClient: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "If set, will override sts_region and use the region from the client request's header",
+			},
 			"iam_server_id_header_value": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -91,6 +101,7 @@ func awsAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	iamEndpoint := d.Get("iam_endpoint").(string)
 	stsEndpoint := d.Get("sts_endpoint").(string)
 	stsRegion := d.Get("sts_region").(string)
+	stsRegionFromClient := d.Get("use_sts_region_from_client").(bool)
 
 	iamServerIDHeaderValue := d.Get("iam_server_id_header_value").(string)
 
@@ -110,6 +121,10 @@ func awsAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 		data["secret_key"] = d.Get("secret_key").(string)
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion115) {
+		data[useSTSRegionFromClient] = stsRegionFromClient
+	}
+
 	// sts_endpoint and sts_region are required to be set together
 	if (stsEndpoint == "") != (stsRegion == "") {
 		return fmt.Errorf("both sts_endpoint and sts_region need to be set")
@@ -159,6 +174,10 @@ func awsAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("sts_endpoint", secret.Data["sts_endpoint"])
 	d.Set("sts_region", secret.Data["sts_region"])
 	d.Set("iam_server_id_header_value", secret.Data["iam_server_id_header_value"])
+	if provider.IsAPISupported(meta, provider.VaultVersion115) {
+		d.Set(useSTSRegionFromClient, secret.Data[useSTSRegionFromClient])
+	}
+
 	return nil
 }
 

vault/resource_aws_auth_backend_client_test.go

@@ -18,7 +18,7 @@ import (
 
 func TestAccAWSAuthBackendClient_import(t *testing.T) {
 	backend := acctest.RandomWithPrefix("aws")
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
@@ -39,7 +39,7 @@ func TestAccAWSAuthBackendClient_import(t *testing.T) {
 
 func TestAccAWSAuthBackendClient_basic(t *testing.T) {
 	backend := acctest.RandomWithPrefix("aws")
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
@@ -58,7 +58,7 @@ func TestAccAWSAuthBackendClient_basic(t *testing.T) {
 
 func TestAccAWSAuthBackendClient_nested(t *testing.T) {
 	backend := acctest.RandomWithPrefix("aws") + "/nested"
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
@@ -77,7 +77,7 @@ func TestAccAWSAuthBackendClient_nested(t *testing.T) {
 
 func TestAccAWSAuthBackendClient_withoutSecretKey(t *testing.T) {
 	backend := acctest.RandomWithPrefix("aws")
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
@@ -104,7 +104,7 @@ func TestAccAWSAuthBackendClient_withoutSecretKey(t *testing.T) {
 
 func TestAccAWSAuthBackendClientStsRegionNoEndpoint(t *testing.T) {
 	backend := acctest.RandomWithPrefix("aws")
-	resource.Test(t, resource.TestCase{
+	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
@@ -117,6 +117,35 @@ func TestAccAWSAuthBackendClientStsRegionNoEndpoint(t *testing.T) {
 	})
 }
 
+func TestAccAWSAuthBackendClientStsRegionFromClient(t *testing.T) {
+	backend := acctest.RandomWithPrefix("aws")
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion115)
+		},
+		Providers:    testProviders,
+		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSAuthBackendClientConfigSTSRegionFromClient(backend, false),
+				Check: resource.ComposeTestCheckFunc(
+					testAccAWSAuthBackendClientCheck_attrs(backend),
+					resource.TestCheckResourceAttr("vault_aws_auth_backend_client.client", useSTSRegionFromClient, "false"),
+				),
+			},
+			{
+				Config: testAccAWSAuthBackendClientConfigSTSRegionFromClient(backend, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccAWSAuthBackendClientCheck_attrs(backend),
+					resource.TestCheckResourceAttr("vault_aws_auth_backend_client.client", useSTSRegionFromClient, "true"),
+				),
+			},
+			testutil.GetImportTestStep("vault_aws_auth_backend_client.client", false, nil),
+		},
+	})
+}
+
 func testAccCheckAWSAuthBackendClientDestroy(s *terraform.State) error {
 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "vault_aws_auth_backend_client" {
@@ -286,3 +315,18 @@ resource "vault_aws_auth_backend_client" "client" {
   iam_server_id_header_value = "vault.test"
 }`, backend)
 }
+
+func testAccAWSAuthBackendClientConfigSTSRegionFromClient(backend string, useSTSRegionFromClient bool) string {
+	return fmt.Sprintf(`
+resource "vault_auth_backend" "aws" {
+  path = "%s"
+  type = "aws"
+  description = "Test auth backend for AWS backend client config"
+}
+
+resource "vault_aws_auth_backend_client" "client" {
+  backend = vault_auth_backend.aws.path
+  access_key = "AWSACCESSKEY"
+  use_sts_region_from_client = %v
+}`, backend, useSTSRegionFromClient)
+}

website/docs/r/aws_auth_backend_client.html.md

@@ -68,6 +68,12 @@ The following arguments are supported:
 * `sts_region` - (Optional) Override the default region when making STS API 
     calls. The `sts_endpoint` argument must be set when using `sts_region`.
 
+* `use_sts_region_from_client` - (Optional) Available in Vault v1.15+. If set, 
+    overrides both `sts_endpoint` and `sts_region` to instead use the region
+    specified in the client request headers for IAM-based authentication.
+    This can be useful when you have client requests coming from different 
+    regions and want flexibility in which regional STS API is used.
+
 * `iam_server_id_header_value` - (Optional) The value to require in the
 	`X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests
 	that are used in the IAM auth method.