Add new WIF fields for GCP Auth (Vault Enterprise only) (#2256)

hashicorp · Jun 6, 2024 · 877124b · 877124b
1 parent 0876810
commit 877124b
Show file tree

Hide file tree

Showing 13 changed files with 288 additions and 129 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,9 @@ FEATURES:
 * Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
 * Add support for `inheritable` on `vault_quota_rate_limit` and `vault_quota_lease_count`. Requires Vault 1.15+.: ([#2133](https://github.com/hashicorp/terraform-provider-vault/pull/2133)).
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
-* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
+* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
+* Add support for new WIF fields in `vault_gcp_auth_backend` ([#2256](https://github.com/hashicorp/terraform-provider-vault/pull/2256))
 * Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 
 IMPROVEMENTS:

diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -432,6 +432,9 @@ const (
 	FieldEnableSentinelParsing         = "enable_sentinel_parsing"
 	FieldAuditFields                   = "audit_fields"
 	FieldLastUpdated                   = "last_updated"
+	FieldCustomEndpoint                = "custom_endpoint"
+	FieldPrivateKeyID                  = "private_key_id"
+	FieldTune                          = "tune"
 
 	/*
 		common environment variables
@@ -501,17 +504,15 @@ const (
 	/*
 		Vault version constants
 	*/
-	VaultVersion190    = "1.9.0"
-	VaultVersion110    = "1.10.0"
-	VaultVersion111    = "1.11.0"
-	VaultVersion112    = "1.12.0"
-	VaultVersion113    = "1.13.0"
-	VaultVersion114    = "1.14.0"
-	VaultVersion115    = "1.15.0"
-	VaultVersion116    = "1.16.0"
-	VaultVersion116Ent = "1.16.0+ent"
-	VaultVersion117    = "1.17.0"
-	VaultVersion117Ent = "1.17.0+ent"
+	VaultVersion190 = "1.9.0"
+	VaultVersion110 = "1.10.0"
+	VaultVersion111 = "1.11.0"
+	VaultVersion112 = "1.12.0"
+	VaultVersion113 = "1.13.0"
+	VaultVersion114 = "1.14.0"
+	VaultVersion115 = "1.15.0"
+	VaultVersion116 = "1.16.0"
+	VaultVersion117 = "1.17.0"
 
 	/*
 		Vault auth methods

diff --git a/internal/provider/meta.go b/internal/provider/meta.go
@@ -35,16 +35,14 @@ const (
 var (
 	MaxHTTPRetriesCCC int
 
-	VaultVersion110    = version.Must(version.NewSemver(consts.VaultVersion110))
-	VaultVersion111    = version.Must(version.NewSemver(consts.VaultVersion111))
-	VaultVersion112    = version.Must(version.NewSemver(consts.VaultVersion112))
-	VaultVersion113    = version.Must(version.NewSemver(consts.VaultVersion113))
-	VaultVersion114    = version.Must(version.NewSemver(consts.VaultVersion114))
-	VaultVersion115    = version.Must(version.NewSemver(consts.VaultVersion115))
-	VaultVersion116    = version.Must(version.NewSemver(consts.VaultVersion116))
-	VaultVersion116Ent = version.Must(version.NewSemver(consts.VaultVersion116Ent))
-	VaultVersion117    = version.Must(version.NewSemver(consts.VaultVersion117))
-	VaultVersion117Ent = version.Must(version.NewSemver(consts.VaultVersion117Ent))
+	VaultVersion110 = version.Must(version.NewSemver(consts.VaultVersion110))
+	VaultVersion111 = version.Must(version.NewSemver(consts.VaultVersion111))
+	VaultVersion112 = version.Must(version.NewSemver(consts.VaultVersion112))
+	VaultVersion113 = version.Must(version.NewSemver(consts.VaultVersion113))
+	VaultVersion114 = version.Must(version.NewSemver(consts.VaultVersion114))
+	VaultVersion115 = version.Must(version.NewSemver(consts.VaultVersion115))
+	VaultVersion116 = version.Must(version.NewSemver(consts.VaultVersion116))
+	VaultVersion117 = version.Must(version.NewSemver(consts.VaultVersion117))
 
 	TokenTTLMinRecommended = time.Minute * 15
 )

diff --git a/vault/resource_aws_auth_backend_client.go b/vault/resource_aws_auth_backend_client.go
@@ -5,13 +5,13 @@ package vault
 
 import (
 	"context"
-
 	"log"
 	"regexp"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 )
@@ -146,7 +146,7 @@ func awsAuthBackendWrite(ctx context.Context, d *schema.ResourceData, meta inter
 		data[useSTSRegionFromClient] = stsRegionFromClient
 	}
 
-	if provider.IsAPISupported(meta, provider.VaultVersion117Ent) {
+	if provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta) {
 		data[consts.FieldIdentityTokenAudience] = identityTokenAud
 		data[consts.FieldRoleArn] = roleArn
 		data[consts.FieldIdentityTokenTTL] = identityTokenTTL
@@ -217,7 +217,7 @@ func awsAuthBackendRead(ctx context.Context, d *schema.ResourceData, meta interf
 			return diag.FromErr(err)
 		}
 	}
-	if provider.IsAPISupported(meta, provider.VaultVersion117Ent) {
+	if provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta) {
 		wifFields := []string{
 			consts.FieldIdentityTokenAudience,
 			consts.FieldRoleArn,

diff --git a/vault/resource_aws_auth_backend_client_test.go b/vault/resource_aws_auth_backend_client_test.go
@@ -5,13 +5,13 @@ package vault
 
 import (
 	"fmt"
-
 	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/testutil"
@@ -109,8 +109,8 @@ func TestAccAWSAuthBackend_wif(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		ProviderFactories: providerFactories,
 		PreCheck: func() {
-			testutil.TestAccPreCheck(t)
-			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117Ent)
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117)
 		},
 		CheckDestroy: testAccCheckAWSAuthBackendClientDestroy,
 		Steps: []resource.TestStep{

diff --git a/vault/resource_azure_secret_backend.go b/vault/resource_azure_secret_backend.go
@@ -7,14 +7,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
-
 	"log"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/vault/api"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+
 	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
 	"github.com/hashicorp/terraform-provider-vault/util"
@@ -125,7 +125,7 @@ func azureSecretBackendCreate(ctx context.Context, d *schema.ResourceData, meta
 	log.Printf("[DEBUG] Mounting Azure backend at %q", path)
 
 	mountConfig := api.MountConfigInput{}
-	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117Ent)
+	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta)
 	if useAPIVer117Ent {
 		identityTokenKey := d.Get(consts.FieldIdentityTokenKey).(string)
 		if identityTokenKey != "" {
@@ -219,7 +219,7 @@ func azureSecretBackendRead(ctx context.Context, d *schema.ResourceData, meta in
 		return diag.FromErr(err)
 	}
 
-	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117Ent)
+	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta)
 	if useAPIVer117Ent {
 		if err := d.Set(consts.FieldIdentityTokenKey, mount.Config.IdentityTokenKey); err != nil {
 			return diag.FromErr(err)
@@ -311,7 +311,7 @@ func azureSecretBackendRequestData(d *schema.ResourceData, meta interface{}) map
 		}
 	}
 
-	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117Ent)
+	useAPIVer117Ent := provider.IsAPISupported(meta, provider.VaultVersion117) && provider.IsEnterpriseSupported(meta)
 	if useAPIVer117Ent {
 		if v, ok := d.GetOk(consts.FieldIdentityTokenAudience); ok && v != "" {
 			data[consts.FieldIdentityTokenAudience] = v.(string)

diff --git a/vault/resource_azure_secret_backend_test.go b/vault/resource_azure_secret_backend_test.go
@@ -114,7 +114,7 @@ func TestAccAzureSecretBackend_wif(t *testing.T) {
 		ProviderFactories: providerFactories,
 		PreCheck: func() {
 			testutil.TestEntPreCheck(t)
-			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117Ent)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion117)
 		},
 		CheckDestroy: testCheckMountDestroyed(resourceType, consts.MountTypeAzure, consts.FieldPath),
 		Steps: []resource.TestStep{