Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add user_path and permissions_boundary_arn arguments to aws_secret_backend_role #781

Merged
merged 1 commit into from
May 3, 2022
Merged

Add user_path and permissions_boundary_arn arguments to aws_secret_backend_role #781

merged 1 commit into from
May 3, 2022

Conversation

bakeemawaytoys
Copy link
Contributor

I modified the aws_secret_backend_role resource to accept the user_path and permissions_boundary_arn arguments. I updated the resource's tests to account for the new arguments and consolidated some duplicate code in the tests into functions. I also removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on the backend role. It will now be easier to run the tests on the aws_secret_backend_role resource.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #716, #769

Release note for CHANGELOG:

Add `user_path` and `permissions_boundary_arn` fields to `aws_secret_backend_role`.

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSSecretBackendRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run=TestAccAWSSecretBackendRole -timeout 120m
?       github.com/terraform-providers/terraform-provider-vault [no test files]
?       github.com/terraform-providers/terraform-provider-vault/cmd/coverage    [no test files]
testing: warning: no tests to run
PASS
ok      github.com/terraform-providers/terraform-provider-vault/util    0.023s [no tests to run]
=== RUN   TestAccAWSSecretBackendRole_basic
--- PASS: TestAccAWSSecretBackendRole_basic (0.27s)
=== RUN   TestAccAWSSecretBackendRole_import
--- PASS: TestAccAWSSecretBackendRole_import (0.23s)
=== RUN   TestAccAWSSecretBackendRole_nested
--- PASS: TestAccAWSSecretBackendRole_nested (0.25s)
PASS
ok      github.com/terraform-providers/terraform-provider-vault/vault   0.772s
...

@gfalqui
Copy link

gfalqui commented Jul 10, 2020

Please merge this! I'd love to have this too!

@gfalqui
Copy link

gfalqui commented Jul 10, 2020 

resource "vault_aws_secret_backend_role" "readonly" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "readonly"
  credential_type = "iam_user"

  policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]

  provisioner "local-exec" {
    command = "vault write -address=${var.vault_endpoint} -namespace=${var.vault_namespace} ${vault_aws_secret_backend.aws.path}/roles/readonly user_path=\"/vault-users/${local.vault_namespace_with_dashes}/\" permissions_boundary_arn=\"arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/policy-boundaries-name\""
  }
}

Using a provisioner can be a workaround!

Just make sure the environment contains Vault in the $PATH that has got a version that supports the new parameters.

@cyriptix
Copy link

Using a provisioner can be a workaround!

Worked a treat, thank you! 👍

@billyaustin84
Copy link
Contributor

Is this likely to make it to the top of the pile for merging?

@hashicorp-cla
Copy link

hashicorp-cla commented Nov 25, 2020
edited
Loading

CLA assistant check
All committers have signed the CLA.

@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 824ac62 to f73a785 Compare November 25, 2020 22:13
@bakeemawaytoys
Copy link
Contributor Author

I think I was supposed to sign the CLA when I first submitted this PR but failed to do so. A helpful bot has alerted me to the situation. I've signed it and rebased to address the conflicts. Sorry about the delay on my end.

@jasonodonnell jasonodonnell self-requested a review December 11, 2020 15:44
@billyaustin84
Copy link
Contributor

Could I ask again when this is likely to be reviewed and merged?

@billyaustin84
Copy link
Contributor

@jasonodonnell This PR seems to have been forgotten. Is there anything I can do to help get it back on track?

@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from f73a785 to 4e25264 Compare October 20, 2021 18:31
@benashz benashz removed the request for review from jasonodonnell February 10, 2022 22:22
@benashz benashz added this to the 3.4.0 milestone Feb 10, 2022
@benashz benashz self-requested a review February 10, 2022 22:25
@benashz
Copy link
Contributor

benashz commented Feb 10, 2022

Hi @bakeemawaytoys ,

We'd like to take another look at this PR. If you still have interest, would you mind rebasing it off of main. If not we would be happy to take it over.

Thanks,

Ben

@bakeemawaytoys
Copy link
Contributor Author

Sure thing. I should have some time to rebase it this weekend.

@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 4e25264 to 7aa86f3 Compare February 12, 2022 17:30
@github-actions github-actions bot added size/XL and removed size/L labels Feb 12, 2022
bakeemawaytoys added a commit to bakeemawaytoys/terraform-provider-vault that referenced this pull request Feb 12, 2022
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
357e5d6 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 7aa86f3 to 357e5d6 Compare February 12, 2022 19:23
@bakeemawaytoys
Copy link
Contributor Author

Some of my changes to the test file made for a tricky rebase, but I think it is all set.

@benashz
Copy link
Contributor

benashz commented Feb 14, 2022

@bakeemawaytoys thanks!

@benashz benashz modified the milestones: 3.4.0, 3.5.0 Mar 15, 2022
@benashz benashz modified the milestones: 3.5.0, 3.6.0 Apr 20, 2022
@benashz
Copy link
Contributor

benashz commented Apr 29, 2022
edited
Loading

Hi @bakeemawaytoys, it looks like this PR has broken some of the acceptance tests (see below for an example). Please let us know if you need an assist here.

Thanks,

Ben

=== RUN   TestAccAWSSecretBackendRole_nested
    resource_aws_secret_backend_role_test.go:100: Step 1/2 error: Error running pre-apply refresh: exit status 1
        
        Error: Missing item separator
        
          on terraform_plugin_test.tf line 19, in resource "vault_aws_secret_backend_role" "test_policy_arns":
          19:   policy_arns = ["{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:*","Resource": "*"}]}"]
        
        Expected a comma to mark the beginning of the next item.
    testing_new.go:63: Error retrieving state, there may be dangling resources: exit status 1
        
        Error: Missing item separator
        
          on terraform_plugin_test.tf line 19, in resource "vault_aws_secret_backend_role" "test_policy_arns":
          19:   policy_arns = ["{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:*","Resource": "*"}]}"]
        
        Expected a comma to mark the beginning of the next item.
        
--- FAIL: TestAccAWSSecretBackendRole_nested (0.66s)

bakeemawaytoys added a commit to bakeemawaytoys/terraform-provider-vault that referenced this pull request Apr 30, 2022
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
1445718 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 357e5d6 to 1445718 Compare April 30, 2022 15:16
bakeemawaytoys added a commit to bakeemawaytoys/terraform-provider-vault that referenced this pull request Apr 30, 2022
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
00660c0 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 1445718 to 00660c0 Compare April 30, 2022 16:44
@bakeemawaytoys
Copy link
Contributor Author

@benashz I fixed the failing tests and a few others that revealed themselves after I fixed the initial issue. Sorry for not catching that myself.

benashz
benashz reviewed May 2, 2022
View reviewed changes
Copy link
Contributor

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I only have a few comments/suggestions that need to be addressed before approval.

website/docs/r/aws_secret_backend_role.html.md Outdated Show resolved Hide resolved
website/docs/r/aws_secret_backend_role.html.md Outdated Show resolved Hide resolved
vault/resource_aws_secret_backend_role.go Show resolved Hide resolved
vault/resource_aws_secret_backend_role.go Show resolved Hide resolved
bakeemawaytoys added a commit to bakeemawaytoys/terraform-provider-vault that referenced this pull request May 2, 2022
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
d5ab5fd 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 00660c0 to d5ab5fd Compare May 2, 2022 23:21
bakeemawaytoys added a commit to bakeemawaytoys/terraform-provider-vault that referenced this pull request May 3, 2022
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
796db2a 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from d5ab5fd to 796db2a Compare May 3, 2022 00:16
@bakeemawaytoys
Modified the aws_secret_backend_role resource to accept the user_path…
4e3717f 
… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource. Split two large multiline strings into smaller strings to make it easier modify them. (hashicorp#781)
@bakeemawaytoys bakeemawaytoys force-pushed the add_missing_fields_to_aws_secret_backend_role branch from 796db2a to 4e3717f Compare May 3, 2022 00:18
benashz
benashz approved these changes May 3, 2022
View reviewed changes
Copy link
Contributor

@benashz benashz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Thanks again for your contribution to HashiCorp!

@benashz benashz merged commit 2d584c6 into hashicorp:main May 3, 2022
@benashz benashz mentioned this pull request May 3, 2022
Closed
marcboudreau pushed a commit to marcboudreau/terraform-provider-vault that referenced this pull request Nov 6, 2022
@bakeemawaytoys
Support setting user_path and permissions_boundary_arn fields in aws_…
bb2db77 
…secret_backend_role (hashicorp#781)
@thyton thyton mentioned this pull request Nov 17, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benashz benashz benashz approved these changes

Assignees
No one assigned
Labels
documentation size/XL
Projects
None yet
Milestone
3.6.0
Development

Successfully merging this pull request may close these issues.

vault_aws_secret_backend_role: currently doesn't support specifying permissions_boundary_arn
6 participants
@bakeemawaytoys @gfalqui @cyriptix @billyaustin84 @hashicorp-cla @benashz