only support external_id on vault versions >= 1.17

helenfufu · helenfufu · commit 1eb7bdff53f0 · 2024-11-19T17:22:13.000-08:00
external_id support for aws auth sts configuration added in 1.17.0: hashicorp/vault#26628
diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go
@@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error
 	path := awsAuthBackendSTSRolePath(backend, accountID)
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path)
@@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("account_id", accountID)
 	d.Set("sts_role", resp.Data["sts_role"])
 
-	if v, ok := resp.Data[consts.FieldExternalID]; ok {
-		d.Set(consts.FieldExternalID, v)
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		if v, ok := resp.Data[consts.FieldExternalID]; ok {
+			d.Set(consts.FieldExternalID, v)
+		}
 	}
 
 	return nil
@@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error
 	path := d.Id()
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path)
diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go
@@ -56,18 +56,35 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) {
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
 			},
+			{
+				// Update ARN.
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
+			},
 			{
 				// Add external ID.
-				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID),
-				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
 			{
-				// Update ARN and external ID.
+				// Update external ID.
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
 			{
 				// Remove external ID.
+				SkipFunc: func() (bool, error) {
+					meta := testProvider.Meta().(*provider.ProviderMeta)
+					return !meta.IsAPISupported(provider.VaultVersion117), nil
+				},
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
