Modified the aws_secret_backend_role resource to accept the user_path…

… and permissions_boundary_arn arguments. Updated the resource's tests to account for the new arguments. Consolidated some duplicate code in the tests into functions. Removed the tests' dependency on AWS credentials because Vault doesn't interact with AWS during CRUD operations on a backend role. It will now be easier to run the tests on the aws_secret_backend_role resource.
hashicorp · Feb 12, 2022 · 7aa86f3 · 7aa86f3
1 parent 6026031
commit 7aa86f3
Show file tree

Hide file tree

Showing 3 changed files with 174 additions and 164 deletions.
diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go
@@ -85,6 +85,16 @@ func awsSecretBackendRoleResource(name string) *schema.Resource {
 				Computed:    true,
 				Description: "The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token.",
 			},
+			"permissions_boundary_arn": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached.",
+			},
+			"user_path": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "The path for the user name. Valid only when credential_type is iam_user. Default is /",
+			},
 		},
 	}
 }
@@ -113,9 +123,16 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 
 	credentialType := d.Get("credential_type").(string)
 
+	userPath := d.Get("user_path").(string)
+
+	permissionBoundaryArn := d.Get("permissions_boundary_arn").(string)
+
 	data := map[string]interface{}{
 		"credential_type": credentialType,
 	}
+	if d.HasChange("permissions_boundary_arn") {
+		data["permissions_boundary_arn"] = permissionBoundaryArn
+	}
 	if d.HasChange("policy_document") {
 		data["policy_document"] = policyDocument
 	}
@@ -128,6 +145,9 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error {
 	if d.HasChange("iam_groups") {
 		data["iam_groups"] = iamGroups
 	}
+	if d.HasChange("user_path") {
+		data["user_path"] = userPath
+	}
 
 	defaultStsTTL, defaultStsTTLOk := d.GetOk("default_sts_ttl")
 	maxStsTTL, maxStsTTLOk := d.GetOk("max_sts_ttl")
@@ -202,6 +222,13 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error {
 	if v, ok := secret.Data["iam_groups"]; ok {
 		d.Set("iam_groups", v)
 	}
+	if v, ok := secret.Data["permissions_boundary_arn"]; ok {
+		d.Set("permissions_boundary_arn", v)
+	}
+	if v, ok := secret.Data["user_path"]; ok {
+		d.Set("user_path", v)
+	}
+
 	d.Set("backend", strings.Join(pathPieces[:len(pathPieces)-2], "/"))
 	d.Set("name", pathPieces[len(pathPieces)-1])
 	return nil