only support external_id on vault versions >= 1.17

helenfufu · helenfufu · commit c5e7afa9d3a0 · 2024-11-19T18:35:11.000-08:00
external_id support for aws auth sts configuration added in 1.17.0: hashicorp/vault#26628
diff --git a/vault/resource_aws_auth_backend_sts_role.go b/vault/resource_aws_auth_backend_sts_role.go
@@ -76,8 +76,11 @@ func awsAuthBackendSTSRoleCreate(d *schema.ResourceData, meta interface{}) error
 	path := awsAuthBackendSTSRolePath(backend, accountID)
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Writing STS role %q to AWS auth backend", path)
@@ -128,8 +131,10 @@ func awsAuthBackendSTSRoleRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("account_id", accountID)
 	d.Set("sts_role", resp.Data["sts_role"])
 
-	if v, ok := resp.Data[consts.FieldExternalID]; ok {
-		d.Set(consts.FieldExternalID, v)
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		if v, ok := resp.Data[consts.FieldExternalID]; ok {
+			d.Set(consts.FieldExternalID, v)
+		}
 	}
 
 	return nil
@@ -147,8 +152,11 @@ func awsAuthBackendSTSRoleUpdate(d *schema.ResourceData, meta interface{}) error
 	path := d.Id()
 
 	data := map[string]interface{}{
-		"sts_role":             stsRole,
-		consts.FieldExternalID: externalID,
+		"sts_role": stsRole,
+	}
+
+	if provider.IsAPISupported(meta, provider.VaultVersion117) {
+		data[consts.FieldExternalID] = externalID
 	}
 
 	log.Printf("[DEBUG] Updating STS role %q in AWS auth backend", path)
diff --git a/vault/resource_aws_auth_backend_sts_role_test.go b/vault/resource_aws_auth_backend_sts_role_test.go
@@ -6,6 +6,7 @@ package vault
 import (
 	"fmt"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -22,6 +23,13 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) {
 	accountID := strconv.Itoa(acctest.RandInt())
 	arn := acctest.RandomWithPrefix("arn:aws:iam::" + accountID + ":role/test-role")
 	externalID := "external-id"
+
+	importStateVerifyIgnore := make([]string, 0)
+	// Ignore external_id if Vault version is < 1.17.0.
+	if !provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) {
+		importStateVerifyIgnore = append(importStateVerifyIgnore, consts.FieldExternalID)
+	}
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testutil.TestAccPreCheck(t) },
 		ProviderFactories: providerFactories,
@@ -32,9 +40,10 @@ func TestAccAWSAuthBackendSTSRole_import(t *testing.T) {
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
 			},
 			{
-				ResourceName:      "vault_aws_auth_backend_sts_role.role",
-				ImportState:       true,
-				ImportStateVerify: true,
+				ResourceName:            "vault_aws_auth_backend_sts_role.role",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: importStateVerifyIgnore,
 			},
 		},
 	})
@@ -56,13 +65,18 @@ func TestAccAWSAuthBackendSTSRole_basic(t *testing.T) {
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, ""),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
 			},
+			{
+				// Update ARN.
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, ""),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
+			},
 			{
 				// Add external ID.
-				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, arn, externalID),
-				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, arn),
+				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, externalID),
+				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
 			{
-				// Update ARN and external ID.
+				// Update external ID.
 				Config: testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, updatedArn, updatedExternalID),
 				Check:  testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, updatedArn),
 			},
@@ -130,9 +144,13 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string)
 		}
 
 		attrs := map[string]string{
-			"sts_role":             "sts_role",
-			consts.FieldExternalID: consts.FieldExternalID,
+			"sts_role": "sts_role",
 		}
+		// Only check external_id if Vault version is >= 1.17.0
+		if provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion117) {
+			attrs[consts.FieldExternalID] = consts.FieldExternalID
+		}
+
 		for stateAttr, apiAttr := range attrs {
 			if resp.Data[apiAttr] == nil && instanceState.Attributes[stateAttr] == "" {
 				continue
@@ -146,30 +164,27 @@ func testAccAWSAuthBackendSTSRoleCheck_attrs(backend, accountID, stsRole string)
 }
 
 func testAccAWSAuthBackendSTSRoleConfig_basic(backend, accountID, stsRole, externalID string) string {
-	roleResource := fmt.Sprintf(`
-resource "vault_aws_auth_backend_sts_role" "role" {
-	backend = vault_auth_backend.aws.path
-	account_id = "%s"
-	sts_role = "%s"
-}
-`, accountID, stsRole)
+	backendResource := fmt.Sprintf(`
+resource "vault_auth_backend" "aws" {
+	type = "aws"
+	path = "%s"
+}`, backend)
 
+	roleResourceOptionalFields := ""
 	if externalID != "" {
-		roleResource = fmt.Sprintf(`
+		roleResourceOptionalFields += fmt.Sprintf(`
+	external_id = "%s"`, externalID)
+	}
+
+	roleResource := fmt.Sprintf(`
 resource "vault_aws_auth_backend_sts_role" "role" {
 	backend = vault_auth_backend.aws.path
 	account_id = "%s"
-	sts_role = "%s"
-	external_id = "%s"
+	sts_role = "%s"%s
 }
-`, accountID, stsRole, externalID)
-	}
+`, accountID, stsRole, roleResourceOptionalFields)
 
-	return fmt.Sprintf(`
-resource "vault_auth_backend" "aws" {
-  type = "aws"
-  path = "%s"
-}
-%s
-`, backend, roleResource)
+	resources := []string{backendResource, roleResource}
+
+	return strings.Join(resources, "\n")
 }
