Add support for Consul secrets engine enhancements #1518

Merged
merged 16 commits into from
Jul 19, 2022


robmonte
Member

This adds support for service identities and node identities in Consul and for the ability to bootstrap the Consul ACL system by writing the secrets engine config without a token.

Bootstrapping example:

resource "vault_consul_secret_backend" "config" {
  path    = "consul"
  address = "http://127.0.0.1:8500"
}

Identities example:

resource "vault_consul_secret_backend_role" "role" {
  name               = "management"
  backend            = vault_consul_secret_backend.config.path
  node_identities    = ["server-1:dc1"]
  service_identities = ["db-service:dc1"]
}

Release note for CHANGELOG:

IMPROVEMENTS
* resource/vault_consul_secret_backend: Try automatically bootstrapping the Consul ACL system when a token is not provided
* resource/vault_consul_secret_backend_role: Add support for service identities and node identities

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestConsulSecretBackendRole'
=== RUN   TestConsulSecretBackendRole
--- PASS: TestConsulSecretBackendRole (2.17s)
=== RUN   TestConsulSecretBackendRoleNameFromPath
--- PASS: TestConsulSecretBackendRoleNameFromPath (0.00s)
=== RUN   TestConsulSecretBackendRoleBackendFromPath
--- PASS: TestConsulSecretBackendRoleBackendFromPath (0.00s)
PASS

@robmonte robmonte force-pushed the consul-secrets-identities-support branch from f7ab399 to b33e7a9 Compare June 29, 2022 22:35
Contributor

@austingebauer austingebauer left a comment

LGTM otherwise.

Contributor

@benashz benashz left a comment

Looking good. I added a few comments/suggestions. Also I think we need to update the website docs.

@benashz
Contributor

benashz commented Jun 30, 2022

Looks like the build is failing when testing against Vault-1.10, we will probably need to special case some of the tests to account for feature differences between 1.10 and 1.11.

@benashz benashz changed the base branch from release/vault-next to main June 30, 2022 17:25
@benashz benashz changed the base branch from main to release/vault-next June 30, 2022 17:25
robmonte and others added 3 commits June 30, 2022 14:15
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
…consul_policies or policies is returned by Vault when building the resourcedata
@github-actions github-actions bot added size/XL and removed size/L labels Jul 5, 2022
@github-actions github-actions bot added size/L and removed size/XL labels Jul 6, 2022
Contributor

@vinay-gopalan vinay-gopalan left a comment

Awesome work! Couple of nits and questions but PR is looking great

@robmonte robmonte requested a review from benashz July 19, 2022 17:20
@benashz benashz added this to the 3.8.0 milestone Jul 19, 2022
Contributor

@benashz benashz left a comment

LGTM!

@robmonte
Member Author

Thanks for all of the help!!

@robmonte robmonte merged commit fd31b6a into release/vault-next Jul 19, 2022
@robmonte robmonte deleted the consul-secrets-identities-support branch July 19, 2022 20:30
marcboudreau pushed a commit to marcboudreau/terraform-provider-vault that referenced this pull request Nov 6, 2022
…orp#1518)

* Add support for Vault 1.11 Consul secrets engine's new features

* Update test coverage for vault 1.10 and vault 1.11

* Update docs to reflect new parameters

* Add TF_VAULT_VERSION to the README and GHA workflow

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>