Add iam_tags to vault_aws_secret_backend_role resource

[pporee]

Description

Fix #1073

Relates OR Closes #0000

Checklist

• Added CHANGELOG entry (only for user-facing changes)
• Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

[hashicorp-cla]

All committers have signed the CLA.

[thyton]

Hi @pporee, this PR seems to break some of the acceptance tests (see below for an example). Local test setup guides can be found at https://github.com/hashicorp/terraform-provider-vault/blob/main/README.md#developing-the-provider. Could you take a look and drop your acceptance tests' output in the description like #781's?

~/go/src/github.com/community/pporee/terraform-provider-vault (main) $ make testacc TESTARGS='-run=TestAccAWSSecretBackendRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestAccAWSSecretBackendRole -timeout 30m ./...
?   	github.com/hashicorp/terraform-provider-vault	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/generate	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/helper	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/consts	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/group	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/mfa	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/pki	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/codegen	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/internal/identity/entity	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/schema	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/provider	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/testutil	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/util	(cached) [no tests to run]
--- FAIL: TestAccAWSSecretBackendRole_import (2.63s)
    resource_aws_secret_backend_role_test.go:61: Step 2/6 error running import: ImportStateVerify attributes not equivalent. Difference is shown below. The - symbol indicates attributes missing after import.
        
          map[string]string{
        - 	"iam_tags.%":    "2",
        - 	"iam_tags.key1": "value1",
        - 	"iam_tags.key2": "value2",
          }
FAIL
FAIL	github.com/hashicorp/terraform-provider-vault/vault	12.007s
FAIL
make: *** [testacc] Error 1

Please let us know if you need any help.

Thanks,
Thy

[thyton]

I think another test for the map's key length can ensure the map value.

Suggested change

	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"),
	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"),
	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.%", "2"),

[thyton]

Suggested change

	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "2"),
	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "2"),
	resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.%", "2"),

[thyton]

Get will return the data for the given key, or nil if the key doesn't exist in the schema.

Suggested change

	iamTags, iamTagsOk := d.GetOk("iam_tags")
	iamTags := d.Get("iam_tags")

[thyton]

We should also check if the value has changed, following the current practice from other fields/keys.

Suggested change

	if iamTagsOk {
	if d.HasChange("iam_tags") {

[thyton]

Looks like resource.TestCheckResourceAttr(...) tests for iam_tags of resource "vault_aws_secret_backend_role.test_policy_arns" are missing.

Could you please enhance its test coverage like how you did for resource "vault_aws_secret_backend_role.test_policy_inline"?

[thyton]

Similar comment to the above to enhance test coverage.

[thyton]

Similar comment to the above to enhance test coverage.

[thyton]

Similar comment to the above to enhance test coverage.

[thyton]

Suggested change

	iam_tags = {
	"key1" = "value1"
	"key2" = "value2"
	}
	iam_tags = {
	"key1" = "value1"
	"key2" = "value2"
	}

[thyton]

Suggested change

	iam_tags = {
	"key1" = "value1"
	"key2" = "value2"
	}
	iam_tags = {
	"key1" = "value1"
	"key2" = "value2"
	}

[Shocktrooper]

Hello! I am interested in this because it will allow us to use AWS policy variables in our IAM policies. Without this we cannot do that and thus cannot use AWS Policy variables based off of tags

• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

[Shocktrooper]

@thyton Can you check this code again and see if there are any other changes needed other than what you have reviewed since its a few months old now. if @pporee cannot complete this I can go ahead and try to finish it with a new MR

[thyton]

@Shocktrooper Thank you for your patience! I've created a WIP #2231 to finish the remaining work and close this PR.
I'm expecting to close #2231 within 2 weeks.

[Shocktrooper]

Thank you for picking this up! @thyton Let me know if there is anything I can do

[thyton]

@pporee @Shocktrooper This feature will be out in release 4.3.0. Thank you again for your patience!