From d5f7d6b123f7014afd6159ce19a654112cb6a630 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Thu, 16 Nov 2023 15:04:54 -0800 Subject: [PATCH 1/4] add iam_tags to vault_aws_secret_backend_role --- vault/resource_aws_secret_backend_role.go | 13 +++++++++++++ vault/resource_aws_secret_backend_role_test.go | 7 +++++++ 2 files changed, 20 insertions(+) diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go index 50f4d3fa42..69fb73132d 100644 --- a/vault/resource_aws_secret_backend_role.go +++ b/vault/resource_aws_secret_backend_role.go @@ -76,6 +76,14 @@ func awsSecretBackendRoleResource(name string) *schema.Resource { Optional: true, Description: "A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters.", }, + "iam_tags": { + Type: schema.TypeMap, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + Description: "A map of strings representing key/value pairs used as tags for any IAM user created by this role.", + }, "default_sts_ttl": { Type: schema.TypeInt, Optional: true, @@ -123,6 +131,8 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error { iamGroups := d.Get("iam_groups").(*schema.Set).List() + iamTags := d.Get("iam_tags") + if policyDocument == "" && len(policyARNs) == 0 && len(roleARNs) == 0 && len(iamGroups) == 0 { return fmt.Errorf("at least one of: `policy_document`, `policy_arns`, `role_arns` or `iam_groups` must be set") } @@ -155,6 +165,9 @@ func awsSecretBackendRoleWrite(d *schema.ResourceData, meta interface{}) error { if d.HasChange("iam_groups") { data["iam_groups"] = iamGroups } + if d.HasChange("iam_tags") { + data["iam_tags"] = iamTags + } if d.HasChange("user_path") { if credentialType == "iam_user" { data["user_path"] = userPath diff --git a/vault/resource_aws_secret_backend_role_test.go b/vault/resource_aws_secret_backend_role_test.go index 3cca088cbf..1145510655 100644 --- a/vault/resource_aws_secret_backend_role_test.go +++ b/vault/resource_aws_secret_backend_role_test.go @@ -145,6 +145,9 @@ func testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend string) resou resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "backend", backend), testutil.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.#", "0"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.key1", "value1"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.key2", "value2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), @@ -224,6 +227,10 @@ resource "vault_aws_secret_backend_role" "test_policy_inline" { policy_document = %q credential_type = "assumed_role" backend = vault_aws_secret_backend.test.path + iam_tags = { + "key1" = "value1" + "key2" = "value2" + } } `, name, testAccAWSSecretBackendRolePolicyInline_basic), From e7d7cd62ecc7c5f38203eb458df3c6e73a1418e4 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Tue, 30 Apr 2024 17:23:25 -0700 Subject: [PATCH 2/4] fix vault_aws_secret_backend_role test --- vault/resource_aws_secret_backend_role.go | 3 ++ .../resource_aws_secret_backend_role_test.go | 37 ++++++++++++++----- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/vault/resource_aws_secret_backend_role.go b/vault/resource_aws_secret_backend_role.go index 69fb73132d..dc62bbe8c9 100644 --- a/vault/resource_aws_secret_backend_role.go +++ b/vault/resource_aws_secret_backend_role.go @@ -252,6 +252,9 @@ func awsSecretBackendRoleRead(d *schema.ResourceData, meta interface{}) error { if v, ok := secret.Data["iam_groups"]; ok { d.Set("iam_groups", v) } + if v, ok := secret.Data["iam_tags"]; ok { + d.Set("iam_tags", v) + } if v, ok := secret.Data["permissions_boundary_arn"]; ok { d.Set("permissions_boundary_arn", v) } diff --git a/vault/resource_aws_secret_backend_role_test.go b/vault/resource_aws_secret_backend_role_test.go index 1145510655..4892a55623 100644 --- a/vault/resource_aws_secret_backend_role_test.go +++ b/vault/resource_aws_secret_backend_role_test.go @@ -27,6 +27,10 @@ const ( testAccAWSSecretBackendRolePermissionsBoundaryArn_updated = "arn:aws:iam::123456789123:policy/boundary2" testAccAWSSecretBackendRoleIamUserPath_basic = "/path1/" testAccAWSSecretBackendRoleIamUserPath_updated = "/path2/" + testAccAWSSecretBackendRoleIamTag_key_basic = "key1" + testAccAWSSecretBackendRoleIamTag_value_basic = "value1" + testAccAWSSecretBackendRoleIamTag_key_updated = "key2" + testAccAWSSecretBackendRoleIamTag_value_updated = "value2" ) func TestAccAWSSecretBackendRole_basic(t *testing.T) { @@ -145,9 +149,6 @@ func testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend string) resou resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "backend", backend), testutil.TestCheckResourceAttrJSON("vault_aws_secret_backend_role.test_policy_inline", "policy_document", testAccAWSSecretBackendRolePolicyInline_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_groups.#", "0"), - resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.#", "0"), - resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.key1", "value1"), - resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_inline", "iam_tags.key2", "value2"), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "name", fmt.Sprintf("%s-policy-arn", name)), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "backend", backend), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_policy_arns", "policy_arns.#", "1"), @@ -170,6 +171,8 @@ func testAccAWSSecretBackendRoleCheckBasicAttributes(name, backend string) resou resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_basic), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_basic), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_basic), testAccAWSSecretBackendRoleIamTag_value_basic), ) } @@ -208,6 +211,8 @@ func testAccAWSSecretBackendRoleCheckUpdatedAttributes(name, backend string) res resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "policy_arns.0", testAccAWSSecretBackendRolePolicyArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "permissions_boundary_arn", testAccAWSSecretBackendRolePermissionsBoundaryArn_updated), resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "user_path", testAccAWSSecretBackendRoleIamUserPath_updated), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", "iam_tags.%", "1"), + resource.TestCheckResourceAttr("vault_aws_secret_backend_role.test_iam_user_type_optional_attributes", fmt.Sprintf("iam_tags.%s", testAccAWSSecretBackendRoleIamTag_key_updated), testAccAWSSecretBackendRoleIamTag_value_updated), ) } @@ -227,10 +232,6 @@ resource "vault_aws_secret_backend_role" "test_policy_inline" { policy_document = %q credential_type = "assumed_role" backend = vault_aws_secret_backend.test.path - iam_tags = { - "key1" = "value1" - "key2" = "value2" - } } `, name, testAccAWSSecretBackendRolePolicyInline_basic), @@ -281,8 +282,17 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes backend = vault_aws_secret_backend.test.path permissions_boundary_arn = "%s" user_path = "%s" + iam_tags = { + %s = "%s" + } } -`, name, testAccAWSSecretBackendRolePolicyArn_basic, testAccAWSSecretBackendRolePermissionsBoundaryArn_basic, testAccAWSSecretBackendRoleIamUserPath_basic), +`, + name, + testAccAWSSecretBackendRolePolicyArn_basic, + testAccAWSSecretBackendRolePermissionsBoundaryArn_basic, + testAccAWSSecretBackendRoleIamUserPath_basic, + testAccAWSSecretBackendRoleIamTag_key_basic, + testAccAWSSecretBackendRoleIamTag_value_basic), } return strings.Join(resources, "\n") @@ -367,8 +377,17 @@ resource "vault_aws_secret_backend_role" "test_iam_user_type_optional_attributes backend = vault_aws_secret_backend.test.path permissions_boundary_arn = "%s" user_path = "%s" + iam_tags = { + %s = "%s" + } } -`, name, testAccAWSSecretBackendRolePolicyArn_updated, testAccAWSSecretBackendRolePermissionsBoundaryArn_updated, testAccAWSSecretBackendRoleIamUserPath_updated), +`, + name, + testAccAWSSecretBackendRolePolicyArn_updated, + testAccAWSSecretBackendRolePermissionsBoundaryArn_updated, + testAccAWSSecretBackendRoleIamUserPath_updated, + testAccAWSSecretBackendRoleIamTag_key_updated, + testAccAWSSecretBackendRoleIamTag_value_updated), } return strings.Join(resources, "\n") } From aa29920451ddbd9d47899663ef075ec6f11d1349 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Tue, 30 Apr 2024 17:27:43 -0700 Subject: [PATCH 3/4] update website/docs --- website/docs/r/aws_secret_backend_role.html.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/website/docs/r/aws_secret_backend_role.html.md b/website/docs/r/aws_secret_backend_role.html.md index be51aec81d..3bf1c1367d 100644 --- a/website/docs/r/aws_secret_backend_role.html.md +++ b/website/docs/r/aws_secret_backend_role.html.md @@ -90,6 +90,9 @@ The following arguments are supported: policies from each group in `iam_groups` combined with the `policy_document` and `policy_arns` parameters. +* `iam_tags` (Optional) - A map of strings representing key/value pairs + to be used as tags for any IAM user that is created by this role. + * `default_sts_ttl` - (Optional) The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, From 395f7a05079021f1269a89efe56942e1e3ea48f3 Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Tue, 30 Apr 2024 17:27:52 -0700 Subject: [PATCH 4/4] update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85116ed822..f18ecd392f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ ## Unreleased +FEATURES: +* Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)). + ## 4.2.0 (Mar 27, 2024) FEATURES: